GCP Security Services: Comprehensive Security Controls
Master Google Cloud's security services. Learn about Identity and Access Management (IAM), Cloud KMS, Security Command Center, Cloud Armor, and best practices for securing your cloud infrastructure.
March 3, 2024
Technical Writer
5 min read
Google Cloud Platform provides a robust set of security services to protect your applications and data. This guide covers key security services and implementation best practices.
Security Architecture Overview
```mermaid
graph TB
    subgraph Security["Security Services"]
        direction TB
        subgraph Identity["Identity & Access"]
            direction LR
            IAM["Cloud IAM"]
            IDS["Identity Services"]
            ORG["Organization Policy"]
        end
        subgraph DataSecurity["Data Security"]
            direction LR
            KMS["Cloud KMS"]
            DLP["Cloud DLP"]
            SECRETS["Secret Manager"]
        end
        subgraph NetworkSecurity["Network Security"]
            direction LR
            ARMOR["Cloud Armor"]
            FW["Firewall"]
            VPC["VPC Service Controls"]
        end
    end
    subgraph Monitoring["Security Monitoring"]
        direction TB
        SCC["Security Command Center"]
        AUDIT["Cloud Audit Logs"]
        THREAT["Threat Detection"]
    end
    Security --> Monitoring

    classDef primary fill:#4285f4,stroke:#666,stroke-width:2px,color:#fff
    classDef secondary fill:#34a853,stroke:#666,stroke-width:2px,color:#fff
    classDef tertiary fill:#fbbc05,stroke:#666,stroke-width:2px,color:#fff
    class Security,Identity primary
    class DataSecurity,NetworkSecurity secondary
    class Monitoring tertiary
```
Identity and Access Management (IAM)
1. Role Management
Custom roles let you grant exactly the permissions a job needs instead of a broad predefined role. A custom role is defined in a YAML file (one role per file, using `includedPermissions`) and loaded with `gcloud iam roles create custom.developer --project=my-project --file=roles.yaml`:

```yaml
# roles.yaml: definition for the custom role custom.developer
title: "Custom Developer Role"
description: "Read-only access to Compute instances and Storage objects"
stage: GA
includedPermissions:
- compute.instances.get
- compute.instances.list
- storage.objects.get
- storage.objects.list
```
2. Service Account Configuration
```bash
# Create the service account
gcloud iam service-accounts create my-sa \
  --display-name="My Service Account"

# Grant a narrowly scoped role (never roles/editor or roles/owner to a service account)
gcloud projects add-iam-policy-binding my-project \
  --member="serviceAccount:my-sa@my-project.iam.gserviceaccount.com" \
  --role="roles/storage.objectViewer"

# Create and download a user-managed key. A downloaded key is a long-lived
# bearer credential with no built-in rotation or expiry, so only do this when
# no keyless option exists: prefer attaching the service account to the
# workload (GCE, GKE, Cloud Run, Cloud Functions) or Workload Identity
# Federation for systems outside Google Cloud.
gcloud iam service-accounts keys create key.json \
  --iam-account=my-sa@my-project.iam.gserviceaccount.com
```
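A least-privilege review is easier to enforce when it runs before a policy is applied. The following is an added example, not code from the original page or from Google: it audits an IAM policy document for the three problems that most often surface in access reviews (public principals, basic roles, and unconditional impersonation rights). `SAMPLE_POLICY` is a constructed dict in the JSON shape `gcloud projects get-iam-policy my-project --format=json` returns; the member names and the `etag` value are made up.

```python
# Added example, not from the original page: a pre-apply audit of an IAM policy
# document for common least-privilege violations. SAMPLE_POLICY is a
# constructed dict in the JSON shape returned by
# `gcloud projects get-iam-policy my-project --format=json`.

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Basic (formerly primitive) roles bundle thousands of permissions across services.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Roles that let a principal mint tokens or keys for, or act as, service accounts;
# granted without an IAM condition they are a standing privilege-escalation path.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountKeyAdmin",
}

SAMPLE_POLICY = {  # constructed sample, not a real project's policy
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:my-sa@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/editor", "members": ["user:dev@example.com"]},
        {"role": "roles/iam.serviceAccountUser", "members": ["user:ops@example.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["group:ci@example.com"],
         "condition": {"title": "expires",
                       "expression": "request.time < timestamp('2024-12-31T00:00:00Z')"}},
    ],
    "etag": "BwXy0example",
    "version": 3,
}


def audit_policy(policy: dict) -> list:
    """Return (finding, role, member) tuples; an empty list means the policy passed."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        conditional = "condition" in binding
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(("PUBLIC_ACCESS", role, member))
            if role in BASIC_ROLES:
                findings.append(("BASIC_ROLE", role, member))
            if role in IMPERSONATION_ROLES and not conditional:
                findings.append(("UNCONDITIONAL_IMPERSONATION", role, member))
    return findings


def policy_passes(policy: dict) -> bool:
    """Gate for a CI step: refuse to run set-iam-policy when any finding exists."""
    return not audit_policy(policy)


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

Run it over the output of `get-iam-policy` before `set-iam-policy`; the conditional binding on `roles/iam.serviceAccountTokenCreator` passes because its IAM condition bounds the grant in time, while the unconditional `roles/iam.serviceAccountUser` grant does not. Conditional bindings require policy `version: 3`.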
Cloud Key Management Service (KMS)
1. Key Configuration
```bash
# Create a key ring. Key rings cannot be deleted, and a key's location is fixed
# at creation, so choose a regional location if data residency matters.
gcloud kms keyrings create my-keyring \
  --location=global

# Create a symmetric encryption key with automatic 90-day rotation. Rotation
# creates a new primary version; older versions stay enabled so existing
# ciphertext still decrypts.
gcloud kms keys create my-key \
  --keyring=my-keyring \
  --location=global \
  --purpose=encryption \
  --rotation-period=90d \
  --next-rotation-time=2024-06-01T12:00:00Z
```
2. Data Encryption
```python
# encryption.py
from google.cloud import kms


def encrypt_data(project_id, location_id, keyring_id, key_id, plaintext):
    """Encrypt data with the primary version of a Cloud KMS symmetric key.

    The caller needs roles/cloudkms.cryptoKeyEncrypter on the key.
    """
    client = kms.KeyManagementServiceClient()
    key_name = client.crypto_key_path(project_id, location_id, keyring_id, key_id)
    encrypt_response = client.encrypt(
        request={"name": key_name, "plaintext": plaintext.encode("utf-8")}
    )
    return encrypt_response.ciphertext


def decrypt_data(project_id, location_id, keyring_id, key_id, ciphertext):
    """Decrypt data produced by encrypt_data.

    The ciphertext records which key version produced it, so data encrypted
    before a rotation still decrypts as long as that version is enabled.
    """
    client = kms.KeyManagementServiceClient()
    key_name = client.crypto_key_path(project_id, location_id, keyring_id, key_id)
    decrypt_response = client.decrypt(
        request={"name": key_name, "ciphertext": ciphertext}
    )
    return decrypt_response.plaintext.decode("utf-8")
```
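The KMS API carries integrity fields that the snippet above ignores: the request can include `plaintext_crc32c`, and the response reports `verified_plaintext_crc32c` and `ciphertext_crc32c`, which Google's own samples check before trusting the result. The block below is an added example, not code from the page or from Google: it implements CRC-32C in pure Python so it runs offline (in production use the `google_crc32c` package), builds the request dict in the shape `KeyManagementServiceClient.encrypt` accepts, and verifies a response. `FakeEncryptResponse` is a constructed stand-in for `kms.EncryptResponse` with made-up ciphertext bytes; no KMS call is made.

```python
# Added example, not from the original page: client-side integrity checks for
# Cloud KMS encrypt calls using the plaintext_crc32c / ciphertext_crc32c /
# verified_plaintext_crc32c fields. CRC-32C is implemented here so the block
# runs offline; production code should use the google_crc32c package.


def crc32c(data: bytes) -> int:
    """CRC-32C (Castagnoli), bitwise: reflected poly 0x82F63B78, init/xorout 0xFFFFFFFF."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0x82F63B78
            else:
                crc >>= 1
    return crc ^ 0xFFFFFFFF


def build_encrypt_request(key_name: str, plaintext: bytes) -> dict:
    """Request dict for KeyManagementServiceClient.encrypt, including the
    checksum KMS uses to detect plaintext corrupted on the way in."""
    return {"name": key_name, "plaintext": plaintext, "plaintext_crc32c": crc32c(plaintext)}


def verify_encrypt_response(ciphertext: bytes, ciphertext_crc32c: int,
                            verified_plaintext_crc32c: bool) -> bool:
    """Reject a response unless KMS confirmed our plaintext checksum and the
    ciphertext we received matches the checksum KMS computed.

    Raising matters: storing an unverified ciphertext can leave data that will
    never decrypt, and nobody notices until the data is needed."""
    if not verified_plaintext_crc32c:
        raise ValueError("KMS did not verify plaintext_crc32c: request corrupted in transit")
    if crc32c(ciphertext) != ciphertext_crc32c:
        raise ValueError("ciphertext_crc32c mismatch: response corrupted in transit")
    return True


class FakeEncryptResponse:
    """Constructed stand-in for kms.EncryptResponse; no real KMS involved."""

    def __init__(self, ciphertext: bytes, verified: bool = True):
        self.ciphertext = ciphertext
        self.ciphertext_crc32c = crc32c(ciphertext)
        self.verified_plaintext_crc32c = verified


def demo() -> bool:
    """A clean response passes; a single flipped bit in the ciphertext is caught."""
    key = "projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key"
    request = build_encrypt_request(key, b"card number 4111111111111111")
    assert request["plaintext_crc32c"] == crc32c(request["plaintext"])
    resp = FakeEncryptResponse(b"\x0a\x1f" + bytes(range(40)))  # made-up ciphertext bytes
    verify_encrypt_response(resp.ciphertext, resp.ciphertext_crc32c,
                            resp.verified_plaintext_crc32c)
    flipped = bytearray(resp.ciphertext)
    flipped[5] ^= 0x01
    try:
        verify_encrypt_response(bytes(flipped), resp.ciphertext_crc32c, True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("integrity checks behave as expected:", demo())
```

With the real client, pass `build_encrypt_request(...)` as the `request=` argument and feed `encrypt_response.ciphertext`, `encrypt_response.ciphertext_crc32c` and `encrypt_response.verified_plaintext_crc32c` to `verify_encrypt_response` before persisting the ciphertext; the same pattern applies to `decrypt` with `ciphertext_crc32c` on the request and `plaintext_crc32c` on the response.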
Cloud DLP (Data Loss Prevention)
1. Content Inspection
Inspection runs server-side: the client sends the text plus the info types to look for (built-in detectors such as `EMAIL_ADDRESS`, `PHONE_NUMBER`, `CREDIT_CARD_NUMBER`, `US_SOCIAL_SECURITY_NUMBER`) and receives findings with type, likelihood and location. The product is now marketed as Sensitive Data Protection; the `dlp_v2` client is unchanged.

```python
# dlp_inspection.py
from google.cloud import dlp_v2


def inspect_string(project_id, text_content, info_types):
    """Inspect a string for the given built-in info types.

    Returns an InspectResult; iterate result.findings for info_type.name,
    likelihood and location. Setting include_quote=True in inspect_config
    returns the matched text itself, which you do not want if the findings
    end up in logs.
    """
    client = dlp_v2.DlpServiceClient()
    parent = f"projects/{project_id}/locations/global"
    inspect_config = {
        "info_types": [{"name": info_type} for info_type in info_types],
        # Drop low-confidence matches to cut noise
        "min_likelihood": dlp_v2.Likelihood.POSSIBLE,
    }
    item = {"value": text_content}
    response = client.inspect_content(
        request={"parent": parent, "inspect_config": inspect_config, "item": item}
    )
    return response.result
```
2. Data Masking
De-identification uses the same info types to locate matches and applies a primitive transformation to each. `replace_config` substitutes a fixed string; when the output must keep its shape (for example, show only the last four digits of a card number) use `character_mask_config` instead. This function lives in its own file and needs its own import.

```python
# dlp_redaction.py
from google.cloud import dlp_v2


def redact_info_types(project_id, text_content, info_types):
    """Replace every match of the given info types with a fixed marker."""
    client = dlp_v2.DlpServiceClient()
    parent = f"projects/{project_id}/locations/global"
    deidentify_config = {
        "info_type_transformations": {
            "transformations": [{
                # No info_types listed on the transformation, so it applies to
                # every type found by inspect_config
                "primitive_transformation": {
                    "replace_config": {
                        "new_value": {"string_value": "[REDACTED]"}
                    }
                }
            }]
        }
    }
    inspect_config = {
        "info_types": [{"name": info_type} for info_type in info_types]
    }
    item = {"value": text_content}
    response = client.deidentify_content(
        request={
            "parent": parent,
            "deidentify_config": deidentify_config,
            "inspect_config": inspect_config,
            "item": item,
        }
    )
    return response.item.value
```
Security Command Center
1. Security Sources Configuration
Security Command Center has no YAML loader for sources. A source is created once per organization through the API (`SecurityCenterClient.create_source` with a `display_name` and `description`), and findings are then written against it. The file below only documents the source and the finding categories it will emit:

```yaml
# security-sources.yaml (documentation of the source, not a loadable config)
securitySources:
- displayName: "Custom Security Source"
  description: "Custom security findings source"
  finding_categories:
  - category_id: "CUSTOM_VULNERABILITY"
    display_name: "Custom Vulnerability"
    description: "Custom vulnerability finding"
    severity: HIGH
```
2. Custom Finding Creation
```python
# security_findings.py
import time

from google.cloud import securitycenter_v1


def create_finding(organization_id, source_id, finding_id, resource_name):
    """Create an ACTIVE finding under a custom SCC source.

    finding_id must be alphanumeric (1-32 characters) and unique within the
    source. resource_name is the full name of the affected resource, e.g.
    //cloudresourcemanager.googleapis.com/projects/123456789, which SCC uses
    to attach the finding to the asset. The caller needs
    roles/securitycenter.findingsEditor.
    """
    client = securitycenter_v1.SecurityCenterClient()
    source_name = client.source_path(organization_id, source_id)
    finding = {
        "state": securitycenter_v1.Finding.State.ACTIVE,
        "resource_name": resource_name,
        "category": "CUSTOM_VULNERABILITY",
        "severity": securitycenter_v1.Finding.Severity.HIGH,
        "event_time": {"seconds": int(time.time())},
        # Free-form key/value properties; the keys are your own
        "source_properties": {"criticality": "HIGH", "custom_field": "custom_value"},
    }
    created_finding = client.create_finding(
        request={"parent": source_name, "finding_id": finding_id, "finding": finding}
    )
    return created_finding
```
Cloud Armor
1. Security Policy
A security policy is an ordered rule list: rules are evaluated from the lowest priority number upward, the first match wins, and the default rule at priority 2147483647 catches everything else. In the policy below (written in the layout `gcloud compute security-policies export` produces; custom rules use a CEL expression under `match.expr.expression`), the allow at priority 1000 means requests from 10.0.0.0/8 never reach the WAF rule at 2000. Place allow-lists after WAF rules unless that bypass is intended, and set the default rule to `deny(403)` if you want an allow-list model.

```yaml
# security-policy.yaml
name: my-security-policy
rules:
- priority: 1000
  action: allow
  match:
    versionedExpr: SRC_IPS_V1
    config:
      srcIpRanges:
      - 10.0.0.0/8
- priority: 2000
  action: deny(403)
  match:
    expr:
      expression: >-
        request.headers['user-agent'].contains('BadBot') ||
        evaluatePreconfiguredWaf('xss-v33-stable')
- priority: 2147483647
  action: allow
  match:
    versionedExpr: SRC_IPS_V1
    config:
      srcIpRanges:
      - '*'
```
2. WAF Configuration
Preconfigured WAF rule sets are versioned (`xss-v33-stable`, `sqli-v33-stable`, and so on); a bare name like `xss` is not a valid rule set. A policy does nothing until it is attached to a backend service (`gcloud compute backend-services update ... --security-policy=waf-policy`), and adding `--preview` to a rule logs what it would have done without enforcing it, which is the safe way to introduce a new WAF rule.

```bash
# Create a WAF policy
gcloud compute security-policies create waf-policy \
  --description="WAF security policy"

# Add a rule using the preconfigured XSS rule set
gcloud compute security-policies rules create 1000 \
  --security-policy=waf-policy \
  --expression="evaluatePreconfiguredWaf('xss-v33-stable')" \
  --action=deny-403 \
  --description="Block XSS attacks"
```
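Rule ordering is where Cloud Armor policies most often go wrong, and it can be checked statically. The block below is an added example, not code from the page or from Google: it finds deny rules that can never fire because an earlier allow already matches every request they would match, lists the IP ranges that skip WAF inspection because an allow precedes the first expression-based deny, and reports whether the default rule allows unmatched traffic. `SAMPLE_POLICY` is a constructed dict in the layout of `gcloud compute security-policies export --format=yaml`, mirroring the policy above plus an extra IP deny rule and the default rule; the rule contents are assumed for illustration.

```python
# Added example, not from the original page: static checks for Cloud Armor rule
# ordering. Rules are evaluated from the lowest priority number upward and the
# first match wins, so an allow placed before a WAF deny removes those sources
# from WAF inspection, and a broad allow can shadow a later deny entirely.
import ipaddress

DEFAULT_PRIORITY = 2147483647  # Cloud Armor's fixed priority for the default rule

SAMPLE_POLICY = {  # constructed sample in `security-policies export` layout
    "name": "my-security-policy",
    "rules": [
        {"priority": 1000, "action": "allow",
         "match": {"versionedExpr": "SRC_IPS_V1", "config": {"srcIpRanges": ["10.0.0.0/8"]}}},
        {"priority": 2000, "action": "deny(403)",
         "match": {"expr": {"expression": "evaluatePreconfiguredWaf('xss-v33-stable')"}}},
        {"priority": 3000, "action": "deny(403)",
         "match": {"versionedExpr": "SRC_IPS_V1", "config": {"srcIpRanges": ["10.1.0.0/16"]}}},
        {"priority": DEFAULT_PRIORITY, "action": "allow",
         "match": {"versionedExpr": "SRC_IPS_V1", "config": {"srcIpRanges": ["*"]}}},
    ],
}


def _ip_ranges(rule):
    """srcIpRanges of an IP-match rule, or None for a CEL expression rule."""
    match = rule.get("match", {})
    if match.get("versionedExpr") == "SRC_IPS_V1":
        return match.get("config", {}).get("srcIpRanges", [])
    return None


def _is_deny(rule):
    return rule["action"].startswith("deny")


def _covers(allow_ranges, deny_ranges):
    """True if every source the deny rule could match is already matched by the
    allow. '*' in the allow covers anything, including expression rules (None)."""
    if "*" in allow_ranges:
        return True
    if deny_ranges is None or "*" in deny_ranges:
        return False
    allow_nets = [ipaddress.ip_network(r, strict=False) for r in allow_ranges]
    for r in deny_ranges:
        net = ipaddress.ip_network(r, strict=False)
        if not any(net.version == a.version and net.subnet_of(a) for a in allow_nets):
            return False
    return True


def _sorted_rules(policy):
    return sorted(policy["rules"], key=lambda r: r["priority"])


def shadowed_deny_rules(policy):
    """(deny_priority, allow_priority) pairs where the earlier allow matches every
    request the deny would have matched, so the deny can never fire."""
    rules = _sorted_rules(policy)
    findings = []
    for i, rule in enumerate(rules):
        if not _is_deny(rule):
            continue
        for earlier in rules[:i]:
            if (earlier["action"] == "allow" and _ip_ranges(earlier) is not None
                    and _covers(_ip_ranges(earlier), _ip_ranges(rule))):
                findings.append((rule["priority"], earlier["priority"]))
                break
    return findings


def waf_bypass_sources(policy):
    """(allow_priority, ranges) for IP allow rules that fire before the first
    expression-based deny; requests from those ranges skip every WAF rule."""
    rules = _sorted_rules(policy)
    first_waf_deny = next((r["priority"] for r in rules
                           if _is_deny(r) and _ip_ranges(r) is None), None)
    if first_waf_deny is None:
        return []
    return [(r["priority"], _ip_ranges(r)) for r in rules
            if r["action"] == "allow" and r["priority"] < first_waf_deny
            and _ip_ranges(r) is not None]


def default_rule_allows(policy):
    """True when unmatched traffic is allowed (gcloud creates an allow default)."""
    default = next((r for r in policy["rules"] if r["priority"] == DEFAULT_PRIORITY), None)
    return default is None or default["action"] == "allow"


if __name__ == "__main__":
    print("shadowed deny rules:", shadowed_deny_rules(SAMPLE_POLICY))
    print("sources skipping WAF:", waf_bypass_sources(SAMPLE_POLICY))
    print("default rule allows:", default_rule_allows(SAMPLE_POLICY))
```

On the sample policy the deny at 3000 is dead (10.1.0.0/16 sits inside the 10.0.0.0/8 allowed at 1000), and every client in 10.0.0.0/8 skips the XSS rule. Expression-based allow rules are skipped by the checker because their reach cannot be decided statically; review those by hand.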
VPC Service Controls
1. Service Perimeter
A service perimeter blocks API access to the restricted services from outside the perimeter; the ingress policy below is what lets callers holding the `trusted_networks` access level read objects, and nothing else. Roll a perimeter out in dry-run mode first and watch the VPC Service Controls denial logs before enforcing it, because a perimeter that is too tight breaks legitimate pipelines immediately.

```yaml
# service-perimeter.yaml
servicePerimeter:
  name: "accessPolicies/12345/servicePerimeters/my_perimeter"
  title: "My Service Perimeter"
  description: "Perimeter for sensitive services"
  status:
    resources:
    - "projects/12345"
    restrictedServices:
    - "storage.googleapis.com"
    - "bigquery.googleapis.com"
    ingressPolicies:
    - ingressFrom:
        sources:
        - accessLevel: "accessPolicies/12345/accessLevels/trusted_networks"
      ingressTo:
        operations:
        - serviceName: "storage.googleapis.com"
          methodSelectors:
          - method: "google.storage.objects.get"
```
2. Access Level Configuration
```yaml
# access-level.yaml
accessLevel:
  name: "accessPolicies/12345/accessLevels/trusted_networks"
  title: "Trusted Networks"
  basic:
    conditions:
    # Every attribute inside one condition must hold: source in 10.0.0.0/8
    # AND a screen-locked, encrypted device AND a request origin in the US
    - ipSubnetworks:
      - "10.0.0.0/8"
      devicePolicy:
        requireScreenLock: true
        allowedEncryptionStatuses: ["ENCRYPTED"]
      regions:
      - "US"
```
Security Monitoring
1. Audit Logging
Admin Activity audit logs are always on. Data Access audit logs (reads and writes of user data) are off by default for most services and are enabled per service through the `auditConfigs` block of the IAM policy (log types `ADMIN_READ`, `DATA_READ`, `DATA_WRITE`), not by granting a role. The commands below grant the operator the right to manage sinks and then route audit logs to a dedicated bucket; the original filter `resource.type=audit_log` matches nothing, since audit entries are identified by their log name.

```bash
# The operator who manages sinks needs roles/logging.configWriter. This grant
# does not enable any logging by itself.
gcloud organizations add-iam-policy-binding 12345 \
  --member="user:admin@example.com" \
  --role="roles/logging.configWriter"

# Route all audit logs (activity, data_access, system_event, policy) to a bucket.
# The sink's writer identity, printed on creation, must be granted
# roles/storage.objectCreator on the bucket or nothing is written.
gcloud logging sinks create my-sink \
  storage.googleapis.com/my-audit-logs \
  --log-filter='logName:"cloudaudit.googleapis.com"'
```
2. Alert Configuration
Alert policies evaluate metrics, so the `filter` of a `conditionThreshold` must name a `metric.type`; a raw log filter such as `severity="HIGH"` is rejected. The policy below assumes a log-based counter metric named `scc_high_findings` built over SCC findings exported to Cloud Logging (the metric name is assumed; the page does not define it) and is applied with `gcloud alpha monitoring policies create --policy-from-file=alert-policy.yaml`. For SCC findings specifically, the native route is a notification config (`gcloud scc notifications create` with a finding filter such as `severity="HIGH" AND state="ACTIVE"` and a Pub/Sub topic), which delivers the full finding rather than a count.

```yaml
# alert-policy.yaml
displayName: "High Severity Finding Alert"
combiner: OR
conditions:
- displayName: "SCC High Severity Finding"
  conditionThreshold:
    filter: >-
      metric.type="logging.googleapis.com/user/scc_high_findings"
    comparison: COMPARISON_GT
    thresholdValue: 0
    duration: 0s
notificationChannels:
- "projects/my-project/notificationChannels/12345"
```
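Sinks and alert policies only deliver; the detection logic still has to say which audit events matter. The block below is an added example, not code from the page or from Google, covering both the audit-logging and alerting sections: it runs two detection rules over exported audit log lines, flagging `SetIamPolicy` calls whose binding deltas add a public principal or a basic role, and the creation of user-managed service account keys. `SAMPLE_LINES` are constructed, abridged audit log records in the JSON shape Cloud Logging exports; the principals, projects and timestamps are made up.

```python
# Added example, not from the original page: detection rules run over Cloud
# Audit Log entries, the kind of logic you would put behind the audit-log sink
# or express as log-based metrics feeding an alert policy. SAMPLE_LINES are
# constructed, abridged records in the exported JSON shape, not real log data.
import json

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
AUDIT_LOG_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"

SAMPLE_LINES = [json.dumps(entry) for entry in [
    {"logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
     "timestamp": "2024-03-03T10:15:00Z",
     "protoPayload": {
         "@type": AUDIT_LOG_TYPE,
         "serviceName": "cloudresourcemanager.googleapis.com",
         "methodName": "SetIamPolicy",
         "resourceName": "projects/my-project",
         "authenticationInfo": {"principalEmail": "alice@example.com"},
         "serviceData": {"policyDelta": {"bindingDeltas": [
             {"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"},
             {"action": "ADD", "role": "roles/editor", "member": "user:bob@example.com"},
             {"action": "REMOVE", "role": "roles/viewer", "member": "user:carol@example.com"},
         ]}}}},
    {"logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
     "timestamp": "2024-03-03T10:16:00Z",
     "protoPayload": {
         "@type": AUDIT_LOG_TYPE,
         "serviceName": "iam.googleapis.com",
         "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
         "resourceName": "projects/-/serviceAccounts/my-sa@my-project.iam.gserviceaccount.com",
         "authenticationInfo": {"principalEmail": "alice@example.com"}}},
    {"logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access",
     "timestamp": "2024-03-03T10:17:00Z",
     "protoPayload": {
         "@type": AUDIT_LOG_TYPE,
         "serviceName": "storage.googleapis.com",
         "methodName": "storage.objects.get",
         "resourceName": "projects/_/buckets/my-bucket/objects/report.csv",
         "authenticationInfo": {
             "principalEmail": "my-sa@my-project.iam.gserviceaccount.com"}}},
]]


def _rule_risky_iam_grant(payload):
    """SetIamPolicy whose binding deltas add a public member or a basic role."""
    if payload.get("methodName") != "SetIamPolicy":
        return []
    deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    alerts = []
    for delta in deltas:
        if delta.get("action") != "ADD":
            continue  # removals only reduce access
        detail = f"{delta.get('role')} -> {delta.get('member')}"
        if delta.get("member") in PUBLIC_MEMBERS:
            alerts.append(("PUBLIC_IAM_GRANT", "HIGH", detail))
        elif delta.get("role") in BASIC_ROLES:
            alerts.append(("BASIC_ROLE_GRANT", "HIGH", detail))
    return alerts


def _rule_sa_key_created(payload):
    """A new user-managed service account key is a new long-lived credential."""
    if payload.get("methodName") == "google.iam.admin.v1.CreateServiceAccountKey":
        return [("SA_KEY_CREATED", "MEDIUM", payload.get("resourceName", ""))]
    return []


RULES = [_rule_risky_iam_grant, _rule_sa_key_created]


def detect(lines):
    """Parse JSON audit log lines and return one alert dict per rule hit."""
    alerts = []
    for line in lines:
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if payload.get("@type") != AUDIT_LOG_TYPE:
            continue  # not an audit log record
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
        for rule in RULES:
            for name, severity, detail in rule(payload):
                alerts.append({"rule": name, "severity": severity, "principal": principal,
                               "resource": payload.get("resourceName"), "detail": detail,
                               "timestamp": entry.get("timestamp")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

The same two conditions translate directly into Logging filters for log-based metrics (`protoPayload.methodName="SetIamPolicy" AND protoPayload.serviceData.policyDelta.bindingDeltas.member="allUsers"`, and `protoPayload.methodName="google.iam.admin.v1.CreateServiceAccountKey"`), which is how they would feed the alert policy above without running code of your own.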
Compliance and Governance
1. Organization Policy
Each policy file holds one constraint and is applied with `gcloud resource-manager org-policies set-policy <file> --organization=12345` (or `--folder` / `--project`); a file with a `constraints:` list is not accepted. Given the downloadable key created earlier in this guide, `constraints/iam.disableServiceAccountKeyCreation` is the constraint most worth adding alongside these two.

```yaml
# disable-serial-port.yaml
constraint: "constraints/compute.disableSerialPortAccess"
booleanPolicy:
  enforced: true
```

```yaml
# uniform-bucket-access.yaml
constraint: "constraints/storage.uniformBucketLevelAccess"
booleanPolicy:
  enforced: true
```
2. Asset Inventory
Cloud Asset Inventory gives a point-in-time snapshot for compliance evidence. `--content-type=iam-policy` exports every IAM policy in scope instead of resource metadata, and `gcloud asset search-all-iam-policies --scope=projects/my-project --query='policy:allUsers'` answers the access-review question directly.

```bash
# Export a snapshot of all Compute instances to a bucket
gcloud asset export \
  --project=my-project \
  --content-type=resource \
  --asset-types="compute.googleapis.com/Instance" \
  --output-path=gs://my-bucket/asset-inventory
```
Best Practices
- Identity Management
  - Use the principle of least privilege
  - Prefer attached service accounts and Workload Identity Federation over downloaded keys
  - Regular access reviews
  - Enforce 2-Step Verification (MFA) for human accounts
- Data Security
  - Encrypt data at rest and in transit
  - Use Cloud KMS for key management
  - Implement DLP policies
  - Regular security assessments
- Network Security
  - Implement Cloud Armor
  - Use VPC Service Controls
  - Enable firewall logging
  - Regular penetration testing
- Monitoring
  - Enable audit logging, including Data Access logs for sensitive services
  - Configure alerts
  - Regular compliance checks
  - Incident response planning
Conclusion
GCP provides comprehensive security controls for protecting your cloud infrastructure. Key takeaways:
- Implement proper IAM controls
- Use encryption everywhere
- Enable security monitoring
- Follow compliance requirements
- Regular security reviews
For more information, refer to the official documentation: