GCP - Services
Compute Engine
Metadata Server
The Metadata Server is a service provided by Compute Engine that allows instances to access metadata about themselves and the project they belong to. This metadata can include information such as instance ID, project ID, network interfaces, and SSH keys.
Metadata Server - Default Credentials
By default, instances can access the Metadata Server using the instance's service account credentials. These credentials are automatically generated by Compute Engine and are stored on the instance's metadata.
Metadata Server - SSRF Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability in the Metadata Server can allow an attacker to make requests to internal services or retrieve sensitive information from the metadata. This can lead to unauthorized access to resources or information leakage.
Instance Metadata
Instance metadata is information about an instance that can be accessed through the Metadata Server. This metadata can include details such as instance ID, project ID, zone, and network interfaces.
Instance Metadata - User-Provided Metadata
Users can provide custom metadata to instances during creation. This metadata can be used to configure the instance or provide additional information.
Instance Metadata - Startup Scripts
Startup scripts can be used to run commands or scripts when an instance starts up. These scripts can be specified as metadata during instance creation.
Cloud Storage
Signed URLs
Signed URLs are a way to grant temporary access to specific objects in Cloud Storage. These URLs contain a signature that allows access to the object for a limited time and with specific permissions.
Signed URLs - Expiration Time
When creating a signed URL, an expiration time can be set to specify how long the URL will be valid. After the expiration time, the URL will no longer grant access to the object.
Signed URLs - Permissions
Signed URLs can be created with specific permissions, such as read or write access. This allows fine-grained control over the access granted to the object.
Cloud Functions
Environment Variables
Environment variables can be used to store sensitive information or configuration values in Cloud Functions. These variables are set at the time of function deployment and can be accessed by the function code.
Environment Variables - Sensitive Information
Care should be taken when storing sensitive information in environment variables, as they can be accessed by anyone with access to the Cloud Functions console or the function's code.
Environment Variables - Secrets Manager
To securely store sensitive information, it is recommended to use a secrets manager service provided by the cloud platform, such as Secret Manager in GCP.
Cloud SQL
Database Credentials
Database credentials are used to authenticate and access a Cloud SQL database. These credentials typically include a username and password.
Database Credentials - Strong Passwords
It is important to use strong passwords for database credentials to prevent unauthorized access. Strong passwords should be long, complex, and unique.
Database Credentials - Rotation
Regularly rotating database credentials can help mitigate the risk of unauthorized access. This involves changing the passwords at regular intervals or in response to security incidents.
Cloud Pub/Sub
Access Control
Access control in Cloud Pub/Sub is managed through IAM roles and permissions. IAM policies can be used to grant or revoke access to topics and subscriptions.
Access Control - Principle of Least Privilege
When granting access to topics and subscriptions, the principle of least privilege should be followed. This means granting only the necessary permissions to perform specific actions.
Access Control - Audit Logs
Enabling audit logs for Cloud Pub/Sub can help track and monitor access to topics and subscriptions. These logs can provide valuable information for security analysis and incident response.
Cloud IAM
Service Accounts
Service accounts are used to authenticate and authorize applications and services to access resources in GCP. Each service account is associated with a set of credentials, including a private key or a JSON key file.
Service Accounts - Least Privilege
When assigning roles to service accounts, the principle of least privilege should be followed. This means granting only the necessary permissions for the service account to perform its intended functions.
Service Accounts - Key Management
Private keys and JSON key files associated with service accounts should be securely managed. They should be protected from unauthorized access and regularly rotated to mitigate the risk of compromise.
Cloud Logging
Log Exports
Cloud Logging allows exporting logs to external destinations, such as Cloud Storage or BigQuery. This can be useful for long-term retention, analysis, or integration with other systems.
Log Exports - Sensitive Information
When exporting logs, care should be taken to ensure that sensitive information is not included. This can include personally identifiable information (PII), authentication tokens, or other sensitive data.
Log Exports - Encryption
If logs contain sensitive information, they should be encrypted during transit and at rest. This helps protect the confidentiality and integrity of the log data.
Cloud Monitoring
Alerting Policies
Alerting policies in Cloud Monitoring can be used to define conditions and thresholds for generating alerts. These alerts can be sent to various notification channels, such as email, SMS, or PagerDuty.
Alerting Policies - Thresholds
When defining alerting policies, appropriate thresholds should be set to avoid false positives or missing critical events. Thresholds should be based on the expected behavior of the monitored resource.
Alerting Policies - Escalation
In some cases, it may be necessary to define escalation policies for alerts. This ensures that critical alerts are escalated to the appropriate individuals or teams for timely response and resolution.
Last updated