Skip to main content

Cloud security policies in GCP: How to set them up using Terraform

Picture of Mateusz Borowski, Cloud Security Engineer

Mateusz Borowski

Cloud Security Engineer
Aug 23, 2023|10 min read
Cloud_security_policies_in_GCP_How_to_set_them_up_using_Terraform_image

With the growing popularity of cloud services, robust cloud security policies are essential. These policies protect against unauthorized access, data breaches and cyber-attacks. Organizations that adopt cloud security policies create a secure framework and protect critical assets.

Data breaches and cyber threats have the potential to cripple businesses overnight. This means the integration of stringent security measures is imperative. This is where the Google Cloud Platform (GCP) steps in as a reliable ally. By combining the capabilities of GCP with the implementation of robust security policies, organizations create a multi-layered defense encompassing cutting-edge technology and comprehensive protocols. 

Automating security policies through tools like Terraform introduces a new level of efficiency and consistency. Terraform’s ability to define and provision infrastructure as code empowers organizations to codify their security policies, making them easily replicable and less prone to human error.

This article shows how to make Google Cloud Platform (GCP) more secure using Terraform, cloud security policies, security benchmarks, and automation. The outlined steps clarify how to automate the management of cloud security policies. This guarantees seamless and effective compliance across your cloud infrastructure.

What are cloud security policies? 

Cloud security policies are the solid foundation upon which organizations build a shield to protect their digital assets in the cloud. These policies are a mix of rules, guidelines, and proven best practices. They are the first line of defense in protecting an organization’s most valuable assets – its data, applications, and resources stored in the cloud.

Let’s take a closer look at the three pillars of cloud security policies:

  • Rules act as clear-cut guidelines determining how things should operate digitally. These rules often originate from legal and regulatory frameworks and lay the essential groundwork for securing sensitive information and digital activities.
  • Guidelines provide organizations with a roadmap to navigate the complexities of cloud computing. Guidelines are a way to improve cloud security through a careful combination of industry insight, real-world experience and knowledge of the threat landscape.
  • Best practices emerge as a collection of knowledge gained from successes and challenges in cloud security. These practices represent a distillation of lessons learned, encapsulating proven methods for safeguarding cloud environments from various threats.

Cloud security policies outline a blueprint for achieving the ultimate goal of cloud security: ensuring that cloud-based assets remain confidential, integral, and available. 

Google, for example, makes it easier for organizations to include cloud security policies in their cloud environment. Organizations can use the CIS Google Cloud Computing Platform Benchmarks as a reference for implementing security policies on GCP, providing secure configuration guidelines for:

  • Identity and Access Management
  • Logging and Monitoring
  • Networking
  • Virtual Machines
  • Storage
  • Database services and BigQuery

Cloud security policies in GCP

Cloud security policies within the Google Cloud Platform (GCP) serve as the linchpin for protecting an organization’s digital assets against cyber threats in the dynamic landscape of cloud computing.

GCP cloud security policies are a roadmap for constructing a robust security stance. By defining a clear set of rules and guidelines, these policies provide organizations with a structured path to ensure their digital assets’ confidentiality, integrity, and availability. Organisations can therefore refer to the GCP organisation policy constraint to ensure trusted and secure cloud operations.

Benefits of GCP Cloud security policies

The adoption of GCP cloud security policies brings forth a range of benefits. A significant advantage lies in establishing a cohesive and unified security stance throughout an organization’s cloud environment. This consistency minimizes the likelihood of security gaps and reinforces protection, especially amidst the complex landscape of cloud operations.

The GCP Organizational Policy Service empowers companies to draft and enforce cloud security policies that guard against cyber threats and unauthorized access, maintain data integrity, and adhere to industry standards.

Google gives us several ways to do so. One of them is the Organization Policy

What is Organization Policy?

Google offers the Organization Policy Service as a specialized feature within the Google Cloud Platform (GCP). Organization Policy establishes your organization’s security and compliance. You employ Organization Policy to apply constraints that define permissible resource configurations in your organization.

Now, let’s look into the functionality of these constraints.

policy-concepts

TODO policy-concepts Source: https://cloud.google.com/resource-manager/img/org-policy-concepts.svg

As shown above, an Organisation Policy Administrator sets limitations using Organisation Policies. These policies are applied at multiple levels to enforce restrictions on resources and their descendants. To create a policy, select a constraint – a targeted restriction on Google Cloud services – and then configure it. Descendants of the selected node inherit the policy, and applying it to the root organization node ensures broad enforcement and restriction configuration.

Let’s assume this node exists at the folder level for our purposes.

