GCP Security Services: Comprehensive Security Controls

Master Google Cloud's security services. Learn about Identity and Access Management (IAM), Cloud KMS, Security Command Center, Cloud Armor, and best practices for securing your cloud infrastructure.

March 3, 2024
Technical Writer
5 min read

Google Cloud Platform provides a robust set of security services to protect your applications and data. This guide covers key security services and implementation best practices.

Security Architecture Overview

```mermaid
graph TB
    subgraph Security["Security Services"]
        direction TB
        subgraph Identity["Identity & Access"]
            direction LR
            IAM["Cloud IAM"]
            IDS["Identity Services"]
            ORG["Organization Policy"]
        end
        subgraph DataSecurity["Data Security"]
            direction LR
            KMS["Cloud KMS"]
            DLP["Cloud DLP"]
            SECRETS["Secret Manager"]
        end
        subgraph NetworkSecurity["Network Security"]
            direction LR
            ARMOR["Cloud Armor"]
            FW["Firewall"]
            VPC["VPC Service Controls"]
        end
    end
    subgraph Monitoring["Security Monitoring"]
        direction TB
        SCC["Security Command Center"]
        AUDIT["Cloud Audit Logs"]
        THREAT["Threat Detection"]
    end
    Security --> Monitoring
    classDef primary fill:#4285f4,stroke:#666,stroke-width:2px,color:#fff
    classDef secondary fill:#34a853,stroke:#666,stroke-width:2px,color:#fff
    classDef tertiary fill:#fbbc05,stroke:#666,stroke-width:2px,color:#fff
    class Security,Identity primary
    class DataSecurity,NetworkSecurity secondary
    class Monitoring tertiary
```

Identity and Access Management (IAM)

1. Role Management

```yaml
# roles.yaml
# Custom role definition in the file format accepted by
#   gcloud iam roles create custom.developer --project=my-project --file=roles.yaml
# A custom role is only as tight as its permission list: keep it to the
# read-only permissions the job actually needs and add more deliberately.
title: "Custom Developer Role"
description: "Custom role for developers"
stage: "GA"
includedPermissions:
- compute.instances.get
- compute.instances.list
- storage.objects.get
- storage.objects.list
```

2. Service Account Configuration

```bash
# Create the service account
gcloud iam service-accounts create my-sa \
  --project=my-project \
  --display-name="My Service Account"

# Grant one narrowly scoped role; never a basic role (owner/editor/viewer)
gcloud projects add-iam-policy-binding my-project \
  --member="serviceAccount:my-sa@my-project.iam.gserviceaccount.com" \
  --role="roles/storage.objectViewer"

# Create and download a user-managed key. Only do this when nothing better is
# available: the file is a long-lived credential that never expires, and leaked
# key files are a frequent source of GCP credential compromise. Prefer service
# accounts attached to the workload, Workload Identity, or short-lived
# impersonation tokens, and consider blocking this command organisation-wide
# with the org policy constraints/iam.disableServiceAccountKeyCreation.
gcloud iam service-accounts keys create key.json \
  --iam-account=my-sa@my-project.iam.gserviceaccount.com
```
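
A least-privilege review usually starts from the project's effective IAM policy rather than from the commands that built it. The script below is an added example, not code from the original page: it reads the JSON that `gcloud projects get-iam-policy my-project --format=json` prints and flags the bindings a reviewer should look at first. The embedded policy is constructed for the demonstration, and the role sets are a starting point I chose, not an exhaustive list.

```python
# iam_policy_audit.py  (added example; not from the original page)
# Reviews a project IAM policy for the bindings that break least privilege.
# Usage: gcloud projects get-iam-policy my-project --format=json | python iam_policy_audit.py
import json
import sys

# Basic roles bundle thousands of permissions; predefined or custom roles are the fix.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Roles that let a principal act as another identity (privilege-escalation paths).
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountKeyAdmin",
}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit_policy(policy):
    """Return (severity, role, member, reason) tuples, highest severity first."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        conditional = "condition" in binding
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(("HIGH", role, member, "granted to everyone on the internet"))
            elif role in BASIC_ROLES:
                findings.append(("HIGH", role, member, "basic role; replace with a narrower role"))
            elif role in IMPERSONATION_ROLES:
                findings.append(("MEDIUM", role, member, "can impersonate service accounts"))
            elif member.startswith("user:") and member.endswith("@gmail.com"):
                findings.append(("MEDIUM", role, member, "consumer account outside the organisation"))
            elif conditional:
                # Conditional bindings are fine, but a reviewer should read the CEL.
                findings.append(("INFO", role, member, "conditional binding; verify the condition"))
    order = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1], f[2]))


# Constructed sample, shaped like the output of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "version": 3,
  "bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers", "serviceAccount:my-sa@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator", "members": ["user:dev@example.com"]},
    {"role": "roles/compute.viewer", "members": ["user:contractor@gmail.com"]},
    {"role": "roles/compute.admin", "members": ["user:oncall@example.com"],
     "condition": {"title": "business-hours",
                   "expression": "request.time.getHours('America/New_York') >= 9"}}
  ]
}
""")

if __name__ == "__main__":
    policy = SAMPLE_POLICY if sys.stdin.isatty() else json.load(sys.stdin)
    for severity, role, member, reason in audit_policy(policy):
        print(f"{severity:6} {role:45} {member:60} {reason}")
```

Run it against every project from a scheduled job and diff the output; new HIGH lines are the access-review items. The binding for `my-sa` itself produces no finding, which is the point of granting it a single predefined role.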

Cloud Key Management Service (KMS)

1. Key Configuration

```bash
# Create a key ring. Key rings cannot be deleted, so choose the name and
# location deliberately; a regional location (e.g. us-east1) keeps key material
# inside a data-residency boundary, "global" does not.
gcloud kms keyrings create my-keyring \
  --location=global

# Create a symmetric encryption key with automatic rotation every 90 days.
# Rotation adds a new primary version for new encryptions; older versions stay
# enabled so existing ciphertext can still be decrypted.
gcloud kms keys create my-key \
  --keyring=my-keyring \
  --location=global \
  --purpose=encryption \
  --rotation-period=90d \
  --next-rotation-time=2024-06-01T12:00:00Z
```

2. Data Encryption

```python
# encryption.py
from google.cloud import kms


def encrypt_data(project_id, location_id, keyring_id, key_id, plaintext):
    """Encrypt a short string with a Cloud KMS symmetric key.

    KMS encrypt accepts at most 64 KiB of plaintext; for larger payloads use
    envelope encryption (encrypt the data locally with a data key and send only
    the data key to KMS).
    """
    client = kms.KeyManagementServiceClient()
    key_name = client.crypto_key_path(project_id, location_id, keyring_id, key_id)
    encrypt_response = client.encrypt(
        request={
            'name': key_name,
            'plaintext': plaintext.encode('utf-8'),
        }
    )
    # The response also carries ciphertext_crc32c; comparing it with a locally
    # computed CRC32C of the ciphertext detects corruption in transit.
    return encrypt_response.ciphertext


def decrypt_data(project_id, location_id, keyring_id, key_id, ciphertext):
    """Decrypt ciphertext produced by encrypt_data.

    KMS selects the key version from the ciphertext itself, so data encrypted
    before a rotation still decrypts.
    """
    client = kms.KeyManagementServiceClient()
    key_name = client.crypto_key_path(project_id, location_id, keyring_id, key_id)
    decrypt_response = client.decrypt(
        request={'name': key_name, 'ciphertext': ciphertext}
    )
    return decrypt_response.plaintext.decode('utf-8')
```
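
KMS accepts a `plaintext_crc32c` with each encrypt request and returns `ciphertext_crc32c` and `verified_plaintext_crc32c` with each response, so a client can prove neither leg was corrupted in transit. The block below is an added example, not code from the original page: it implements CRC-32C in pure Python so the check is unit-testable offline, builds the request dict the real client accepts, and verifies a response. The response and ciphertext bytes are constructed stand-ins; with the real client the same fields come back on the `EncryptResponse` message.

```python
# kms_integrity.py  (added example; not from the original page)
# Integrity checks around Cloud KMS encrypt, mirroring what the official client
# samples do. In production the google-crc32c package computes the same
# checksum far faster; this bitwise version exists so the logic runs anywhere.


def crc32c(data: bytes) -> int:
    """CRC-32C (Castagnoli): reflected polynomial 0x82F63B78, init and xorout 0xFFFFFFFF."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def build_encrypt_request(key_name: str, plaintext: bytes) -> dict:
    """Request dict for KeyManagementServiceClient.encrypt(request=...)."""
    if len(plaintext) > 64 * 1024:
        raise ValueError("KMS encrypt takes at most 64 KiB; use envelope encryption")
    return {"name": key_name, "plaintext": plaintext, "plaintext_crc32c": crc32c(plaintext)}


def verify_encrypt_response(response: dict) -> bytes:
    """Return the ciphertext only if both integrity checks pass.

    `response` mirrors the EncryptResponse fields; with the real client read
    int(resp.ciphertext_crc32c) and bool(resp.verified_plaintext_crc32c).
    """
    if not response.get("verified_plaintext_crc32c"):
        raise ValueError("KMS did not confirm plaintext_crc32c: request corrupted in transit")
    ciphertext = response["ciphertext"]
    if crc32c(ciphertext) != response["ciphertext_crc32c"]:
        raise ValueError("ciphertext_crc32c mismatch: response corrupted in transit")
    return ciphertext


def response_is_intact(response: dict) -> bool:
    """Boolean form of verify_encrypt_response for callers that only need a yes/no."""
    try:
        verify_encrypt_response(response)
        return True
    except ValueError:
        return False


# Constructed stand-ins for a real response (the ciphertext bytes are arbitrary).
KEY_NAME = "projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key"
CIPHERTEXT = bytes(range(0x20, 0x40))
GOOD_RESPONSE = {
    "name": KEY_NAME,
    "ciphertext": CIPHERTEXT,
    "ciphertext_crc32c": crc32c(CIPHERTEXT),
    "verified_plaintext_crc32c": True,
}
# One flipped byte, the kind of damage a transport error produces.
CORRUPT_RESPONSE = dict(GOOD_RESPONSE, ciphertext=CIPHERTEXT[:5] + b"\x00" + CIPHERTEXT[6:])
```

A failed check should be treated as a retryable transport error, not ignored: storing ciphertext that did not match its checksum means data that can never be decrypted.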

Cloud DLP (Data Loss Prevention)

1. Content Inspection

```python
# dlp_inspection.py
from google.cloud import dlp_v2


def inspect_string(project_id, text_content, info_types):
    """Inspect a string for the given infoTypes, e.g. ["EMAIL_ADDRESS", "CREDIT_CARD_NUMBER"]."""
    client = dlp_v2.DlpServiceClient()
    parent = f"projects/{project_id}/locations/global"
    inspect_config = {
        "info_types": [{"name": info_type} for info_type in info_types]
    }
    item = {"value": text_content}
    response = client.inspect_content(
        request={
            "parent": parent,
            "inspect_config": inspect_config,
            "item": item
        }
    )
    # response.result.findings has one entry per match with info_type,
    # likelihood and location. Matched text is only returned when
    # inspect_config sets include_quote, so keep it off if this output is logged.
    return response.result
```

2. Data Masking

```python
# dlp_redaction.py
from google.cloud import dlp_v2


def redact_info_types(project_id, text_content, info_types):
    """Replace every match of the given infoTypes with [REDACTED].

    A transformation that names no info_types of its own applies to every
    infoType listed in inspect_config. For true masking (keep the last four
    digits of a card number, say) use character_mask_config instead of
    replace_config.
    """
    client = dlp_v2.DlpServiceClient()
    parent = f"projects/{project_id}/locations/global"
    deidentify_config = {
        "info_type_transformations": {
            "transformations": [{
                "primitive_transformation": {
                    "replace_config": {
                        "new_value": {"string_value": "[REDACTED]"}
                    }
                }
            }]
        }
    }
    inspect_config = {
        "info_types": [{"name": info_type} for info_type in info_types]
    }
    item = {"value": text_content}
    response = client.deidentify_content(
        request={
            "parent": parent,
            "deidentify_config": deidentify_config,
            "inspect_config": inspect_config,
            "item": item
        }
    )
    return response.item.value
```
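
Both DLP calls above need the API, so they are hard to unit-test and too slow to run on every log line. The block below is an added example, not from the original page and not the DLP API: an offline detector for the three infoTypes these functions are usually run with (EMAIL_ADDRESS, PHONE_NUMBER, CREDIT_CARD_NUMBER) that produces the same redacted output shape. Like DLP, it refuses to call a digit run a card number unless the Luhn checksum passes, so order IDs and timestamps are not flagged. The regular expressions are mine and deliberately narrow; the sample record is constructed.

```python
# local_pii_check.py  (added example; not from the original page and not the DLP API)
# A fast pre-check for CI or a log pipeline; DLP's own detectors are far richer.
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# North-American phone shapes only; DLP's PHONE_NUMBER is locale-aware.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str):
    """Return (info_type, start, end, quote) tuples in order of appearance."""
    hits = []
    for m in EMAIL_RE.finditer(text):
        hits.append(("EMAIL_ADDRESS", m.start(), m.end(), m.group()))
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append(("CREDIT_CARD_NUMBER", m.start(), m.end(), m.group()))
    for m in PHONE_RE.finditer(text):
        # A phone-shaped run inside a detected card number is the card, not a phone.
        if not any(s <= m.start() < e for _, s, e, _ in hits):
            hits.append(("PHONE_NUMBER", m.start(), m.end(), m.group()))
    return sorted(hits, key=lambda h: h[1])


def redact(text: str, replacement: str = "[REDACTED]") -> str:
    """Replace every detected span, the same outcome as the replace_config above."""
    out, last = [], 0
    for _, start, end, _ in find_sensitive(text):
        out.append(text[last:start])
        out.append(replacement)
        last = end
    out.append(text[last:])
    return "".join(out)


# Constructed sample: 4111 1111 1111 1111 passes Luhn, 1234 5678 9012 3456 does not.
SAMPLE = ("Contact jane.doe@example.com or (415) 555-0132; "
          "card 4111 1111 1111 1111, not order 1234 5678 9012 3456.")
```

Use the local check to fail a build or drop a log line early, and keep DLP for the authoritative scan; anything the local patterns miss (IBANs, national IDs, free-text names) is exactly what the managed detectors exist for.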

Security Command Center

1. Security Sources Configuration

```yaml
# security-sources.yaml
# Descriptive only: SCC sources are created through the API
# (organizations.sources.create with a displayName and description), and a
# finding's category is a free-form string set when the finding is created.
securitySources:
- displayName: "Custom Security Source"
  description: "Custom security findings source"
  finding_categories:
  - category_id: "CUSTOM_VULNERABILITY"
    display_name: "Custom Vulnerability"
    description: "Custom vulnerability finding"
    severity: HIGH
```

2. Custom Finding Creation

```python
# security_findings.py
import datetime

from google.cloud import securitycenter_v1


def create_finding(organization_id, source_id, finding_id, resource_name):
    """Create an ACTIVE finding under a custom SCC source.

    resource_name is the full name of the affected resource, e.g.
    "//cloudresourcemanager.googleapis.com/projects/12345". finding_id is
    chosen by the caller: alphanumeric, at most 32 characters and unique
    within the source.
    """
    client = securitycenter_v1.SecurityCenterClient()
    source_name = client.source_path(organization_id, source_id)
    finding = securitycenter_v1.Finding(
        state=securitycenter_v1.Finding.State.ACTIVE,
        resource_name=resource_name,
        category="CUSTOM_VULNERABILITY",
        severity=securitycenter_v1.Finding.Severity.HIGH,
        # When the finding was observed; an aware datetime becomes a Timestamp.
        event_time=datetime.datetime.now(tz=datetime.timezone.utc),
        source_properties={
            "criticality": "HIGH",
            "custom_field": "custom_value",
        },
    )
    created_finding = client.create_finding(
        request={
            "parent": source_name,
            "finding_id": finding_id,
            "finding": finding,
        }
    )
    return created_finding
```

Cloud Armor

1. Security Policy

```yaml
# security-policy.yaml
# Rules are evaluated from the lowest priority number upward and the first
# match wins; every policy ends with a default rule at priority 2147483647.
# Source-IP rules use the versioned SRC_IPS_V1 matcher; anything else is a CEL
# expression under match.expr.expression. The source address is the client
# address as seen by the load balancer, so a private range like 10.0.0.0/8
# only makes sense behind an internal load balancer.
securityPolicies:
- name: my-security-policy
  rules:
  - priority: 1000
    action: allow
    description: "Allow trusted ranges"
    match:
      versionedExpr: SRC_IPS_V1
      config:
        srcIpRanges: ["10.0.0.0/8"]
  - priority: 2000
    action: deny(403)
    description: "Block a known bad user agent and XSS payloads"
    match:
      expr:
        expression: >-
          request.headers['user-agent'].contains('BadBot') ||
          evaluatePreconfiguredExpr('xss-v33-stable')
  - priority: 2147483647
    action: allow
    description: "Default rule"
    match:
      versionedExpr: SRC_IPS_V1
      config:
        srcIpRanges: ["*"]
```

2. WAF Configuration

```bash
# Create the policy
gcloud compute security-policies create waf-policy \
  --description="WAF security policy"

# Add a preconfigured XSS rule in preview mode first: matches are logged
# (previewSecurityPolicy in the load balancer logs) but not blocked, which is
# how you find false positives before enforcing. The preconfigured rule set is
# named xss-v33-stable, not xss.
gcloud compute security-policies rules create 1000 \
  --security-policy=waf-policy \
  --expression="evaluatePreconfiguredExpr('xss-v33-stable')" \
  --action=deny-403 \
  --description="Block XSS attacks" \
  --preview

# Once tuned, switch the rule to enforcing (rules update 1000 ... --no-preview)
# and attach the policy to a backend service; it has no effect until attached
# (gcloud compute backend-services update ... --security-policy=waf-policy).
```
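
Preview mode only pays off if someone reads the logs before flipping the rule to enforcing. The block below is an added example, not code from the original page: it summarises load balancer log entries exported as newline-delimited JSON (`resource.type="http_load_balancer"`) by what the preview rule would have denied, per rule, per preconfigured signature, per client and per path, and names the signatures that fired on paths you know are benign. The entries are constructed and trimmed to the fields read; the field names follow the load balancer log schema (`jsonPayload.enforcedSecurityPolicy` and `previewSecurityPolicy`) as I know it, so check them against your own export.

```python
# armor_preview_report.py  (added example; not from the original page)
import json
from collections import Counter, defaultdict
from urllib.parse import urlsplit

DEFAULT_ALLOW = {"name": "waf-policy", "outcome": "ACCEPT",
                 "priority": 2147483647, "configuredAction": "ALLOW"}


def _entry(ip, url, status, enforced, preview=None, exprs=()):
    """Build one log entry (constructed sample data)."""
    payload = {"enforcedSecurityPolicy": enforced}
    if preview is not None:
        payload["previewSecurityPolicy"] = {
            "name": "waf-policy", "outcome": "DENY", "priority": preview,
            "configuredAction": "DENY", "preconfiguredExprIds": list(exprs)}
    return json.dumps({"httpRequest": {"remoteIp": ip, "requestUrl": url, "status": status},
                       "jsonPayload": payload})


SAMPLE_LOG = "\n".join([
    _entry("203.0.113.7", "https://shop.example.com/search?q=%3Cscript%3Ealert(1)%3C/script%3E", 200,
           DEFAULT_ALLOW, preview=1000, exprs=["owasp-crs-v030301-id941100-xss"]),
    _entry("198.51.100.9", "https://shop.example.com/api/health?probe=%3Cok%3E", 200,
           DEFAULT_ALLOW, preview=1000, exprs=["owasp-crs-v030301-id941320-xss"]),
    _entry("203.0.113.7", "https://shop.example.com/login", 403,
           {"name": "waf-policy", "outcome": "DENY", "priority": 2000, "configuredAction": "DENY"}),
    _entry("192.0.2.44", "https://shop.example.com/", 200, DEFAULT_ALLOW),
    _entry("203.0.113.7", "https://shop.example.com/search?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E", 200,
           DEFAULT_ALLOW, preview=1000,
           exprs=["owasp-crs-v030301-id941100-xss", "owasp-crs-v030301-id941110-xss"]),
])


def preview_report(ndjson: str) -> dict:
    """Count would-be denies per preview rule, signature, client and path, plus real denies."""
    by_rule, by_signature, by_client = Counter(), Counter(), Counter()
    rule_paths, signature_paths = defaultdict(set), defaultdict(set)
    enforced_denies = 0
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        payload = entry.get("jsonPayload", {})
        if payload.get("enforcedSecurityPolicy", {}).get("outcome") == "DENY":
            enforced_denies += 1
        preview = payload.get("previewSecurityPolicy")
        if not preview or preview.get("outcome") != "DENY":
            continue
        path = urlsplit(entry["httpRequest"]["requestUrl"]).path
        by_rule[preview["priority"]] += 1
        by_client[entry["httpRequest"]["remoteIp"]] += 1
        rule_paths[preview["priority"]].add(path)
        for expr_id in preview.get("preconfiguredExprIds", []):
            by_signature[expr_id] += 1
            signature_paths[expr_id].add(path)
    return {
        "enforced_denies": enforced_denies,
        "would_deny": dict(by_rule),
        "by_signature": dict(by_signature),
        "by_client": dict(by_client),
        "rule_paths": {p: sorted(v) for p, v in rule_paths.items()},
        "signature_paths": {s: sorted(v) for s, v in signature_paths.items()},
    }


def noisy_signatures(report: dict, benign_paths) -> list:
    """Signatures that fired on paths known to be benign: candidates for opt_out_rule_ids."""
    benign = set(benign_paths)
    return sorted(s for s, paths in report["signature_paths"].items() if benign & set(paths))
```

In the sample the health-check probe trips one XSS signature; rather than weakening the whole rule, exclude that single signature with `evaluatePreconfiguredWaf('xss-v33-stable', {'opt_out_rule_ids': [...]})` (or lower the sensitivity) and re-run the report before removing `--preview`.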

VPC Service Controls

1. Service Perimeter

```yaml
# service-perimeter.yaml
# Perimeter in the shape of the Access Context Manager API. Once a service is
# restricted, requests to it for projects inside the perimeter must come from
# inside (or from an ingress policy like the one below), even with valid
# credentials, which is what stops data exfiltration. Roll out in dry-run
# mode first (same content under "spec" with useExplicitDryRunSpec: true) so
# violations are logged but not blocked.
servicePerimeter:
  name: "accessPolicies/12345/servicePerimeters/my_perimeter"
  title: "My Service Perimeter"
  description: "Perimeter for sensitive services"
  status:
    resources:
    - "projects/12345"
    restrictedServices:
    - "storage.googleapis.com"
    - "bigquery.googleapis.com"
    ingressPolicies:
    - ingressFrom:
        sources:
        - accessLevel: "accessPolicies/12345/accessLevels/trusted_networks"
        # ANY_IDENTITY admits every principal that satisfies the access level;
        # narrow it to an "identities" list when you can.
        identityType: ANY_IDENTITY
      ingressTo:
        operations:
        - serviceName: "storage.googleapis.com"
          methodSelectors:
          - method: "google.storage.objects.get"
        # Perimeter projects this rule opens; "*" means all of them.
        resources:
        - "*"
```

2. Access Level Configuration

```yaml
# access-level.yaml
# Basic access level. Every attribute inside one condition must match, and
# the conditions list is combined with combiningFunction (AND unless set to
# OR). Addresses are the caller's as seen by Google's front ends (office or
# NAT egress ranges), not VPC-internal ones. devicePolicy conditions need
# Endpoint Verification on the client to report device state.
accessLevel:
  name: "accessPolicies/12345/accessLevels/trusted_networks"
  title: "Trusted Networks"
  basic:
    conditions:
    - ipSubnetworks:
      - "10.0.0.0/8"
      devicePolicy:
        requireScreenLock: true
        allowedEncryptionStatuses: ["ENCRYPTED"]
      regions:
      - "US"
```

Security Monitoring

1. Audit Logging

```bash
# Admin Activity audit logs are always on. Data Access audit logs (reads of
# data, e.g. storage.objects.get) are off by default and are enabled in the
# auditConfigs section of the project, folder or organization IAM policy, not
# through a role grant. The binding below only lets the admin manage logging
# configuration such as sinks.
gcloud organizations add-iam-policy-binding 12345 \
  --member="user:admin@example.com" \
  --role="roles/logging.configWriter"

# Export audit logs to a bucket you control for retention and offline
# analysis. The filter matches all audit log types; resource.type=audit_log is
# not a valid filter.
gcloud logging sinks create my-sink \
  storage.googleapis.com/my-audit-logs \
  --log-filter='logName:"cloudaudit.googleapis.com"'
# The command prints the sink's writer identity (a service account); grant it
# roles/storage.objectCreator on the bucket or nothing will be exported.
```
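
Exported audit logs are only useful if something reads them. The block below is an added example, not code from the original page: a few detections run over Cloud Audit Log entries in the newline-delimited JSON the sink writes, covering the changes an attacker with a foothold makes first (granting basic roles or public access, minting a service account key, and silencing logging). The entries are constructed and trimmed to the fields read; the paths used (`protoPayload.methodName`, `authenticationInfo.principalEmail`, `serviceData.policyDelta.bindingDeltas`) are those of the AuditLog payload.

```python
# audit_log_detections.py  (added example; not from the original page)
import json

BASIC_ROLES = {"roles/owner", "roles/editor"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
IMPERSONATION_ROLES = {"roles/iam.serviceAccountTokenCreator", "roles/iam.serviceAccountKeyAdmin"}
# Changing or removing a sink, or adding an exclusion, silences the logs an attacker leaves.
LOGGING_TAMPER_METHODS = {
    "google.logging.v2.ConfigServiceV2.DeleteSink",
    "google.logging.v2.ConfigServiceV2.UpdateSink",
    "google.logging.v2.ConfigServiceV2.CreateExclusion",
}


def _entry(service, method, principal, resource, deltas=None):
    """Build one audit log line (constructed sample data)."""
    payload = {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
               "serviceName": service, "methodName": method, "resourceName": resource,
               "authenticationInfo": {"principalEmail": principal}}
    if deltas is not None:
        payload["serviceData"] = {"policyDelta": {"bindingDeltas": deltas}}
    return json.dumps({"protoPayload": payload,
                       "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity"})


SAMPLE_LOG = "\n".join([
    _entry("cloudresourcemanager.googleapis.com", "SetIamPolicy", "admin@example.com", "projects/my-project",
           deltas=[{"action": "ADD", "role": "roles/owner", "member": "user:new-admin@example.com"}]),
    _entry("storage.googleapis.com", "storage.setIamPermissions", "dev@example.com",
           "projects/_/buckets/site-assets",
           deltas=[{"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"}]),
    _entry("iam.googleapis.com", "google.iam.admin.v1.CreateServiceAccountKey", "dev@example.com",
           "projects/my-project/serviceAccounts/my-sa@my-project.iam.gserviceaccount.com"),
    _entry("logging.googleapis.com", "google.logging.v2.ConfigServiceV2.DeleteSink", "admin@example.com",
           "projects/my-project/sinks/my-sink"),
    _entry("compute.googleapis.com", "v1.compute.instances.list",
           "my-sa@my-project.iam.gserviceaccount.com", "projects/my-project/zones/us-central1-a/instances"),
    _entry("cloudresourcemanager.googleapis.com", "SetIamPolicy", "admin@example.com", "projects/my-project",
           deltas=[{"action": "REMOVE", "role": "roles/owner", "member": "user:former-admin@example.com"}]),
])


def detect(ndjson: str) -> list:
    """Return (rule, principal, detail) for each entry that trips a detection."""
    alerts = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        p = json.loads(line).get("protoPayload", {})
        method = p.get("methodName", "")
        principal = p.get("authenticationInfo", {}).get("principalEmail", "unknown")
        resource = p.get("resourceName", "")
        if "setiam" in method.lower():   # SetIamPolicy, storage.setIamPermissions, ...
            for delta in p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", []):
                if delta.get("action") != "ADD":
                    continue  # removals are not escalations
                role, member = delta.get("role", ""), delta.get("member", "")
                detail = f"{role} -> {member} on {resource}"
                if member in PUBLIC_MEMBERS:
                    alerts.append(("public_grant", principal, detail))
                elif role in BASIC_ROLES:
                    alerts.append(("basic_role_grant", principal, detail))
                elif role in IMPERSONATION_ROLES:
                    alerts.append(("impersonation_grant", principal, detail))
        elif method == "google.iam.admin.v1.CreateServiceAccountKey":
            alerts.append(("sa_key_created", principal, resource))
        elif method in LOGGING_TAMPER_METHODS:
            alerts.append(("logging_config_change", principal, f"{method} on {resource}"))
    return alerts
```

Each rule here maps directly onto a Cloud Logging filter if you prefer to alert from a log-based metric instead of a batch job; the batch form is easier to test, which is why it is shown.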

2. Alert Configuration

```yaml
# alert-policy.yaml
# A Cloud Monitoring alert policy can only threshold on a metric, so a filter
# such as resource.type="organization" AND severity="HIGH" is not accepted.
# Assumed setup: a log-based counter metric named scc_high_findings over the
# SCC findings exported to Cloud Logging. The more direct route is an SCC
# notification config that publishes matching findings to Pub/Sub
# (gcloud scc notifications create ... --pubsub-topic=... --filter='severity="HIGH"')
# with a handler on the topic. Apply with
#   gcloud alpha monitoring policies create --policy-from-file=alert-policy.yaml
displayName: "High Severity Finding Alert"
combiner: OR
conditions:
- displayName: "SCC High Severity Finding"
  conditionThreshold:
    filter: 'metric.type="logging.googleapis.com/user/scc_high_findings"'
    comparison: COMPARISON_GT
    thresholdValue: 0
    duration: 0s
    aggregations:
    - alignmentPeriod: 60s
      perSeriesAligner: ALIGN_DELTA
notificationChannels:
- "projects/my-project/notificationChannels/12345"
```
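
Whether findings come from the custom source created earlier or from Security Command Center's own detectors, the Pub/Sub route needs a handler, and that handler is where triage policy lives. The block below is an added example, not code from the original page: it decodes a Pub/Sub push body, drops redeliveries (Pub/Sub delivers at least once, so the same finding notification can arrive twice) and maps severity, category and state to an action. The push bodies are constructed; the payload shape (`notificationConfigName` plus a `finding` with `name`, `category`, `severity`, `state`, `resourceName`, `eventTime`) is the one SCC publishes, and the category set that always pages is my choice.

```python
# scc_triage.py  (added example; not from the original page)
import base64
import json

# Categories that warrant a page regardless of the severity label.
PAGE_CATEGORIES = {"PUBLIC_BUCKET_ACL", "OPEN_FIREWALL", "SQL_PUBLIC_IP"}


class FindingTriage:
    def __init__(self):
        self.seen = set()   # (finding name, eventTime) pairs already handled

    def handle_push(self, body: dict) -> dict:
        """Decode one Pub/Sub push body and decide what to do with the finding."""
        payload = json.loads(base64.b64decode(body["message"]["data"]))
        finding = payload["finding"]
        key = (finding["name"], finding.get("eventTime"))
        result = {"finding": finding["name"], "category": finding.get("category"),
                  "resource": finding.get("resourceName")}
        if key in self.seen:
            return dict(result, action="ignore", reason="duplicate delivery")
        self.seen.add(key)
        if finding.get("state") != "ACTIVE":
            action = "close_ticket"          # resolved or muted finding
        elif finding.get("severity") in ("CRITICAL", "HIGH") or finding.get("category") in PAGE_CATEGORIES:
            action = "page"
        elif finding.get("severity") == "MEDIUM":
            action = "ticket"
        else:
            action = "log"
        return dict(result, action=action)


def push_body(finding: dict, message_id: str) -> dict:
    """Wrap a finding the way a push subscription delivers it (constructed)."""
    data = json.dumps({"notificationConfigName": "organizations/12345/notificationConfigs/scc-findings",
                       "finding": finding}).encode()
    return {"message": {"data": base64.b64encode(data).decode(), "messageId": message_id},
            "subscription": "projects/my-project/subscriptions/scc-push"}


def _finding(fid, category, severity, state, event_time):
    return {"name": f"organizations/12345/sources/6789/findings/{fid}", "category": category,
            "severity": severity, "state": state, "eventTime": event_time,
            "resourceName": "//storage.googleapis.com/projects/_/buckets/site-assets"}


# Constructed delivery sequence; the third message is a redelivery of the first.
SAMPLE_DELIVERIES = [
    push_body(_finding("f1", "PUBLIC_BUCKET_ACL", "HIGH", "ACTIVE", "2024-03-01T10:00:00Z"), "101"),
    push_body(_finding("f2", "WEAK_SSL_POLICY", "MEDIUM", "ACTIVE", "2024-03-01T10:01:00Z"), "102"),
    push_body(_finding("f1", "PUBLIC_BUCKET_ACL", "HIGH", "ACTIVE", "2024-03-01T10:00:00Z"), "101"),
    push_body(_finding("f1", "PUBLIC_BUCKET_ACL", "HIGH", "INACTIVE", "2024-03-01T11:00:00Z"), "103"),
    push_body(_finding("f3", "BUCKET_LOGGING_DISABLED", "LOW", "ACTIVE", "2024-03-01T11:05:00Z"), "104"),
]


def run(deliveries) -> list:
    """Actions taken for a sequence of push bodies, in order."""
    triage = FindingTriage()
    return [triage.handle_push(body)["action"] for body in deliveries]
```

In a real deployment the `seen` set has to live outside the process (a Firestore document or a database row keyed on the finding name), since a Cloud Run or Cloud Functions instance can be replaced between deliveries.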

Compliance and Governance

1. Organization Policy

```yaml
# org-policy.yaml
# Boolean constraints applied at the organization so every project inherits
# them; each entry is set with
#   gcloud resource-manager org-policies set-policy --organization=12345 <file>
# Serial console access is a lateral-movement path onto VMs, and uniform
# bucket-level access removes per-object ACLs, which is what makes accidental
# public objects possible. A third one worth adding alongside these is
# constraints/iam.disableServiceAccountKeyCreation.
constraints:
- constraint: "constraints/compute.disableSerialPortAccess"
  booleanPolicy:
    enforced: true
- constraint: "constraints/storage.uniformBucketLevelAccess"
  booleanPolicy:
    enforced: true
```

2. Asset Inventory

```bash
# Export a snapshot of all VM instances to Cloud Storage. Use
# --content-type=iam-policy for a snapshot of IAM bindings instead, which is
# the input an access review needs.
gcloud asset export \
  --project=my-project \
  --content-type=resource \
  --asset-types="compute.googleapis.com/Instance" \
  --output-path=gs://my-bucket/asset-inventory
```

Best Practices

  1. Identity Management

    • Grant the narrowest predefined or custom role that does the job; avoid the basic owner, editor and viewer roles
    • Give each service account a single purpose and avoid user-managed keys; prefer attached service accounts, Workload Identity or impersonation
    • Review access regularly and remove bindings nobody can justify
    • Enforce 2-Step Verification, with security keys for administrators
  2. Data Security

    • Encrypt data at rest and in transit (Google-managed keys by default; CMEK through Cloud KMS where you must control the key)
    • Use Cloud KMS for key management, with automatic rotation
    • Apply DLP to data stores and logs that may hold personal or payment data
    • Regular security assessments
  3. Network Security

    • Put Cloud Armor in front of every internet-facing load balancer and tune WAF rules in preview mode first
    • Use VPC Service Controls so data cannot leave the perimeter even with valid credentials
    • Enable firewall rule logging so denied and allowed flows are visible
    • Regular penetration testing
  4. Monitoring

    • Enable Data Access audit logs for services holding sensitive data and export all audit logs to a sink you control
    • Configure alerts on high-severity findings and on changes to IAM, logging and organization policy
    • Regular compliance checks
    • Incident response planning

Conclusion

GCP provides comprehensive security controls for protecting your cloud infrastructure. Key takeaways:

  • Implement proper IAM controls
  • Use encryption everywhere
  • Enable security monitoring
  • Follow compliance requirements
  • Regular security reviews

For more information, refer to the official Google Cloud documentation.
