OUR LATEST NEWS

How to Make Your Google Cloud Platform Project More Secure: IAM security

hero

Csaba Kassai | January 23, 2018

4 Minutes Read

This is the second in a series of posts about Google Cloud Platform security. The first post deals with security in general and security design of the Google Cloud Platform. This post contains practical, actionable settings you can modify in the IAM to improve your project’s security. If you’re not able or don’t want to make every change, it’s still beneficial to implement a subset of them. They individually improve security. Read further and get to know more about necessary IAM security. Also, don’t miss the rest of this series:

Article III.: How to Make Your Google Cloud Platform Project More Secure: Built-In GCE Security

Article IV.: How to Make Your Google Cloud Platform Project More Secure: GCE Network Security

Article V.: How to Make Your Google Cloud Platform project more secure: GCE OS Security

Enforce Multi-factor Authentication (MFA)

Multi-factor Authentication is a method where in addition to using one piece of information to authenticate a user (e.g. a password), at least one additional source of proof is needed to ensure the right person is accessing a system.

On Google Cloud Platform, users authenticate themselves using Google Accounts. These are individual email addresses registered as a Google Account or (more commonly) accounts of a Google Suite Domain. On the Google Cloud Platform side, you cannot enforce Google Accounts having access to your project to have MFA enabled. But if you only grant access to users from your Google Suite Domain, then the Administrator can set up MFA on it so that it forces everyone to use it. What if you need to give access to people without accounts in your Google Suite Domain? You can create accounts for them in your Google Suite Domain for the sole purpose of accessing your project. This way you can enforce settings on their accounts.

If you combine both these rules, then you can be certain that every user who has access to the Google Cloud Platform project needs to validate themselves using MFA. This makes it much harder to compromise your project, even if the password for an email address leaks from another source.

Here you can find the information about how to enforce MFA (for Google Suite Domains, MFA uses 2 factors) authentication for Google Suite Domains.

Set-up password policy for users

The password policy settings are technically not inside the Google Cloud Platform. They are at the discretion of the Google Suite Domain Administrator. If you only allow users from your domain and the domain is set up with the right password policy, these two things combined will result in the password policy being enforced on all of your GCP users. Here you can find more information about how to set up password requirements for your Google Suite Domain.

Give the necessary but the least possible privileges for IAM security

It is good practice in general to only give the minimum necessary privileges to all of your users. If all of the previously discussed account protection methods fail, your attackers will still have fewer services to break into or steal information from. The actual implementation of this principle will vary based on your usage patterns. For example, don’t grant your database administrators performing only Google Cloud SQL administration tasks a Project Editor role. Give them a Cloud SQL Admin role instead.

Double check the Google Compute Engine related roles

Most of the roles in IAM are easy to understand. They even have descriptions to help decide which one you want to use for a specific scenario. There are some notable exceptions though, where it is quite hard to decide which role is enough for a specific operation. For example, Google Compute Engine (GCE) related roles are a bit convoluted, especially since new rules have been introduced which are in the beta stage now.

The most important thing to note is that a lot of GCE-related roles grant you SSH access to the instances themselves. If the instance is running Linux, GCE creates the account in a way that allows you to sudo to become root. If you don’t want this “side effect” when you assign GCE-related roles, consult the documentation for details.

Set up Quotas

Default quotas are set for every newly created project on Google Cloud Platform. This is a last-resort security control to avoid unexpected runaway spending. For example, a faulty script creating resources in a recursive manner will only be able to create them up to the quota limits. It can also protect against a compromised account creating a lot of new resources for the attacker’s purposes.

You can change the quotas on the Quotas page, but it requires the serviceusage.quotas.update permission. This permission is only included in the following predefined roles: Owner, Editor, and Quota Administrator. So, if a compromised account or faulty script does not have this permission, the spending can only increase up to the quota limits.

Check and rotate Service Account keys

There is another type of account on Google Cloud Platform besides the user accounts: Service Accounts.

Service accounts are meant for programmatic use cases. You can’t use them to access the Google Cloud Console as they are only valid for Google Cloud API access. The most frequent use case is to run applications or instances inheriting the rights of a specific service account. This way, they can access other cloud services without extra authentication. You can read in detail about how to use service accounts in combination with GCE in the third post of the series.

Service accounts use keys for authentication. One service account can have multiple keys associated with it. It is a good practice to regularly rotate the keys of the service account. You can achieve this by creating a new key for the service account. Then, you have to overwrite the current key with the new one everywhere it was saved. Lastly, you need to delete the old key associated with the service account. This way, the attacker will only have a limited time window to use the key. Even if an application where the key was stored is compromised without your knowledge.

Further reading about IAM security

You can find some additional information on the Google Cloud Platform documentation about IAM security on this page.

If your organization is a big enterprise, you should check out the security guidelines written especially for bigger customers here.

How to Power Banking Services with Google Cloud

clock

2022-06-23

4 Minutes Read

Here’s why your company should be using the Google Cloud features to power banking services and how it makes things easy for financial service organizations.

Google Cloud Infrastructure Modernization - Stay Agile With An Open Architecture

clock

2022-02-17

3 Minutes Read

Learn more about how Google Cloud infrastructure modernization solutions can help your business to become more competitive.

Google BigQuery materialized view test drive

clock

2022-04-07

3 Minutes Read

I have tested the BigQuery materialized views against the documentation. While most of the functionality and limitations are accurate, there are a few gotchas you need to be aware of.

hero
logo

Ready for the future? Let’s talk!

Reach out, and let’s take your business to the next level.

image

By clicking submit below, you consent to allow Aliz.ai to store and process the personal information submitted above and share information about our products and services, as well as other content that may be of interest to you. For more information, please review our Privacy Policy. You may unsubscribe at any time. Your data will not be passed on to third parties.

I agree to receive other communications from Aliz.ai.

badge

New opportunities with cloud solutions!

Aliz is a proud Google Cloud Partner with specializations in Infrastructure, Data Analytics, Cloud Migration and Machine Learning. We deliver data analytics, machine learning, and infrastructure solutions, off the shelf, or custom-built on GCP using an agile, holistic approach.

logo

© Copyright 2022 Aliz Tech Kft.

logologologologo