After defining the policy, the designated GCP service will enforce it automatically. Furthermore, all resources falling under the folder’s scope will adopt the policy, maintaining consistent application across the hierarchy.

Let’s see how you can automate cloud security policy deployment.

Advantages of Policy as Code

Once we identify the security policies, we can explore how to implement them. The recommended method involves the policy-as-code paradigm, which offers distinct advantages. This approach automates deploying and managing GCP resources, minimizing human errors. It also enhances the visibility of security policies, enabling tracking changes, conducting audits, and maintaining an auditable history of policy revisions.

You can implement policies as code in GCP through two effective methods:

  1. Google Cloud Deployment Manager: This service automates creating and managing GCP resources, including policies as code.
  2. Terraform: An open-source infrastructure-as-code software tool, Terraform offers a consistent CLI workflow for managing various cloud services, allowing you to create and manage policies as code.

Terraform’s open-source nature, multi-cloud compatibility, and ease of use make it a superior option for implementing cloud security policies as code in GCP compared to Google Cloud Deployment Manager, which lacks these benefits. Terraform’s widespread adoption makes it the obvious choice for efficient policy implementation in cloud environments. Finally, Terraform helps reduce the risk of vendor lock-in and works with both on-premises and cloud infrastructure.

Let’s take a quick look at the key benefits for organizations using Terraform to manage security policies in the cloud.

Leveraging Terraform for cloud security policies

Terraform’s capabilities extend beyond its role in provisioning and maintaining Google Cloud Platform (GCP) resources. It also helps reduce human error, provides change tracking, and preserves policy history. Specifically, Terraform allows policies to be defined using HashiCorp Configuration Language (HCL) or JSON syntax, providing versatility that addresses various security concerns such as IAM, network security, encryption, and logging. These adaptable methods help organizations efficiently implement policies, automate resource management, and ensure compliance within cloud infrastructures.

Let’s take a look at some practical examples.

How to implement cloud security policies with Terraform

When strengthening cloud security with Terraform, you take a comprehensive range of measures to ensure robust protection and compliance, including:

  1. Disabling Global Access to VM Serial Ports for Compute Engine Services
  2. Restricting TLS Versions
  3. Enforcing Public Access Prevention for Cloud Storage services
  4. Configuring Shielded VMs for Compute Engine Services
  5. Setting service account key expiry duration for Identity and Access Management

These policies hold utmost importance as they are prone to setup errors, posing a significant risk. We will implement these policies using Terraform’s org-policy module, which streamlines the management of organizational policies within the GCP environment. 

Simpler cloud security with the org-policy module

Terraform’s org-policy module makes managing organization policies for your Google Cloud environment easier. Org Policies help organizations ensure compliance more effectively than Identity and Access Management (IAM), which deals with user access to resources. Benefits include:

  • Improved security and reduced operational burden for cloud users. Org policies prevent breaches, saving on detection and remediation costs. 
  • For regions with strict data residency rules, the Location org policy maps resources to a specific cloud region. 
  • Administrators can use a custom Org Policy to restrict unverified images in Google Kubernetes Engine (GKE) or Cloud Run. This ensures that only trusted deployments are allowed by blocking the creation or update of clusters without proper authorization.

Now let’s acquaint ourselves with the variables used and examine the implementation examples.

policy_forDetermines the level you want to implement the policy.
constraintSpecify the name of the policy to be set by GCP (you can see the full list here)
project_id and organisation_idBoth variables set parameters for your GCP environment
policy_typeWe distinguish two types of constraint: “boolean” true/false for enforcing that, or “list” when we should add information about list length and set variables with square brackets [ ].

You can refer to the complete list of variables here.

Disable Global Access to VM Serial Ports for Compute Engine services

This Constraint disables global serial port access for Compute Engine VMs. By default, users can enable serial port access for Compute Engine VMs.

1module "disableGlobalSerialPortAccess" {
2  source        	= "terraform-google-modules/org-policy/google"
3  version       	= "~> 5.2.2"
4  policy_for    	= "project"
5  project_id    	= "XXXXXXXXX"
6  constraint    	= "constraints/compute.disableGlobalSerialPortAccess"
7  policy_type   	= "boolean"
8  organisation_id   = "XXXXXXXXX"
9  enforce       	= true
10}

Restrict TLS Versions

This Constraint defines the set of TLS versions that cannot be used. By default, all TLS versions are allowed.

