Secure a Google Cloud Project
Scan a Google Cloud project against security and compliance best practices with cnspec.
Scan your Google Cloud project, organization, or folder to find security risks before they become incidents. cnspec evaluates project-level settings such as Compute Engine OS Login, Cloud Storage bucket access, IAM policy bindings, Cloud SQL encryption, and GKE cluster configurations. All you need is your existing Google Cloud SDK credentials.
Prerequisites
To scan Google Cloud with cnspec, you must have:
- cnspec installed on your workstation
- A Google Cloud account
- The Google Cloud SDK installed
- The Cloud Resource Manager API enabled
Log in and set the project you want to assess:
gcloud auth login --update-adc
gcloud config set project PROJECT-ID
For PROJECT-ID, substitute the ID of the project you want to assess.
Verify with a quick Google Cloud check
Confirm that cnspec can reach your Google Cloud environment:
cnspec run gcp project PROJECT-ID -c 'gcp.project.id != empty'
If cnspec connects, it returns the project ID and confirms the check passed:
[ok] value: "my-project-id"
If the command fails, verify that you are logged in with gcloud auth login --update-adc and that the project ID is correct.
Scan Google Cloud
Scan a project:
cnspec scan gcp project PROJECT-ID
Scan an organization:
cnspec scan gcp org ORGANIZATION-ID
Scan a folder:
cnspec scan gcp folder FOLDER-ID
Add the -o full flag to see results in detail:
cnspec scan gcp project PROJECT-ID -o full
Scan with the Mondoo Google Cloud Security policy
Mondoo maintains an out-of-the-box Google Cloud Security policy that checks Compute Engine OS Login, Cloud Storage bucket access, IAM policy bindings, Cloud SQL encryption, GKE cluster configurations, and more.
Mondoo Platform users: Enable the policy in your space. In the Mondoo Console, go to Findings > Policies, search for "Google Cloud", and add the policy. All future scans of your Google Cloud projects automatically evaluate against it. To learn more, read Manage Policies.
Open source users: Pass the policy bundle URL directly to cnspec:
cnspec scan gcp project PROJECT-ID \
--policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-gcp-security.mql.yaml
Explore and test checks interactively
Open a cnspec shell to discover resources and try out checks:
cnspec shell gcp project PROJECT-ID
List Compute Engine instances
cnspec> gcp.project.computeService.instances { name status scheduling }
Filter instances by status
cnspec> gcp.project.computeService.instances.where(status == "RUNNING") { name lastStartTimestamp }
List Cloud Storage buckets
cnspec> gcp.project.storageService.buckets { name location storageClass }
List DNS managed zones
cnspec> gcp.project.dns.managedZones
List firewall rules
cnspec> gcp.project.computeService.firewalls { name direction allowed }
Example security checks
Ensure Cloud Storage buckets use uniform bucket-level access
cnspec> gcp.project.storageService.buckets.all( iamConfiguration['UniformBucketLevelAccess']['Enabled'] == true )
[ok] value: true
Ensure Compute Engine instances have OS Login enabled
cnspec> gcp.project.computeService.instances.all( metadata['enable-oslogin'] == true )
[failed] [].all()
actual: [
0: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/5894326198680570314
1: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/7160119628481766684
]
Ensure Cloud DNS DNSSEC is enabled
cnspec> gcp.project.dns.managedZones.all( dnssecConfig['state'] == "on" )
[ok] value: true
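Once a check works in the shell, the next step is to keep it: the three checks above can be packaged into a custom policy bundle and passed to cnspec scan with the same --policy-bundle flag used for the Mondoo policy. The bundle below is an added example, not the page's or Mondoo's own bundle; the MQL is copied verbatim from the shell examples above, while the uid and name values, the impact scores, the remediation commands in docs, and the platform filter value "gcp-project" are assumptions (the filter expression may need adjusting to the platform name your cnspec version reports for a project asset).

```yaml
# gcp-project-baseline.mql.yaml (example bundle; names and filter are assumptions)
policies:
  - uid: example-gcp-project-baseline
    name: Example Google Cloud project baseline
    version: 1.0.0
    groups:
      - title: Project hardening
        # Assumed platform name for a scanned project asset.
        filters: asset.platform == "gcp-project"
        checks:
          - uid: example-gcs-uniform-bucket-level-access
          - uid: example-gce-os-login-enabled
          - uid: example-dns-dnssec-enabled

queries:
  - uid: example-gcs-uniform-bucket-level-access
    title: Cloud Storage buckets use uniform bucket-level access
    impact: 70
    mql: |
      gcp.project.storageService.buckets.all(
        iamConfiguration['UniformBucketLevelAccess']['Enabled'] == true
      )
    docs:
      desc: Uniform bucket-level access disables legacy per-object ACLs so IAM is the only access path.
      remediation: |
        gcloud storage buckets update gs://BUCKET-NAME --uniform-bucket-level-access

  - uid: example-gce-os-login-enabled
    title: Compute Engine instances have OS Login enabled
    impact: 60
    mql: |
      gcp.project.computeService.instances.all(
        metadata['enable-oslogin'] == true
      )
    docs:
      desc: OS Login ties SSH access to IAM identities instead of instance-level SSH keys.
      remediation: |
        gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE

  - uid: example-dns-dnssec-enabled
    title: Cloud DNS managed zones have DNSSEC enabled
    impact: 50
    mql: |
      gcp.project.dns.managedZones.all(
        dnssecConfig['state'] == "on"
      )
    docs:
      desc: DNSSEC lets resolvers verify that responses for the zone have not been tampered with.
      remediation: |
        gcloud dns managed-zones update ZONE-NAME --dnssec-state on
```

Save the file and run it against a project with cnspec scan gcp project PROJECT-ID --policy-bundle ./gcp-project-baseline.mql.yaml; the OS Login query will report the same per-instance failures shown in the shell example above until the metadata is set, and adding -o full prints the failing instances in the report.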
Learn more
- Mondoo Google Cloud Resource Pack Reference — every Google Cloud resource and field cnspec can query
- Write Effective MQL — guide to authoring checks and queries
- Continuously Scan Google Cloud — set up the Mondoo Google Cloud integration for ongoing assessment