Skip to main content

Assess Google Cloud Security Compliance with cnspec

cnspec assesses your full GCP environment for misconfigurations that put your organization at risk. You can scan your GCP account for compliance with security policies created by Mondoo or the community, or create your own policies. You also can write individual tests to run on the fly or include in automated tasks.

cnspec can test any aspect of your GCP configuration. For a list of GCP resources you can test, read Mondoo Google Cloud Platform (GCP) Resource Pack Reference and Mondoo Core Resource Pack Reference.

info

You can also use cnspec with Hashicorp Packer to build secure VM images in Google Cloud.

Connect cnspec with your GCP environment

Requirements

To test your GCP environment with cnspec, you must have:

Provide access credentials

In your terminal, log into GCP with this command:

gcloud auth login  --update-adc

Configure the GCP project you want assess

To test a GCP project, you must set up the project:

$ gcloud config set project PROJECTID

For PROJECTID, substitute the ID of the project you want to assess.

GCP confirms the setup:

Updated property [core/project].

To verify your configuration, enter:

gcloud config list

GCP returns results similar to these:

[compute]
region = us-central1
zone = us-central1-a
[core]
account = suki@lunalectric.com
disable_usage_reporting = True
project = gcp-project-id
[run]
region = us-central1

Verify with a quick GCP check

To quickly confirm that cnspec has access to your GCP environment, run this check from your terminal:

cnspec run gcp -c 'gcp.project.id!="foo"'

It asserts that your GCP project ID value is not foo.

cnspec returns [ok] to indicate that the test passed, and includes the actual value of the GCP project ID:

[ok] value: "luna-dev-262317"

You've successfully used cnspec to run your first check on your GCP environment. Now you're ready to explore.

Once you've ensured that cnspec can access your AWS environment, you can begin testing. The method you choose depends on your goals:

  • For widescale assessment of your AWS infrastructure, scan using policy bundles. These collections of tests work together to present a broad picture of your AWS security posture.
  • To run ad hoc checks against your AWS environment, use cnspec's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnspec and learning MQL.

Assess GCP security with policy-based scanning

The Google Cloud (GCP) Security by Mondoo policy is available to all in Mondoo's cnspec-policies GitHub repo. This collection of tests evaluates how well your environment follows fundamental GCP security best practices. It checks for misconfigurations across your entire GCP infrastructure.

To scan using the Google Cloud (GCP) Security by Mondoo policy, run:

cnspec scan gcp

cnspec finds the default policy for GCP and runs a scan based on that policy. It returns a report summarizing the scan results.:

→ loaded configuration from /Users/suki/.config/mondoo/mondoo.yml using source default
→ using service account credentials
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1
→ connecting to asset GCP project luna-dev-262317 (api)

███████████████████████████████████████████████████████████████████████████ 100% GCP project luna-dev-262317


Asset: GCP project luna-dev-262317
====================================
Data queries:
platform.title: "Google Cloud Platform"
platform.release: ""
mondoo.jobEnvironment: {
  id: "client.mondoo.com"
  name: "Mondoo Client"
}
platform.arch: ""
mondoo.version: "7.14.0"

Controls:


Summary (1 assets)
==================

Target:     GCP project mondoo-dev-262313
Datapoints: 5

Policies:
.  ..  Platform Overview Information by Mondoo

You can also create your own policies to meet your specific needs. To learn more about policies, read Policies.

Test GCP with the cnspec shell

The cnspec shell is handy for quick checks and tests, or for developing your MQL skills. Its auto-complete and help features guide you in writing checks.

To launch a shell into your GCP environment, enter:

cnspec shell gcp

Discover capabilities with the help command

Once inside the shell, use the help command to learn what GCP resources you can test. This command lists all the GCP resources:

help gcp

From the resulting list, you can drill down further. For example, enter this command to list all the GCP service resources you can test:

help gcp.service

From the resulting list, you can drill down even further. You can also learn about available GCP resources in the Mondoo Google Cloud Platform (GCP) Resource Pack Reference.

Run tests in the cnspec shell

Now that you know how to discover what's possible with cnspec, let's run some actual tests in the shell.

Assess Cloud Storage bucket access

This test assures that all Cloud Storage buckets have uniform bucket-level access enabled:

gcp.project.storageService.buckets.all( iamConfiguration['UniformBucketLevelAccess']['Enabled'] == true )

If the test passes (all Cloud Storage buckets have uniform bucket-level access enabled) then cnspec returns ok:

[ok] value: true

If the test fails, (one or more Cloud Storage buckets don't use uniform bucket-level access) then cnspec provides details about the failure:

[failed] [].all()
  actual:   [
    0: gcp.project.storageService.bucket id = luna-bucket-3
  ]

The sample results above show that the luna-bucket-3 storage bucket doesn't use uniform bucket-level access.

Assess Compute Engine access

This test asserts that all Compute Engine instances have OS Login enabled:

gcp.project.computeService.instances.all( metadata['enable-oslogin'] == true )

If one or more instance aren't using OS Login, cnspec lists them:

[failed] [].all()
  actual:   [
    0: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/5894326198680570314
    1: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/7160119628481766684
    2: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/5917688252380140477
    3: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/3877422285743886958
    4: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/3907771157037563687
    5: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/4114342986437780688
    6: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/9121791747047534080
    7: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/2350609386795184202
    8: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/3078531271735985553
    9: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/1236920519697087164
    10: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/6674678823862797263
    11: gcp.project.computeService.instance id = gcp.project.computeService.instance/luna-dev-262313/3498829478465908910
  ]

Exit the cnspec shell

To exit the cnspec shell, either press Ctrl + D or type exit.

Learn more about securing Google Cloud

Next step

Learn how you can Build Secure VM Images in Google Cloud with cnspec and HashiCorp Packer.