Assess Google Cloud Security with cnspec
Scan your Google Cloud environment for security misconfigurations with cnspec
cnspec assesses your full Google Cloud environment for misconfigurations that put your organization at risk. You can scan your Google Cloud account for compliance with security policies created by Mondoo or the community, or create your own policies. You can also write individual tests to run on the fly or include in automated tasks.
cnspec can test any aspect of your Google Cloud configuration. For a list of Google Cloud resources you can test, read Mondoo Google Cloud (GCP) Resource Pack Reference and Mondoo Core Resource Pack Reference.
You can also use cnspec with HashiCorp Packer to build secure VM images in Google Cloud.
Connect cnspec with your Google Cloud environment
Requirements
To test your Google Cloud environment with cnspec, you must have:
- cnspec installed on your workstation
- A Google Cloud account
- Google Cloud SDK installed
- Cloud Resource Manager API enabled
Provide access credentials
In your terminal, log into Google Cloud with this command:
gcloud auth login --update-adc
Configure the Google Cloud project you want to assess
To test a Google Cloud project, you must set up the project:
gcloud config set project PROJECTID
For PROJECTID, substitute the ID of the project you want to assess.
Google Cloud confirms the setup:
Updated property [core/project].
To verify your configuration, enter:
gcloud config list
Google Cloud returns results similar to these:
[core]
account = suki@lunalectric.com
disable_usage_reporting = True
project = gcp-project-id
Your active configuration is: [default]
Verify your connection
To quickly confirm that cnspec has access to your Google Cloud environment, run this check from your terminal:
cnspec run gcp project PROJECT-ID -c 'gcp.project.id != empty'
For PROJECT-ID, substitute your Google Cloud project ID.
If cnspec can connect, it returns the project ID and confirms the check passed. Now you're ready to explore. The method you choose depends on your goals:
- For wide-scale assessment of your Google Cloud infrastructure, scan using policy bundles. These collections of tests work together to present a broad picture of your GCP security posture.
- To run ad hoc checks against your Google Cloud environment, use cnspec's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnspec and learning MQL.
Assess Google Cloud security with policy-based scanning
To scan a Google Cloud organization, run:
cnspec scan gcp org ORGANIZATION-ID
For ORGANIZATION-ID, substitute the ID of the organization you want to scan.
To scan a project, run:
cnspec scan gcp project PROJECT-ID
For PROJECT-ID, substitute the ID of the project you want to scan.
To scan a folder, run:
cnspec scan gcp folder FOLDER-ID
For FOLDER-ID, substitute the ID of the folder you want to scan.
By default, cnspec applies the Mondoo Google Cloud (GCP) Security policy, which covers Compute Engine, Cloud Storage, IAM, networking, GKE, and more. To learn how to enable policies, read Manage Policies. You can also create your own policies or specify a particular policy bundle with --policy-bundle.
Test GCP with the cnspec shell
The cnspec shell is handy for quick checks and tests, or for developing your MQL skills. Its auto-complete and help features guide you in writing checks.
To launch a shell into your GCP environment to run queries and checks, substitute ORGANIZATION-ID with the ID of the organization you want to access and run:
cnspec shell gcp org ORGANIZATION-ID
To launch a shell into your GCP environment on the project level, substitute PROJECT-ID with the ID of the project you want to access and run:
cnspec shell gcp project PROJECT-ID
To launch a shell into your GCP environment on the folder level, substitute FOLDER-ID with the ID of the folder you want to access and run:
cnspec shell gcp folder FOLDER-ID
Discover capabilities with the help command
Once inside the shell, use the help command to learn what GCP resources you can test. This command lists all the GCP resources:
help gcp
From the resulting list, you can drill down further. For example, enter this command to list all the GCP service resources you can test:
help gcp.service
From the resulting list, you can drill down even further. You can also learn about available GCP resources in the Mondoo Google Cloud Platform (GCP) Resource Pack Reference.
Run tests in the cnspec shell
Now that you know how to discover what's possible with cnspec, let's run some actual tests in the shell.
Assess Cloud Storage bucket access
This test asserts that all Cloud Storage buckets have uniform bucket-level access enabled:
gcp.project.storageService.buckets.all( iamConfiguration['UniformBucketLevelAccess']['Enabled'] == true )
If the test passes (all Cloud Storage buckets have uniform bucket-level access enabled), cnspec returns ok:
[ok] value: true
If the test fails (one or more Cloud Storage buckets don't use uniform bucket-level access), cnspec provides details about the failure:
[failed] [].all()
actual: [
0: gcp.project.storageService.bucket id = luna-bucket-3
]
The sample results above show that the luna-bucket-3 storage bucket doesn't use uniform bucket-level access.
Assess Compute Engine access
This test asserts that all Compute Engine instances have OS Login enabled:
gcp.project.computeService.instances.all( metadata['enable-oslogin'] == true )
If one or more instances aren't using OS Login, cnspec lists them:
[failed] [].all()
actual: [
0: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/5894326198680570314
1: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/7160119628481766684
2: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/5917688252380140477
3: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/3877422285743886958
4: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/3907771157037563687
5: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/4114342986437780688
6: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/9121791747047534080
7: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/2350609386795184202
8: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/3078531271735985553
9: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/1236920519697087164
10: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/6674678823862797263
11: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/3498829478465908910
]
Exit the cnspec shell
To exit the cnspec shell, either press Ctrl + D or type exit.
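The two checks run in the shell above (uniform bucket-level access on buckets, OS Login on instances) can be packaged as a custom policy bundle and passed to cnspec scan with the --policy-bundle option mentioned in the policy-based scanning section. The bundle below is an added example written for this page, not a Mondoo policy; the file name gcp-custom.mql.yaml, the policy and query uids, the impact scores, the asset.platform filter value "gcp-project", and the bucket field names name and location used in the two reporting queries are assumptions to adjust for your environment.

```yaml
# gcp-custom.mql.yaml  (added example; file name and uids are assumed)
policies:
  - uid: gcp-custom-baseline
    name: Custom GCP baseline
    version: 1.0.0
    authors:
      - name: Security Engineering
        email: security@example.com
    groups:
      - title: Storage and Compute hardening
        # Assumption: restrict this group to GCP project assets.
        filters: asset.platform == "gcp-project"
        # Checks produce pass/fail and feed the score.
        checks:
          - uid: gcp-custom-bucket-uniform-access
          - uid: gcp-custom-instance-oslogin
        # Data queries only collect information; they list the offending
        # resources so a failed check is immediately actionable.
        queries:
          - uid: gcp-custom-noncompliant-buckets
          - uid: gcp-custom-noncompliant-instances

queries:
  - uid: gcp-custom-bucket-uniform-access
    title: Cloud Storage buckets use uniform bucket-level access
    impact: 70
    mql: |
      gcp.project.storageService.buckets.all(
        iamConfiguration['UniformBucketLevelAccess']['Enabled'] == true
      )
    docs:
      desc: |
        Uniform bucket-level access disables per-object ACLs, so access to
        every object is governed only by IAM policies on the bucket.
      remediation: |
        Enable uniform bucket-level access on each bucket listed in the
        failure output.

  - uid: gcp-custom-instance-oslogin
    title: Compute Engine instances enable OS Login
    impact: 60
    mql: |
      gcp.project.computeService.instances.all(
        metadata['enable-oslogin'] == true
      )
    docs:
      desc: |
        OS Login ties SSH access to IAM identities instead of metadata-managed
        SSH keys.
      remediation: |
        Set the enable-oslogin metadata key to TRUE on the instance or at the
        project level.

  # Reporting queries: same condition inverted, projected to the fields an
  # operator needs to find the resource (field names are assumed).
  - uid: gcp-custom-noncompliant-buckets
    title: Buckets without uniform bucket-level access
    mql: |
      gcp.project.storageService.buckets.where(
        iamConfiguration['UniformBucketLevelAccess']['Enabled'] != true
      ) { name location }

  - uid: gcp-custom-noncompliant-instances
    title: Instances without OS Login
    mql: |
      gcp.project.computeService.instances.where(
        metadata['enable-oslogin'] != true
      ) { name }
```

Run it against a project with cnspec scan gcp project PROJECT-ID --policy-bundle gcp-custom.mql.yaml. Keeping the pass/fail checks separate from the reporting queries means the score reflects only the assertion, while the report still names each bucket and instance that needs attention.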
Learn more about securing Google Cloud
- To learn more about how the MQL query language works, read Write Effective MQL.
- For a list of all the GCP resources and fields you can query, read the Mondoo Google Cloud Platform (GCP) Resource Pack Reference.
Next step
Learn how to use snapshot scanning to assess GCP instances without affecting your production workload.