Blog
-

10 min read

GCP Cloud Configuration Review Templates - Nuclei Templates v10.2.0 🎉

Nuclei & Templates
GCP Cloud Configuration Review Templates - Nuclei Templates v10.2.0 🎉

Share

We’re excited to tell you about Nuclei Templates release v10.2.0! This new version includes newly added GCP Config Review templates. In this blog post, we’ll discuss automating Google Cloud misconfiguration review, creating custom GCP checks, and sharing results on the PDCP Cloud for review.

Following our last release on Azure Cloud Security Config Review and Kubernetes Cluster Security, we decided to expand our coverage to include GCP as well.

GCP is well-known for its powerful features and vast configuration options, which can be challenging to manage. To make securing GCP environments easier, we’ve created our security checks in a simple YAML format, allowing for easier management and review of configurations.

For those particularly interested in using the GCP Config templates, feel free to skip to the end of the blog.

GCP Cloud Config Security Review

Often simply referred to as GCP Security Audit, this process is crucial for assessing the security measures in place within your Google Cloud environments. It involves a detailed review of configurations, policies, and setups to ensure they align with security best practices and compliance requirements.

Some key activities in a GCP Cloud Config Security Review typically include:

  • Identity and Access Management Review: This involves verifying that proper roles are assigned and that Multi-Factor Authentication (MFA) or strong authentication methods are enforced for privileged users.
  • Resource Configuration and Management: Ensuring that compute, storage, and other GCP resources have correct logging and deletion-protection settings enabled to trace critical changes.
  • Network Security Configuration: Confirming that firewall rules, VPC configurations, and other network controls are properly set to restrict unnecessary access and minimize the risk of breaches.
  • Compliance and Regulatory Adherence: Verifying that all GCP services comply with relevant regulations such as HIPAA or PCI DSS, ensuring data is protected based on industry standards.
  • Security Best Practices and Policies: Checking for encryption on storage buckets, verifying that only secure protocols (HTTPS/TLS) are in use, and ensuring logging services are configured properly.

We realize that reviewing GCP cloud configurations can feel overwhelmingly complex, often more challenging than it needs to be. That’s why we’ve chosen to streamline the process by creating security checks for GCP using the straightforward YAML format used by Nuclei. These templates perform all essential checks, encompassing configurations, logging, compliance, and best practices. By leveraging these templates, we can effortlessly produce a comprehensive report on our cloud platform, detailed with remediation steps. This simplified approach makes the review process much smoother for both companies and penetration testers.

What are Code Protocol Templates?

Nuclei empowers users to execute external code on the host operating system, granting security researchers, pentesters, and developers the flexibility to expand its capabilities beyond standard protocol-based testing. This functionality enables interaction with the underlying OS, facilitating the execution of custom scripts or commands for a diverse array of tasks including system configurations, file operations, and network interactions. Such control and adaptability empower users to customize their security testing workflows to meet precise needs. Explore the Code protocol templates in our documentation for more details.

Because code templates can execute commands on hosts, users must first sign the template using their keys, and these are not included in default scans. To use these templates, you need to sign them using the -sign flag. After signing, you can run the templates by providing the -code flag.

In the example below, you’ll notice that we can easily run a gcloud command directly from the template. However, unlike other templates that execute on target hosts, this one will run the command on our own host.

cli

1id: gcp-env
2
3info:
4  name: GCP Environment Validation
5  author: princechaddha
6  severity: info
7  description: |
8    Checks if Google Cloud CLI (gcloud) is set up and all necessary tools are installed on the environment.
9  reference:
10    - https://console.cloud.google.com/
11  metadata:
12    max-request: 2
13  tags: cloud,devops,google,gcp,gcp-cloud-config
14
15self-contained: true
16code:
17  - engine:
18      - sh
19      - bash
20    source: |
21      gcloud config get-value account --format="json"
22
23    matchers:
24      - type: word
25        words:
26          - '@'
27
28    extractors:
29      - type: json
30        name: account
31        json:
32          - '.'
33        internal: true
34
35      - type: dsl
36        dsl:
37          - '"Google Cloud CLI is properly configured for account \"" + account + "\"."'

Example #1:

In this example, we will create a template that identifies publicly accessible Google Cloud Storage buckets, which is a serious misconfiguration and can expose sensitive data to unauthorized users.

