Assess Google Cloud Security Compliance with cnspec
cnspec assesses your full GCP environment for misconfigurations that put your organization at risk. You can scan your GCP account for compliance with security policies created by Mondoo or the community, or create your own policies. You also can write individual tests to run on the fly or include in automated tasks.
cnspec can test any aspect of your GCP configuration. For a list of GCP resources you can test, read Mondoo Google Cloud Platform (GCP) Resource Pack Reference and Mondoo Core Resource Pack Reference.
You can also use cnspec with Hashicorp Packer to build secure VM images in Google Cloud.
Connect cnspec with your GCP environment
To test your GCP environment with cnspec, you must have:
Provide access credentials
In your terminal, log into GCP with this command:
gcloud auth login --update-adc
Configure the GCP project you want assess
To test a GCP project, you must set up the project:
$ gcloud config set project PROJECTID
PROJECTID, substitute the ID of the project you want to assess.
GCP confirms the setup:
Updated property [core/project].
To verify your configuration, enter:
gcloud config list
GCP returns results similar to these:
region = us-central1
zone = us-central1-a
account = email@example.com
disable_usage_reporting = True
project = gcp-project-id
region = us-central1
Verify with a quick GCP check
To quickly confirm that cnspec has access to your GCP environment, run this check from your terminal:
cnspec run gcp -c 'gcp.project.id!="foo"'
It asserts that your GCP project ID value is not
[ok] to indicate that the test passed, and includes the actual value of the GCP project ID:
[ok] value: "luna-dev-262317"
You've successfully used cnspec to run your first check on your GCP environment. Now you're ready to explore.
Once you've ensured that cnspec can access your AWS environment, you can begin testing. The method you choose depends on your goals:
- For widescale assessment of your AWS infrastructure, scan using policy bundles. These collections of tests work together to present a broad picture of your AWS security posture.
- To run ad hoc checks against your AWS environment, use cnspec's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnspec and learning MQL.
Assess GCP security with policy-based scanning
The Google Cloud (GCP) Security by Mondoo policy is available to all in Mondoo's cnspec-policies GitHub repo. This collection of tests evaluates how well your environment follows fundamental GCP security best practices. It checks for misconfigurations across your entire GCP infrastructure.
To scan using the Google Cloud (GCP) Security by Mondoo policy, run:
cnspec scan gcp
cnspec finds the default policy for GCP and runs a scan based on that policy. It returns a report summarizing the scan results.:
→ loaded configuration from /Users/suki/.config/mondoo/mondoo.yml using source default
→ using service account credentials
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1
→ connecting to asset GCP project luna-dev-262317 (api)
███████████████████████████████████████████████████████████████████████████ 100% GCP project luna-dev-262317
Asset: GCP project luna-dev-262317
platform.title: "Google Cloud Platform"
name: "Mondoo Client"
Summary (1 assets)
Target: GCP project mondoo-dev-262313
. .. Platform Overview Information by Mondoo
You can also create your own policies to meet your specific needs. To learn more about policies, read Policies.
Test GCP with the cnspec shell
The cnspec shell is handy for quick checks and tests, or for developing your MQL skills. Its auto-complete and help features guide you in writing checks.
To launch a shell into your GCP environment, enter:
cnspec shell gcp
Discover capabilities with the
Once inside the shell, use the
help command to learn what GCP resources you can test. This command lists all the GCP resources:
From the resulting list, you can drill down further. For example, enter this command to list all the GCP service resources you can test:
From the resulting list, you can drill down even further. You can also learn about available GCP resources in the Mondoo Google Cloud Platform (GCP) Resource Pack Reference.
Run tests in the cnspec shell
Now that you know how to discover what's possible with cnspec, let's run some actual tests in the shell.
Assess Cloud Storage bucket access
This test assures that all Cloud Storage buckets have uniform bucket-level access enabled:
gcp.project.storageService.buckets.all( iamConfiguration['UniformBucketLevelAccess']['Enabled'] == true )
If the test passes (all Cloud Storage buckets have uniform bucket-level access enabled) then cnspec returns
[ok] value: true
If the test fails, (one or more Cloud Storage buckets don't use uniform bucket-level access) then cnspec provides details about the failure:
0: gcp.project.storageService.bucket id = luna-bucket-3
The sample results above show that the
luna-bucket-3 storage bucket doesn't use uniform bucket-level access.
Assess Compute Engine access
This test asserts that all Compute Engine instances have OS Login enabled:
gcp.project.computeService.instances.all( metadata['enable-oslogin'] == true )
If one or more instance aren't using OS Login, cnspec lists them:
0: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/5894326198680570314
1: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/7160119628481766684
2: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/5917688252380140477
3: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/3877422285743886958
4: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/3907771157037563687
5: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/4114342986437780688
6: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/9121791747047534080
7: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/2350609386795184202
8: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/3078531271735985553
9: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/1236920519697087164
10: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/6674678823862797263
11: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/3498829478465908910
Exit the cnspec shell
To exit the cnspec shell, either press
Ctrl + D or type
Learn more about securing Google Cloud
- To learn more about how the MQL query language works, read Write Effective MQL.
- For a list of all the GCP resources and fields you can query, read the Mondoo Google Cloud Platform (GCP) Resource Pack Reference.
Learn how you can Build Secure VM Images in Google Cloud with cnspec and HashiCorp Packer.