As one of the proud contributors to the newest version of the CIS Google Cloud Platform Foundation Benchmark, I wanted to raise awareness about the new release of this benchmark [1] by the Center for Internet Security (CIS) and how it can help a company set a strong security baseline, or foundation, for its Google Cloud environment. As we have seen previously in our Shaking The Foundation of An Online Collaboration Tool blog post [3], the CIS Microsoft 365 Foundation Benchmark (to which we also contributed) was very helpful in setting the baseline security that organizations should aim for in Microsoft 365 deployments.
This time we will take a closer look at what the CIS Google Cloud Platform Foundation Benchmark offers against 10 of the most common GCP misconfigurations that NCC Group comes across during client assessments. These were previously discussed in our blog post called Securing Google Cloud Platform – Ten best practices [2]. At the end of the post we will also see whether the CIS Benchmark is in line with the recommendations that come out of real-life engagements. Where possible, the top 10 best practices are extended with the benchmark recommendations, and anything missing from the benchmark is called out. Because the best practices are often tied to misconfigurations in a particular service, the post groups them around the related service where possible.
NCC Top 10 best practices vs CIS Google Cloud Platform Foundation Benchmark
Resource Segregation
The first recommendation was to segregate resources by project, so that projects form isolation boundaries and contain only the resources that belong to them.
The benchmark takes project-level resource segregation as a given, as stated in its Overview section: “Most of the recommendations provided with this release of the benchmark cover security considerations only at the individual project level and not at the organization level.” [1] Although there is no dedicated recommendation for resource segregation in any of its categories, there are recommendations for separation of duties.
The CIS Benchmark has the following recommendations related to separation, segmentation and segregation:
- Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users
- Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users
So although the benchmark already assumes project-level segregation, it adds recommendations for IAM separation, which also relates to the next main area.
IAM
Next in the list were two IAM-related best practices: limit the use of Cloud IAM primitive roles (since renamed basic roles) and rotate Cloud IAM service account keys periodically. The primitive roles (Owner, Editor, Viewer) do not follow the principle of least privilege and should be avoided; instead, GCP's predefined roles are the recommended way to grant access to groups or users. Service account keys are highly sensitive because they are long-lived credentials that typically belong to an application or an instance; if one is compromised, an attacker can access and interact with every resource the service account can reach in the GCP environment.
The CIS Benchmark has the following recommendations for IAM:
- Ensure that Corporate Login Credentials are Used
- Ensure that Multi-Factor Authentication is ‘Enabled’ for All Non-Service Accounts
- Ensure that Security Key Enforcement is Enabled for All Admin Accounts
- Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account
- Ensure That Service Account Has No Admin Privileges
- Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level
- Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer
- Ensure API Keys Are Rotated Every 90 Days
We can see that the benchmark includes the same recommendations, plus more controls around authentication and authorization that reduce the risk of an attacker escalating privileges or succeeding with password attacks, and that limit the blast radius of a compromised account.
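As an added example (not code from the post, from NCC Group or from CIS), the following Python script applies four of the IAM checks above to constructed sample data shaped like the JSON output of `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam service-accounts keys list --iam-account=SA --format=json`: primitive roles, service accounts holding admin-level roles, project-level grants of Service Account User or Token Creator, and user-managed keys older than 90 days. The project name, e-mail addresses, key IDs and the reference time `SAMPLE_NOW` are all made up.

```python
"""Audit a project IAM policy and a service account's key list against the CIS IAM
items discussed above. All sample data below is constructed; the JSON shapes follow
`gcloud projects get-iam-policy --format=json` and
`gcloud iam service-accounts keys list --format=json`."""
import json
from datetime import datetime, timedelta, timezone

PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Granting these at project level lets the grantee impersonate every service
# account in the project; CIS wants them granted per service account instead.
PROJECT_LEVEL_SA_ROLES = {"roles/iam.serviceAccountUser",
                          "roles/iam.serviceAccountTokenCreator"}
MAX_KEY_AGE = timedelta(days=90)
# Constructed reference time so the key-age results are reproducible.
SAMPLE_NOW = datetime(2022, 7, 1, tzinfo=timezone.utc)

SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:bob@example.com"]},
    {"role": "roles/compute.viewer",
     "members": ["group:ops@example.com"]}
  ]
}
""")

SAMPLE_KEYS = json.loads("""
[
  {"name": "projects/example-project/serviceAccounts/app@example-project.iam.gserviceaccount.com/keys/aaaa",
   "keyType": "USER_MANAGED", "validAfterTime": "2021-01-01T00:00:00Z"},
  {"name": "projects/example-project/serviceAccounts/app@example-project.iam.gserviceaccount.com/keys/bbbb",
   "keyType": "USER_MANAGED", "validAfterTime": "2022-06-01T00:00:00Z"},
  {"name": "projects/example-project/serviceAccounts/app@example-project.iam.gserviceaccount.com/keys/cccc",
   "keyType": "SYSTEM_MANAGED", "validAfterTime": "2022-06-20T00:00:00Z"}
]
""")


def is_admin_role(role):
    """Owner/editor, or any role whose name contains 'admin' (e.g. roles/compute.admin)."""
    return role in ("roles/owner", "roles/editor") or "admin" in role.lower()


def audit_policy(policy):
    """Return (finding, role, member) tuples for a project-level IAM policy."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if role in PRIMITIVE_ROLES:
                findings.append(("primitive-role", role, member))
            if member.startswith("serviceAccount:") and is_admin_role(role):
                findings.append(("sa-admin-privileges", role, member))
            if role in PROJECT_LEVEL_SA_ROLES and member.startswith("user:"):
                findings.append(("sa-role-at-project-level", role, member))
    return findings


def audit_keys(keys, now=None):
    """Flag every user-managed key (CIS: only GCP-managed keys should exist) and
    additionally any user-managed key older than MAX_KEY_AGE."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue  # SYSTEM_MANAGED keys are rotated by Google
        key_id = key["name"].rsplit("/", 1)[-1]
        created = datetime.strptime(key["validAfterTime"], "%Y-%m-%dT%H:%M:%SZ")
        age = now - created.replace(tzinfo=timezone.utc)
        findings.append(("user-managed-key", key_id, age.days))
        if age > MAX_KEY_AGE:
            findings.append(("key-older-than-90-days", key_id, age.days))
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY) + audit_keys(SAMPLE_KEYS, SAMPLE_NOW):
        print(*finding)
```

On the sample data this reports the owner and editor bindings as primitive roles, the editor binding on the service account as admin privileges, Bob's project-level Service Account User grant, and both user-managed keys, one of them well past 90 days. The `is_admin_role` heuristic is the assumption to review for your own environment: it catches the obvious `*.admin` roles but not custom roles with admin-equivalent permissions.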
Network Security
Another important category was network security, where NCC Group often finds overly permissive firewall rules and disabled VPC Flow Logs in client environments. It is important to lock down the network so that only hosts that genuinely need to communicate can do so; this minimizes the attack surface and helps prevent lateral movement across virtual machines and networks.
The CIS Benchmark has the following recommendations for Networks:
- Ensure That DNSSEC Is Enabled for Cloud DNS
- Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC
- Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC
- Ensure That SSH Access Is Restricted From the Internet
- Ensure That RDP Access Is Restricted From the Internet
- Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network
- Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites
- Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are ‘Allowed’
We can see that the benchmark breaks the network security controls into smaller, more specific recommendations and extends its scope to DNS, SSL and IAP. It is worth noting that some network security settings are also discussed in the sections where the actual service recommendations are defined, for example Cloud SQL, where the equivalent controls are authorized networks and public IP exposure.
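Two of the network checks above, SSH/RDP reachable from the internet and subnets without VPC Flow Logs, are easy to get wrong when done by eye because port ranges hide the interesting ports. The Python below is an added example (not from the post or from CIS) that runs both checks over constructed records shaped like `gcloud compute firewall-rules list --format=json` and `gcloud compute networks subnets list --format=json`; the rule names, ranges and subnets are invented.

```python
"""Check VPC firewall rules for SSH/RDP exposed to the internet and subnets without
VPC Flow Logs. Sample records are constructed to match the shape of
`gcloud compute firewall-rules list --format=json` and
`gcloud compute networks subnets list --format=json`; they are not real rules."""
import json

INTERNET = {"0.0.0.0/0", "::/0"}
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp"}

SAMPLE_RULES = json.loads("""
[
  {"name": "allow-ssh-anywhere", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-app-range", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
  {"name": "allow-all-from-office", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["203.0.113.0/24"],
   "allowed": [{"IPProtocol": "all"}]},
  {"name": "allow-any-proto", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["10.0.0.0/8", "0.0.0.0/0"],
   "allowed": [{"IPProtocol": "all"}]},
  {"name": "old-rdp-rule", "direction": "INGRESS", "disabled": true,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
  {"name": "egress-any", "direction": "EGRESS", "disabled": false,
   "destinationRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "all"}]}
]
""")

SAMPLE_SUBNETS = json.loads("""
[
  {"name": "prod-web", "region": "europe-west2", "enableFlowLogs": true},
  {"name": "prod-db", "region": "europe-west2"},
  {"name": "dev", "region": "us-central1", "enableFlowLogs": false}
]
""")


def port_in_spec(spec, port):
    """gcloud lists ports as "22" or ranges as "3000-4000"."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def sensitive_ports_exposed(allowed_entry):
    """Return the sensitive TCP ports an 'allowed' entry opens. Ranges such as
    3000-4000 are common and silently include 3389, so they are expanded here."""
    proto = allowed_entry["IPProtocol"].lower()
    if proto not in ("tcp", "all"):
        return set()
    ports = allowed_entry.get("ports")
    if not ports:  # no port list means every port of the protocol
        return set(SENSITIVE_PORTS)
    return {p for p in SENSITIVE_PORTS if any(port_in_spec(s, p) for s in ports)}


def audit_firewall(rules):
    """Return (rule name, service) pairs for enabled ingress rules that allow SSH or
    RDP from any address."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        if not INTERNET.intersection(rule.get("sourceRanges", [])):
            continue
        for entry in rule.get("allowed", []):
            for port in sorted(sensitive_ports_exposed(entry)):
                findings.append((rule["name"], SENSITIVE_PORTS[port]))
    return findings


def subnets_without_flow_logs(subnets):
    """Flow logs are off unless enableFlowLogs is present and true."""
    return [s["name"] for s in subnets if not s.get("enableFlowLogs")]


if __name__ == "__main__":
    print(audit_firewall(SAMPLE_RULES))
    print(subnets_without_flow_logs(SAMPLE_SUBNETS))
```

Note that `allow-app-range` is flagged for RDP even though nobody wrote 3389 into it, and that the disabled rule is skipped; if you would rather treat disabled rules as latent exposure, drop the `disabled` test. Rules that use `sourceTags` or `sourceServiceAccounts` instead of `sourceRanges` are not internet-facing and fall through the second `continue`.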
Cloud Storage
One of the most used services after Compute Engine is Cloud Storage, whose buckets often hold sensitive data. More often than not the principle of least privilege is not applied, and either “allAuthenticatedUsers” (any Google account, not only accounts in the organization) or “allUsers” (anyone on the internet) has access to a bucket. In addition, access and administrative change logs play a big role in a successful security incident investigation.
The CIS Benchmark has the following recommendations for Cloud Storage Bucket:
- Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible
- Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled
- Ensure That Cloud Audit Logging Is Configured Properly Across All Services and All Users From a Project
The CIS Benchmark splits the recommendation into three items here, but together they cover the same ground as the corresponding best practices.
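The bucket checks are short enough to show in full. The Python below is an added example (not from the post or from CIS) that flags public principals and disabled uniform bucket-level access. Each constructed record merges the `iamConfiguration` field from `gcloud storage buckets describe --format=json` with the bucket's policy from `gcloud storage buckets get-iam-policy` under a made-up `iam` key; bucket and account names are invented.

```python
"""Check Cloud Storage buckets for public principals and for uniform bucket-level
access. The sample is constructed: each record merges the `iamConfiguration` field
from `gcloud storage buckets describe --format=json` with the bucket's IAM policy
from `gcloud storage buckets get-iam-policy` under a made-up "iam" key."""
import json

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

SAMPLE_BUCKETS = json.loads("""
[
  {"name": "public-assets",
   "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": true}},
   "iam": {"bindings": [
     {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
     {"role": "roles/storage.admin", "members": ["user:alice@example.com"]}]}},
  {"name": "customer-exports",
   "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": false}},
   "iam": {"bindings": [
     {"role": "roles/storage.objectViewer", "members": ["allAuthenticatedUsers"]}]}},
  {"name": "private-backups",
   "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": true}},
   "iam": {"bindings": [
     {"role": "roles/storage.objectAdmin",
      "members": ["serviceAccount:backup@example-project.iam.gserviceaccount.com"]}]}}
]
""")


def uniform_access_enabled(bucket):
    cfg = bucket.get("iamConfiguration", {}).get("uniformBucketLevelAccess", {})
    return bool(cfg.get("enabled"))


def public_bindings(bucket):
    """(role, principal) pairs granted to allUsers or allAuthenticatedUsers.
    allAuthenticatedUsers means any Google account on the internet, not only
    accounts in your organization, so it is treated as public."""
    return [(b["role"], m)
            for b in bucket.get("iam", {}).get("bindings", [])
            for m in b.get("members", []) if m in PUBLIC_PRINCIPALS]


def audit_buckets(buckets):
    findings = []
    for bucket in buckets:
        if not uniform_access_enabled(bucket):
            findings.append((bucket["name"], "uniform-bucket-level-access-disabled"))
        for role, principal in public_bindings(bucket):
            findings.append((bucket["name"], f"public:{principal}:{role}"))
    return findings


if __name__ == "__main__":
    for finding in audit_buckets(SAMPLE_BUCKETS):
        print(*finding)
```

The caveat that matters in practice: when uniform bucket-level access is disabled, as on `customer-exports`, legacy object ACLs can grant public READ on individual objects without any trace in the bucket IAM policy, so a clean policy is not proof that nothing is public. That is exactly why the benchmark pairs the public-access check with the uniform bucket-level access check.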
Compute Engine
The most used service is Compute Engine, which hosts application configurations and customer data. One might expect it to receive the most security attention, but we still identify instances without disk snapshots, which would enable data recovery if an application or virtual machine crash corrupted data.
The CIS Benchmark has the following recommendations for Compute Engine:
- Ensure That Instances Are Not Configured To Use the Default Service Account
- Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs
- Ensure “Block Project-Wide SSH Keys” Is Enabled for VM Instances
- Ensure Oslogin Is Enabled for a Project
- Ensure ‘Enable Connecting to Serial Ports’ Is Not Enabled for VM Instance
- Ensure That IP Forwarding Is Not Enabled on Instances
- Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK)
- Ensure Compute Instances Are Launched With Shielded VM Enabled
- Ensure That Compute Instances Do Not Have Public IP Addresses
- Ensure That App Engine Applications Enforce HTTPS Connections
- Ensure That Compute Instances Have Confidential Computing Enabled
- Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects
Here the CIS Benchmark focuses on the hardening side of instance security: built-in platform security features, limiting access to the virtual machines and securing the communication channels. Interestingly, enabling backups or snapshots is not among the recommendations. This may well appear in a future release, as the benchmark is constantly revised.
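Several of the Compute Engine items above can be checked from one instance listing. The Python below is an added example (not from the post or from CIS) that audits constructed records shaped like `gcloud compute instances list --format=json` for the default service account and its full-API scope, project-wide SSH keys, serial port access, IP forwarding, incomplete Shielded VM settings and public IPs. The project number, instance names and addresses are invented.

```python
"""Audit Compute Engine instances against the CIS hardening items listed above.
The instance records are constructed to follow the shape of
`gcloud compute instances list --format=json`; project number, names and addresses
are made up."""
import json

PROJECT_NUMBER = "123456789012"  # assumed project number of the sample project
DEFAULT_SA = f"{PROJECT_NUMBER}-compute@developer.gserviceaccount.com"
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

SAMPLE_INSTANCES = json.loads("""
[
  {"name": "web-1", "canIpForward": false,
   "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                        "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}],
   "metadata": {"items": []},
   "shieldedInstanceConfig": {"enableSecureBoot": true, "enableVtpm": true,
                              "enableIntegrityMonitoring": true},
   "networkInterfaces": [{"networkIP": "10.0.0.2",
                          "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.10"}]}]},
  {"name": "app-2", "canIpForward": false,
   "serviceAccounts": [{"email": "app-2@example-project.iam.gserviceaccount.com",
                        "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}],
   "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "TRUE"},
                          {"key": "serial-port-enable", "value": "0"}]},
   "shieldedInstanceConfig": {"enableSecureBoot": true, "enableVtpm": true,
                              "enableIntegrityMonitoring": true},
   "networkInterfaces": [{"networkIP": "10.0.0.3"}]},
  {"name": "nat-3", "canIpForward": true,
   "serviceAccounts": [{"email": "nat-3@example-project.iam.gserviceaccount.com",
                        "scopes": ["https://www.googleapis.com/auth/logging.write"]}],
   "metadata": {"items": [{"key": "serial-port-enable", "value": "1"}]},
   "shieldedInstanceConfig": {"enableSecureBoot": false, "enableVtpm": true,
                              "enableIntegrityMonitoring": true},
   "networkInterfaces": [{"networkIP": "10.0.0.4"}]}
]
""")


def metadata_flag(instance, key):
    """Instance metadata values are strings; GCE accepts TRUE/true/1 for booleans."""
    for item in instance.get("metadata", {}).get("items", []) or []:
        if item.get("key") == key:
            return str(item.get("value", "")).strip().lower() in ("true", "1")
    return False


def audit_instance(inst):
    """Return the list of CIS-style findings for one instance record."""
    findings = []
    for sa in inst.get("serviceAccounts", []):
        if sa.get("email") == DEFAULT_SA:
            findings.append("default-service-account")
            if CLOUD_PLATFORM_SCOPE in sa.get("scopes", []):
                findings.append("default-sa-full-api-access")
    if not metadata_flag(inst, "block-project-ssh-keys"):
        findings.append("project-wide-ssh-keys-allowed")
    if metadata_flag(inst, "serial-port-enable"):
        findings.append("serial-port-enabled")
    if inst.get("canIpForward"):
        findings.append("ip-forwarding-enabled")
    shielded = inst.get("shieldedInstanceConfig", {})
    if not all(shielded.get(k) for k in
               ("enableSecureBoot", "enableVtpm", "enableIntegrityMonitoring")):
        findings.append("shielded-vm-incomplete")
    for nic in inst.get("networkInterfaces", []):
        if any(cfg.get("natIP") for cfg in nic.get("accessConfigs", [])):
            findings.append("public-ip")
    return findings


def audit_instances(instances):
    return {inst["name"]: audit_instance(inst) for inst in instances}


if __name__ == "__main__":
    for name, findings in audit_instances(SAMPLE_INSTANCES).items():
        print(name, findings or "ok")
```

Two things to keep in mind when reading the output. The `nat-3` IP-forwarding finding may be a legitimate exception if the instance really is a NAT gateway or router, which is why the benchmark expects such cases to be documented rather than silently accepted. And the OS Login recommendation is a project metadata setting (`enable-oslogin`), so it is not covered by this per-instance pass; when OS Login is enabled, metadata-based SSH keys are ignored anyway.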
Cloud SQL
Another service that many companies rely on is relational databases. Unfortunately, Cloud SQL instances are often identified without any way of recovering lost data and are therefore exposed to the risk of data loss.
The CIS Benchmark has the following recommendations for Cloud SQL:
- Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL
- Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses
- Ensure That Cloud SQL Database Instances Do Not Have Public IPs
- Ensure That Cloud SQL Database Instances Are Configured With Automated Backups
- Ensure That Cloud Audit Logging Is Configured Properly Across All Services and All Users From a Project
In addition to the automated backup recommendation, the list includes security controls for network access and for securing the communication channel.
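The Cloud SQL items above all live in the instance's `settings` block, so they can be checked together. The Python below is an added example (not from the post or from CIS) run over constructed records shaped like `gcloud sql instances list --format=json`; instance names and networks are invented. It also accepts the newer `sslMode` field that recent API responses carry alongside or instead of `requireSsl`, which is an assumption about your output format to verify.

```python
"""Audit Cloud SQL instance settings for the CIS items listed above. The records
are constructed to follow `gcloud sql instances list --format=json`."""
import json

ANY_ADDRESS = {"0.0.0.0/0", "::/0"}
# Newer API responses carry sslMode next to (or instead of) requireSsl; these two
# values are the ones that reject plaintext connections. Assumption: verify
# against the field names in your own output.
SSL_MODES_OK = {"ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"}

SAMPLE_SQL = json.loads("""
[
  {"name": "prod-pg", "databaseVersion": "POSTGRES_14", "settings": {
     "ipConfiguration": {"ipv4Enabled": true, "requireSsl": false,
        "authorizedNetworks": [{"name": "everyone", "value": "0.0.0.0/0"}]},
     "backupConfiguration": {"enabled": false}}},
  {"name": "analytics-mysql", "databaseVersion": "MYSQL_8_0", "settings": {
     "ipConfiguration": {"ipv4Enabled": false, "requireSsl": true,
        "privateNetwork": "projects/example-project/global/networks/vpc"},
     "backupConfiguration": {"enabled": true, "startTime": "02:00"}}},
  {"name": "legacy-mysql", "databaseVersion": "MYSQL_5_7", "settings": {
     "ipConfiguration": {"ipv4Enabled": true, "sslMode": "ALLOW_UNENCRYPTED_AND_ENCRYPTED",
        "authorizedNetworks": [{"name": "office", "value": "203.0.113.0/24"}]},
     "backupConfiguration": {"enabled": true}}}
]
""")


def requires_ssl(ip_config):
    """True if the instance rejects unencrypted connections under either field."""
    return bool(ip_config.get("requireSsl")) or ip_config.get("sslMode") in SSL_MODES_OK


def audit_sql(instances):
    """Return (instance, finding) pairs for public IP, optional SSL, world-open
    authorized networks and disabled automated backups."""
    findings = []
    for inst in instances:
        name = inst["name"]
        settings = inst.get("settings", {})
        ip = settings.get("ipConfiguration", {})
        if ip.get("ipv4Enabled"):
            findings.append((name, "public-ip"))
        if not requires_ssl(ip):
            findings.append((name, "ssl-not-required"))
        for net in ip.get("authorizedNetworks", []):
            if net.get("value") in ANY_ADDRESS:
                findings.append((name, "authorized-network-any:" + net.get("name", "")))
        if not settings.get("backupConfiguration", {}).get("enabled"):
            findings.append((name, "automated-backups-disabled"))
    return findings


if __name__ == "__main__":
    for finding in audit_sql(SAMPLE_SQL):
        print(*finding)
```

`analytics-mysql` passes because it only has a private IP, enforces SSL and has backups enabled; `prod-pg` is the worst case, with every control failing at once, and `legacy-mysql` shows that a restricted authorized network does not help if the instance still accepts plaintext connections.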
Logging and Monitoring
In general, enabling audit logging provides exceptional value during a security incident investigation and allows alerts to be created that can be the first signal of an ongoing attack. Such alerts notify cloud administrators and security staff of administrative changes across multiple services.
The CIS Benchmark has the following recommendations for Logging and Monitoring:
- Ensure That Cloud Audit Logging Is Configured Properly Across All Services and All Users From a Project
- Ensure That Sinks Are Configured for All Log Entries
- Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes
- Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes
- Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes
- Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes
- Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes
- Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes
- Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes
- Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes
- Ensure That Cloud DNS Logging Is Enabled for All VPC Networks
Here the CIS Benchmark emphasizes log metric filters with alerts on permission, modification and configuration changes to specific services, in addition to general audit logging across all services.
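To make the log metric recommendations concrete, the Python below is an added example (not from the post or from CIS) of the matching logic behind several of those alerts, run over constructed Cloud Audit Log entries in the LogEntry shape that `gcloud logging read --format=json` returns. The actors, project and resource names are invented, and the `CHANGE_METHODS` table is this example's own mapping from resource type and method name to alert, written with the CIS filters in mind rather than copied from them.

```python
"""Detection logic for several of the CIS log-metric alerts above, run over
constructed Cloud Audit Log entries. The entries are hand-written in the LogEntry
shape that `gcloud logging read --format=json` returns; actors, projects and
resources are made up."""
import json

SAMPLE_ENTRIES = json.loads("""
[
  {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
   "resource": {"type": "project"},
   "protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com",
     "methodName": "SetIamPolicy", "resourceName": "projects/example-project",
     "authenticationInfo": {"principalEmail": "mallory@example.com"},
     "serviceData": {"policyDelta": {"bindingDeltas": [
        {"action": "ADD", "role": "roles/owner", "member": "user:mallory@example.com"}]}}}},
  {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
   "resource": {"type": "project"},
   "protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com",
     "methodName": "SetIamPolicy", "resourceName": "projects/example-project",
     "authenticationInfo": {"principalEmail": "alice@example.com"},
     "serviceData": {"policyDelta": {"bindingDeltas": [
        {"action": "ADD", "role": "roles/viewer", "member": "group:auditors@example.com"}]}}}},
  {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
   "resource": {"type": "project"},
   "protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com",
     "methodName": "SetIamPolicy", "resourceName": "projects/example-project",
     "authenticationInfo": {"principalEmail": "mallory@example.com"},
     "serviceData": {"policyDelta": {"auditConfigDeltas": [
        {"action": "REMOVE", "service": "allServices", "logType": "DATA_READ"}]}}}},
  {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
   "resource": {"type": "gce_firewall_rule"},
   "protoPayload": {"serviceName": "compute.googleapis.com",
     "methodName": "v1.compute.firewalls.patch",
     "authenticationInfo": {"principalEmail": "mallory@example.com"},
     "resourceName": "projects/example-project/global/firewalls/allow-ssh"}},
  {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
   "resource": {"type": "gcs_bucket"},
   "protoPayload": {"serviceName": "storage.googleapis.com",
     "methodName": "storage.setIamPermissions",
     "authenticationInfo": {"principalEmail": "bob@example.com"},
     "resourceName": "projects/_/buckets/customer-exports"}}
]
""")

# (resource.type, substring of methodName) -> alert. This mapping is the example's
# own assumption, modelled on the CIS filters; check it against your log samples.
CHANGE_METHODS = {
    ("gce_firewall_rule", "compute.firewalls."): "firewall-rule-change",
    ("gce_route", "compute.routes."): "route-change",
    ("gce_network", "compute.networks."): "network-change",
    ("gcs_bucket", "storage.setIamPermissions"): "storage-iam-change",
    ("cloudsql_database", "cloudsql.instances.update"): "sql-config-change",
    ("iam_role", "google.iam.admin.v1."): "custom-role-change",
}


def detect(entry):
    """Return the list of alert names a single audit log entry should raise."""
    alerts = []
    pp = entry.get("protoPayload", {})
    method = pp.get("methodName", "")
    rtype = entry.get("resource", {}).get("type", "")
    delta = pp.get("serviceData", {}).get("policyDelta", {})

    if pp.get("serviceName") == "cloudresourcemanager.googleapis.com" and method == "SetIamPolicy":
        # Project ownership changes: any ADD or REMOVE of roles/owner.
        for bd in delta.get("bindingDeltas", []):
            if bd.get("role") == "roles/owner" and bd.get("action") in ("ADD", "REMOVE"):
                alerts.append("project-owner-change")
        # Audit configuration changes show up as auditConfigDeltas on SetIamPolicy.
        if delta.get("auditConfigDeltas"):
            alerts.append("audit-config-change")

    for (res_type, needle), alert in CHANGE_METHODS.items():
        if rtype == res_type and needle in method:
            alerts.append(alert)
    return alerts


def scan(entries):
    """(alert, actor, resource) triples across a batch of entries."""
    hits = []
    for entry in entries:
        pp = entry.get("protoPayload", {})
        actor = pp.get("authenticationInfo", {}).get("principalEmail", "unknown")
        target = pp.get("resourceName", entry.get("resource", {}).get("type", ""))
        for alert in detect(entry):
            hits.append((alert, actor, target))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_ENTRIES):
        print(*hit)
```

The grant of `roles/viewer` by Alice correctly raises nothing, while Mallory's self-grant of Owner and her removal of `DATA_READ` logging for `allServices` each raise an alert; the latter is the one to treat as highest priority, because it is what an attacker does before the actions you would otherwise see. In production this logic is expressed as a logs-based metric with an alerting policy rather than a script, and the benchmark's ownership filter additionally matches project owner invitations, which this example does not model.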
Conclusion
In conclusion, the new CIS Google Cloud Platform Foundation Benchmark offers powerful best practices that companies can introduce to improve the baseline security of their GCP deployments, and these best practices help mitigate many of the most common security issues we find in real-world environments during security testing. As we have seen before with the CIS Microsoft 365 Foundation Benchmark, these benchmarks offer plenty of recommendations that a company can start with to prevent the most common mistakes and misconfigurations before moving on to more advanced security controls and defenses in the cloud environment.
References
[1] CIS Google Cloud Platform Foundation Benchmark: https://www.cisecurity.org/benchmark/google_cloud_computing_platform
[2] Securing Google Cloud Platform – Ten best practices: https://research.nccgroup.com/2018/10/12/securing-google-cloud-platform-ten-best-practices/
[3] Shaking The Foundation of An Online Collaboration Tool: Microsoft 365 Top 5 Attacks vs the CIS Microsoft 365 Foundation Benchmark: https://research.nccgroup.com/2022/02/18/shaking-the-foundation-of-an-online-collaboration-tool-microsoft-365-top-5-attacks-vs-the-cis-microsoft-365-foundation-benchmark/