
Google Cloud & Mondoo - Overview

This page details all of the ways you can use Mondoo to assess security configurations and risk for your infrastructure running in Google Cloud:

  • Gather vulnerability information during build-time
  • Gather vulnerability information during run-time

Preparation

  1. Install the gcloud CLI and log in with the gcloud auth login command. Then set the project you want to scan:
$ gcloud config set project <projectID>
Updated property [core/project].

You can verify your configuration via:

$ gcloud config list
[compute]
region = us-central1
zone = us-central1-a
[core]
account = user@example.com
disable_usage_reporting = True
project = gcp-project-id
[run]
region = us-central1

The project shown under [core] is the one Mondoo scans by default.
  2. Install Mondoo Client on your workstation.

Scan a Google Cloud account

Scanning the Google Cloud project takes a few steps:

  1. Activate the CIS Google Cloud Platform Foundation Benchmark Level 1 Profile.
  2. Open your terminal and run:
# scans the project configured as core/project in gcloud
$ mondoo scan gcp
  3. View the results.

[Screenshot: Mondoo GCP Project Result]

Scan a Google Cloud account including compute instances

You can include a Google Cloud project's compute instances in a scan. Before you start, check that the project includes running instances:

$ gcloud compute instances list

Mondoo uses the instance information from Google Cloud, including each instance's public IP, and tries to connect to every instance via SSH. Make sure you can connect to all instances via SSH from the machine that runs the scan, for example by adding your SSH public key to the instance or project metadata. Instances without a public IP, or whose port 22 is blocked by a firewall rule, cannot be reached this way and will not be scanned.

note

Mondoo Client reads ~/.ssh/config to determine the user and key for each detected public IP. Instead of using the same SSH username for every instance, you can add a Host entry per instance with its own username or identity file:

Host 123.123.123.123
    User chris

Host www.lunalectric.com
    IdentityFile /your/path/key_name
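The SSH requirement above (every instance reachable on its public IP, with the right user and key in ~/.ssh/config) can be checked before a scan rather than discovered from a failed one. The following script is an added example and is not code from Mondoo or its documentation. It assumes gcloud is installed and authenticated as in Preparation, that the SSH username is chris and the key is ~/.ssh/id_ed25519 (both placeholders you would replace), and that the SSH client is OpenSSH 7.6 or newer (for StrictHostKeyChecking=accept-new). The instance names and addresses used in the comments are constructed.

```shell
#!/bin/sh
# Added example (not Mondoo's code): pre-flight check for the SSH step of
# `mondoo scan gcp`. It turns the running instances reported by gcloud into an
# ssh_config fragment keyed by public IP and verifies that each IP accepts a
# non-interactive login. Username "chris" and the key path are assumptions.
set -eu

# Convert gcloud's tab-separated "name<TAB>natIP" lines (one per instance,
# e.g. "web-1<TAB>203.0.113.10") into ssh_config Host blocks keyed by the
# public IP, which is what Mondoo looks up in ~/.ssh/config. Instances without
# a public IP are reported on stderr and skipped: Mondoo cannot reach them
# through a public IP either.
ssh_config_from_instances() {
  user="$1"
  key="$2"
  tab="$(printf '\t')"
  while IFS="$tab" read -r name ip; do
    [ -n "$name" ] || continue
    if [ -z "$ip" ]; then
      printf 'skipping %s: no public IP\n' "$name" >&2
      continue
    fi
    printf 'Host %s\n    User %s\n    IdentityFile %s\n\n' "$ip" "$user" "$key"
  done
}

# Non-interactive login test. BatchMode=yes makes ssh fail instead of prompting
# (for a password or an unknown host key), which is exactly the situation an
# unattended scan is in. accept-new records a host key on first contact but
# still refuses a changed key, so this populates known_hosts without having to
# disable host key verification (insecure: true) in a Mondoo inventory.
ssh_login_ok() {
  user="$1"
  ip="$2"
  ssh -o BatchMode=yes -o ConnectTimeout=5 -o StrictHostKeyChecking=accept-new \
    "$user@$ip" true >/dev/null 2>&1
}

# Extract the public IPs back out of a generated ssh_config fragment.
hosts_from_config() {
  awk '$1 == "Host" { print $2 }'
}

# Usage: sh gcp-ssh-preflight.sh --run [user] [key] > ~/.ssh/config.d/gcp
# The --run guard keeps the gcloud and ssh calls out of sourcing and tests.
if [ "${1:-}" = "--run" ]; then
  user="${2:-chris}"
  key="${3:-$HOME/.ssh/id_ed25519}"
  instances="$(gcloud compute instances list --filter='status=RUNNING' \
    --format='value(name,networkInterfaces[0].accessConfigs[0].natIP)')"
  config="$(printf '%s\n' "$instances" | ssh_config_from_instances "$user" "$key")"
  printf '%s\n' "$config"
  failed=0
  for ip in $(printf '%s\n' "$config" | hosts_from_config); do
    if ssh_login_ok "$user" "$ip"; then
      printf 'ok          %s\n' "$ip" >&2
    else
      printf 'unreachable %s\n' "$ip" >&2
      failed=1
    fi
  done
  exit "$failed"
fi
```

The script exits non-zero if any instance with a public IP refuses the login, so it can gate the scan in a pipeline. Redirect its stdout into a file that your ~/.ssh/config includes (or append it to ~/.ssh/config directly) so that Mondoo picks up the per-IP user and key.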

If you need to scan a specific list of instances with more detailed per-host configuration, consider using an Ansible inventory, or define a Mondoo inventory as in the following steps:

1. Create an inventory

Mondoo can read a list of assets from an inventory file, including the discovery mechanism to use for each asset.

inventory.yml
apiVersion: v1
kind: Inventory
metadata:
  name: mondoo-inventory
  labels:
    environment: production
spec:
  # uses ssh username chris and ssh agent to get the credentials for VMs
  credential_query: "{ user: 'chris', type: 'ssh_agent' }"
  assets:
    - name: gcp
      connections:
        - backend: gcp
          insecure: true # to allow missing host-keys
          discover:
            targets:
              - all
          options:
            project: gcp-project-1233

  • credential_query defines how credentials are retrieved for each discovered asset; here every VM is accessed as user chris with keys from the local SSH agent
  • discover defines whether Mondoo should look for further assets (such as compute instances) within this project; targets: all discovers every supported asset type
  • options.project defines the project to scan
  • insecure: true skips SSH host key verification for the discovered instances. This avoids failures on hosts missing from ~/.ssh/known_hosts, but it also removes the protection against a man-in-the-middle on the SSH connection; drop it once the host keys are in known_hosts.

2. Scan the inventory

$ mondoo scan --inventory-file inventory.yml