Enhance GCP security with cloud security policies. Implement best practices, use Terraform, and leverage GCP tools for robust protection.
With the growing popularity of cloud services, robust cloud security policies are essential. These policies protect against unauthorised access, data breaches and cyber-attacks. Organisations that adopt cloud security policies create a secure framework and protect critical assets.
Data breaches and cyber threats have the potential to cripple businesses overnight. This means the integration of stringent security measures is imperative. This is where the Google Cloud Platform (GCP) steps in as a reliable ally. By combining the capabilities of GCP with the implementation of robust security policies, organisations create a multi-layered defence encompassing cutting-edge technology and comprehensive protocols.
Automating security policies through tools like Terraform introduces a new level of efficiency and consistency. Terraform’s ability to define and provision infrastructure as code empowers organisations to codify their security policies, making them easily replicable and less prone to human error.
This article shows how to make Google Cloud Platform (GCP) more secure using Terraform, cloud security policies, security benchmarks and automation. The outlined steps show how to automate the management of cloud security policies so that the same configuration baseline is enforced consistently across your cloud infrastructure.
Cloud security policies are the solid foundation upon which organisations build a shield to protect their digital assets in the cloud. These policies are a mix of rules, guidelines and proven best practices. They are the first line of defence in protecting an organisation’s most valuable assets – its data, applications, and resources stored in the cloud.
The three pillars of cloud security policies are the classic security goals: cloud security policies outline a blueprint for ensuring that cloud-based assets remain confidential, keep their integrity and stay available.
Organisations do not have to write these policies from scratch. The CIS Google Cloud Platform Foundation Benchmark is a widely used reference for implementing security policies on GCP, providing secure configuration guidelines for its core services.
Cloud security policies within the Google Cloud Platform (GCP) serve as the linchpin for protecting an organisation’s digital assets against cyber threats in the dynamic landscape of cloud computing.
GCP cloud security policies are a roadmap for constructing a robust security stance. By defining a clear set of rules and guidelines, these policies provide organisations with a structured path to ensure their digital assets’ confidentiality, integrity, and availability. On GCP, the building blocks for expressing them are Organization Policy constraints.
The adoption of GCP cloud security policies brings forth a range of benefits. A significant advantage lies in establishing a cohesive and unified security stance throughout an organisation’s cloud environment. This consistency minimises the likelihood of security gaps and reinforces protection, especially amidst the complex landscape of cloud operations.
The GCP Organization Policy Service lets companies define and enforce cloud security policies that guard against cyber threats and unauthorised access, maintain data integrity, and adhere to industry standards.
Google gives us several ways to do so. One of them is the Organization Policy.
Google offers the Organization Policy Service as a specialised feature within the Google Cloud Platform (GCP). Organization Policy is where you set central guardrails for your organisation’s security and compliance: you apply constraints that define which resource configurations are permissible anywhere in your resource hierarchy.
Now, let’s look into the functionality of these constraints.
An Organization Policy Administrator (the roles/orgpolicy.policyAdmin IAM role) sets limitations using Organization Policies. These policies are applied at the organisation, folder or project level to enforce restrictions on resources and their descendants. To create a policy, select a constraint – a targeted restriction on a Google Cloud service – and then configure it. Descendants of the selected node inherit the policy, and applying it to the root organisation node ensures the broadest enforcement. Inheritance is not a lock, however: an administrator who holds the Organization Policy Administrator role on a descendant folder or project can set a policy for the same constraint there, which by default replaces the inherited one (it is merged with the parent’s only if the child policy opts in to inheriting). Grant that role sparingly and audit where it is held.
Let’s assume this node exists at the folder level for our purposes.
After defining the policy, the designated GCP service will enforce it automatically. Furthermore, all resources falling under the folder’s scope will adopt the policy, maintaining consistent application across the hierarchy.
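To make the inheritance behaviour concrete, here is an added example (it is not code from the original article) using the Google Terraform provider’s google_org_policy_policy resource directly. A folder restricts domain-restricted sharing to the company’s own Cloud Identity customer ID, and one project under that folder needs to share with a partner as well. The project policy sets inherit_from_parent = true so the effective policy is the union of both rules; with the default of false, the project policy would silently replace the folder’s restriction. The folder number, project ID and customer IDs are placeholders.

```hcl
# Added example, not from the original article. The folder number, project ID
# and Cloud Identity customer IDs are placeholders; the provider is assumed to
# be configured with credentials that hold roles/orgpolicy.policyAdmin.

# Folder-level policy: only principals belonging to our own Cloud Identity
# customer may be granted IAM roles on anything under this folder.
resource "google_org_policy_policy" "folder_domain_restricted_sharing" {
  name   = "folders/123456789012/policies/iam.allowedPolicyMemberDomains"
  parent = "folders/123456789012"

  spec {
    rules {
      values {
        allowed_values = ["C01aaaaaa"] # our customer ID (placeholder)
      }
    }
  }
}

# Project-level policy: this one project also needs to grant roles to a
# partner's principals, so it adds the partner's customer ID.
resource "google_org_policy_policy" "partner_project_domain_restricted_sharing" {
  name   = "projects/partner-integration-prod/policies/iam.allowedPolicyMemberDomains"
  parent = "projects/partner-integration-prod"

  spec {
    # Merge with the folder's rule: the effective allow list for the project
    # becomes both customer IDs. If this were left at the default (false),
    # the project policy would replace the inherited one, and an admin with
    # policy rights on the project alone could drop the company restriction.
    inherit_from_parent = true

    rules {
      values {
        allowed_values = ["C02bbbbbb"] # partner's customer ID (placeholder)
      }
    }
  }

  depends_on = [google_org_policy_policy.folder_domain_restricted_sharing]
}
```

After applying, check the effective result rather than the declared one: gcloud org-policies describe iam.allowedPolicyMemberDomains --project=partner-integration-prod --effective shows the merged allow list, and running the same command against another project in the folder should show only the company customer ID.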
Let’s see how you can automate cloud security policy deployment.
Once we identify the security policies, we can explore how to implement them. The recommended method involves the policy-as-code paradigm, which offers distinct advantages. This approach automates deploying and managing GCP resources, minimising human errors. It also enhances the visibility of security policies, enabling tracking changes, conducting audits, and maintaining an auditable history of policy revisions.
You can implement policies as code in GCP through two methods: Terraform or Google Cloud Deployment Manager.
Terraform’s large community, multi-cloud compatibility and ease of use make it the better option for implementing cloud security policies as code in GCP; Deployment Manager is GCP-only and has a much smaller ecosystem. Terraform’s widespread adoption also means that modules, linters and review tooling already exist for it. Finally, Terraform reduces the risk of vendor lock-in and works with both on-premises and cloud infrastructure.
Let’s take a quick look at the key benefits for organisations using Terraform to manage security policies in the cloud.
Terraform’s capabilities extend beyond its role in provisioning and maintaining Google Cloud Platform (GCP) resources. It also helps reduce human error, provides change tracking and preserves policy history. Specifically, Terraform allows policies to be defined using HashiCorp Configuration Language (HCL) or JSON syntax, providing versatility that addresses various security concerns such as IAM, network security, encryption and logging. These adaptable methods help organisations efficiently implement policies, automate resource management and ensure compliance within cloud infrastructures.
Let’s take a look at some practical examples.
Strengthening cloud security with Terraform covers a broad range of measures, from IAM and network security to encryption and logging. The settings below are worth codifying first because they are frequently misconfigured and carry significant risk when they are. We will implement them using Terraform’s org-policy module, which streamlines the management of Organization Policies within the GCP environment.
Terraform’s org-policy module makes managing Organization Policies for your Google Cloud environment easier. Org Policies and Identity and Access Management (IAM) are complementary rather than competing controls: IAM decides who may act on a resource, while an Org Policy decides which configurations are allowed at all, regardless of who requests them. That is what makes Org Policy the right tool for compliance guardrails. Benefits include:
Now let’s acquaint ourselves with the variables used and examine the implementation examples.
Variable | Description
--- | ---
policy_for | The level at which the policy is set: "organization", "folder" or "project".
constraint | The name of the constraint to set, including the constraints/ prefix (see Google’s reference list of Organization Policy constraints).
project_id, folder_id and organization_id | Identify the target resource; the one matching policy_for must be set. Note the American spelling organization_id: the module does not accept organisation_id.
policy_type | "boolean" constraints take enforce = true or false. "list" constraints take allow or deny with the values in square brackets [ ], plus allow_list_length or deny_list_length giving the number of entries, which the module needs at plan time.
This constraint disables global serial port access for Compute Engine VMs. By default, anyone who can edit instance or project metadata can enable serial console access on a VM; enforcing the constraint stops it from being switched on anywhere in scope.
module "disableGlobalSerialPortAccess" {
  source  = "terraform-google-modules/org-policy/google"
  version = "~> 5.2.2"

  policy_for  = "project"
  project_id  = "XXXXXXXXX"   # project the policy is applied to
  constraint  = "constraints/compute.disableGlobalSerialPortAccess"
  policy_type = "boolean"
  enforce     = true

  # Only read when policy_for = "organization"; note the module spells it with a z.
  organization_id = "XXXXXXXXX"
}
This constraint defines the set of TLS versions that cannot be used when connecting to Google Cloud services. By default, all TLS versions are allowed; the deny list below blocks TLS 1.0 and 1.1.
module "restrictTLSVersion" {
  source  = "terraform-google-modules/org-policy/google"
  version = "~> 5.2.2"

  policy_for  = "project"
  project_id  = "XXXXXXXXX"
  constraint  = "constraints/gcp.restrictTLSVersion"
  policy_type = "list"

  # List constraint: the entries to deny, and how many there are.
  deny             = ["TLS_VERSION_1", "TLS_VERSION_1_1"]
  deny_list_length = 2

  organization_id = "XXXXXXXXX"
}
Protect your Cloud Storage data from public exposure by enforcing public access prevention. When enforced, no bucket in scope can grant access to allUsers or allAuthenticatedUsers, whatever its own IAM policy says.
module "publicAccessPrevention" {
  source  = "terraform-google-modules/org-policy/google"
  version = "~> 5.2.2"

  policy_for  = "project"
  project_id  = "XXXXXXXXX"
  constraint  = "constraints/storage.publicAccessPrevention"
  policy_type = "boolean"
  enforce     = true

  organization_id = "XXXXXXXXX"
}
This constraint, when enforced, requires that all new Compute Engine VM instances use Shielded VM disk images with Secure Boot, vTPM and Integrity Monitoring enabled. It applies to instances created after the policy is set; existing VMs are not modified.
module "shieldedvm" {
  source  = "terraform-google-modules/org-policy/google"
  version = "~> 5.2.2"

  policy_for  = "project"
  project_id  = "XXXXXXXXX"
  constraint  = "constraints/compute.requireShieldedVm"
  policy_type = "boolean"
  enforce     = true

  organization_id = "XXXXXXXXX"
}
This constraint sets the maximum lifetime of newly created user-managed service account keys. By default, such keys never expire. Keys that already exist are not affected, so rotate them separately, and consider disabling user-managed key creation altogether where workloads can use attached service accounts or workload identity instead.
module "serviceaccountskeyrotation" {
  source  = "terraform-google-modules/org-policy/google"
  version = "~> 5.2.2"

  policy_for  = "project"
  project_id  = "XXXXXXXXX"
  constraint  = "constraints/iam.serviceAccountKeyExpiryHours"
  policy_type = "list"

  # Allowed lifetime for new keys: 2160h = 90 days
  allow             = ["2160h"]
  allow_list_length = 1

  organization_id = "XXXXXXXXX"
}
Of course, you must also configure Terraform and its permissions and set it up with the Google Cloud provider. The provider’s own documentation is the best place to start.
You must also enable the Organization Policy API (orgpolicy.googleapis.com) in the project Terraform runs from before it can manage governance rules on Google Cloud resources.
# Enable the Organization Policy API
resource "google_project_service" "orgpolicy_api" {
  service = "orgpolicy.googleapis.com"
  project = "XXXXXXXXX"

  # By default Terraform disables the API again on destroy, which would break
  # anything else in the project that depends on it.
  disable_on_destroy = false
}
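The examples above each apply one policy to one project. As an added example (not code from the original article), the following configuration puts the pieces together the way a platform team would run them: the provider impersonates a dedicated automation service account instead of using a downloaded key, the Organization Policy API is enabled, and two related policies are applied at folder level with a tracked exception. It goes beyond the article’s examples by using policy_for = "folder" with folder_id and the module’s exclude_projects variable, and by pairing the key-expiry constraint with iam.disableServiceAccountKeyCreation. The folder number, project IDs and service account address are placeholders.

```hcl
# Added example, not from the original article. Folder number, project IDs and
# the service account address are placeholders.

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 5.0"
    }
  }
}

# Terraform runs with its own identity, but acts as a dedicated service account
# that holds roles/orgpolicy.policyAdmin on the target folder. Impersonation
# means no long-lived key for that account ever has to exist.
provider "google" {
  impersonate_service_account = "terraform-orgpolicy@ops-automation-prod.iam.gserviceaccount.com"
}

# The API is enabled in the project Terraform runs from.
resource "google_project_service" "orgpolicy_api" {
  project            = "ops-automation-prod"
  service            = "orgpolicy.googleapis.com"
  disable_on_destroy = false # leave the API on for other users on destroy
}

# Folder-wide: no new user-managed service account keys at all.
module "disable_sa_key_creation" {
  source  = "terraform-google-modules/org-policy/google"
  version = "~> 5.2.2"

  policy_for  = "folder"
  folder_id   = "folders/123456789012"
  constraint  = "constraints/iam.disableServiceAccountKeyCreation"
  policy_type = "boolean"
  enforce     = true

  # One legacy project still needs keys: the module writes a project-level
  # policy there with enforce = false. Keeping the exception in code makes it
  # visible in review and easy to remove once the project is migrated.
  exclude_projects = ["legacy-batch-prod"]

  depends_on = [google_project_service.orgpolicy_api]
}

# Folder-wide: any key that can still be created (only in the excepted
# project) expires after 24 hours instead of never.
module "sa_key_expiry" {
  source  = "terraform-google-modules/org-policy/google"
  version = "~> 5.2.2"

  policy_for        = "folder"
  folder_id         = "folders/123456789012"
  constraint        = "constraints/iam.serviceAccountKeyExpiryHours"
  policy_type       = "list"
  allow             = ["24h"]
  allow_list_length = 1

  depends_on = [google_project_service.orgpolicy_api]
}
```

The exception is the part to watch: gcloud org-policies describe iam.disableServiceAccountKeyCreation --project=legacy-batch-prod --effective should report the constraint as not enforced there and enforced for every sibling project, and that is a check worth running in CI after each apply rather than trusting the plan output alone.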
That’s it! As you can see, it’s not as difficult as it might seem at first.
We hope this article will serve as a guide for strengthening your cloud security on the Google Cloud Platform (GCP). Cloud security policies are the cornerstone, providing a comprehensive framework of rules, guidelines and best practices to protect valuable digital assets from modern cyber threats.
The CIS Google Cloud Platform Foundation Benchmark provides a tangible pathway for choosing which policies to implement. The Organization Policy Service within GCP is the linchpin for enforcing them, letting you apply constraints and ensure consistent security configurations at every level of your cloud resource hierarchy.
Implementing these security measures as code through Terraform emerges as a game-changing strategy. Terraform’s versatility, ease of use, and adaptability enable you to seamlessly automate security policy deployment and resource management, effectively minimising errors and maintaining compliance.
Using the approach outlined in this article, you enforce a consistent configuration baseline across your cloud infrastructure and strengthen your organisation’s security posture.
This article equips you with a roadmap for strengthening your cloud security posture. By adopting cloud security policies, leveraging GCP tools and adopting the policy-as-code paradigm, you can ensure the security, integrity and availability of your cloud-based assets while navigating the complex terrain of cloud computing.