GCP Hardening
Cloud Fast, Cloud Tight
Cloud environments change rapidly. That's why security here must be standard and automated.
For GCP Hardening, automation is leading: guardrails in code, least privilege, and continuous drift control.
This way you maintain speed in the cloud, without security depending on manual luck.
Immediate measures (15 minutes)
Why this matters
The core of GCP Hardening is risk reduction in practice. Technical context supports the choice of measures, but implementation and assurance are central.
Defense measures
Organization Policies
Organization Policies are restrictions enforced at the organization level. They override IAM: even if an IAM policy allows something, an Organization Policy can block it.
| Policy | Description | Which attack it mitigates |
|---|---|---|
constraints/iam.disableServiceAccountKeyCreation |
Block creation of SA keys | Key theft |
constraints/compute.requireOsLogin |
Require OS Login for SSH | SSH key injection |
constraints/storage.uniformBucketLevelAccess |
Require uniform access | ACL misconfiguration |
constraints/iam.allowedPolicyMemberDomains |
Restrict members to specific domains | allUsers/allAuthenticatedUsers |
constraints/compute.requireShieldedVm |
Require Shielded VMs | Boot-level attacks |
constraints/cloudfunctions.allowedIngressSettings |
Restrict function ingress | Public function invocation |
# View active Organization Policies
gcloud resource-manager org-policies list --organization=ORG_ID
# Specific policy details
gcloud resource-manager org-policies describe constraints/iam.disableServiceAccountKeyCreation \
--organization=ORG_IDVPC Service Controls
VPC Service Controls create a "perimeter" around GCP resources that prevents data exfiltration. Resources within the perimeter cannot communicate with resources outside the perimeter, even if IAM allows it.
# View VPC Service Controls perimeters
gcloud access-context-manager perimeters list --policy=POLICY_ID
# Perimeter details
gcloud access-context-manager perimeters describe PERIMETER_NAME --policy=POLICY_IDVPC Service Controls are the most effective defense against data exfiltration in GCP. They prevent an attacker with read permissions on BigQuery from copying data to their own project. It is a hard boundary, not a soft suggestion.
BeyondCorp Enterprise
BeyondCorp is Google's implementation of zero trust: no network is trusted, no device is trusted, every access attempt is evaluated based on identity, device trust, and context. It is the GCP variant of Azure Conditional Access, but with a focus on continuous evaluation instead of point-in-time checks.
Additional Recommendations
| Measure | Description |
|---|---|
| Disable default SA | Use dedicated SAs with minimal privileges |
| Enable Data Access logs | Despite the cost, essential for detection |
| Workload Identity in GKE | Prevent node SA abuse from pods |
| Uniform bucket access | Prevent ACL inconsistencies |
| Disable SA key creation | Via Organization Policy |
| Secret Manager | Migrate from env vars to Secret Manager |
| Binary Authorization | Prevent deployment of untrusted containers |
| Monitor SA key usage | Alert on unusual SA authentication |
Reference table
| Subject | Technique | Tool | MITRE ATT&CK | Difficulty |
|---|---|---|---|---|
| Project/org enumeration | Resource discovery | gcloud CLI | T1580 (Cloud Infrastructure Discovery) | Low |
| IAM policy analysis | Permission mapping | gcloud, custom scripts | T1087.004 (Cloud Account Discovery) | Low |
| Service account key theft | Credential file discovery | find, grep, gcloud | T1552.001 (Credentials in Files) | Low |
| SA impersonation | Token generation via actAs | gcloud CLI | T1098.003 (Additional Cloud Roles) | Medium |
| SA key creation | Persistent SA access | gcloud CLI | T1098.001 (Additional Cloud Credentials) | Medium |
| Metadata server token theft | IMDS exploitation | curl | T1552.005 (Cloud Instance Metadata API) | Low |
| Startup script secrets | Credential in metadata | curl, gcloud | T1552.005 (Cloud Instance Metadata API) | Low |
| SSH key injection | Metadata modification | gcloud CLI | T1098.004 (SSH Authorized Keys) | Medium |
| Cloud Function secrets | Environment variable theft | gcloud CLI | T1552.001 (Credentials in Files) | Low |
| Cloud Function source | Source code access | gcloud, gsutil | T1213 (Data from Information Repositories) | Medium |
| Public bucket access | Storage enumeration | curl, gsutil | T1530 (Data from Cloud Storage) | Low |
| Signed URL abuse | Token reuse | curl | T1550.001 (Application Access Token) | Low |
| GKE RBAC abuse | Kubernetes privilege escalation | kubectl | T1078.004 (Cloud Accounts) | Medium-High |
| GKE metadata access | Pod to node escalation | curl | T1552.005 (Cloud Instance Metadata API) | Medium |
| BigQuery data access | Cross-project queries | bq CLI | T1530 (Data from Cloud Storage) | Medium |
| setIamPolicy abuse | Direct policy modification | gcloud CLI | T1098.003 (Additional Cloud Roles) | Low (if you have the perm) |
| actAs escalation | Resource creation as SA | gcloud CLI | T1098.003 (Additional Cloud Roles) | Medium |
| Custom role privesc | Overprivileged role abuse | gcloud CLI | T1078.004 (Cloud Accounts) | Medium |
| Audit log evasion | SA impersonation, timing | gcloud CLI | T1562.008 (Disable Cloud Logs) | High |
| Data exfiltration | Storage/BQ export | gsutil, bq | T1537 (Transfer Data to Cloud Account) | Medium |
The cloud is not magic. It's someone else's data center with a nice API on top. The attacks are different from on-premises -- no NTLM hashes, no Kerberos tickets, no forgotten service accounts with passwords from 2019. But the patterns are the same: overly broad privileges, forgotten configuration, and the unshakeable belief that someone else is keeping an eye on it. Nobody is keeping an eye on it. Except us.
Further reading in the knowledge base
These articles in the portal provide more background and practical context:
- The cloud — someone else's computer, your responsibility
- Containers and Docker — what it is and why you need to secure it
- Encryption — the art of making things unreadable
- Least Privilege — give people only what they need
You need an account to access the knowledge base. Log in or register.
Related security measures
These articles provide additional context and depth:
