Assess Google Cloud Security with cnspec
cnspec assesses your full GCP environment for misconfigurations that put your organization at risk. You can scan your GCP account for compliance with security policies created by Mondoo or the community, or create your own policies. You also can write individual tests to run on the fly or include in automated tasks.
cnspec can test any aspect of your GCP configuration. For a list of GCP resources you can test, read Mondoo Google Cloud Platform (GCP) Resource Pack Reference and Mondoo Core Resource Pack Reference.
You can also use cnspec with HashiCorp Packer to build secure VM images in Google Cloud.
Connect cnspec with your GCP environment
Requirements
To test your GCP environment with cnspec, you must have:
- cnspec installed on your workstation
- A Google Platform account
- Google Cloud SDK installed
- Cloud Resource Manager API enabled
Provide access credentials
In your terminal, log into GCP with this command:
gcloud auth login --update-adc
Configure the GCP project you want assess
To test a GCP project, you must set up the project:
gcloud config set project PROJECTID
For PROJECTID, substitute the ID of the project you want to assess.
GCP confirms the setup:
Updated property [core/project].
To verify your configuration, enter:
gcloud config list
GCP returns results similar to these:
[core]
account = suki@lunalectric.com
disable_usage_reporting = True
project = gcp-project-id
Your active configuration is: [default]
Verify with a quick GCP check
To quickly confirm that cnspec has access to your GCP environment, run this check from your terminal:
cnspec run gcp project PROJECT-ID -c 'gcp.project.id!="foo"'
For PROJECT-ID, substitute your GCP project ID.
It asserts that your GCP project ID value is not foo.
cnspec returns [ok] to indicate that the test passed, and includes the actual value of the GCP project ID, similar to this:
[ok] value: "luna-dev-262317"
You've successfully used cnspec to run your first check on your GCP environment. Now you're ready to explore.
Once you've ensured that cnspec can access your GCP environment, you can begin testing. The method you choose depends on your goals:
- For widescale assessment of your GCP infrastructure, scan using policy bundles. These collections of tests work together to present a broad picture of your GCP security posture.
- To run ad hoc checks against your GCP environment, use cnspec's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnspec and learning MQL.
Assess GCP security with policy-based scanning
The Google Cloud (GCP) Security by Mondoo policy is available to all in Mondoo's cnspec-policies GitHub repo. This collection of tests evaluates how well your environment follows fundamental GCP security best practices. It checks for misconfigurations across your entire GCP infrastructure.
To scan an organization using the Google Cloud (GCP) Security by Mondoo policy, run:
cnspec scan gcp org ORGANIZATION-ID
For ORGANIZATION-ID, substitute the ID of the organization you want to scan.
To scan a project using the Google Cloud (GCP) Security by Mondoo policy, run:
cnspec scan gcp project PROJECT-ID
For PROJECT-ID, substitute the ID of the project you want to scan.
To scan a folder using the Google Cloud (GCP) Security by Mondoo policy, run:
cnspec scan gcp folder FOLDER-ID
For FOLDER-ID, substitute the ID of the folder you want to scan.
cnspec finds the default policy for GCP and runs a scan based on that policy. It returns a report summarizing the scan results.:
→ loaded configuration from /Users/suki/.config/mondoo/mondoo.yml using source default
→ using service account credentials
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1
GCP project luna-dev-262317 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% score: A
Asset: GCP project luna-dev-262317
----------------------------------
Data queries:
gcp.project.iamPolicy.where: [
0: gcp.resourcemanager.binding id = luna-dev-262317
]
gcp.project.labels: {}
gcp.project.gke.clusters: []
gcp.compute.instances.where: []
gcp.compute.networks.length: 1
...
Checks:
✓ Pass: A 100 Ensure oslogin is enabled for compute instances
✓ Pass: A 100 Ensure that Cloud Storage buckets are not anonymously or publicly accessible
✓ Pass: A 100 Ensure "Block Project-wide SSH keys" is enabled for VM instances
✓ Pass: A 100 Ensure that Cloud Storage buckets have uniform bucket-level access enabled
✓ Pass: A 100 Ensure that instances are not configured to use the default service account
✓ Pass: A 100 Ensure instances are not configured to use the default service account with full access to all Cloud APIs
Scanned 1 assets
GCP Project
A GCP project luna-dev-262317
You can also create your own policies to meet your specific needs. To learn more about policies, read Policies.
Test GCP with the cnspec shell
The cnspec shell is handy for quick checks and tests, or for developing your MQL skills. Its auto-complete and help features guide you in writing checks.
To launch a shell into your GCP environment to run queries and checks, substitute ORGANIZATION-ID with the ID of the organization you want to access and run:
cnspec shell gcp org ORGANIZATION-ID
To launch a shell into your GCP environment on the project level, substitute PROJECT-ID with the ID of the project you want to access and run:
cnspec shell gcp project PROJECT-ID
To launch a shell into your GCP environment on the folder level, substitute FOLDER-ID with the ID of the folder you want to access and run:
cnspec shell gcp folder FOLDER-ID
Discover capabilities with the help command
Once inside the shell, use the help command to learn what GCP resources you can test. This command lists all the GCP resources:
help gcp
From the resulting list, you can drill down further. For example, enter this command to list all the GCP service resources you can test:
help gcp.service
From the resulting list, you can drill down even further. You can also learn about available GCP resources in the Mondoo Google Cloud Platform (GCP) Resource Pack Reference.
Run tests in the cnspec shell
Now that you know how to discover what's possible with cnspec, let's run some actual tests in the shell.
Assess Cloud Storage bucket access
This test assures that all Cloud Storage buckets have uniform bucket-level access enabled:
gcp.project.storageService.buckets.all( iamConfiguration['UniformBucketLevelAccess']['Enabled'] == true )
If the test passes (all Cloud Storage buckets have uniform bucket-level access enabled) then cnspec returns ok:
[ok] value: true
If the test fails, (one or more Cloud Storage buckets don't use uniform bucket-level access) then cnspec provides details about the failure:
[failed] [].all()
actual: [
0: gcp.project.storageService.bucket id = luna-bucket-3
]
The sample results above show that the luna-bucket-3 storage bucket doesn't use uniform bucket-level access.
Assess Compute Engine access
This test asserts that all Compute Engine instances have OS Login enabled:
gcp.project.computeService.instances.all( metadata['enable-oslogin'] == true )
If one or more instance aren't using OS Login, cnspec lists them:
[failed] [].all()
actual: [
0: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/5894326198680570314
1: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/7160119628481766684
2: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/5917688252380140477
3: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/3877422285743886958
4: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/3907771157037563687
5: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/4114342986437780688
6: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/9121791747047534080
7: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/2350609386795184202
8: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/3078531271735985553
9: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/1236920519697087164
10: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/6674678823862797263
11: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/3498829478465908910
]
Exit the cnspec shell
To exit the cnspec shell, either press Ctrl + D or type exit.
Learn more about securing Google Cloud
-
To learn more about how the MQL query language works, read Write Effective MQL.
-
For a list of all the GCP resources and fields you can query, read the Mondoo Google Cloud Platform (GCP) Resource Pack Reference.
Next step
Learn how to use snapshot scanning to assess GCP instances without affecting your production workload.