GCP Security Configuration Review and Best Practices

Grahame Turner
Technical Writer, Security Assessments
Jaimin Gohel
Senior Technical Engagement Manager

As organizations turn to cloud solutions to address their information technology (IT) needs, environments such as the Google Cloud Platform (GCP) become highly attractive targets for cybercriminals seeking to exploit various configuration vulnerabilities. 

To safeguard GCP environments, HackerOne offers a methodology-driven penetration testing solution delivered via a Pentest as a Service (PTaaS) model. This approach connects organizations with a heavily vetted cohort of a global ethical hacker community for comprehensive, end-to-end pentesting. Performing dedicated pentests frequently through a community-driven PTaaS is crucial to finding vulnerabilities specific to the products and services in your GCP environment.

Testing Methodologies

HackerOne’s GCP testing methodologies are grounded in the principles of the Penetration Testing Execution Standard (PTES), the CIS Google Cloud Computing Platform Benchmark, and the Google Cloud Well-Architected Framework. Additionally, our testing processes adhere to the standards required for CREST certification/accreditation, ensuring comprehensive and reliable assessments across various cloud environments, including GCP. Organizations can now better protect against risk and attacks with highly skilled experts with specialized, proven expertise in vulnerabilities specific to GCP.

Common Vulnerabilities

GCP operates with a shared responsibility model that outlines the division of security responsibilities between Google and its customers. The division of areas of responsibility varies based on the deployment type: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), and Function as a Service (FaaS).

[Figure: Google Cloud Shared Responsibility Model]

To address the challenges that the shared responsibility model does not cover, Google Cloud also operates on a shared fate model to assist its customers in securing their assets.

With the vast number of potential combinations of GCP assets, it can be easy to overlook vulnerabilities that can arise from misconfigurations.

Permission Misconfigurations

Allow policies are the Identity and Access Management (IAM) controls for GCP environments. When granting roles to principals, it is critical that the concept of least privilege is followed to ensure that members and workloads of your organization do not hold permissions beyond their scope of duty. Because of their complexity, allow policies carry a high management and auditing overhead and are highly susceptible to misconfiguration.

The basic roles defined by Google include thousands of permissions across all services and grant members an excessive level of privilege. Granting basic roles can easily lead to unauthorized access to sensitive data and functionality. Basic roles should be reserved for testing and should not be used in production environments unless no alternative exists.

Instead, it is recommended that the most appropriate predefined role be granted. However, GCP currently includes 1992 different predefined roles that span more than 150 services.

Management becomes even more complex when custom roles are created. Defining custom roles requires a complete understanding of the access requirements of principals throughout your organization. This level of comprehension can quickly become ungovernable, especially in large enterprises.

The security of your cloud data is paramount, as public access to sensitive data will result in compliance violations. When implementing Cloud Storage IAM controls, access at the organization, folder, project, and bucket levels must be taken into consideration to account for inheritance to child resources. In addition to IAM permissions over projects and buckets, Access Control Lists (ACLs) should be used in any case where access on a per-object basis is necessary. IAM controls must also be correctly configured to determine who can access log files.

Additionally, aspects such as service accounts, groups, conditional role bindings, and temporary access further complicate the auditing of granted privileges.

Due to the dynamic nature of an enterprise, guaranteeing proper IAM controls becomes an intricate task, and getting it wrong can have devastating consequences. Allow, deny, and principal access boundary policies must all be used in a strategic manner to secure resources against unauthorized access.
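Added example (mine, not code from the original post or from HackerOne): a small Python audit of allow policies in the JSON shape that `gcloud projects get-iam-policy` and `gcloud storage buckets get-iam-policy` emit. It covers the points above in one pass: basic roles (rated worse when bound to a service account, since a workload rarely needs that scope), public principals such as `allUsers` on a bucket, and conditional bindings that have to be re-checked at each audit. The two policies, the names and e-mail addresses, and the HIGH/MEDIUM/INFO scale are constructed for this example.

```python
import json

# Google's basic roles carry thousands of permissions across every service.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Special principals that open a resource to the whole Internet or to any Google account.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policies in the JSON shape emitted by
#   gcloud projects get-iam-policy PROJECT_ID --format=json
#   gcloud storage buckets get-iam-policy gs://BUCKET --format=json
# Project name, bucket name, e-mail addresses and etag are made up.
SAMPLE_POLICIES = {
    "projects/example-project": json.loads("""
    {
      "version": 3,
      "etag": "BwX-constructed==",
      "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:ci-runner@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["group:analysts@example.com"],
         "condition": {"title": "temporary analyst access",
                       "expression": "request.time < timestamp('2024-12-31T00:00:00Z')"}},
        {"role": "roles/logging.viewer",
         "members": ["user:bob@example.com"]}
      ]
    }"""),
    "buckets/example-customer-exports": json.loads("""
    {
      "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.admin", "members": ["user:carol@example.com"]}
      ]
    }"""),
}


def audit_allow_policy(resource, policy):
    """Flag risky bindings in one allow policy.

    Returns a list of dicts with keys severity, resource, role, member, reason.
    The severity scale is this example's own convention, not a Google one.
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        condition = binding.get("condition")
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append(dict(severity="HIGH", resource=resource, role=role, member=member,
                                     reason="public principal bound to resource"))
            if role in BASIC_ROLES:
                # A basic role on a workload identity is the clearest breach of least privilege.
                severity = "HIGH" if member.startswith("serviceAccount:") else "MEDIUM"
                findings.append(dict(severity=severity, resource=resource, role=role, member=member,
                                     reason="basic role grants far more than the member's duties need"))
            if condition:
                # Conditional bindings are legitimate, but each expiry/scope must be re-verified.
                findings.append(dict(severity="INFO", resource=resource, role=role, member=member,
                                     reason="conditional binding: " + condition.get("title", "")))
    return findings


def audit_all(policies):
    """Audit every resource's policy and order the findings by severity, then resource."""
    order = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}
    findings = []
    for resource, policy in policies.items():
        findings.extend(audit_allow_policy(resource, policy))
    return sorted(findings, key=lambda f: (order[f["severity"]], f["resource"]))


if __name__ == "__main__":
    for f in audit_all(SAMPLE_POLICIES):
        print(f"{f['severity']:6} {f['resource']:34} {f['role']:28} {f['member']}  ({f['reason']})")
```

Run it as a script to see the four findings the constructed policies produce; in practice you would feed it the JSON of every project, folder and bucket in scope, since a binding inherited from a parent resource is just as effective as one set on the bucket itself.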

VPC Firewall Misconfigurations

Proper firewall implementation is critical to achieving a zero-trust network posture to protect from internal and external attacks. However, due to the multiple components of each firewall rule and their propensity to accumulate as your environment expands, security gaps can arise that open ingress and egress paths to attackers.

Each Virtual Private Cloud (VPC) firewall rule is defined by its priority, action on match, enforcement status, target instances, source and destination filters, and protocol and port. Because of this variability, numerous misconfigurations can arise that leave assets at risk of compromise. For instance, a rule intended to protect a target may be shadowed by a rule with an equal or higher priority. Even completely secure rules may simply be left disabled or applied to the wrong targets.

Additionally, unless explicitly disabled through an organization policy, each new project starts with a default VPC network that is pre-populated with firewall rules allowing connections between VM instances within the same network as well as SSH, RDP, and ICMP connections. As these rules are overly permissive, they should not be considered appropriate for sensitive environments, since they expose you to multiple known attack vectors.
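To make the shadowing and default-rule points concrete, here is an added example (mine, not the article's) that reviews a constructed list of VPC firewall rules trimmed to the fields `gcloud compute firewall-rules list --format=json` emits. It reports disabled rules, allow rules that expose SSH or RDP to 0.0.0.0/0 the way the default network's rules do, and deny rules whose traffic is already matched by an allow rule of equal or higher priority (lower number); equal-priority pairs are flagged for review rather than resolved. Rule names, tags and address ranges are made up.

```python
import ipaddress

# Constructed rules. The first two mirror a default network's default-allow-ssh and
# default-allow-rdp; the third is a protective deny that someone left disabled.
SAMPLE_RULES = [
    {"name": "default-allow-ssh", "priority": 65534, "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "default-allow-rdp", "priority": 65534, "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "deny-ssh-from-internet", "priority": 1000, "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-db-from-partner", "priority": 900, "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["203.0.113.0/24"], "targetTags": ["db"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
    {"name": "deny-db-from-partner", "priority": 1000, "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["203.0.113.0/24"], "targetTags": ["db"],
     "denied": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
]

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def _port_ranges(spec):
    """Expand a gcloud ports list ("22", "8000-9000") into (low, high); no ports = every port."""
    if not spec.get("ports"):
        return [(0, 65535)]
    ranges = []
    for item in spec["ports"]:
        low, _, high = item.partition("-")
        ranges.append((int(low), int(high or low)))
    return ranges


def _entries(rule):
    """Yield (action, protocol, (low, high)) for each allowed/denied entry of a rule."""
    for action in ("allowed", "denied"):
        for spec in rule.get(action, []):
            for rng in _port_ranges(spec):
                yield action, spec["IPProtocol"].lower(), rng


def _cidrs(rule):
    # Ingress rules filter on sourceRanges, egress on destinationRanges; absent means any.
    return rule.get("sourceRanges") or rule.get("destinationRanges") or ["0.0.0.0/0"]


def _overlaps(a, b):
    """True if two rules can match the same packet (direction, targets, addresses, traffic)."""
    if a["direction"] != b["direction"]:
        return False
    tags_a, tags_b = set(a.get("targetTags", [])), set(b.get("targetTags", []))
    if tags_a and tags_b and not (tags_a & tags_b):
        return False  # a rule with no target tags applies to every instance
    if not any(ipaddress.ip_network(x).overlaps(ipaddress.ip_network(y))
               for x in _cidrs(a) for y in _cidrs(b)):
        return False
    for _, proto_a, (lo_a, hi_a) in _entries(a):
        for _, proto_b, (lo_b, hi_b) in _entries(b):
            if (proto_a == proto_b or "all" in (proto_a, proto_b)) and lo_a <= hi_b and lo_b <= hi_a:
                return True
    return False


def review_firewall(rules):
    """Return (rule name, finding) pairs for the misconfigurations discussed above."""
    findings = []
    for rule in rules:
        if rule.get("disabled"):
            findings.append((rule["name"], "rule is disabled and currently has no effect"))
            continue
        for action, proto, (low, high) in _entries(rule):
            if action == "allowed" and "0.0.0.0/0" in _cidrs(rule) and proto in ("tcp", "all"):
                for port, label in ADMIN_PORTS.items():
                    if low <= port <= high:
                        findings.append((rule["name"], f"allows {label} (tcp:{port}) from any source"))
    active = [r for r in rules if not r.get("disabled")]
    for deny in (r for r in active if r.get("denied")):
        for allow in (r for r in active if r.get("allowed")):
            # Lower priority numbers are evaluated first, so an allow rule numbered at or
            # below the deny can match the traffic the deny was meant to block.
            if allow["priority"] <= deny["priority"] and _overlaps(allow, deny):
                how = ("same priority, review which action is enforced"
                       if allow["priority"] == deny["priority"] else "higher priority")
                findings.append((deny["name"], f"shadowed by allow rule '{allow['name']}' ({how})"))
    return findings


if __name__ == "__main__":
    for name, finding in review_firewall(SAMPLE_RULES):
        print(f"{name:24} {finding}")
```

The overlap test is deliberately conservative (any shared address range, tag and port range counts), so it errs toward surfacing a pair for a human to review rather than silently passing it.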

Logging and Monitoring Misconfigurations

If logging and monitoring tools are not properly configured, detection of exploitation attempts or successful breaches can be delayed, allowing attackers to operate unimpeded for extended periods of time. In extreme cases, post-attack investigations can be hindered by a lack of records.

Insufficient monitoring can also breach the terms of regulations, leading to non-compliance.


Audit logs are produced by most GCP services and are classified into four log types:


  • Admin Activity: These logs contain entries for API calls or actions that modify the configuration or metadata of resources.
  • Data Access: These logs contain API calls that read the configuration or metadata of resources. User-driven API calls that create, modify, or read user data are also included. Logs of this type are disabled by default. However, as they are used to troubleshoot issues with your account, it is recommended that they are enabled.
  • System Event: These logs contain entries of system actions that modified the configuration of resources.
  • Policy Denied: These logs contain entries that identify when a service denied access to a user or service account due to a security policy violation.

These log types, along with Access Transparency logs, are considered security-related, as they identify which principals executed which actions, in chronological order.

Log-based alerting policies should be leveraged in order to receive notifications of potential security incidents, such as when secrets are accessed or when a user decrypts a value.
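An added example (not part of the original article) that classifies constructed Cloud Audit Log entries into the four types above by their `logName` suffix and raises an alert for the two events the text names: a secret being accessed and a value being decrypted. It also warns when a batch contains no Data Access entries, since that log type is off by default and both of those events are recorded there. The Secret Manager and Cloud KMS `serviceName`/`methodName` values are the ones I know from the audit log format and should be treated as assumptions; the project, bucket, key and principal names are constructed.

```python
import json

# Audit log type, keyed by the last path segment of the LogEntry's logName.
LOG_TYPES = {
    "cloudaudit.googleapis.com%2Factivity": "Admin Activity",
    "cloudaudit.googleapis.com%2Fdata_access": "Data Access",
    "cloudaudit.googleapis.com%2Fsystem_event": "System Event",
    "cloudaudit.googleapis.com%2Fpolicy": "Policy Denied",
}

# (serviceName, methodName) pairs that should raise an alert. Assumed from the
# Cloud Audit Logs format for Secret Manager and Cloud KMS.
ALERT_METHODS = {
    ("secretmanager.googleapis.com",
     "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"): "secret version accessed",
    ("cloudkms.googleapis.com", "Decrypt"): "value decrypted with Cloud KMS",
}


def _entry(log_suffix, service, method, principal, resource, ts):
    """Build one trimmed LogEntry as a JSON line (constructed sample data)."""
    return json.dumps({
        "logName": "projects/example-project/logs/" + log_suffix,
        "timestamp": ts,
        "protoPayload": {
            "serviceName": service,
            "methodName": method,
            "resourceName": resource,
            "authenticationInfo": {"principalEmail": principal},
        },
    })


# Constructed batch: one entry of each type except System Event.
SAMPLE_LINES = [
    _entry("cloudaudit.googleapis.com%2Factivity", "storage.googleapis.com", "storage.setIamPermissions",
           "alice@example.com", "projects/_/buckets/example-customer-exports", "2024-04-02T10:14:00Z"),
    _entry("cloudaudit.googleapis.com%2Fdata_access", "secretmanager.googleapis.com",
           "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion",
           "alice@example.com", "projects/example-project/secrets/db-password/versions/3",
           "2024-04-02T10:15:00Z"),
    _entry("cloudaudit.googleapis.com%2Fdata_access", "cloudkms.googleapis.com", "Decrypt",
           "batch-job@example-project.iam.gserviceaccount.com",
           "projects/example-project/locations/global/keyRings/app/cryptoKeys/pii",
           "2024-04-02T10:16:00Z"),
    _entry("cloudaudit.googleapis.com%2Fpolicy", "storage.googleapis.com", "storage.objects.get",
           "bob@example.com", "projects/_/buckets/example-customer-exports/objects/export.csv",
           "2024-04-02T10:17:00Z"),
]


def classify(entry):
    """Return the audit log type of a parsed LogEntry, or 'Other'."""
    return LOG_TYPES.get(entry.get("logName", "").rsplit("/", 1)[-1], "Other")


def evaluate(lines):
    """Count JSON log lines by audit log type and collect alerts and warnings."""
    counts, alerts, warnings = {}, [], []
    for line in lines:
        entry = json.loads(line)
        kind = classify(entry)
        counts[kind] = counts.get(kind, 0) + 1
        payload = entry.get("protoPayload", {})
        reason = ALERT_METHODS.get((payload.get("serviceName"), payload.get("methodName")))
        if reason:
            alerts.append({
                "time": entry.get("timestamp"),
                "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
                "resource": payload.get("resourceName"),
                "reason": reason,
            })
    if "Data Access" not in counts:
        # Secret access and decrypt calls are Data Access events: if that log type is
        # not enabled, the alerts above can never fire, so say so explicitly.
        warnings.append("no Data Access entries seen: confirm Data Access audit logs are enabled")
    return {"counts": counts, "alerts": alerts, "warnings": warnings}


if __name__ == "__main__":
    result = evaluate(SAMPLE_LINES)
    print(result["counts"])
    for a in result["alerts"]:
        print(f"ALERT {a['time']} {a['principal']} {a['reason']}: {a['resource']}")
    for w in result["warnings"]:
        print("WARN", w)
```

In production the same matching would live in a log-based alerting policy rather than a script, but running it over an exported batch is a quick way to confirm that the events you intend to alert on are actually being written.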

GCP Configuration Review Best Practices

Careful Scoping

Having the right scope is crucial to a successful pentest—what is being tested can be just as important as how it is being tested. A GCP environment can be vast, with various resources and services distributed throughout.


By strategically selecting targets within your cloud environment, you can ensure quality time is dedicated to your most critical cloud assets. This curation can mean the difference between an inconsequential configuration review and a valuable review that discovers high-impact vulnerabilities. HackerOne assesses your assets to provide guidance on which assets to include and delivers a quote tailored to your specific requirements.

Skills-Based Tester Matching

Traditional consultancies often rely on in-house pentesters with general skills. However, GCP pentesting requires specialized knowledge of the environment and cloud security practices.


With HackerOne Pentest, delivered via a Pentest as a Service (PTaaS) model, customers gain access to a diverse pool of elite, vetted security researchers who bring a wide range of skills, certifications, and experience specific to GCP. The HackerOne platform keeps track of each researcher's skill set based on their track record and matches the most suitable researchers for each engagement. The community-driven PTaaS approach delivers comprehensive coverage, versatility, and the highest-quality results tailored to the services of your GCP environments.

Case Study: Alice's Table Leak

In April of 2024, security researchers identified a publicly exposed Google Cloud bucket that contained 37,349 files of personally identifiable information (PII). The data belonged to customers of Alice's Table, a floral arrangement company popularized by its appearance on the ABC show Shark Tank in 2017.


The exposed PII included customers' full names, email addresses, and home addresses. This data breach was particularly concerning because it affected not only individual customers but also accounts associated with large organizations, such as Pfizer, Charles Schwab, and various government agencies. The exposure of such sensitive information raised serious concerns about the potential for malicious actors to exploit the data for nefarious purposes, including phishing attacks, identity theft, and other forms of cybercrime.


The misconfiguration of the Google Cloud bucket highlights the critical importance of robust security measures for cloud storage. Organizations that store sensitive data in the cloud must ensure that access controls are properly implemented and regularly reviewed to prevent unauthorized access and data breaches. The incident also underscores the potential risks associated with storing PII, especially when it involves customers of large organizations and government agencies. The fallout from this data breach could include significant financial losses, reputational damage, and legal consequences for Alice's Table and potentially other affected organizations.

Why HackerOne is the Best Option for GCP Review

By choosing HackerOne as your partner in pentesting, your organization can fully benefit from the community-driven PTaaS model that provides unmatched expertise and resources for GCP security configuration pentests. The HackerOne platform streamlines the entire pentest process to deliver the greatest return on investment in risk reduction.

By leveraging the people and the technology, your organization gains the following advantages:

  • Comprehensive GCP Security Configuration Reviews: Access pentesters with deep expertise in auditing and improving GCP configurations to secure your cloud infrastructure against vulnerabilities.
  • Efficient Program Initiation: Experience rapid program setup with direct communication channels to testers, ensuring on-demand delivery of findings.
  • Extended Attack Surface Coverage: Our diverse community of security researchers excels in uncovering misconfigurations and vulnerabilities unique to GCP environments, enabling comprehensive security audits without the need to switch vendors.

Contact the HackerOne team today to get started