Google Cloud Security Toolbox

February 22, 2017 Published by Gianluca Brindisi

At Spotify, we actively manage more than 800 Google Cloud Platform projects. As such, maintaining a proper security posture at scale has proven to be a challenging task. In an effort to seamlessly audit and strengthen the security stance of our massive cloud infrastructure, we are investing various resources into building our own tools and methodologies.

As a result of these efforts, we are excited to open source two of our internal tools in the hope of benefiting the community and sharing knowledge.

Both tools are heavily used within Spotify, and we hope other Google Cloud customers find benefit as well. Contributions are enthusiastically welcome!

GCP Audit

Inspired by Scout2, we built a security auditing tool dedicated to the Google Cloud Platform: GCP-Audit.

The tool allows analysts to scan Google Cloud projects to highlight common security issues like inadequate permissions on storage buckets, publicly exposed Compute Engine instances, misconfigured CloudSQL, and more. Issues are defined by an internal rules repository that is designed to be easily expandable.

For example, we believe that in a cloud environment, reducing the number of exposed services is critical to minimize our attack surface and effectively enforce security controls.
Consider the following rule:

{
   "name": "Traffic allowed from all IP's to CloudSQL instance",
   "filters": [{
       "matchtype": "exact",
       "filter": {
         "settings": {
           "ipConfiguration": {
             "authorizedNetworks": [{
               "value": "0.0.0.0/0"
             }]
           }
         }
       }
   }]
}

This rule will find CloudSQL instances that are exposed to 0.0.0.0/0. Rule definitions support either JSON or YAML format, and the GCP-Audit engine will apply the filters defined in the rule to Google’s API responses, then check if there are any concerning differences.
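To make the filter idea concrete, here is an added example (not GCP-Audit's own code) that applies the rule above to constructed objects shaped like CloudSQL instance resources. The matching semantics are an assumption: a filter matches when it is a structural subset of the response, and the names `matches`, `audit` and the sample instances are hypothetical.

```python
import json

# The rule from the post, written with straight quotes so it parses as JSON.
RULE = json.loads("""{
  "name": "Traffic allowed from all IP's to CloudSQL instance",
  "filters": [{"matchtype": "exact", "filter": {"settings": {"ipConfiguration": {
    "authorizedNetworks": [{"value": "0.0.0.0/0"}]}}}}]
}""")

# Constructed sample data shaped like CloudSQL instance resources (not real projects).
INSTANCES = [
    {"name": "orders-db", "settings": {"ipConfiguration": {
        "ipv4Enabled": True,
        "authorizedNetworks": [{"name": "office", "value": "203.0.113.0/24"},
                               {"name": "tmp", "value": "0.0.0.0/0"}]}}},
    {"name": "billing-db", "settings": {"ipConfiguration": {
        "ipv4Enabled": True,
        "authorizedNetworks": [{"name": "office", "value": "203.0.113.0/24"}]}}},
    {"name": "private-db", "settings": {"ipConfiguration": {"ipv4Enabled": False}}},
]

def matches(pattern, obj):
    """Assumed semantics: True when pattern is a structural subset of obj."""
    if isinstance(pattern, dict):
        return isinstance(obj, dict) and all(
            key in obj and matches(value, obj[key]) for key, value in pattern.items())
    if isinstance(pattern, list):
        # Every pattern element must match at least one element of the response list.
        return isinstance(obj, list) and all(
            any(matches(p, item) for item in obj) for p in pattern)
    return pattern == obj  # leaf values are compared for equality

def audit(rule, resources):
    """Return the names of resources matched by any filter in the rule."""
    findings = []
    for res in resources:
        for flt in rule["filters"]:
            if flt["matchtype"] != "exact":
                raise ValueError("unsupported matchtype: " + flt["matchtype"])
            if matches(flt["filter"], res):
                findings.append(res["name"])
                break
    return findings

if __name__ == "__main__":
    for name in audit(RULE, INSTANCES):
        print(f"{RULE['name']}: {name}")
```

An instance with no `authorizedNetworks` key at all does not match, so private-only instances are not flagged by this rule.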

Learn more about it on GitHub: https://github.com/spotify/gcp-audit

GCP-Firewall-Enforcer

We’ve found that monitoring firewall rules across multiple networks of cloud services is burdensome: maintaining a consistent firewalling policy between ephemeral services and a sane audit trail spanning through different projects is a task that does not scale easily. To improve the process and automatically increase our cloud security stance, we’ve built GCP-Firewall-Enforcer.

The goal of this tool is to continuously enforce an audited set of firewall rules across multiple Google Cloud projects. This way, accidental firewall alterations are promptly detected and automatically fixed.

The approach provides multiple benefits: we can automatically mitigate dangerous firewall issues as they happen, as well as easily monitor and investigate network issues. This enabled our security team to maintain control of firewall policies while allowing for reviews by network specialists.

Read more about it on GitHub: https://github.com/spotify/gcp-firewall-enforcer

