Compute Engine

Metadata Server

The Metadata Server is a service provided by Compute Engine that allows instances to access metadata about themselves and the project they belong to. This metadata can include information such as instance ID, project ID, network interfaces, and SSH keys.

Metadata Server - Default Credentials

By default, instances can access the Metadata Server using the instance's service account credentials. These credentials are automatically generated by Compute Engine and are stored on the instance's metadata.

Metadata Server - SSRF Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability in the Metadata Server can allow an attacker to make requests to internal services or retrieve sensitive information from the metadata. This can lead to unauthorized access to resources or information leakage.

Instance Metadata

Instance metadata is information about an instance that can be accessed through the Metadata Server. This metadata can include details such as instance ID, project ID, zone, and network interfaces.

Instance Metadata - User-Provided Metadata

Users can provide custom metadata to instances during creation. This metadata can be used to configure the instance or provide additional information.

Instance Metadata - Startup Scripts

Startup scripts can be used to run commands or scripts when an instance starts up. These scripts can be specified as metadata during instance creation.

Cloud Storage

Signed URLs

Signed URLs are a way to grant temporary access to specific objects in Cloud Storage. These URLs contain a signature that allows access to the object for a limited time and with specific permissions.

Signed URLs - Expiration Time

When creating a signed URL, an expiration time can be set to specify how long the URL will be valid. After the expiration time, the URL will no longer grant access to the object.

Signed URLs - Permissions

Signed URLs can be created with specific permissions, such as read or write access. This allows fine-grained control over the access granted to the object.

Cloud Functions

Environment Variables

Environment variables can be used to store sensitive information or configuration values in Cloud Functions. These variables are set at the time of function deployment and can be accessed by the function code.

Environment Variables - Sensitive Information

Care should be taken when storing sensitive information in environment variables, as they can be accessed by anyone with access to the Cloud Functions console or the function's code.

Environment Variables - Secrets Manager

To securely store sensitive information, it is recommended to use a secrets manager service provided by the cloud platform, such as Secret Manager in GCP.

Cloud SQL

Database Credentials

Database credentials are used to authenticate and access a Cloud SQL database. These credentials typically include a username and password.

Database Credentials - Strong Passwords

It is important to use strong passwords for database credentials to prevent unauthorized access. Strong passwords should be long, complex, and unique.

Database Credentials - Rotation

Regularly rotating database credentials can help mitigate the risk of unauthorized access. This involves changing the passwords at regular intervals or in response to security incidents.

Cloud Pub/Sub

Access Control

Access control in Cloud Pub/Sub is managed through IAM roles and permissions. IAM policies can be used to grant or revoke access to topics and subscriptions.

Access Control - Principle of Least Privilege

When granting access to topics and subscriptions, the principle of least privilege should be followed. This means granting only the necessary permissions to perform specific actions.

Access Control - Audit Logs

Enabling audit logs for Cloud Pub/Sub can help track and monitor access to topics and subscriptions. These logs can provide valuable information for security analysis and incident response.

Cloud IAM

Service Accounts

Service accounts are used to authenticate and authorize applications and services to access resources in GCP. Each service account is associated with a set of credentials, including a private key or a JSON key file.

Service Accounts - Least Privilege

When assigning roles to service accounts, the principle of least privilege should be followed. This means granting only the necessary permissions for the service account to perform its intended functions.

Service Accounts - Key Management

Private keys and JSON key files associated with service accounts should be securely managed. They should be protected from unauthorized access and regularly rotated to mitigate the risk of compromise.

Cloud Logging

Log Exports

Cloud Logging allows exporting logs to external destinations, such as Cloud Storage or BigQuery. This can be useful for long-term retention, analysis, or integration with other systems.

Log Exports - Sensitive Information

When exporting logs, care should be taken to ensure that sensitive information is not included. This can include personally identifiable information (PII), authentication tokens, or other sensitive data.

Log Exports - Encryption

If logs contain sensitive information, they should be encrypted during transit and at rest. This helps protect the confidentiality and integrity of the log data.

Cloud Monitoring

Alerting Policies

Alerting policies in Cloud Monitoring can be used to define conditions and thresholds for generating alerts. These alerts can be sent to various notification channels, such as email, SMS, or PagerDuty.

Alerting Policies - Thresholds

When defining alerting policies, appropriate thresholds should be set to avoid false positives or missing critical events. Thresholds should be based on the expected behavior of the monitored resource.

Alerting Policies - Escalation

In some cases, it may be necessary to define escalation policies for alerts. This ensures that critical alerts are escalated to the appropriate individuals or teams for timely response and resolution.