feat: Support GCP NIST Access Control Configuration, Policies and DNS Best Practices
m-pizarro committed May 20, 2022
1 parent 6a8b54d commit 6bb4657
Showing 15 changed files with 2,654 additions and 25 deletions.
19 changes: 13 additions & 6 deletions src/gcp/nist-800-53-rev4/README.md
Expand Up @@ -51,10 +51,17 @@ Policy Pack based on the [800-53 Rev. 4](https://csrc.nist.gov/publications/deta
}
```

<!--
TODO: Uncomment table when rules available
## Available Ruleset
| Rule | Description |
| ------------ | ------------------------------------------------------------------------------------------------------ |
| - | - |
-->

| Rule | Description |
| ------------- | ---------------------------------------------------------------------------------------------------------------------------------- |
| AWS NIST 1.1 | Compute instances should not use the default service account |
| AWS NIST 1.2 | Compute instances should not use the default service account with full access to all Cloud APIs |
| AWS NIST 1.3 | Compute instance "block-project-ssh-keys should be enabled |
| AWS NIST 1.4 | Compute instances should not have public IP addresses |
| AWS NIST 1.5 | Compute instances "Enable connecting to serial ports" should not be enabled |
| AWS NIST 1.6 | SQL database instances should not permit access from 0.0.0.0/0 |
| AWS NIST 1.7 | SQL database instances should not have public IPs |
| AWS NIST 2.1 | DNS managed zone DNSSEC should be enabled |
| AWS NIST 2.2 | DNS managed zone DNSSEC key-signing keys should not use RSASHA1 |
| AWS NIST 2.3 | DNS managed zone DNSSEC zone-signing keys should not use RSASHA1 |
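Review bot: the ruleset table added at the bottom of this hunk labels every GCP rule with the `AWS NIST` prefix (`| AWS NIST 1.1 |` through `| AWS NIST 2.3 |`) while the rule files themselves use titles such as `GCP NIST 1.1 ...`; the prefix should be `GCP NIST` to match the rule ids and the README it sits in. Two smaller points in the same hunk: the `AWS NIST 1.3` row has an unmatched double quote in `Compute instance "block-project-ssh-keys should be enabled` (the same typo is in that rule's `title`), and the HTML-commented `TODO: Uncomment table when rules available` block just above the table is now dead since the real table follows it; drop the comment.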
109 changes: 109 additions & 0 deletions src/gcp/nist-800-53-rev4/rules/gcp-nist-800-53-rev4-1.1.ts
@@ -0,0 +1,109 @@
// GCP CIS 1.2.0 Rule equivalent 4.1
export default {
id: 'gcp-nist-800-53-rev4-1.1',
title:
'GCP NIST 1.1 Compute instances should not use the default service account',
description: `It is recommended to configure your instance to not use the default Compute Engine
service account because it has the Editor role on the project.`,
audit: `**From Console:**
1. Go to the *VM instances* page by visiting: https://console.cloud.google.com/compute/instances.
2. Click on each instance name to go to its *VM instance details* page.
3. Under the section *Service Account*, ensure that the default Compute Engine service account is not used. This account is named *[PROJECT_NUMBER][email protected]*.
**From Command Line:**
1. List the instances in your project:
gcloud compute instances list
2. Get the details on each instance:
gcloud compute instances describe INSTANCE_NAME --zone ZONE
3. Ensure that the service account section does not have an email that matches the pattern used does not match the pattern *[PROJECT_NUMBER][email protected]*.
**Exception:**
VMs created by GKE should be excluded. These VMs have names that start with *gke-* and
are labeled *goog-gke-node*.`,
rationale: `The default Compute Engine service account has the Editor role on the project, which allows read and write access to most Google Cloud Services. To defend against privilege escalations if your VM is compromised and prevent an attacker from gaining access to all of your project, it is recommended to not use the default Compute Engine service account. Instead, you should create a new service account and assigning only the permissions needed by your instance.
The default Compute Engine service account is named *[PROJECT_NUMBER]- [email protected]*.`,
remediation: `**From Console:**
1. Go to the *VM instances* page by visiting:https://console.cloud.google.com/compute/instances.
2. Click on the instance name to go to its *VM instance details* page.
3. Click *STOP* and then click *EDIT*.
4. Under the section *Service Account*, select a service account other than the default Compute Engine service account. You may first need to create a new service account.
5. Click *Save* and then click *START*.
**From Command Line:**
1. Stop the instance:
gcloud compute instances stop INSTANCE_NAME
2. Update the instance:
gcloud compute instances set-service-account INSTANCE_NAME --service-account=SERVICE_ACCOUNT
3. Restart the instance:
gcloud compute instances start INSTANCE_NAME`,
references: [
'https://cloud.google.com/compute/docs/access/service-accounts',
'https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances',
'https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account',
],
gql: `{
querygcpVmInstance{
__typename
id
project{
id
}
name
labels{
value
}
serviceAccounts{
email
}
}
}`,
resource: 'querygcpVmInstance[*]',
severity: 'medium',
conditions: {
path: '@',
or: [
{
path: '@',
and: [
{
path: '[*].name',
match: /^gke-.*$/,
},
{
path: '[*].labels',
array_any: {
path: '[*].value',
equal: 'goog-gke-node',
},
},
],
},
{
jq: `[{ "defaultEmail" : (.project[].id | split("/") | .[1] + "[email protected]")} + .serviceAccounts[]]
| [.[] | select(.defaultEmail == .email) ]
| {"match" : (length > 0)}`,
path: '@',
and: [
{
path: '@.match',
notEqual: true,
},
],
},
],
},
}
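Review bot: the `jq` filter in the second `or` branch has no fallback when it produces no output, unlike the equivalent filters in rules 1.2 and 1.3 which end with `// {"match" : false}`; if `.project` is empty, `.project[].id` yields nothing, the object construction yields nothing, `@.match` is never set, and the `notEqual: true` check passes without the service account being tested at all. Append `// {"match" : false}` here as well. The filter also derives the project number with `.project[].id | split("/") | .[1]`, which assumes the id has the form `<prefix>/<number>`; a short comment stating that assumption would help the next reader. Text issues in the same hunk: step 3 of the command-line audit reads `does not have an email that matches the pattern used does not match the pattern`, a duplicated clause; the rationale says `create a new service account and assigning` (should be `assign`); the default account name in the rationale has a stray space after the hyphen (`[PROJECT_NUMBER]- ...`); and the console remediation is missing a space after `visiting:`.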
126 changes: 126 additions & 0 deletions src/gcp/nist-800-53-rev4/rules/gcp-nist-800-53-rev4-1.2.ts
@@ -0,0 +1,126 @@
// GCP CIS 1.2.0 Rule equivalent 4.2
export default {
id: 'gcp-nist-800-53-rev4-1.2',
title:
'GCP NIST 1.2 Compute instances should not use the default service account with full access to all Cloud APIs',
description: `To support principle of least privileges and prevent potential privilege escalation it is
recommended that instances are not assigned to default service account Compute Engine
default service account with Scope Allow full access to all Cloud APIs.`,
audit: `**From Console:**
1. Go to the *VM instances* page by visiting: https://console.cloud.google.com/compute/instances.
2. Click on each instance name to go to its *VM instance details* page.
3. If the *Default Compute Engine service account* is selected under *Service Account*, ensure that *Cloud API access scopes* is not set to *Allow full access to all Cloud APIs*.
**From Command Line:**
1. List Instances from project
gcloud compute instances list
2. Get the details on each instance:
gcloud compute instances describe INSTANCE_NAME --zone ZONE
3. Ensure that the instance is not configured to allow the https://www.googleapis.com/auth/cloud-platform scope for the default Compute Engine service account:
serviceAccounts:
- email: [PROJECT_NUMBER][email protected]
scopes:
- https://www.googleapis.com/auth/cloud-platform
**Exception:** Instances created by GKE should be excluded. These instances have names that
start with "gke-" and are labeled "goog-gke-node"`,
rationale: `Along with ability to optionally create, manage and use user managed custom service accounts, Google Compute Engine provides default service account *Compute Engine default service account* for an instances to access necessary cloud services. *Project Editor* role is assigned to *Compute Engine default service account* hence, This service account has almost all capabilities over all cloud services except billing. However, when *Compute Engine default service account* assigned to an instance it can operate in 3 scopes.
1. Allow default access: Allows only minimum access required to run an Instance (Least Privileges)
2. Allow full access to all Cloud APIs: Allow full access to all the cloud APIs/Services (Too much access)
3. Set access for each API: Allows Instance administrator to choose only those APIs that are needed to perform specific business functionality expected by instance
When an instance is configured with *Compute Engine default service account* with Scope *Allow full access to all Cloud APIs*, based on IAM roles assigned to the user(s) accessing Instance, it may allow user to perform cloud operations/API calls that user is not supposed to perform leading to successful privilege escalation.`,
remediation: `**From Console:**
1. Go to the *VM instances* page by visiting: https://console.cloud.google.com/compute/instances.
2. Click on the impacted VM instance.
3. If the instance is not stopped, click the *Stop* button. Wait for the instance to be stopped.
4. Next, click the *Edit* button.
5. Scroll down to the *Service Account* section.
6. Select a different service account or ensure that *Allow full access to all Cloud APIs* is not selected.
7. Click the *Save* button to save your changes and then click *START*.
**From Command Line:**
1. Stop the instance:
gcloud compute instances stop INSTANCE_NAME
2. Update the instance:
gcloud compute instances set-service-account INSTANCE_NAME --service- account=SERVICE_ACCOUNT --scopes [SCOPE1, SCOPE2...]
3. Restart the instance:
gcloud compute instances start INSTANCE_NAME`,
references: [
'https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances',
'https://cloud.google.com/compute/docs/access/service-accounts',
],
gql: `{
querygcpVmInstance{
__typename
id
project{
id
}
name
labels{
value
}
serviceAccounts{
email
scopes
}
}
}`,
resource: 'querygcpVmInstance[*]',
severity: 'medium',
conditions: {
path: '@',
or: [
{
path: '@',
and: [
{
path: '[*].name',
match: /^gke-.*$/,
},
{
path: '[*].labels',
array_any: {
path: '[*].value',
equal: 'goog-gke-node',
},
},
],
},
{
jq: `[{ "defaultEmail" : (.project[].id | split("/") | .[1] + "[email protected]")} + .serviceAccounts[]]
| [.[] | select(.defaultEmail == .email) ]
| {"match" : (length > 0), "scopes": .[].scopes} // {"match" : false, "scopes": []}`,
path: '@',
and: [
{
path: '@.match',
notEqual: true,
},
{
path: '[*].scopes',
array_all: {
notEqual: 'https://www.googleapis.com/auth/cloud-platform',
},
},
],
},
],
},
}
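Review bot: the second `or` branch joins `@.match notEqual true` and the `[*].scopes` `array_all` check with `and`, so an instance that uses the default Compute Engine service account with only the default scopes fails this rule even though the title targets the default account *with full access to all Cloud APIs*; that case is already rule 1.1's finding. If the title states the intent, the branch should pass when either the account is not the default one or its scopes do not include `https://www.googleapis.com/auth/cloud-platform`, i.e. an `or`, or the `@.match` condition should be dropped and only the scopes of the matched default account tested (the filter already restricts `scopes` to that account and falls back to `[]` otherwise). The two paths in that branch also address the jq result in different styles (`@.match` vs `[*].scopes`); pick one. In the text, the command in remediation step 2 has a stray space in `--service- account=SERVICE_ACCOUNT` that will break copy-paste, and the description's `not assigned to default service account Compute Engine default service account` repeats itself.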
128 changes: 128 additions & 0 deletions src/gcp/nist-800-53-rev4/rules/gcp-nist-800-53-rev4-1.3.ts
@@ -0,0 +1,128 @@
// GCP CIS 1.2.0 Rule equivalent 4.3
export default {
id: 'gcp-nist-800-53-rev4-1.3',
title:
'GCP NIST 1.3 Compute instance "block-project-ssh-keys should be enabled',
description: `It is recommended to use Instance specific SSH key(s) instead of using common/shared
project-wide SSH key(s) to access Instances.`,
audit: `**From Console:**
1. Go to the *VM instances* page by visiting https://console.cloud.google.com/compute/instances. It will list all the instances in your project.
2. For every instance, click on the name of the instance.
3. Under *SSH Keys*, ensure *Block project-wide SSH keys* is selected.
**From Command Line:**
1. List all instances in a project:
gcloud compute instances list
2. For every instance, get the instance metadata:
gcloud compute instances describe INSTANCE_NAME
3. Ensure key: *block-project-ssh-keys* set to *value*: '*true*'.
**Exception:**
Instances created by GKE should be excluded. These instances have names that start with
"gke-" and are labeled "goog-gke-node".`,
rationale: 'Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project. It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised.',
remediation: `**From Console:**
1. Go to the *VM instances* page by visiting: https://console.cloud.google.com/compute/instances. It will list all the instances in your project.
2. Click on the name of the Impacted instance
3. Click *Edit* in the toolbar
4. Under SSH Keys, go to the *Block project-wide SSH keys* checkbox
5. To block users with project-wide SSH keys from connecting to this instance, select *Block project-wide SSH keys*
6. Click *Save* at the bottom of the page
7. Repeat steps for every impacted Instance
**From Command Line:**
Block project-wide public SSH keys, set the metadata value to *TRUE*:
gcloud compute instances add-metadata INSTANCE_NAME --metadata block-project- ssh-keys=TRUE`,
references: [
'https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys',
],
gql: `{
querygcpVmInstance{
__typename
id
project{
id
}
name
labels{
value
}
serviceAccounts{
email
scopes
}
metadata{
items{
key
value
}
}
}
}`,
resource: 'querygcpVmInstance[*]',
severity: 'medium',
conditions: {
path: '@',
or: [
{
path: '@',
and: [
{
path: '[*].name',
match: /^gke-.*$/,
},
{
path: '[*].labels',
array_any: {
path: '[*].value',
equal: 'goog-gke-node',
},
},
],
},
{
path: '[*].metadata.items',
isEmpty: true
},
{
and: [
{
path: '[*].metadata.items',
array_any: {
and: [
{
path: '[*].key',
equal: 'block-project-ssh-keys',
},
{
path: '[*].value',
equal: 'true',
},
],
},
},
{
jq: `[{ "defaultEmail" : (.project[].id | split("/") | .[1] + "[email protected]")} + .serviceAccounts[]]
| [.[] | select(.defaultEmail == .email) ]
| {"match" : (length > 0)} // {"match" : false}`,
path: '@',
and: [
{
path: '@.match',
notEqual: true,
},
],
},
],
},
],
},
}
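Review bot: the `isEmpty: true` branch on `[*].metadata.items` makes an instance with no metadata pass, but on such an instance `block-project-ssh-keys` is unset, which is exactly what the rule is meant to flag (the audit text requires the key to be present with value `true`); remove or invert that branch. The third branch additionally requires, via the `jq` filter copied from rule 1.1, that the instance not use the default Compute Engine service account, which is unrelated to SSH keys and duplicates 1.1, so an instance that blocks project-wide keys but runs as the default account fails here too; drop that condition together with the unused `serviceAccounts` selection in the `gql`. The metadata check `equal: 'true'` is case-sensitive as written while the remediation sets `block-project-ssh-keys=TRUE`, so an instance fixed by following the remediation would still fail unless the engine normalises case; align the two. Smaller points: the `title` has an unmatched double quote before `block-project-ssh-keys`, the remediation command has a stray space in `block-project- ssh-keys=TRUE`, and `isEmpty: true` lacks the trailing comma used elsewhere in the file.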