Google Cloud
January 23, 2018

How to Make Your Google Cloud Platform Project More Secure: IAM security

How to Make Your Google Cloud Platform Project More Secure: IAM security

Interview multiple candidates

Lorem ipsum dolor sit amet, consectetur adipiscing elit proin mi pellentesque  lorem turpis feugiat non sed sed sed aliquam lectus sodales gravida turpis maassa odio faucibus accumsan turpis nulla tellus purus ut   cursus lorem  in pellentesque risus turpis eget quam eu nunc sed diam.

Search for the right experience

Lorem ipsum dolor sit amet, consectetur adipiscing elit proin mi pellentesque  lorem turpis feugiat non sed sed sed aliquam lectus sodales gravida turpis maassa odio.

  1. Lorem ipsum dolor sit amet, consectetur adipiscing elit.
  2. Porttitor nibh est vulputate vitae sem vitae.
  3. Netus vestibulum dignissim scelerisque vitae.
  4. Amet tellus nisl risus lorem vulputate velit eget.

Ask for past work examples & results

Lorem ipsum dolor sit amet, consectetur adipiscing elit consectetur in proin mattis enim posuere maecenas non magna mauris, feugiat montes, porttitor eget nulla id id.

  • Lorem ipsum dolor sit amet, consectetur adipiscing elit.
  • Netus vestibulum dignissim scelerisque vitae.
  • Porttitor nibh est vulputate vitae sem vitae.
  • Amet tellus nisl risus lorem vulputate velit eget.
Vet candidates & ask for past references before hiring

Lorem ipsum dolor sit amet, consectetur adipiscing elit ut suspendisse convallis enim tincidunt nunc condimentum facilisi accumsan tempor donec dolor malesuada vestibulum in sed sed morbi accumsan tristique turpis vivamus non velit euismod.

“Lorem ipsum dolor sit amet, consectetur adipiscing elit nunc gravida purus urna, ipsum eu morbi in enim”
Once you hire them, give them access for all tools & resources for success

Lorem ipsum dolor sit amet, consectetur adipiscing elit ut suspendisse convallis enim tincidunt nunc condimentum facilisi accumsan tempor donec dolor malesuada vestibulum in sed sed morbi accumsan tristique turpis vivamus non velit euismod.

This is the second in a series of posts about Google Cloud Platform security. The first post deals with security in general and security design of the Google Cloud Platform. This post contains practical, actionable settings you can modify in the IAM to improve your project’s security. If you’re not able or don’t want to make every change, it’s still beneficial to implement a subset of them. They individually improve security. Read further and get to know more about necessary IAM security. Also, don’t miss the rest of this series:

Article III.: How to Make Your Google Cloud Platform Project More Secure: Built-In GCE Security

Article IV.: How to Make Your Google Cloud Platform Project More Secure: GCE Network Security

Article V.: How to Make Your Google Cloud Platform project more secure: GCE OS Security

Enforce Multi-factor Authentication (MFA)

Multi-factor Authentication is a method where in addition to using one piece of information to authenticate a user (e.g. a password), at least one additional source of proof is needed to ensure the right person is accessing a system.

On Google Cloud Platform, users authenticate themselves using Google Accounts. These are individual email addresses registered as a Google Account or (more commonly) accounts of a Google Suite Domain. On the Google Cloud Platform side, you cannot enforce Google Accounts having access to your project to have MFA enabled. But if you only grant access to users from your Google Suite Domain, then the Administrator can set up MFA on it so that it forces everyone to use it. What if you need to give access to people without accounts in your Google Suite Domain? You can create accounts for them in your Google Suite Domain for the sole purpose of accessing your project. This way you can enforce settings on their accounts.

If you combine both these rules, then you can be certain that every user who has access to the Google Cloud Platform project needs to validate themselves using MFA. This makes it much harder to compromise your project, even if the password for an email address leaks from another source.

Here you can find the information about how to enforce MFA (for Google Suite Domains, MFA uses 2 factors) authentication for Google Suite Domains.

Set-up password policy for users

The password policy settings are technically not inside the Google Cloud Platform. They are at the discretion of the Google Suite Domain Administrator. If you only allow users from your domain and the domain is set up with the right password policy, these two things combined will result in the password policy being enforced on all of your GCP users. Here you can find more information about how to set up password requirements for your Google Suite Domain.

