Assess Google Cloud Security with cnspec

cnspec assesses your full GCP environment for misconfigurations that put your organization at risk. You can scan your GCP account for compliance with security policies created by Mondoo or the community, or create your own policies. You also can write individual tests to run on the fly or include in automated tasks.

cnspec can test any aspect of your GCP configuration. For a list of GCP resources you can test, read Mondoo Google Cloud Platform (GCP) Resource Pack Reference and Mondoo Core Resource Pack Reference.

info

You can also use cnspec with Hashicorp Packer to build secure VM images in Google Cloud.

Connect cnspec with your GCP environment

Requirements

To test your GCP environment with cnspec, you must have:

• cnspec installed on your workstation.
• A Google Platform account
• Google Cloud SDK installed

Provide access credentials

In your terminal, log into GCP with this command:

gcloud auth login  --update-adc

Configure the GCP project you want assess

To test a GCP project, you must set up the project:

gcloud config set project PROJECTID

For PROJECTID, substitute the ID of the project you want to assess.

GCP confirms the setup:

Updated property [core/project].

To verify your configuration, enter:

gcloud config list

GCP returns results similar to these:

[core]
account = suki@lunalectric.com
disable_usage_reporting = True
project = gcp-project-id

Your active configuration is: [default]

Verify with a quick GCP check

To quickly confirm that cnspec has access to your GCP environment, run this check from your terminal:

cnspec run gcp project PROJECT-ID -c 'gcp.project.id!="foo"'

For PROJECT-ID, substitute your GCP project ID.

It asserts that your GCP project ID value is not foo.

cnspec returns [ok] to indicate that the test passed, and includes the actual value of the GCP project ID, similar to this:

[ok] value: "luna-dev-262317"

You've successfully used cnspec to run your first check on your GCP environment. Now you're ready to explore.

Once you've ensured that cnspec can access your GCP environment, you can begin testing. The method you choose depends on your goals:

• For widescale assessment of your GCP infrastructure, scan using policy bundles. These collections of tests work together to present a broad picture of your GCP security posture.
• To run ad hoc checks against your GCP environment, use cnspec's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnspec and learning MQL.

Assess GCP security with policy-based scanning

The Google Cloud (GCP) Security by Mondoo policy is available to all in Mondoo's cnspec-policies GitHub repo. This collection of tests evaluates how well your environment follows fundamental GCP security best practices. It checks for misconfigurations across your entire GCP infrastructure.

To scan an organization using the Google Cloud (GCP) Security by Mondoo policy, run:

cnspec scan gcp org ORGANIZATION-ID

For ORGANIZATION-ID, substitute the ID of the organization you want to scan.

To scan a project using the Google Cloud (GCP) Security by Mondoo policy, run:

cnspec scan gcp project PROJECT-ID

For PROJECT-ID, substitute the ID of the project you want to scan.

To scan a folder using the Google Cloud (GCP) Security by Mondoo policy, run:

cnspec scan gcp folder FOLDER-ID

For FOLDER-ID, substitute the ID of the folder you want to scan.

cnspec finds the default policy for GCP and runs a scan based on that policy. It returns a report summarizing the scan results.:

→ loaded configuration from /Users/suki/.config/mondoo/mondoo.yml using source default
→ using service account credentials
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1

 GCP project luna-dev-262317 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% score: A


Asset: GCP project luna-dev-262317
----------------------------------
Data queries:
gcp.project.iamPolicy.where: [
  0: gcp.resourcemanager.binding id = luna-dev-262317
]
gcp.project.labels: {}
gcp.project.gke.clusters: []
gcp.compute.instances.where: []
gcp.compute.networks.length: 1

...

Checks:
✓ Pass:  A 100  Ensure oslogin is enabled for compute instances
✓ Pass:  A 100  Ensure that Cloud Storage buckets are not anonymously or publicly accessible
✓ Pass:  A 100  Ensure "Block Project-wide SSH keys" is enabled for VM instances
✓ Pass:  A 100  Ensure that Cloud Storage buckets have uniform bucket-level access enabled
✓ Pass:  A 100  Ensure that instances are not configured to use the default service account
✓ Pass:  A 100  Ensure instances are not configured to use the default service account with full access to all Cloud APIs

Scanned 1 assets

GCP Project
    A GCP project luna-dev-262317

To learn about the command, read cnspec scan gcp.

You can also create your own policies to meet your specific needs. To learn more about policies, read Policies.

Test GCP with the cnspec shell

The cnspec shell is handy for quick checks and tests, or for developing your MQL skills. Its auto-complete and help features guide you in writing checks.

To launch a shell into your GCP environment to run queries and checks, run:

cnspec shell gcp org ORGANIZATION-ID

For PROJECT-ID, substitute the ID of the project you want to explore.

To launch a shell into your GCP environment on the project level, substitute PROJECT-ID with the ID of the project you want to access and run the following command:

cnspec shell gcp project PROJECT-ID

To launch a shell into your GCP environment on the folder level, substitute FOLDER-ID with the ID of the folder you want to access and run the following command:

cnspec shell gcp folder FOLDER-ID

Discover capabilities with the help command

Once inside the shell, use the help command to learn what GCP resources you can test. This command lists all the GCP resources:

help gcp

From the resulting list, you can drill down further. For example, enter this command to list all the GCP service resources you can test:

help gcp.service

From the resulting list, you can drill down even further. You can also learn about available GCP resources in the Mondoo Google Cloud Platform (GCP) Resource Pack Reference.

Run tests in the cnspec shell

Now that you know how to discover what's possible with cnspec, let's run some actual tests in the shell.

Assess Cloud Storage bucket access

This test assures that all Cloud Storage buckets have uniform bucket-level access enabled:

gcp.project.storageService.buckets.all( iamConfiguration['UniformBucketLevelAccess']['Enabled'] == true )

If the test passes (all Cloud Storage buckets have uniform bucket-level access enabled) then cnspec returns ok:

[ok] value: true

If the test fails, (one or more Cloud Storage buckets don't use uniform bucket-level access) then cnspec provides details about the failure:

[failed] [].all()
  actual:   [
    0: gcp.project.storageService.bucket id = luna-bucket-3
  ]

The sample results above show that the luna-bucket-3 storage bucket doesn't use uniform bucket-level access.

Assess Compute Engine access

This test asserts that all Compute Engine instances have OS Login enabled:

gcp.project.computeService.instances.all( metadata['enable-oslogin'] == true )

If one or more instance aren't using OS Login, cnspec lists them:

[failed] [].all()
  actual:   [
    0: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/5894326198680570314
    1: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/7160119628481766684
    2: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/5917688252380140477
    3: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/3877422285743886958
    4: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/3907771157037563687
    5: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/4114342986437780688
    6: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/9121791747047534080
    7: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/2350609386795184202
    8: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/3078531271735985553
    9: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/1236920519697087164
    10: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/6674678823862797263
    11: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/3498829478465908910
  ]

Exit the cnspec shell

To exit the cnspec shell, either press Ctrl + D or type exit.

Learn more about securing Google Cloud

• To learn more about how the MQL query language works, read Write Effective MQL.

• For a list of all the GCP resources and fields you can query, read the Mondoo Google Cloud Platform (GCP) Resource Pack Reference.

• To learn about cnspec commands for Google Cloud, read:

  • cnspec scan gcp

  • cnspec shell gcp

  • cnspec run gcp

  • cnspec vuln gcp

Next step

Learn how to use snapshot scanning to assess GCP instances without affecting your production workload.

---