From Lighthouse to Loran - Navigating GCP Security Auditing Tools

Recently, I embarked on a journey into Google Cloud Platform (GCP). Having spent a lot of time with AWS and Azure in the past, I wanted to dive into GCP and learn more. This exploration, fuelled by completing the Google Cybersecurity Certificate and checking out sadcloud by NCCGroup and the Enterprise Foundations Blueprint, led me to look more into auditing in GCP.

This blog post dives into the available auditing tools within GCP, focusing on both the standard tier offerings and open-source gems. But before we begin, let’s address some of the critical challenges we’ll be tackling:

  • Gotta Keep ’em Separated - Access Control: Balancing identities, roles, scopes, exposed resources, open ports, and vulnerable functions can feel like guarding a medieval castle under siege. Oh, and serverless != threatless
  • How many eggs ya got in those baskets? - Visibility: In security, we often preach, “Don’t put all your eggs in one basket.” But in the cloud, keeping track of “how many baskets” and “where all the eggs are” can be a real head-scratcher. Regular audits are our trusty magnifying glass in this game
  • You left your keys in the door - Misconfiguration: Cloud environments are dynamic, and misconfigurations, whether at setup or during updates, can lurk in the shadows, creating headaches

Inspired by Scott Piper and his older post on auditing AWS accounts, I aim to follow a similar approach here for GCP. Scott, along with others, has done great work when it comes to knowing how many baskets exist and where all the eggs are kept for AWS. The success of those tools and techniques proves that keeping track of those blasted eggs and baskets is no easy job. Add an element of scale, and the challenge intensifies. So, let’s take a look at how GCP tackles this with built-in tools and explore open-source tools that can lend a hand.

Free Tools for Auditing GCP Security

Interestingly, I noticed that quite a few of the popular open-source tools are now archived or end-of-life, such as Forseti and Netflix’s Security Monkey. The reason stated by Forseti, for example, is that over the years GCP security has introduced features and capabilities that address many of the areas and challenges these tools were targeting.

Built-in Google Tools

Security Command Center

https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview

Launched in October 2022 (the first alpha was March 2021), Google Cloud Security Command Center (SCC) is a powerful tool which is included in the standard tier, free for all GCP users. It has limitations compared to the premium tier, which is available on a pay-as-you-go or subscription basis.

Figure: Google Cloud Security Command Center dashboard, illustrating the core services and operations in Security Command Center.

The standard tier includes functions like:

  • Security Health Analytics: alerts on misconfigurations such as open firewall ports, MFA not being enforced, public log buckets, public SQL instances, legacy authorisation enabled, or outdated software. The standard tier focuses on high-severity findings.
  • Web Security Scanner: vulnerability checks for App Engine, Google Kubernetes Engine (GKE), and Compute Engine web applications. Custom scans are part of the standard tier, but managed scans are not. It’s worth reading the best practices, as there are some caveats; as ever, you need to be careful using this kind of scanner in prod: https://cloud.google.com/security-command-center/docs/concepts-web-security-scanner-overview#best_practices . As the docs mention, Web Security Scanner errs on the side of underreporting and doesn’t report low-confidence findings.
  • VPC Service Controls: sets security boundaries and restricts data transfer within your VPC. See https://cloud.google.com/vpc-service-controls/docs/enable and https://medium.com/google-cloud/mitigating-data-exfiltration-risks-in-gcp-using-vpc-service-controls-part-1-82e2b440197 .
  • Anomaly Detection: checks for leaked credentials and cryptocurrency mining.
  • Cloud Identity-Aware Proxy (IAP): not a feature of Security Command Center, but worth highlighting. IAP allows you to control access to apps based on user identity and other contextual factors. Think Zero Trust, rather than an app open behind a VPN. This video shows an example: https://www.youtube.com/watch?v=ayTGOuCaxuc
  • Cloud Asset Inventory: OK, so Cloud Asset Inventory is not part of Security Command Center either, though Command Center does use its data to monitor for changes, suspicious activity and risks. Cloud Asset Inventory has a separate API and interface and can be used for discovery, inventory and management of GCP resources.

Some limits of the standard tier to be aware of: you get a subset of the vulnerability and misconfiguration checks, fewer detection modules, limited customisation of reporting and analytics (such as how far back you can report), fewer integrations with third-party tools, and visibility that is focused on the project level rather than organisation-wide. The docs page lists the standard tier features against what is in the premium tier: https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview#tiers


GCP Scanner

https://github.com/google/gcp_scanner

Interestingly, this tool is in the Google GitHub repo but specifically states “This project is not an official Google project. It is not supported by Google and Google specifically disclaims all warranties as to its quality, merchantability, or fitness for a particular purpose.”

Launched in March 2023, gcp_scanner can be used to evaluate the impact of a VM/container compromise, or of a GCP service account key or OAuth2 token leak. The tool does point out that Policy Analyzer (mentioned below) can help, but “If you just have a GCP SA key, access to a previously compromised VM, or an OAuth2 refresh token, gcp_scanner is the best option to use.”

There is also a visualiser built into the tool.

Figure: gcp_scanner HTML dashboard.

GCP Policy Analyser

https://cloud.google.com/policy-intelligence/docs/policy-analyzer-overview

Note

“After April 29, 2024, some Policy Intelligence features will only be available for customers with organization-level activations of the Premium tier of Security Command Center.”

Figure: IAM Policy Analyzer screenshot.

One thing I like here is that there is a policy simulator: https://cloud.google.com/policy-intelligence/docs/iam-simulator-overview , so you can make adjustments and check what will happen before applying them. This was something customers of Duo used to ask us about a lot in Customer Success. This is the kind of feature that doesn’t often find an easy way off the backlog, so it’s nice to see here.
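To make the simulator idea concrete: a simulator takes a proposed policy and tells you which recent accesses would change outcome before you apply anything. The script below is an added example, not code from the original post and not how Google’s Policy Simulator is implemented; it does a static replay over a constructed role-to-permission map, a current and a proposed IAM policy, and a few constructed access records standing in for Cloud Audit Log entries. The principals, roles, permissions and the permission map are all assumptions made for the example.

```python
"""Static what-if check for a proposed IAM policy change.

Added example; not part of the original post and not Google's Policy Simulator
code. It shows the idea behind a simulator: replay recent access against a
proposed policy and report every access whose outcome would change.
"""

# Constructed role -> permission map. Real roles carry far more permissions;
# the authoritative list is what `gcloud iam roles describe ROLE` returns.
ROLE_PERMISSIONS = {
    "roles/viewer": {"storage.objects.get", "compute.instances.list"},
    "roles/storage.objectAdmin": {"storage.objects.get",
                                  "storage.objects.create",
                                  "storage.objects.delete"},
    "roles/compute.viewer": {"compute.instances.list"},
}

# Constructed current policy, in the binding shape gcloud returns.
CURRENT_POLICY = {"bindings": [
    {"role": "roles/viewer",
     "members": ["user:alice@example.com", "user:bob@example.com"]},
    {"role": "roles/storage.objectAdmin", "members": ["user:alice@example.com"]},
]}

# Constructed proposed policy, e.g. after applying a recommendation:
# alice loses objectAdmin, bob gets compute.viewer instead of viewer.
PROPOSED_POLICY = {"bindings": [
    {"role": "roles/viewer", "members": ["user:alice@example.com"]},
    {"role": "roles/compute.viewer", "members": ["user:bob@example.com"]},
]}

# Constructed access records (principal + permission), standing in for
# what you would extract from Cloud Audit Logs.
RECENT_ACCESS = [
    {"principal": "user:alice@example.com", "permission": "storage.objects.get"},
    {"principal": "user:alice@example.com", "permission": "storage.objects.create"},
    {"principal": "user:bob@example.com", "permission": "compute.instances.list"},
    {"principal": "user:bob@example.com", "permission": "storage.objects.get"},
]


def permissions_for(policy, member):
    """Union of permissions a member holds through the policy's bindings."""
    perms = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            perms |= ROLE_PERMISSIONS.get(binding["role"], set())
    return perms


def binding_diff(current, proposed):
    """(member, role) grants added and removed by the proposed policy."""
    def grants(policy):
        return {(m, b["role"]) for b in policy.get("bindings", [])
                for m in b.get("members", [])}
    cur, new = grants(current), grants(proposed)
    return {"added": sorted(new - cur), "removed": sorted(cur - new)}


def replay(accesses, current, proposed):
    """Replay each access under both policies; return those whose outcome changes."""
    changes = []
    for rec in accesses:
        before = rec["permission"] in permissions_for(current, rec["principal"])
        after = rec["permission"] in permissions_for(proposed, rec["principal"])
        if before != after:
            changes.append({**rec,
                            "before": "ALLOW" if before else "DENY",
                            "after": "ALLOW" if after else "DENY"})
    return changes


if __name__ == "__main__":
    print("binding changes:", binding_diff(CURRENT_POLICY, PROPOSED_POLICY))
    for change in replay(RECENT_ACCESS, CURRENT_POLICY, PROPOSED_POLICY):
        print(f"{change['principal']} {change['permission']}: "
              f"{change['before']} -> {change['after']}")
```

Two accesses flip to DENY here (alice creating objects, bob reading a bucket), which is exactly the kind of thing you want to know before applying a recommender suggestion rather than after something breaks and you reach for the history tab.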


IAM Recommender

https://cloud.google.com/policy-intelligence/docs/role-recommendations-overview

Note

“After April 29, 2024, some Policy Intelligence features will only be available for customers with organization-level activations of the Premium tier of Security Command Center.”

Figure: IAM Recommender page with findings.

The recommender analyses IAM policies and identifies potential issues such as overly permissive role grants. It generates recommendations which you can apply directly or investigate further.

The history tab allows you to revert changes if you apply a change and something breaks.

Figure: IAM Recommender history page.

CLI

https://cloud.google.com/cli

Figure: Google Cloud CLI help page in a terminal.

This might seem an odd tool to point to, but getting the most out of the exposed APIs sometimes means using the CLI. There are around 11,384 API methods within Google Cloud, so there is a lot to check out (https://gcp.permissions.cloud/ used as the data source).
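The kind of checks Security Health Analytics runs (open firewall ports, public buckets, over-broad IAM grants) can be reproduced at small scale from the CLI’s own JSON output, which is handy for verifying a finding or covering a project the standard tier doesn’t. The script below is an added example, not code from the original post, from Google, or from any of the tools on this page. It runs over constructed sample data shaped like the output of `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud compute firewall-rules list --format=json`; the field names follow those commands’ JSON, while the check names and severities are this example’s own and not SCC finding categories.

```python
"""Security-Health-Analytics-style checks over gcloud JSON output.

Added example; not part of the original post and not Google or SCC code.
The sample inputs below are constructed to match the shape of:
  gcloud projects get-iam-policy PROJECT --format=json
  gcloud compute firewall-rules list --format=json
Check names and severities are this example's own, not SCC finding categories.
"""
import json

# Constructed sample: a project IAM policy with two public principals and a
# service account holding a basic (primitive) role.
IAM_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com",
                 "serviceAccount:ci@example.iam.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/logging.viewer", "members": ["group:sec@example.com"]}
  ],
  "etag": "BwXyz123",
  "version": 1
}
"""

# Constructed sample: firewall rules (subset of fields). Only the first should
# fire: the second is internal-only, the RDP rule is disabled, the last is egress.
FIREWALL_JSON = """
[
  {"name": "allow-ssh-anywhere", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-internal", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "all"}]},
  {"name": "allow-rdp-old", "direction": "INGRESS", "disabled": true,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
  {"name": "egress-any", "direction": "EGRESS", "disabled": false,
   "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]}
]
"""

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
ANYWHERE = {"0.0.0.0/0", "::/0"}
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp"}


def check_iam_policy(policy):
    """Flag public principals and basic roles granted to service accounts."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append({"check": "public_principal", "severity": "HIGH",
                                 "role": role, "member": member})
            if role in BASIC_ROLES and member.startswith("serviceAccount:"):
                findings.append({"check": "service_account_basic_role",
                                 "severity": "MEDIUM", "role": role, "member": member})
    return findings


def exposes_port(allowed, port):
    """True if an 'allowed' list (protocol + optional port ranges) covers port."""
    for entry in allowed:
        proto = entry.get("IPProtocol", "").lower()
        if proto == "all":
            return True
        if proto not in ("tcp", "udp"):
            continue
        ports = entry.get("ports")
        if not ports:  # no 'ports' key means every port for that protocol
            return True
        for spec in ports:  # "22" or "1000-2000"
            low, _, high = spec.partition("-")
            if int(low) <= port <= int(high or low):
                return True
    return False


def check_firewall_rules(rules):
    """Flag enabled ingress rules that open a sensitive port to the internet."""
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        open_sources = ANYWHERE & set(rule.get("sourceRanges", []))
        if not open_sources:
            continue
        for port, name in SENSITIVE_PORTS.items():
            if exposes_port(rule.get("allowed", []), port):
                findings.append({"check": f"open_{name}_port", "severity": "HIGH",
                                 "rule": rule["name"],
                                 "source": ", ".join(sorted(open_sources))})
    return findings


def audit(iam_json, firewall_json):
    """Run both checks over raw gcloud JSON strings and return all findings."""
    return (check_iam_policy(json.loads(iam_json))
            + check_firewall_rules(json.loads(firewall_json)))


if __name__ == "__main__":
    for f in audit(IAM_POLICY_JSON, FIREWALL_JSON):
        details = ", ".join(f"{k}={v}" for k, v in f.items()
                            if k not in ("check", "severity"))
        print(f"[{f['severity']}] {f['check']}: {details}")
```

To run it against a real project, save the two gcloud commands’ output to files and pass their contents to `audit()`. The checks are deliberately narrow; the point is the shape of a detection over the CLI’s JSON (and the port-range and disabled-rule edge cases a quick grep would miss), not coverage.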


Open-source Tools

Prowler

https://prowler.com/

Figure: Prowler CLI output.

https://github.com/prowler-cloud/prowler

Prowler has come a long way since its release in September 2016; in fact, the Prowler team just received investment from Decibel VC: https://prowler.com/blog/seed-funding/ . Prowler covers best-practice assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It has a lot of built-in control coverage and can check against frameworks such as CIS, NIST 800, NIST CSF, CISA, RBI, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, the AWS Well-Architected Framework Security Pillar, AWS Foundational Technical Review (FTR), ENS (Spanish National Security Scheme) and custom security frameworks. You can also output reports to HTML, JSON and CSV.

Figure: Prowler architecture (image source: https://www.helpnetsecurity.com/2024/02/07/prowler-open-source-security-tool-aws-google-cloud-platform-azure/ ).


ScoutSuite

https://github.com/nccgroup/ScoutSuite

Scout Suite was designed by security consultants and auditors. It can quickly give you a report from an assessment, and these reports can be worked into automation. It is a multi-cloud tool, released in 2018, with checks and functions for GCP, AWS and Azure. You can output reports to JSON and CSV, and you also get a nice HTML view.

Figure: Scout Suite dashboard.

You can customise rules (https://github.com/nccgroup/ScoutSuite/wiki/Using-a-Custom-Ruleset ) and checks to align to your policies and needs.

Figure: Scout Suite custom rules.

Customisation can be as simple as flipping enabled to false or true, along with adjusting parameters.

There’s a nice post here for integrating ScoutSuite with Cloud Run: https://asrinandirin.medium.com/integrating-scoutsuite-with-cloud-run-serverless-security-and-compliance-automation-fbcef6141bb9


CloudSploit

https://github.com/aquasecurity/cloudsploit

Figure: CloudSploit output in a terminal.

CloudSploit is designed to detect security risks in cloud infrastructure accounts. Its scripts return a list of potential misconfigurations and security risks.

GCP configuration instructions: https://github.com/aquasecurity/cloudsploit/blob/master/docs/gcp.md#cloud-provider-configuration


Cloud Custodian

https://cloudcustodian.io/ - https://github.com/cloud-custodian/cloud-custodian

Figure: Cloud Custodian site with a breakdown of cloud provider coverage.

Arriving in 2016, Cloud Custodian is more of an enforcement rules engine. It can take action on its findings, such as powering down instances and changing the visibility of buckets to private. A good portion of it is focused on cost management, and the idea is that it runs on a schedule to enforce your policies. I’ve only briefly looked at Cloud Custodian, so there is more to check out, though it seems light on rule examples, and the ability to enforce and terminate resources means it requires a good amount of caution and planning to use.

https://cloudcustodian.io/docs/gcp/gettingstarted.html


Other mentions

Conclusion

There are plenty more tools out there, and new ones emerging all the time. I haven’t covered them all here, but hopefully this breakdown shows the progress that GCP has made on building security in, as well as tools like Prowler that are growing and expanding. Remember, the best toolset for you depends on your specific needs. Consider factors like the complexity of your environment, your security priorities, and your team’s technical expertise.

Google Cloud Platform has some great tools built-in already, which some of the open-source tools have given way to. Prowler and ScoutSuite are tools that can give a good lay of the land with actions to take, and things like Steampipe can help with visibility across GCP and further.
