What is GCP Security?
GCP (Google Cloud Platform) provides a powerful infrastructure for cloud computing, but misconfigurations and poor access controls can expose organizations to serious risks. This guide walks you through best practices, real-world examples, and hands-on techniques to secure GCP environments effectively.
GCP Security Basics
Key Concepts:
- Projects: Logical containers for resources
- IAM (Identity & Access Management): Fine-grained permissions system
- Service Accounts: Identities used by applications and services
- Cloud Audit Logs: Logging activities for visibility and monitoring
Step-by-Step: Hardening GCP
1. Audit IAM Permissions
Run the following to list all IAM policies in a project:
gcloud projects get-iam-policy my-project-id
Look for roles/owner assigned to users or service accounts unnecessarily.
2. Enforce Least Privilege
Use custom roles to give only the permissions needed. Avoid using Editor or Owner roles in production.
3. Monitor with Cloud Audit Logs
gcloud logging read "resource.type=gce_instance" --limit=10
This helps identify unexpected VM actions like unauthorized creation or shutdowns.
4. Secure Storage (GCS Buckets)
- Make sure buckets are not public:
gsutil iam get gs://my-bucket
Remove allUsers or allAuthenticatedUsers bindings if they are not required.
5. Secure Service Accounts
Restrict what service accounts may do and avoid user-managed key files; disable any key that is no longer needed:
gcloud iam service-accounts keys disable KEY_ID --iam-account=SA_EMAIL
6. Enable Security Command Center (Premium)
Provides threat detection, misconfiguration alerts, and compliance reports in real time.
Advanced GCP Security Techniques
Workload Identity Federation
Allow external identities (e.g., GitHub Actions) to access GCP resources securely without service account keys.
gcloud iam workload-identity-pools create "github-pool" \
--location="global" --display-name="GitHub Pool"
Private Google Access
Allow instances without public IPs to access Google APIs securely via internal networking.
gcloud compute networks subnets update default \
--region=us-central1 --enable-private-ip-google-access
VPC Firewall Rules
Apply tight ingress/egress rules. An explicit deny such as the one below blocks all ingress on the network, so any allow rules you still need must use a lower priority number than it:
gcloud compute firewall-rules create deny-all-ingress \
--direction=INGRESS --priority=1000 --action=DENY \
--rules=all --network=default
Real-World Scenario: Public GCS Bucket
Example of an exposed storage bucket leaking sensitive files:
# Check bucket permissions
gsutil iam get gs://client-data-bucket
# Remove public access
gsutil iam ch -d allUsers gs://client-data-bucket
This type of misconfiguration is often exploited in bug bounty programs.
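The IAM audit in step 1 and the bucket checks in step 4 and this scenario come down to the same review of `bindings` in policy JSON. The following added script (not part of the original guide) automates that review; it assumes you have saved the output of `gcloud projects get-iam-policy PROJECT --format=json` or `gsutil iam get gs://BUCKET` to a file, and ships with constructed sample policies so it also runs offline.

```python
"""Audit GCP IAM policy JSON for the bindings this guide says to remove (added example)."""
import json
import sys

# Special members: allUsers = anyone on the internet, allAuthenticatedUsers = any Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Primitive roles too broad for production; prefer predefined or custom roles.
BROAD_ROLES = {"roles/owner", "roles/editor"}

def find_risky_bindings(policy):
    """One finding per (role, member) pair that is public or overly broad. `policy` is parsed from
    `gcloud projects get-iam-policy PROJECT --format=json` or `gsutil iam get gs://BUCKET`."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                sev, reason = "HIGH", "public principal"
            elif role in BROAD_ROLES and member.startswith("serviceAccount:"):
                sev, reason = "HIGH", "service account holds a primitive role"
            elif role in BROAD_ROLES:
                sev, reason = "MEDIUM", "primitive role on a human identity"
            else:
                continue
            findings.append({"severity": sev, "role": role, "member": member, "reason": reason})
    return findings

def remediation_hint(finding, target):
    """Command that drops the binding; `target` is a gs:// bucket URL or a project id."""
    if target.startswith("gs://"):
        return f"gsutil iam ch -d {finding['member']} {target}"
    return (f"gcloud projects remove-iam-policy-binding {target} "
            f"--member={finding['member']} --role={finding['role']}")

# Constructed samples shaped like the real commands' JSON (not captured from a live project).
SAMPLE_PROJECT_POLICY = {"version": 1, "etag": "BwXconstructed=", "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com",
        "serviceAccount:ci-deployer@my-project-id.iam.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["group:auditors@example.com"]}]}
SAMPLE_BUCKET_POLICY = {"etag": "CAE=", "bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["user:bob@example.com"]}]}

if __name__ == "__main__":
    # Usage: python audit_iam.py [policy.json TARGET]; with no arguments the samples are used.
    targets = ([(json.load(open(sys.argv[1])), sys.argv[2])] if len(sys.argv) > 2 else
               [(SAMPLE_PROJECT_POLICY, "my-project-id"), (SAMPLE_BUCKET_POLICY, "gs://client-data-bucket")])
    for policy, target in targets:
        for f in find_risky_bindings(policy):
            print(f"[{f['severity']}] {target} {f['role']} {f['member']}: {f['reason']}; fix: {remediation_hint(f, target)}")
```

Review each suggested command before running it: a group binding on a viewer role is left alone on purpose, and a legitimately public bucket (a static website, for instance) still shows up as HIGH.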
Pro Tips
- Enable MFA for all users in GCP IAM
- Rotate service account keys regularly (or disable them entirely)
- Use the principle of separation of duties: don't assign multiple roles to a single account
- Enable alerts for IAM policy changes
- Review access logs weekly