Best practices for securing GCP Projects

From PUBLIC-WIKI

Configure MFA (Multi-Factor Authentication) for any account with owner privileges

In order to avoid potential compromise of credentials, it is recommended to configure multi-factor authentication for any account with project owner privileges.

  • Install Google Authenticator, as instructed on:
https://support.google.com/accounts/answer/1066447
https://apps.apple.com/us/app/google-authenticator/id388497605
  • Login to the Google Account console:
https://myaccount.google.com/
  • From the left pane, click on Security
  • Under "Signing in to Google", click on 2-Step Verification
  • Click on "Get started"
  • Enter your Google G Suite or Gmail password
  • Under "Authenticator app", click on Set Up
  • Choose which phone you have and click Next
  • From your mobile device, click Scan a barcode
  • Scan the barcode
  • Click Next
  • Enter the code shown on the Google Authenticator app on your phone
  • Click Verify
  • Click Done

Limit number of inbound ports

Allowing a large number of inbound ports to reach GCP resources increases the chance of a network breach. Limit inbound ports to those that are required, and restrict them to specific resources or specific subnets.

  • Login to the Firewall rules page:
https://console.cloud.google.com/networking/firewalls/list
  • From the upper pane, select an existing GCP Project
  • Review the list of existing Firewall rules, specifically rules with the filter "IP ranges: 0.0.0.0/0"
Note: It is highly recommended that inbound access on SSH (TCP port 22) or RDP (TCP port 3389) be limited to a specific IP address or IP range from a known source location.
  • Update Firewall rules as needed.
  • Log off the GCP Management console.
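The review step above can be done from an export rather than by scrolling the console. The following is an added example, not part of this wiki page or of any Google tooling: it reads firewall rules in the JSON shape produced by `gcloud compute firewall-rules list --format=json` (field names follow the Compute Engine firewall resource) and flags enabled ingress rules whose source is 0.0.0.0/0 or ::/0 when they expose SSH/RDP, a whole protocol, or an unusually wide port set. The rule names, ranges and tags in the sample are constructed, and the "more than 50 ports" threshold is an assumption of the example.

```python
import ipaddress
import json

# Constructed sample that mimics the shape of
#   gcloud compute firewall-rules list --format=json
# Field names follow the Compute Engine firewall resource; the rule names,
# ranges and tags are made up for this example.
SAMPLE_RULES_JSON = """
[
  {"name": "default-allow-ssh", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "office-rdp", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["203.0.113.0/24"], "targetTags": ["win-admin"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
  {"name": "wide-open", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "all"}]},
  {"name": "web-range", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "targetTags": ["web"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443", "8000-8100"]}]},
  {"name": "old-open-rdp", "direction": "INGRESS", "disabled": true,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
  {"name": "egress-all", "direction": "EGRESS", "disabled": false,
   "destinationRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "all"}]}
]
"""

# Administrative ports the page singles out for source restriction.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
# Assumed threshold above which an internet-facing rule counts as "too broad".
BROAD_PORT_COUNT = 50


def is_public_range(cidr):
    """True when a source range covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def expand_ports(allowed_entry):
    """Set of ports an 'allowed' entry opens; None means no port restriction."""
    proto = allowed_entry.get("IPProtocol", "").lower()
    ports = allowed_entry.get("ports")
    if proto == "all" or not ports:
        return None  # no port list means the whole protocol is open
    result = set()
    for spec in ports:
        if "-" in spec:
            low, high = spec.split("-", 1)
            result.update(range(int(low), int(high) + 1))
        else:
            result.add(int(spec))
    return result


def audit_firewall_rules(rules_json):
    """Return (rule name, severity, description) for risky internet-facing rules."""
    findings = []
    for rule in json.loads(rules_json):
        # Only enabled ingress rules with a 0.0.0.0/0 (or ::/0) source matter here.
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if not any(is_public_range(r) for r in rule.get("sourceRanges", [])):
            continue
        # A rule without target tags or service accounts applies to every instance.
        targeted = rule.get("targetTags") or rule.get("targetServiceAccounts")
        scope = "tagged instances" if targeted else "all instances in network"
        for entry in rule.get("allowed", []):
            proto = entry.get("IPProtocol", "").lower()
            ports = expand_ports(entry)
            if ports is None:
                what = "all protocols and ports" if proto == "all" else f"{proto} without port restriction"
                findings.append((rule["name"], "HIGH", f"{what} open to the internet ({scope})"))
                continue
            exposed = sorted(p for p in ports if p in ADMIN_PORTS)
            if exposed:
                names = ", ".join(f"{ADMIN_PORTS[p]}/{p}" for p in exposed)
                findings.append((rule["name"], "HIGH", f"{names} open to the internet ({scope})"))
            elif len(ports) > BROAD_PORT_COUNT:
                findings.append((rule["name"], "MEDIUM",
                                 f"{len(ports)} {proto} ports open to the internet ({scope})"))
    return findings


if __name__ == "__main__":
    for name, severity, detail in audit_firewall_rules(SAMPLE_RULES_JSON):
        print(f"{severity:6} {name}: {detail}")
```

On the sample, the disabled rule, the egress rule and the rule restricted to 203.0.113.0/24 are skipped; the SSH rule and the all-protocol rule are reported as HIGH, and the 103-port web rule as MEDIUM. Replace `SAMPLE_RULES_JSON` with the real export to review a project.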

Google Cloud Storage permissions

Allowing public access to Google Cloud Storage buckets increases the chance of a data breach. Make sure no Google Cloud Storage bucket is publicly accessible.

  • Open the Cloud Storage browser:
https://console.cloud.google.com/storage/browser
  • From the upper pane, select an existing GCP Project
  • Review the list of existing Cloud Storage buckets
  • Check the "Public access" field of each bucket, and make sure no bucket is configured as "Public to internet"
  • Configure buckets as needed.
  • Log off GCP Management console.
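The "Public to internet" label in the console reflects IAM bindings for the principals `allUsers` and `allAuthenticatedUsers`. As an added example (not from this wiki page or from Google), the script below checks bucket IAM policies in the JSON shape returned by `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` for those two principals and prints the `gcloud storage buckets remove-iam-policy-binding` command that would remove each offending binding. The bucket names and principals in the sample are constructed.

```python
import json

# Principals that make a bucket "Public to internet" in the Cloud Console.
PUBLIC_PRINCIPALS = {
    "allUsers": "anyone on the internet, no sign-in required",
    "allAuthenticatedUsers": "anyone signed in to any Google account",
}

# Constructed sample: bucket name -> IAM policy in the shape returned by
#   gcloud storage buckets get-iam-policy gs://BUCKET --format=json
# Bucket names and principals are made up for this example.
SAMPLE_POLICIES_JSON = """
{
  "example-static-site": {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["group:web-admins@example.com"]}]},
  "example-backups": {"bindings": [
    {"role": "roles/storage.objectAdmin",
     "members": ["serviceAccount:backup@example-project.iam.gserviceaccount.com"]}]},
  "example-shared-reports": {"bindings": [
    {"role": "roles/storage.legacyBucketReader",
     "members": ["allAuthenticatedUsers", "user:alice@example.com"]}]},
  "example-empty": {"bindings": []}
}
"""


def public_grants(policy):
    """List (role, principal) pairs that expose the bucket beyond the project."""
    grants = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                grants.append((binding["role"], member))
    return grants


def audit_bucket_policies(policies_json):
    """Map each publicly exposed bucket to its offending (role, principal) pairs."""
    report = {}
    for bucket, policy in json.loads(policies_json).items():
        grants = public_grants(policy)
        if grants:
            report[bucket] = grants
    return report


def remediation_commands(report):
    """gcloud commands that would remove each public binding (review before running)."""
    commands = []
    for bucket, grants in sorted(report.items()):
        for role, member in grants:
            commands.append(
                f"gcloud storage buckets remove-iam-policy-binding gs://{bucket} "
                f"--member={member} --role={role}"
            )
    return commands


if __name__ == "__main__":
    report = audit_bucket_policies(SAMPLE_POLICIES_JSON)
    for bucket, grants in report.items():
        for role, member in grants:
            print(f"{bucket}: {role} granted to {member} ({PUBLIC_PRINCIPALS[member]})")
    print("\nSuggested remediation:")
    for cmd in remediation_commands(report):
        print("  " + cmd)
```

This checks bucket-level IAM only. On buckets that do not use uniform bucket-level access, legacy object ACLs can also grant public read, so the console's "Public access" column remains the authoritative view; the bucket setting "Public access prevention" blocks both paths at once and is worth enabling on any bucket that is never meant to be public.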