  • We’ve set self-contained: true because this Nuclei template runs locally and independently using GCloud and gsutil commands to inspect IAM policies.
  • The first code block fetches a list of GCP project IDs.
  • In the flow section, we first run code(1) to get the list of project IDs. For each project, we then run code(2) to retrieve the associated storage buckets.
  • After fetching the bucket list, we iterate over each bucket and run code(3) to get the IAM policy for that bucket.
  • The matcher in the final code block looks for allUsers or allAuthenticatedUsers, which indicate that the bucket is publicly accessible.
  • The extractors output a formatted message showing which project and bucket are misconfigured with public access.

cli

1id: gcloud-publicly-accessible-storage-buckets
2
3info:
4  name: Check for Publicly Accessible Cloud Storage Buckets
5  author: princechaddha
6  severity: high
7  description: |
8    Ensure that the IAM policy associated with your Google Cloud Storage buckets is restricting anonymous and/or public access.
9  impact: |
10    Publicly accessible Cloud Storage buckets can lead to unauthorized access and potential data breaches.
11  remediation: |
12    Update the IAM policy of your Google Cloud Storage buckets to remove bindings for "allUsers" and "allAuthenticatedUsers".
13  reference:
14    - https://cloud.google.com/storage/docs/access-control/iam
15  tags: cloud,devops,gcp,gcloud,google-cloud-storage,iam,security,public-access,gcp-cloud-config
16
17flow: |
18  code(1)
19  for(let projectId of iterate(template.projectIds)){
20    set("projectId", projectId)
21    code(2)
22    for(let bucketName of iterate(template.buckets)){
23      set("bucketName", bucketName)
24      code(3)
25    }
26  }  
27
28self-contained: true
29
30code:
31  - engine:
32      - sh
33      - bash
34    source: |
35            gcloud projects list --format="json(projectId)"
36
37    extractors:
38      - type: json
39        name: projectIds
40        internal: true
41        json:
42          - '.[].projectId'
43
44  - engine:
45      - sh
46      - bash
47    source: |
48            gsutil ls -p $projectId | jq -R . | jq -s .
49
50    extractors:
51      - type: json
52        name: buckets
53        internal: true
54        json:
55          - '.[]'
56
57  - engine:
58      - sh
59      - bash
60    source: |
61            gsutil iam get $bucketName --format=json | jq -r '.bindings[].members[]? // "null"'
62
63    matchers:
64      - type: word
65        words:
66          - 'allUsers'
67          - 'allAuthenticatedUsers'
68        condition: or
69
70    extractors:
71      - type: dsl
72        dsl:
73          - '"The bucket " + bucketName + " in project " + projectId + " is publicly accessible because it includes \"allUsers\" or \"allAuthenticatedUsers\" in its IAM policy."'

Example #2:

In this example, we will create a template that identifies IAM users or service accounts with administrative roles, which can violate the principle of least privilege and lead to potential misuse or unauthorized modifications.

  • We’ve set self-contained: true because this Nuclei template operates independently of any specific host, using local GCloud configurations to fetch and analyze policy data.
  • The first code block starts by specifying the engine we wish to use for executing the command, followed by the command itself in the source section. This block includes an extractor that extracts the list of project IDs.
  • After defining the initial code block, we introduce a flow. Initially, we execute code(1) to fetch the project IDs. This is followed by iterating over each project.
  • The second code block runs the GCloud command to get the IAM policy for each project and checks for administrative roles such as owner, editor, or any role containing 'admin'.
  • The extractors output the name of the project that has such admin roles assigned.

cli

1id: gcloud-iam-admin-roles
2
3info:
4  name: IAM Users with Administrative Roles
5  author: princechaddha
6  severity: medium
7  description: |
8    Ensure that IAM roles with privileged administrative permissions are not assigned to IAM identities (users, groups, and service accounts) to promote least privilege.
9  impact: |
10    Administrative roles grant excessive permissions that violate the principle of least privilege, potentially allowing users to perform unauthorized or accidental changes across resources.
11  remediation: |
12    Remove administrative roles (Owner, Editor, and roles containing "Admin" or "admin") from IAM members and replace them with more granular roles that follow the principle of least privilege.
13  reference:
14    - https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/IAM/roles-with-admin-permissions.html
15    - https://cloud.google.com/iam/docs/understanding-roles
16  tags: cloud,devops,gcp,gcloud,iam,security,admin,permissions,gcp-cloud-config
17
18flow: |
19  code(1)
20  for(let projectId of iterate(template.projectIds)){
21    set("projectId", projectId)
22    code(2)
23  }  
24
25self-contained: true
26
27code:
28  - engine:
29      - sh
30      - bash
31    source: |
32            gcloud projects list --format="json(projectId)"
33
34    extractors:
35      - type: json
36        name: projectIds
37        internal: true
38        json:
39          - '.[].projectId'
40
41  - engine:
42      - sh
43      - bash
44    source: |
45            gcloud projects get-iam-policy $projectId --format="json(bindings[?(@.role=='roles/owner' || @.role=='roles/editor' || @.role contains 'admin' || @.role contains 'Admin')])"
46
47    matchers:
48      - type: word
49        words:
50          - '"role":'
51
52    extractors:
53      - type: dsl
54        dsl:
55          - '"Project " + projectId + " has IAM users with administrative roles that grant excessive permissions"'

