IAM + VPC Service Controls = GCP 2 minute Security Solution
Also read - Identity Aware Proxy in GCP
Overview
IAM is the most frequently misconfigured and compromised cloud service. To limit the damage when it is, GCP provides two unique services (boundaries) that go beyond traditional cloud networking constructs.
- The Project Boundary - Limits the IAM Blast Radius
- VPC Service Controls - Think IAM Credentials Compromised - Can we still block someone from logging in from another network?
Here's a 2 minute combination of IAM and Networking Security that one can implement in GCP
IAM + VPC Service Controls = Defense in Depth
The 4 minute version - also build in Private Google Access and include those hosts in the Service Controls perimeter.
IAM - 2 minute GCP IAM Security Solution
- GCP Service Accounts Best Practices
- Identity Aware Proxies
- SSO Groups - The recommended practice is to use federated groups into GCP.
Why Service Controls?
PaaS services allow any user with IAM credentials to get access. Typically, on GCP, these credentials are in the form of a service account (as opposed to human users).
If those service account credentials are accidentally committed to GitHub (or any public repo), anyone who finds them can use them and, consequently, reach YOUR Cloud Storage bucket or PaaS service.
What ARE VPC service controls? And why the VPC pre-pend?
- Ordinarily, when you make an API request against a GCS bucket, a Pub/Sub topic or a BigQuery dataset, that request is resolved to an external endpoint protected with IAM policies.
- If IAM policies are configured to allow it (e.g. an allUsers binding), ANYONE could access those endpoints, since they are in fact publicly facing.
- VPC Service Controls offers a way to specify a trusted perimeter around projects, such that only projects within that perimeter are allowed to communicate with your GCP resources.
- This is accomplished at the network layer of VPCs owned by your project.
How do I ensure that only on premises users get access to my Cloud Storage resources?
A service perimeter ensures that only resources inside the protected projects in the perimeter can access the service; nothing outside of it can.
A protected project can also include a VPN tunnel, which would allow on-premises users coming through the tunnel to access the storage service as well.
How do I actually configure Service Controls (independent of IAM policies)?
At the VPC level, define a new VPC Service Perimeter.
- Permission Type = Perimeter (default)
- Choose the Projects to Protect
- Choose the Access Level by creating an Access Policy (e.g. access allowed to this VPC or VPN or CIDR Block)
Example Use Case - IAM Credentials Compromised - Can we still block someone from logging in from another network?
- Create perimeters around your resources, such as Storage buckets or Persistent Disks or BigQuery
- Set conditions to allow data flow outside of the perimeter
- Access that IAM alone would allow is still blocked by the service perimeter
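The perimeter and access level from the configuration steps and the compromised-credentials use case above, written out as Terraform for the Google provider. This is an added example, not code from the original post; the org ID, project number and the 203.0.113.0/24 on-premises range are placeholders you would replace.

```hcl
# Added example (not from the original post): one access policy, an access
# level that admits only the on-prem CIDR, and a regular perimeter that puts
# Cloud Storage and BigQuery for the project behind that access level.
# Assumed placeholder values: org_id, project_number (the numeric project
# number, not the project ID) and the 203.0.113.0/24 on-prem range.

variable "org_id"         { type = string }  # e.g. "123456789012" (placeholder)
variable "project_number" { type = string }  # numeric project number (placeholder)

# One access policy per organisation; all levels and perimeters hang off it.
resource "google_access_context_manager_access_policy" "policy" {
  parent = "organizations/${var.org_id}"
  title  = "corp-access-policy"
}

# Access level: a request is trusted only when it originates from the
# on-prem range (the "access allowed to this CIDR block" condition above).
resource "google_access_context_manager_access_level" "onprem_only" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.policy.name}/accessLevels/onprem_only"
  title  = "onprem_only"
  basic {
    conditions {
      ip_subnetworks = ["203.0.113.0/24"]  # constructed on-prem CIDR
    }
  }
}

# Perimeter: the Storage and BigQuery APIs for the project answer only to
# callers inside the perimeter or matching the access level. A leaked
# service-account key used from any other network is refused even though
# the IAM policy would have allowed the call.
resource "google_access_context_manager_service_perimeter" "data_perimeter" {
  parent         = "accessPolicies/${google_access_context_manager_access_policy.policy.name}"
  name           = "accessPolicies/${google_access_context_manager_access_policy.policy.name}/servicePerimeters/data_perimeter"
  title          = "data_perimeter"
  perimeter_type = "PERIMETER_TYPE_REGULAR"

  status {
    resources           = ["projects/${var.project_number}"]
    restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
    access_levels       = [google_access_context_manager_access_level.onprem_only.name]
  }
}
```

Before enforcing, the same perimeter can be applied in dry-run mode (the provider's `spec` block with `use_explicit_dry_run_spec = true`) so that calls which would be denied are only logged, which is the check to run against your own pipelines before they start failing.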
What is Access Context Manager in GCP?
- Another service that works in tandem with VPC service controls
- Allows admins to define the rules for access using certain criteria
○ Device type and operating system
○ IP address
○ User identity
What are the limitations of VPC Service Controls?
They are not available for EVERY GCP service. Storage, Compute, BigQuery and the other big ones are all covered, and these have the ability to be placed inside a service perimeter.
Private Google Access - How does this tie in to VPC Service Controls?
First, let us talk about 'Why Private Google Access'
Private Google Access offers private connectivity to hosts in either a VPC network or an on-premises network that use private IP addresses to access Google APIs and services.
You can extend a VPC Service Controls service perimeter to hosts in those (VPC or On Prem) networks to control access to protected resources.
Hosts in a VPC network must have a private IP address only (no public IP address) and be in a subnet with Private Google Access enabled.
What is Cloud IAP?
Say you have a resource with a private IP. Need to access it publicly, but don't want to create a VPN tunnel to do so? Enter IAP.
Normally, to SSH or RDP into a private VM (Compute Instance with a private IP), you would need a VPN Tunnel. However, what if you did not have a VPN tunnel, but still wanted to be able to connect to the VM?
Enter Cloud Identity-Aware Proxy. This allows authentication at the Proxy layer - and allows users to RDP or SSH in without having to set up VPN tunnels.
SSO Groups
How do you federate identities to GCP?
Summary
If you are not using VPC Service Controls, you are missing out on a simple, yet powerful tool to define additional perimeters (to prevent data exfiltration). Combined with IAM Policies, these two GCP services can lock down any resource.
Need an experienced AWS/GCP/Azure Professional to help out with your Public Cloud Strategy? Set up a time with Anuj Varma.