Skip to main content

Google Cloud & Mondoo - Overview


This page details all of the ways you can use Mondoo to assess security configurations and risk for your infrastructure running in Google Cloud.

Gather vulnerability information during build-time​

Gather vulnerability information during run-time​

Preparation​

  1. Install the gcloud CLI and login via gcloud auth login. Then set your project:
$ gcloud config set project <projectID>
Updated property [core/project].

You can verify your configuration via:

gcloud config list
[compute]
region = us-central1
zone = us-central1-a
[core]
account = user@example.com
disable_usage_reporting = True
project = gcp-project-id
[run]
region = us-central1
  1. Install the Mondoo Client on your workstation

Scan GCP Cloud Account​

With a few steps, we analyse the GCP account

  1. Activate the CIS Google Cloud Platform Foundation Benchmark Level 1 Profile
  2. Open your terminal and run
# uses the default project with the ssh username chris
$ mondoo scan -t gcp://
  1. See the results

Mondoo GCP Project Result

Scan GCP Cloud Account including Compute instances​

We are going to scan a GCP project including its compute instances. Before we start, lets check that the project includes running instances:

gcloud compute instances list

Mondoo uses the instance information from GCP, including their public IP, and tries to connect to each instance via SSH. Make sure you are able to connect to all instances via SSH. e.g. use SSH keys in metadata

note

Mondoo Client leverages ~/.ssh/config to determine the users for each detected public IP. Instead of using the same ssh username for all instances, you can also configure the SSH config and configure the username for each instance with their username:

Host 123.123.123.123
User chris

Host yourdomain.com
IdentityFile /your/path/keyname

If you require a specific list of instances with more detailed configuration, consider the use of an Ansible inventory

1. Create an inventory

Mondoo has the ability to define a list of assets including the used discovery mechanism.

inventory.yml
apiVersion: v1
kind: Inventory
metadata:
name: mondoo-inventory
labels:
environment: production
spec:
# uses ssh username chris and ssh agent to get the credentials for VMs
credential_query: "{ user: 'chris', type: 'ssh_agent' }"
assets:
- name: gcp
connections:
- backend: gcp
insecure: true # to allow missing host-keys
discover:
targets:
- all
options:
project: gcp-project-1233
  • credential_query defines the way credentials are retrieved per discovered asset
  • discover defines if mondoo should look for assets within this cloud account
  • options.project defines the gcp project that should be scanned

2. Scan the inventory

$ mondoo scan --inventory inventory.yml