GCP Security Alerts
Welcome to the GCP Security Monitoring knowledge base!
The CUIT Cybersecurity team has built this security monitoring process to detect security vulnerabilities and misconfigurations in the GCP Cloud. Each alert is assigned a criticality that indicates how the detected issue should be prioritized. Each alert also carries a description and a remediation to guide you, as the project owner, in resolving the issue. Additionally, each alert references the GCP support documentation, the CIS Benchmark or the MITRE ATT&CK framework, which were the team's sources for building the monitoring alerts.
Below is a search bar that lets you type in an alert name and find additional information about the event. On the left, under GCP Security Monitoring, a drop-down gives you access to the comprehensive list of detections used in our monitoring.
GCP Security Best Practices
We have compiled the following list of best practices to provide a security foundation for GCP project owners. These controls are designed to limit exposure and reduce the attack surface of your cloud resources.
Run Antivirus or Anti-Malware on virtual machines
If you are looking for antivirus or anti-malware software, CUIT provides Malwarebytes to the university.
IT staff around the university can request a site to manage their endpoints.
Limit public resources
Buckets and databases should not be directly accessible from the outside world, as noted in the GCP Security Controls.
This prevents information from being exposed that was never intended to be public.
Google recommends against this configuration:
“The Cloud Storage access control system includes the ability to specify that buckets are publicly writable. While configuring a bucket this way can be convenient for various purposes, we recommend against using this permission - it can be abused for distributing illegal content, viruses, and other malware, and the bucket owner is legally and financially responsible for the content stored in their buckets”
Limit which region resources are provisioned
Since Columbia University operates out of the United States, from a legal perspective it is in the University's best interest to host data within the same region.
Deploying workloads to regions outside the US requires an exception; the process is linked on the left of this page.
Leverage University login systems and Multi Factor authentication
The Identity and Access Management system provides a platform to enable UNI-based authentication on applications.
No Public IPs on Virtual Machines
Security best practice is to limit which network ports on virtual machines are reachable from the Internet.
Applications that need to be publicly accessible should be placed behind a load balancer that provides that connectivity. This also gives you additional features such as workload distribution and high availability.
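Three of the best practices above (no public buckets, no public IPs on VMs, no workloads outside the US) can be checked offline from the JSON that gcloud already returns. The script below is an added example, not CUIT's monitoring code. It reads the shapes produced by `gcloud storage buckets get-iam-policy BUCKET --format=json` and `gcloud compute instances list --format=json`; the project name, bucket names, instance names and addresses in the inline inventory are constructed so that it runs without a GCP project.

```python
"""Offline checks for three of the GCP best practices: public buckets,
public IPs on VMs, and workloads outside the US.

Added example, not CUIT's monitoring code. The inventory below is
constructed (fake project, names and addresses) in the shape of gcloud's
JSON output so the script runs without a GCP project.
"""

# Principals that make a bucket readable by anyone (allUsers) or by any
# holder of a Google account (allAuthenticatedUsers).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def public_bucket_bindings(policy: dict) -> list:
    """Return 'role -> members' for each binding granted to a public principal."""
    hits = []
    for binding in policy.get("bindings", []):
        public = PUBLIC_MEMBERS.intersection(binding.get("members", []))
        if public:
            hits.append(f"{binding['role']} -> {sorted(public)}")
    return hits


def instance_external_ips(instance: dict) -> list:
    """Return every external (NAT) address attached to the instance's NICs.

    A NIC with no accessConfigs, or an accessConfig without natIP, has no
    public address.
    """
    return [
        cfg["natIP"]
        for nic in instance.get("networkInterfaces", [])
        for cfg in nic.get("accessConfigs", [])
        if cfg.get("natIP")
    ]


def outside_us(location: str) -> bool:
    """True when a zone/region name or zone URL is not a US location.

    US locations are named us-* (us-east1, us-central1-a, ...); the 'US'
    multi-region used by buckets is also accepted. Assumption: any other
    prefix is treated as non-US.
    """
    name = location.rstrip("/").split("/")[-1].lower()
    return not (name == "us" or name.startswith("us-"))


# Constructed inventory (not real resources).
ZONE_PREFIX = "https://www.googleapis.com/compute/v1/projects/example-project/zones/"
SAMPLE_BUCKETS = {
    "research-data": {"bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.admin", "members": ["user:owner@example.edu"]},
    ]},
    "private-logs": {"bindings": [
        {"role": "roles/storage.admin", "members": ["group:team@example.edu"]},
    ]},
}
SAMPLE_INSTANCES = [
    {"name": "web-1", "zone": ZONE_PREFIX + "us-east1-b",
     "networkInterfaces": [{"accessConfigs": [
         {"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.10"}]}]},
    {"name": "batch-eu", "zone": ZONE_PREFIX + "europe-west1-b",
     "networkInterfaces": [{"network": "default"}]},
]


def audit(buckets: dict, instances: list) -> list:
    """Run all three checks and return (check, detail) findings."""
    findings = []
    for name, policy in buckets.items():
        for hit in public_bucket_bindings(policy):
            findings.append(("public-bucket", f"{name}: {hit}"))
    for inst in instances:
        for ip in instance_external_ips(inst):
            findings.append(("public-ip", f"{inst['name']}: {ip}"))
        if outside_us(inst["zone"]):
            zone = inst["zone"].split("/")[-1]
            findings.append(("non-us-region", f"{inst['name']}: {zone}"))
    return findings


if __name__ == "__main__":
    for check, detail in audit(SAMPLE_BUCKETS, SAMPLE_INSTANCES):
        print(f"{check:15} {detail}")
```

Against the constructed inventory the script reports the world-readable bucket, the external address on web-1, and the instance running in europe-west1-b; a project owner can feed it real gcloud output by replacing the two sample structures.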
Critical Alerts for GCP
- Monitor for web application attacks
- Workloads Operating in non-US Region
- Ensure that corporate login credentials are used instead of Gmail accounts
- Monitor for Malicious Logins against GCP Console
- Ensure that Cloud Audit Logging is configured properly across all services and all users from a project
- Ensure that Cloud SQL database Instances are not open to the world
- Ensure that firewall rules allowing any source IP address are not applied to network ports other than web services
- Ensure that Cloud Storage bucket is not anonymously or publicly accessible
- Ensure that there are no publicly accessible objects in storage buckets
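Two of the Critical alerts above, Cloud Audit Logging configured for all services and all users, and firewall rules that expose non-web ports to any source IP, can be reproduced as offline checks. The script below is an added example, not CUIT's detection code. It reads the JSON shapes returned by `gcloud projects get-iam-policy PROJECT --format=json` (the auditConfigs section) and `gcloud compute firewall-rules list --format=json`; the inline samples are constructed, and the choice to ignore ICMP (which has no ports) is an assumption of the example.

```python
"""Offline checks for two Critical alerts: Cloud Audit Logging configured
for all services and all users, and any-source firewall rules on non-web ports.

Added example, not CUIT's detection code. The samples below are constructed
in the shape of gcloud's JSON output so the script runs offline.
"""

# Data Access audit log types that must be enabled for allServices.
# ADMIN_WRITE (Admin Activity logs) is always on and not configurable.
REQUIRED_LOG_TYPES = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}

WEB_PORTS = {80, 443}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


def audit_logging_gaps(project_policy: dict) -> list:
    """Return what stops the project from logging all services for all users."""
    configs = {c["service"]: c for c in project_policy.get("auditConfigs", [])}
    all_services = configs.get("allServices")
    if all_services is None:
        return ["no auditConfig entry for allServices"]
    gaps, present = [], set()
    for log_cfg in all_services.get("auditLogConfigs", []):
        present.add(log_cfg["logType"])
        # Exempted members are carved out of 'all users'.
        for member in log_cfg.get("exemptedMembers", []):
            gaps.append(f"{log_cfg['logType']} exempts {member}")
    for missing in sorted(REQUIRED_LOG_TYPES - present):
        gaps.append(f"{missing} not enabled for allServices")
    return gaps


def _spans_non_web_port(spec: str) -> bool:
    """True if a port spec ('22' or '8000-9000') covers any non-web port."""
    low, _, high = spec.partition("-")
    return any(p not in WEB_PORTS for p in range(int(low), int(high or low) + 1))


def world_exposed_non_web(rule: dict) -> list:
    """Return 'proto:ports' entries that an enabled ingress rule opens to any
    source IP, excluding the web ports."""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return []
    if not ANY_SOURCE.intersection(rule.get("sourceRanges", [])):
        return []
    exposed = []
    for allow in rule.get("allowed", []):
        proto = allow["IPProtocol"].lower()
        if proto == "icmp":        # no ports to restrict (assumption: out of scope)
            continue
        if "ports" not in allow:   # no port list means every port of the protocol
            exposed.append(f"{proto}:all")
            continue
        for spec in allow["ports"]:
            if _spans_non_web_port(spec):
                exposed.append(f"{proto}:{spec}")
    return exposed


# Constructed samples (not real project data).
SAMPLE_PROJECT_POLICY = {
    "auditConfigs": [{
        "service": "allServices",
        "auditLogConfigs": [
            {"logType": "ADMIN_READ"},
            {"logType": "DATA_WRITE", "exemptedMembers": ["user:etl@example.edu"]},
        ],
    }],
    "bindings": [{"role": "roles/owner", "members": ["group:admins@example.edu"]}],
}
SAMPLE_FIREWALL_RULES = [
    {"name": "allow-web", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "allow-ssh-world", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-internal", "direction": "INGRESS", "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "old-rdp", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "disabled": True, "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
]


def critical_findings(project_policy: dict, rules: list) -> list:
    """Map both checks onto the alert names used in this knowledge base."""
    findings = [("Cloud Audit Logging not configured properly", gap)
                for gap in audit_logging_gaps(project_policy)]
    for rule in rules:
        for entry in world_exposed_non_web(rule):
            findings.append(("Any source IP on non-web port", f"{rule['name']}: {entry}"))
    return findings


if __name__ == "__main__":
    for alert, detail in critical_findings(SAMPLE_PROJECT_POLICY, SAMPLE_FIREWALL_RULES):
        print(f"{alert}: {detail}")
```

On the constructed samples the audit-logging check flags the missing DATA_READ log type and the exempted ETL user, and the firewall check flags only allow-ssh-world: the web rule is allowed, the internal rule has no any-source range, and the disabled RDP rule is skipped.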
High Alerts for GCP
- Ensure connecting to serial ports is not enabled for VM Instance
- Ensure Block Project-wide SSH keys are enabled for VM instances
- Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
- Ensure Kubernetes Cluster is created with Private cluster enabled
- Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters
- Monitor for brute force attacks against APIs
- Monitor for malicious communications to project
- Ensure that Cloud SQL database instance requires all incoming connections to use SSL
- Ensure that IAM users are not assigned Service Account User role at project level
- Ensure that IP forwarding is not enabled on Instances
- Ensure Network policy is enabled on Kubernetes Engine Clusters
- Ensure Pod Security Policy controller is enabled on the Kubernetes Engine Clusters
- Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
- Ensure automatic node repair is enabled for Kubernetes Clusters
- Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes
- Ensure that RDP access is restricted from the internet
- Ensure that SSH access is restricted from the internet
- Ensure Private Google Access is enabled for all subnetwork in VPC Network
- Monitor for port scanning of resources
- Malicious User Agent Detected
Medium Alerts for GCP
- Ensure Basic Authentication is disabled on Kubernetes Engine Clusters
- Ensure that Separation of duties is enforced while assigning service account related roles to users
- Monitor for brute force attacks against GCP Console
- Ensure that Service Account has no Admin privileges
- Ensure user-managed/external keys for service accounts are rotated every 90 days or less
- Ensure API keys are restricted to only APIs that application needs access
- Ensure Encryption keys are rotated within a period of 365 days
- Ensure API keys are rotated every 90 days
- Ensure API keys are not created for a project
- Ensure API keys are restricted to use by only specified Hosts and Apps
- Ensure that sinks are configured for all Log entries
- Ensure OS login is enabled for a Project
- Ensure Kubernetes Cluster is created with Client Certificate enabled
- Ensure default Service account is not used for Project access in Kubernetes Clusters
- Ensure Kubernetes Cluster is created with Alias IP ranges enabled
- Ensure log metric filter and alerts exists for Audit Configuration Changes
- Ensure that object versioning is enabled on log-buckets
- Ensure the default network does not exist in a project
Low Alerts for GCP
- Monitor for folder deletion
- Monitor for instances deletion
- Monitor for snapshot creations
- Ensure that logging is enabled for Cloud buckets
- Ensure Kubernetes Clusters are configured with Labels
- Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image
- Ensure log metric filter and alerts exists for Custom Role changes
- Ensure VPC Flow logs is enabled for every subnet in VPC Network
- Monitor for firewall rule creation
- GCP Security Center - AUDIT_LOGGING_DISABLED