Google Cloud & Mondoo - Overview
This page details all of the ways you can use Mondoo to assess security configurations and risk for your infrastructure running in Google Cloud.
Gather vulnerability information during build-time
- Risk assessment in GCP CloudBuild
- Risk assessment for GCP Container Registry
- Build AMIs with Packer
- Test Docker Images in GCP Cloudbuild
Gather vulnerability information during run-time
- Scan GCP cloud account
- Install Mondoo Client via Cloud-Init
- Terraform deployment
- Verify instances managed by Chef/AWS OpsWorks
- Verify instances managed by Ansible
Preparation
$ gcloud config set project <projectID>
Updated property [core/project].
You can verify your configuration via:
gcloud config list
[compute]
region = us-central1
zone = us-central1-a
[core]
account = user@example.com
disable_usage_reporting = True
project = gcp-project-id
[run]
region = us-central1
- Install the Mondoo Client on your workstation
Scan GCP Cloud Account
Analysing a GCP account takes only a few steps:
- Activate the CIS Google Cloud Platform Foundation Benchmark Level 1 Profile
- Open your terminal and run
# uses the default project with the ssh username chris
$ mondoo scan -t gcp://
- See the results
Scan GCP Cloud Account including Compute instances
We are going to scan a GCP project including its compute instances. Before we start, let's check that the project contains running instances:
gcloud compute instances list
Mondoo uses the instance information from GCP, including each instance's public IP, and tries to connect to every instance via SSH. Make sure you can connect to all instances via SSH, e.g. by adding SSH keys to the instance metadata.
note
Mondoo Client leverages ~/.ssh/config to determine the user for each detected public IP. Instead of using the same SSH username for all instances, you can configure the username for each instance individually in your SSH config:
Host 123.123.123.123
User chris
Host yourdomain.com
IdentityFile /your/path/keyname
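Before running a scan over a whole project, it helps to know which user and key Mondoo would pick for each discovered public IP, and which instances have no matching entry at all. The following added example (not Mondoo's own code) resolves a constructed ~/.ssh/config against a constructed list of discovered hosts using ssh_config's first-match-wins rule, falling back to a default user such as the one an inventory's credential_query supplies; the sample config, hosts and the fallback user are assumptions.

```python
import fnmatch

# Constructed sample ~/.ssh/config, extending the page's example with a wildcard Host.
SSH_CONFIG = """
Host 123.123.123.123
    User chris

Host yourdomain.com
    IdentityFile /your/path/keyname

Host 10.0.*
    User ops
"""

# Constructed list of hosts as Mondoo would discover them from the GCP API.
DISCOVERED_HOSTS = ["123.123.123.123", "yourdomain.com", "10.0.0.7", "203.0.113.9"]

# Assumed fallback user (the 'user' field of an inventory credential_query).
DEFAULT_USER = "chris"


def parse_ssh_config(text):
    """Return a list of (host_patterns, options) blocks in file order.
    Negated patterns ('!') and Match blocks are not handled here."""
    blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "host":
            current = (value.split(), {})
            blocks.append(current)
        elif current is not None:
            # Within a block the first occurrence of an option wins, as in ssh.
            current[1].setdefault(key, value.strip())
    return blocks


def resolve(host, blocks, default_user):
    """Apply ssh_config semantics: the first matching block to set an option wins."""
    opts = {}
    for patterns, block in blocks:
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            for k, v in block.items():
                opts.setdefault(k, v)
    return {"user": opts.get("user", default_user),
            "identityfile": opts.get("identityfile"),
            "matched": bool(opts)}


def preflight(hosts, config_text, default_user):
    """Map every discovered host to the user/key Mondoo's SSH connection would use."""
    blocks = parse_ssh_config(config_text)
    return {h: resolve(h, blocks, default_user) for h in hosts}
```

Hosts reported with matched False will be contacted with the fallback user and whatever key the SSH agent offers, so they are the ones to check before the scan.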
If you require a specific list of instances with more detailed configuration, consider using an Ansible inventory.
1. Create an inventory
Mondoo can define a list of assets, including the discovery mechanism to use for each of them.
apiVersion: v1
kind: Inventory
metadata:
  name: mondoo-inventory
  labels:
    environment: production
spec:
  # uses ssh username chris and ssh agent to get the credentials for VMs
  credential_query: "{ user: 'chris', type: 'ssh_agent' }"
  assets:
    - name: gcp
      connections:
        - backend: gcp
          insecure: true # to allow missing host-keys
          discover:
            targets:
              - all
          options:
            project: gcp-project-1233
- credential_query defines the way credentials are retrieved per discovered asset
- discover defines whether Mondoo should look for assets within this cloud account
- options.project defines the GCP project that should be scanned
2. Scan the inventory
$ mondoo scan --inventory inventory.yml