
Assess a GCP Project

Assess the security and compliance of a Google Cloud project with cnspec.

Scan your Google Cloud project, organization, or folder to find security risks before they become incidents. cnspec evaluates project-level settings like Compute Engine OS Login, Cloud Storage bucket access, IAM policy bindings, Cloud SQL encryption, and GKE cluster configurations. All you need is your existing Google Cloud SDK credentials.

Prerequisites

To test your Google Cloud environment with cnspec, you must have:

Log in and set the project you want to assess:

gcloud auth login --update-adc
gcloud config set project PROJECT-ID

For PROJECT-ID, substitute the ID of the project you want to assess.

Verify with a quick GCP check

To quickly confirm that cnspec can access your Google Cloud environment, run this check from your terminal:

cnspec run gcp project PROJECT-ID -c 'gcp.project.id != empty'

For PROJECT-ID, substitute your Google Cloud project ID.

If cnspec can connect, it returns the project ID and confirms the check passed:

[ok] value: "my-project-id"

If the command fails, verify that you are logged in with gcloud auth login --update-adc.

Scan Google Cloud

To scan a Google Cloud project:

cnspec scan gcp project PROJECT-ID

To scan an organization:

cnspec scan gcp org ORGANIZATION-ID

To scan a folder:

cnspec scan gcp folder FOLDER-ID

To examine scan results in detail, add the -o full flag:

cnspec scan gcp project PROJECT-ID -o full

Explore and test checks interactively

Open a cnspec shell to discover resources and test checks:

cnspec shell gcp project PROJECT-ID

List Compute Engine instances

cnspec> gcp.project.computeService.instances { name status scheduling }

Filter instances by status

cnspec> gcp.project.computeService.instances.where(status == "RUNNING") { name lastStartTimestamp }

List Cloud Storage buckets

cnspec> gcp.project.storageService.buckets { name location storageClass }

List DNS managed zones

cnspec> gcp.project.dns.managedZones

List firewall rules

cnspec> gcp.project.computeService.firewalls { name direction allowed }

Example security checks

Ensure Cloud Storage buckets use uniform bucket-level access

cnspec> gcp.project.storageService.buckets.all( iamConfiguration['UniformBucketLevelAccess']['Enabled'] == true )
[ok] value: true

Ensure Compute Engine instances have OS Login enabled

cnspec> gcp.project.computeService.instances.all( metadata['enable-oslogin'] == true )
[failed] [].all()
  actual:   [
    0: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/5894326198680570314
    1: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/7160119628481766684
  ]

Ensure Cloud DNS DNSSEC is enabled

cnspec> gcp.project.dns.managedZones.all( dnssecConfig['state'] == "on" )
[ok] value: true
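To run the three checks above together as one scored policy instead of typing them into the shell one at a time, they can be packaged as a cnspec policy bundle. The bundle below is an added example, not code from the original page or from Mondoo's published policies; the policy and query uids, titles, impact values and the asset.platform filter value are this example's own assumptions.

```yaml
# Added example (not from the original page): a cnspec policy bundle that
# wraps the page's three GCP checks. Uids, titles, impact values and the
# "gcp-project" platform filter are assumptions made for this example.
policies:
  - uid: gcp-project-baseline-example
    name: GCP project baseline (example)
    version: 1.0.0
    groups:
      - title: Project hardening
        # assumed platform name for a GCP project asset
        filters: asset.platform == "gcp-project"
        checks:
          - uid: gcp-storage-uniform-bucket-level-access
          - uid: gcp-compute-os-login-enabled
          - uid: gcp-dns-dnssec-enabled

queries:
  # Same MQL as the interactive shell example for bucket access
  - uid: gcp-storage-uniform-bucket-level-access
    title: Cloud Storage buckets use uniform bucket-level access
    impact: 70
    mql: |
      gcp.project.storageService.buckets.all(
        iamConfiguration['UniformBucketLevelAccess']['Enabled'] == true
      )
  # Same MQL as the interactive shell example for OS Login
  - uid: gcp-compute-os-login-enabled
    title: Compute Engine instances have OS Login enabled
    impact: 80
    mql: |
      gcp.project.computeService.instances.all(
        metadata['enable-oslogin'] == true
      )
  # Same MQL as the interactive shell example for DNSSEC
  - uid: gcp-dns-dnssec-enabled
    title: Cloud DNS managed zones have DNSSEC turned on
    impact: 60
    mql: |
      gcp.project.dns.managedZones.all(
        dnssecConfig['state'] == "on"
      )
```

Save it as gcp-baseline.mql.yaml and run cnspec scan gcp project PROJECT-ID -f gcp-baseline.mql.yaml; a failing check lists the non-compliant resources the same way the OS Login shell output above does.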
