Best practices for securing GCP Projects: Difference between revisions
Latest revision as of 17:22, 13 April 2020
Configure MFA (Multi-Factor Authentication) for any account with owner privileges
A stolen or phished password alone should not be enough to take over a project. Configure multi-factor authentication (Google's 2-Step Verification) for every account that holds the Project Owner role.
- Install the Google Authenticator app on your phone, as instructed on:
- https://support.google.com/accounts/answer/1066447
- https://apps.apple.com/us/app/google-authenticator/id388497605
- Log in to the Google Account console:
- From the left pane, click on Security
- Under "Signing in to Google", click on 2-Step Verification
- Click on "Get started"
- Enter your Google G Suite or Gmail password
- Under "Authenticator app", click on Set Up
- Choose which phone you have and click Next
- On your mobile device, tap Scan a barcode
- Scan the barcode
- Click Next
- Enter the code shown on the Google Authenticator app on your phone
- Click Verify
- Click Done
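The steps above enroll one account; the prerequisite is knowing which accounts actually hold the Owner role. The script below is an added example, not part of the original page: it reads the JSON printed by `gcloud projects get-iam-policy PROJECT --format=json`, lists every principal bound to `roles/owner`, and says what the MFA recommendation means for each kind of principal (a human user can enroll in 2SV, a group must be expanded, a service account has no interactive login at all). The policy embedded in the script is constructed sample data with invented principals and project name; the `roles/owner` role name and the `user:`/`group:`/`serviceAccount:`/`deleted:` member prefixes are real Google Cloud IAM conventions.

```python
import json
import sys

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`.
# Principals and the project name are invented for this example.
SAMPLE_POLICY_JSON = r'''
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com",
                 "group:gcp-admins@example.com",
                 "serviceAccount:deployer@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["user:bob@example.com"]},
    {"role": "roles/owner",
     "members": ["user:carol@example.com", "deleted:user:dave@example.com?uid=123456789"],
     "condition": {"title": "temporary",
                   "expression": "request.time < timestamp('2020-12-31T00:00:00Z')"}}
  ],
  "etag": "BwWpQ7xAbCd=",
  "version": 3
}
'''

# Roles treated as "owner privileges". Only roles/owner is taken from the page;
# add custom or organization-level roles for your own environment.
OWNER_ROLES = {"roles/owner"}

# What the MFA recommendation means for each kind of principal.
GUIDANCE = {
    "user": "human account: must have 2-Step Verification enabled",
    "group": "group: expand its membership and check 2SV for every member",
    "domain": "whole domain is owner: enforce 2SV domain-wide and reconsider the grant",
    "serviceAccount": "service account: no interactive login; protect its keys instead",
    "deleted": "deleted principal still bound: remove the stale binding",
}


def owner_principals(policy_json):
    """Map each principal holding an owner role to its type, guidance and whether
    the binding is conditional (conditions still count: the grant is live until expiry)."""
    policy = json.loads(policy_json)
    result = {}
    for binding in policy.get("bindings", []):
        if binding.get("role") not in OWNER_ROLES:
            continue
        conditional = "condition" in binding
        for member in binding.get("members", []):
            kind = member.split(":", 1)[0]
            result[member] = {
                "type": kind,
                "guidance": GUIDANCE.get(kind, "unknown principal type: review manually"),
                "conditional": conditional,
            }
    return result


def human_owners(policy_json):
    """Just the accounts that can (and must) enroll in 2-Step Verification themselves."""
    return sorted(m for m, info in owner_principals(policy_json).items() if info["type"] == "user")


if __name__ == "__main__":
    # Usage: gcloud projects get-iam-policy PROJECT --format=json > policy.json
    #        python audit_owners.py policy.json        (no argument: runs on the sample)
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY_JSON
    for member, info in owner_principals(raw).items():
        flag = " (conditional binding)" if info["conditional"] else ""
        print(f"{member}{flag}: {info['guidance']}")
```

Two caveats: the project policy does not show Owner grants inherited from the folder or organization, so run the same check against `gcloud resource-manager folders get-iam-policy` and `gcloud organizations get-iam-policy` as well; and whether a user has actually enrolled in 2SV is visible only in the Google Workspace admin console, which can also enforce 2SV for the whole domain rather than relying on each owner to opt in.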
Limit the number of inbound ports
Every inbound port opened to the internet enlarges the attack surface of the project's VMs. Allow only the ports a workload actually needs, and restrict each firewall rule to specific target instances (for example by target tag) and to specific source IP ranges rather than the whole internet.
- Log in to the Firewall rules page: https://console.cloud.google.com/networking/firewalls/list
- From the upper pane, select an existing GCP Project
- Review the existing firewall rules, in particular ingress rules whose source filter is "IP ranges: 0.0.0.0/0" (any address on the internet)
- Note: Inbound access on SSH (TCP port 22) or RDP (TCP port 3389) should be limited to a specific IP address or IP range belonging to a known source location, never to 0.0.0.0/0.
- Update Firewall rules as needed.
- Log off the GCP Management console.
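Reviewing rules by hand in the console does not scale past a handful of projects. The script below is an added example, not part of the original page: it audits the JSON printed by `gcloud compute firewall-rules list --format=json`, keeps only enabled ingress rules whose source ranges include the whole internet (`0.0.0.0/0` or `::/0`), and rates them HIGH when SSH or RDP is reachable and MEDIUM otherwise. It handles the cases a naive string match misses: port ranges such as `20-25` that contain 22, entries with no `ports` key (all ports of that protocol), `IPProtocol: all`, and disabled or egress rules that should not be reported. The rules embedded in the script are constructed sample data; the field names (`direction`, `disabled`, `sourceRanges`, `targetTags`, `allowed`, `IPProtocol`, `ports`) are those of the Compute Engine firewall resource.

```python
import ipaddress
import json
import sys

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
# Field names follow the Compute Engine firewall resource; the rule contents are invented.
SAMPLE_RULES_JSON = r'''
[
  {"name": "default-allow-ssh", "direction": "INGRESS", "disabled": false, "priority": 65534,
   "network": "global/networks/default", "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-rdp-from-office", "direction": "INGRESS", "disabled": false, "priority": 1000,
   "network": "global/networks/default", "sourceRanges": ["203.0.113.0/24"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
  {"name": "allow-all-internal", "direction": "INGRESS", "disabled": false, "priority": 1000,
   "network": "global/networks/default", "sourceRanges": ["10.0.0.0/8"],
   "allowed": [{"IPProtocol": "all"}]},
  {"name": "allow-web-world", "direction": "INGRESS", "disabled": false, "priority": 1000,
   "network": "global/networks/default", "sourceRanges": ["0.0.0.0/0", "::/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
  {"name": "allow-range-world", "direction": "INGRESS", "disabled": false, "priority": 1000,
   "network": "global/networks/default", "sourceRanges": ["0.0.0.0/0"], "targetTags": ["bastion"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["20-25", "3000-4000"]}]},
  {"name": "old-allow-ssh-disabled", "direction": "INGRESS", "disabled": true, "priority": 1000,
   "network": "global/networks/default", "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-egress-all", "direction": "EGRESS", "disabled": false, "priority": 1000,
   "network": "global/networks/default", "destinationRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "all"}]}
]
'''

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def is_world_open(cidr):
    """True when a source range covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_admin_ports(allow):
    """Admin ports reachable through one 'allowed' entry. No 'ports' key means every
    port of that protocol; IPProtocol 'all' means every port of every protocol."""
    proto = str(allow.get("IPProtocol", "")).lower()
    if proto == "all":
        return set(ADMIN_PORTS)
    if proto not in ("tcp", "6"):   # SSH and RDP are TCP; udp/icmp entries do not expose them
        return set()
    if "ports" not in allow:
        return set(ADMIN_PORTS)
    hit = set()
    for spec in allow["ports"]:     # a single port "22" or a range "20-25"
        lo, _, hi = spec.partition("-")
        lo, hi = int(lo), int(hi or lo)
        hit.update(p for p in ADMIN_PORTS if lo <= p <= hi)
    return hit


def audit_firewall_rules(rules_json):
    """Findings as (rule name, severity, detail) for enabled INGRESS rules open to the world."""
    findings = []
    for rule in json.loads(rules_json):
        # direction defaults to INGRESS in the API when absent; egress and disabled rules are skipped
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if not any(is_world_open(r) for r in rule.get("sourceRanges", [])):
            continue
        exposed = set()
        for allow in rule.get("allowed", []):
            exposed |= exposed_admin_ports(allow)
        scope = ("targets " + ",".join(rule["targetTags"])) if rule.get("targetTags") \
            else "applies to every instance in the network"
        if exposed:
            names = ", ".join(f"{ADMIN_PORTS[p]}/{p}" for p in sorted(exposed))
            findings.append((rule["name"], "HIGH", f"{names} open to the internet; {scope}"))
        else:
            findings.append((rule["name"], "MEDIUM", f"ingress from the whole internet; {scope}"))
    return findings


if __name__ == "__main__":
    # Usage: gcloud compute firewall-rules list --format=json > rules.json
    #        python audit_firewall.py rules.json        (no argument: runs on the sample)
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES_JSON
    for name, severity, detail in audit_firewall_rules(raw):
        print(f"[{severity}] {name}: {detail}")
```

To fix a HIGH finding, narrow the source instead of deleting the rule outright, for example `gcloud compute firewall-rules update default-allow-ssh --source-ranges=203.0.113.0/24` with your own office or VPN range; if the only legitimate source is administrators, consider allowing SSH/RDP only from Identity-Aware Proxy's TCP-forwarding range (35.235.240.0/20) and removing the direct internet path entirely.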
Google Cloud Storage permissions
A publicly readable Cloud Storage bucket exposes everything in it to anyone on the internet, so an accidental public grant is a data breach waiting to be indexed. Make sure no Cloud Storage bucket in the project is publicly accessible.
- Open the Cloud Storage browser: https://console.cloud.google.com/storage/browser
- From the upper pane, select an existing GCP Project
- Review the list of existing Cloud storage buckets
- Check the "Public access" column for each bucket, and make sure no bucket shows "Public to internet"
- Configure buckets as needed.
- Log off GCP Management console.
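The "Public to internet" label in the console corresponds to an IAM binding that grants a role to the special principals `allUsers` (anyone) or `allAuthenticatedUsers` (anyone with any Google account, which is still the public). The script below is an added example, not part of the original page: it takes bucket IAM policies in the shape printed by `gsutil iam get gs://BUCKET`, reports every public grant with the role it gives away, and builds the matching `gsutil iam ch -d MEMBER:ROLE gs://BUCKET` command to remove it. The bucket names and policies embedded in the script are constructed sample data; `allUsers`, `allAuthenticatedUsers` and the `roles/storage.*` names are real.

```python
import json
import sys

# Principals that make a grant public. allAuthenticatedUsers is public too: any Google account qualifies.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample: bucket name -> IAM policy in the shape printed by `gsutil iam get gs://BUCKET`.
# Bucket names, bindings and etags are invented for this example.
SAMPLE_BUCKET_POLICIES_JSON = r'''
{
  "example-website-assets": {
    "bindings": [
      {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
      {"role": "roles/storage.admin", "members": ["user:alice@example.com"]}
    ],
    "etag": "CAE="
  },
  "example-backups": {
    "bindings": [
      {"role": "roles/storage.objectViewer", "members": ["allAuthenticatedUsers"]},
      {"role": "roles/storage.legacyBucketOwner", "members": ["projectOwner:example-project"]}
    ],
    "etag": "CAI="
  },
  "example-private": {
    "bindings": [
      {"role": "roles/storage.objectAdmin",
       "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]}
    ],
    "etag": "CAM="
  }
}
'''


def public_grants(policy):
    """Return [(role, principal)] for every binding that hands a role to the public.
    A conditional binding is reported as well: it is live until its condition stops matching."""
    grants = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                grants.append((binding["role"], member))
    return grants


def audit_buckets(policies_json):
    """bucket name -> list of public grants, for the buckets that have any."""
    policies = json.loads(policies_json)
    findings = {}
    for bucket, policy in policies.items():
        grants = public_grants(policy)
        if grants:
            findings[bucket] = grants
    return findings


def remediation(bucket, grants):
    """gsutil commands that remove each public grant: gsutil iam ch -d MEMBER:ROLE gs://BUCKET."""
    return [f"gsutil iam ch -d {member}:{role} gs://{bucket}" for role, member in grants]


if __name__ == "__main__":
    # Usage: build a {bucket: policy} JSON file from `gsutil iam get gs://BUCKET` for each bucket
    #        (`gsutil ls` lists them), then: python audit_buckets.py policies.json
    #        No argument: runs on the sample.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUCKET_POLICIES_JSON
    for bucket, grants in audit_buckets(raw).items():
        for role, member in grants:
            print(f"PUBLIC  gs://{bucket}: {member} has {role}")
        for cmd in remediation(bucket, grants):
            print(f"  fix: {cmd}")
```

One caveat: this checks IAM only. A bucket whose uniform bucket-level access is turned off can also be public through legacy bucket or object ACLs (`gsutil acl get`), which the console's "Public access" column accounts for but this script does not; enabling uniform bucket-level access on every bucket removes that second path and makes the IAM check sufficient.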