1module "restrictTLSVersion" {
2  source        	= "terraform-google-modules/org-policy/google"
3  version       	= "~> 5.2.2"
4  policy_for    	= "project"
5  project_id    	= "XXXXXXXXX"
6  constraint    	= "constraints/gcp.restrictTLSVersion"
7  policy_type   	= "list"
8  organisation_id   = "XXXXXXXXX"
9  deny         	= ["TLS_VERSION_1", "TLS_VERSION_1_1"]
10  deny_list_length = 2
11}

Enforce Public Access Prevention for Cloud Storage services

Protect your Cloud Storage data from public exposure by enforcing public access prevention.

1module "publicAccessPrevention" {
2  source        	= "terraform-google-modules/org-policy/google"
3  version       	= "~> 5.2.2"
4  policy_for    	= "project"
5  project_id    	= "XXXXXXXXX"
6  constraint    	= "constraints/storage.publicAccessPrevention"
7  policy_type   	= "boolean"
8  organisation_id   = "XXXXXXXXX"
9  enforce       	= true
10}

Shielded VMs for Compute Engine services

This Constraint, when set to True, requires that all new Compute Engine VM instances use shielded disk images with Secure Boot, vTPM, and Integrity Monitoring options enabled.

1module "shieldedvm" {
2  source        	= "terraform-google-modules/org-policy/google"
3  version       	= "~> 5.2.2"
4  policy_for    	= "project"
5  project_id    	= "XXXXXXXXX"
6  constraint     	= "constraints/compute.requireShieldedVm"
7  policy_type   	= "boolean"
8  organisation_id   = "XXXXXXXXX"
9  enforce       	= true
10}

Service account key expiry duration in hours for Identity and Access Management

This Constraint establishes the maximum time for service account key expiration. By default, the system creates keys that never expire.

1module "serviceaccountskeyrotation"{
2  source        	= "terraform-google-modules/org-policy/google"
3  version       	= "~> 5.2.2"
4  policy_for    	= "project"
5  project_id    	= "XXXXXXXXX"
6  constraint    	= "constraints/iam.serviceAccountKeyExpiryHours"
7  policy_type   	= "list"
8  organisation_id   = "XXXXXXXXX"
9  allow        	= ["2160h"] // 90 days
10  allow_list_length = 1
11}

Of course, you must also configure Terraform and its permissions and set it up as a Google Cloud provider. We recommend this reference to get you started. 

You must also enable the orgpolicy API to configure governance rules on Google Cloud resources.

1# Enable the organisation Policy API
2resource "google_project_service" "orgpolicy_api" {
3  service = "orgpolicy.googleapis.com"
4  project = "XXXXXXXXX"
5}

That’s it! As you can see, it’s not as difficult as it might seem at first.

Final thoughts: cloud security policies, automation, and full compliance

We hope this article will serve as a guide for strengthening your cloud security on the Google Cloud Platform (GCP). Cloud security policies are the cornerstone, providing a comprehensive framework of rules, guidelines, and best practices to protect valuable digital assets from modern cyber threats.

GCP’s provision of the CIS Google Cloud Computing Platform Benchmarks provides a tangible pathway for implementing security policies effectively. The Organization Policy Service within GCP stands as a linchpin, allowing you to enforce constraints and ensure consistent security configurations across all levels of their cloud infrastructure.

Implementing these security measures as code through Terraform emerges as a game-changing strategy. Terraform’s versatility, ease of use, and adaptability enable you to seamlessly automate security policy deployment and resource management, effectively minimizing errors and maintaining compliance.

Using the approach outlined in this article, you ensure comprehensive compliance across your cloud infrastructure and strengthen your organization’s security posture:

  • Leverage the Organization Policy Service: Understand how organizational policies establish security and compliance.
  • Align with GCP constraints: Efficiently implement security requirements by aligning them with GCP organizational policy constraints.
  • Deploy policies as code: Explore the benefits of policies as code and apply them using Terraform.
  • Practical Illustrations: Gain insights from practical scenarios such as enforcing public access prevention for cloud storage and other real-world cases.

This article equips you with a roadmap for strengthening your cloud security posture. By adopting cloud security policies, leveraging GCP tools, and adopting the policy-as-code paradigm, you can ensure the security, integrity, and availability of your cloud-based assets while navigating the complex terrain of cloud computing.

Curated by Sebastian Synowiec

Previous articleNext article

Subscribe to our newsletter and never miss an article

Explore more topics

data-min

Preventing Fraud and Fighting Account Takeovers with Kafka Streams [reference architecture]

Reference_Architecture__A_roadmap_to_efficiency_and_scalability_image

Reference Architecture: A roadmap to efficiency and scalability

Internal_developer_portals_a_springboard_to_platform_engineering_image-min.jpg

Internal developer portals: a springboard to platform engineering