Give the necessary but the least possible privileges for IAM security

It is good practice in general to only give the minimum necessary privileges to all of your users. If all of the previously discussed account protection methods fail, your attackers will still have fewer services to break into or steal information from. The actual implementation of this principle will vary based on your usage patterns. For example, don’t grant your database administrators performing only Google Cloud SQL administration tasks a Project Editor role. Give them a Cloud SQL Admin role instead.

Double check the Google Compute Engine related roles

Most of the roles in IAM are easy to understand. They even have descriptions to help decide which one you want to use for a specific scenario. There are some notable exceptions though, where it is quite hard to decide which role is enough for a specific operation. For example, Google Compute Engine (GCE) related roles are a bit convoluted, especially since new rules have been introduced which are in the beta stage now.

The most important thing to note is that a lot of GCE-related roles grant you SSH access to the instances themselves. If the instance is running Linux, GCE creates the account in a way that allows you to sudo to become root. If you don’t want this “side effect” when you assign GCE-related roles, consult the documentation for details.

Set up Quotas

Default quotas are set for every newly created project on Google Cloud Platform. This is a last-resort security control to avoid unexpected runaway spending. For example, a faulty script creating resources in a recursive manner will only be able to create them up to the quota limits. It can also protect against a compromised account creating a lot of new resources for the attacker’s purposes.

You can change the quotas on the Quotas page, but it requires the serviceusage.quotas.update permission. This permission is only included in the following predefined roles: Owner, Editor, and Quota Administrator. So, if a compromised account or faulty script does not have this permission, the spending can only increase up to the quota limits.

Check and rotate Service Account keys

There is another type of account on Google Cloud Platform besides the user accounts: Service Accounts.

Service accounts are meant for programmatic use cases. You can’t use them to access the Google Cloud Console as they are only valid for Google Cloud API access. The most frequent use case is to run applications or instances inheriting the rights of a specific service account. This way, they can access other cloud services without extra authentication. You can read in detail about how to use service accounts in combination with GCE in the third post of the series.

Service accounts use keys for authentication. One service account can have multiple keys associated with it. It is a good practice to regularly rotate the keys of the service account. You can achieve this by creating a new key for the service account. Then, you have to overwrite the current key with the new one everywhere it was saved. Lastly, you need to delete the old key associated with the service account. This way, the attacker will only have a limited time window to use the key. Even if an application where the key was stored is compromised without your knowledge.

Further reading about IAM security

You can find some additional information on the Google Cloud Platform documentation about IAM security on this page.

If your organization is a big enterprise, you should check out the security guidelines written especially for bigger customers here.

How to Make Your Google Cloud Platform Project More Secure: IAM security

Csaba Kassai

CTO APAC

Related articles

Browse all articles
Google Cloud

How to make your Google Cloud Platform Project More Secure: An introduction

Google Cloud Platform (GCP) has many security features built in and provided by default to its users. You can read more about them here.
Read article
Google Cloud

How to Make Your Google Cloud Platform Project More Secure: GCE Network Security

In this article we will go through several network-level protection tools available to achieve GCE Network security.
Read article

Related articles

Browse all articles
Community

Alizer Stories: Why I still love working at Aliz after 10 years

In Hungary we don’t say, “Seriously, 10 years?,” we say, “That's a lot, even for dumplings,” let alone years you spend in a company.
Read article
Community

Aliz supports the further training of IT teachers

From September 2022, Aliz will provide significant financial and professional support to the IT Teacher Mentor Program (InfoTanár Mentor Program), the most significant NGO initiative in the field of IT teacher training in Hungary.
Read article

New opportunities with cloud solutions!

Aliz is a proud Google Cloud Partner with specializations in Infrastructure, Data Analytics, Cloud Migration and Machine Learning. We deliver data analytics, machine learning, and infrastructure solutions, off the shelf, or custom-built on GCP using an agile, holistic approach.

Solutions

Products

Out of the Box Solutions

Get To Know Us

InfrastructureBlueprint ManagementReplenishement ToolAbout usMachine LearningBlueprint RepositoryManufacturing OptimizationCareerDataMLOps built for GCPDemand ForecastingPrivacy PolicyApplication Development
© Copyright 2023 Aliz Tech Kft.