
Recently, a GCP IAM key was exposed, and a miner was installed.

In the case of AWS, 2FA can be required when accessing with an access key, or access can be restricted to a specific IP.

If there had been such a setting, the incident would not have occurred immediately even if the key had been exposed.

I searched for ACL and 2FA settings in GCP, but there is no key-level setting; only the instance access setting could be found.

Is it possible to set up 2FA and an IP ACL for GCP Web Console access and for access with an IAM key?

In addition, an IP-based ACL is required for BigQuery, but it is impossible to apply an ACL to BigQuery access when contacting other teams, and it is only controlled by IAM.

If an IAM key is exposed through user error, is there any way GCP can prevent this?

김남진

2 Answers

You can enforce 2FA and IP control on IAM (with IAM conditions and context-aware access).

Google helps you as it can:

  • Support contacts you in case of abnormal activity, such as a miner installed on your VM and thus suspicious network activity
  • Public repositories, such as GitHub, are periodically scanned by Google, and if a service account key file is found, you are notified
  • The platform proposes solutions to mitigate the risk:
    • Context-aware access
    • IAM conditions
    • Organization policy to disable the capacity to generate service account key files. Only a small group of users is able to generate them, after validation of the user's request. The target is to limit the number of keys and to generate them only when the use case requires them
    • SCC (Security Command Center) findings can raise primitive roles on service accounts: too many roles, use predefined roles instead
    • IAM recommender, which proposes to reduce the permission scope based on the last 90 days of activity

So, a set of tools to be proactive and reactive to events.

guillaume blaquiere

  • Thank you. I thought there would be basic security functions like an IP ACL unconditionally, but even when I searched, only 2FA settings for VM instances were listed, so I was worried. I understand that access control to the GCP infrastructure can be performed using this function. – 김남진 Jan 14 '21 at 04:37

You can set up 2-step verification (2SV), which is triggered when trying to access GCP VM instances.

Follow this guide to set up 2SV on your instance.

Also, VPC Service Controls can add an additional security layer for managed services like BigQuery.

You can block specific IP addresses via this service.

This article will help you a lot in using VPC Service Controls.

SeungwooLee
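The controls named in both answers (the organization policy that stops service account key creation, an IP-based access level from context-aware access, and a VPC Service Controls perimeter around BigQuery), written out as gcloud configuration. This is an added example, not code from either answer; the organization id, access policy id, project number and CIDR are placeholders, and the level and perimeter names are assumptions.

```shell
#!/bin/sh
# Added example: the answers' controls as gcloud config. (1) org policy that
# blocks service-account key creation, (2) access level admitting only the
# corporate egress range, (3) VPC Service Controls perimeter around BigQuery
# whose ingress rule accepts only that level. IDs and CIDR are placeholders.
# Commands are only printed unless APPLY=1, so they can be reviewed first.
set -eu
ORG_ID="${ORG_ID:-123456789012}"                 # placeholder org id
POLICY_ID="${POLICY_ID:-987654321}"              # placeholder access policy id
PROJECT_NUMBER="${PROJECT_NUMBER:-111111111111}" # placeholder project number
CORP_CIDR="${CORP_CIDR:-203.0.113.0/24}"         # placeholder range (RFC 5737)
WORKDIR="${WORKDIR:-$(mktemp -d)}"
# Access level spec: a request passes only if its source IP is in CORP_CIDR.
write_access_level_spec() {
  cat > "$WORKDIR/corp-ip.yaml" <<EOF
- ipSubnetworks:
  - $CORP_CIDR
EOF
  printf '%s\n' "$WORKDIR/corp-ip.yaml"
}
# Ingress rule: any identity may call BigQuery inside the perimeter, but only
# from the corp_ip level, so a leaked key used elsewhere is refused by VPC SC.
write_ingress_policy() {
  cat > "$WORKDIR/ingress.yaml" <<EOF
- ingressFrom:
    identityType: ANY_IDENTITY
    sources:
    - accessLevel: accessPolicies/$POLICY_ID/accessLevels/corp_ip
  ingressTo:
    resources:
    - "*"
    operations:
    - serviceName: bigquery.googleapis.com
      methodSelectors:
      - method: "*"
EOF
  printf '%s\n' "$WORKDIR/ingress.yaml"
}
# The gcloud calls, one per line, in the order they must run.
plan() {
  spec=$(write_access_level_spec); ingress=$(write_ingress_policy)
  cat <<EOF
gcloud resource-manager org-policies enable-enforce constraints/iam.disableServiceAccountKeyCreation --organization=$ORG_ID
gcloud access-context-manager levels create corp_ip --title="Corporate egress" --basic-level-spec=$spec --policy=$POLICY_ID
gcloud access-context-manager perimeters create bq_perimeter --title="BigQuery perimeter" --resources=projects/$PROJECT_NUMBER --restricted-services=bigquery.googleapis.com --policy=$POLICY_ID
gcloud access-context-manager perimeters update bq_perimeter --set-ingress-policies=$ingress --policy=$POLICY_ID
EOF
}
if [ "${APPLY:-0}" = 1 ]; then plan | sh -e; else plan; fi
```

The key-creation constraint does nothing for keys that already exist, so pair it with an inventory and rotation of current service account keys.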