Example #3:

This template checks Google Compute Engine (GCE) instances to ensure they are not configured to use the default service account with full API access, a common misconfiguration that violates least privilege.

cli

1id: gcloud-vm-default-service-account-full-access
2
3info:
4  name: VM Instance Using Default Service Account with Full API Access
5  author: princechaddha
6  severity: medium
7  description: |
8    Ensure that your Google Compute Engine instances are not configured to use the default service account with the Cloud API access scope set to "Allow full access to all Cloud APIs".
9  impact: |
10    Using default service accounts with full API access violates the principle of least privilege and could allow compromised instances to make unauthorized API calls to any GCP service.
11  remediation: |
12    Either replace the default service account with a custom one having minimal permissions, or change the access scope to only required permissions.
13  reference:
14    - https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/default-service-accounts-with-full-access-in-use.html
15    - https://cloud.google.com/compute/docs/access/service-accounts
16  tags: cloud,devops,gcp,gcloud,compute,security,iam,service-account,gcp-cloud-config
17
18flow: |
19  code(1)
20  for(let projectId of iterate(template.projectIds)){
21    set("projectId", projectId)
22    code(2)
23    for(let instance of iterate(template.instances)){
24      instance = JSON.parse(instance)
25      set("instanceName", instance.name)
26      set("zone", instance.zone)
27      code(3)
28    }
29  }  
30
31self-contained: true
32
33code:
34  - engine:
35      - sh
36      - bash
37    source: |
38            gcloud projects list --format="json(projectId)"
39
40    extractors:
41      - type: json
42        name: projectIds
43        internal: true
44        json:
45          - '.[].projectId'
46
47  - engine:
48      - sh
49      - bash
50    source: |
51            gcloud compute instances list --project $projectId --format="json(name,zone.basename())"
52
53    extractors:
54      - type: json
55        name: instances
56        internal: true
57        json:
58          - '.[]'
59
60  - engine:
61      - sh
62      - bash
63    source: |
64            gcloud compute instances describe $instanceName --zone $zone --project $projectId --format="json(serviceAccounts[].email,serviceAccounts[].scopes[])"
65
66    matchers:
67      - type: word
68        words:
69          - "compute@developer.gserviceaccount.com"
70          - "https://www.googleapis.com/auth/cloud-platform"
71        condition: and
72
73    extractors:
74      - type: dsl
75        dsl:
76          - '"VM instance " + instanceName + " in zone " + zone + " of project " + projectId + " is using the default Compute Engine service account with full API access"'

Check out all the other GCP templates by visiting the Nuclei Templates GitHub repository.

Custom Templates for Specific Use Cases

Custom GCP security checks allow security teams, pentesters, and DevOps professionals to address unique security concerns and operational practices within their Google Cloud environments. Here are a few scenarios where creating custom GCP Nuclei templates might be particularly beneficial:

  • Custom Resource Checks: For organizations using specialized services in GCP, custom templates ensure these resources adhere to security best practices. For example, verifying whether Google Cloud Functions have proper environment variables secured or if Cloud SQL instances enforce SSL connections.
  • Specific Compliance Audits: Different industries have specific regulatory requirements. Custom templates can help enforce compliance through continuous monitoring. For instance, a template could verify that all BigQuery datasets have the correct access policies enabled to comply with industry security standards.
  • Service-Specific Policies: GCP services like Google Kubernetes Engine (GKE) or Compute Engine may have unique security policies. Custom templates can help ensure each service adheres to those policies, such as enabling Workload Identity or checking for default VPC usage.
  • Integration with CI/CD Pipelines: Custom templates can be integrated into pipelines to automatically check for security issues before new GCP resources are deployed. For example, scanning new Terraform configurations to ensure no misconfigurations are pushed into production.
  • Advanced Network Security Testing: Detailed checks on firewall rules, VPC restrictions, or ensuring appropriate usage of Private Service Connect can be performed with custom templates to validate an organization's specific network security posture.
  • Performance and Resource Optimization: While security is key, custom templates can also highlight underutilized resources or missing best practices recommended by Google’s own cost optimization guidance.

Running GCP Security Templates

To use these templates, ensure your environment is set up correctly. You need to install the Google Cloud CLI (gcloud) and configure its contexts or specific access permissions using.

In Nuclei-Templates, we’ve introduced the concept of profiles, which allow users to run a specific set of templates tailored for a particular use case. For GCP Cloud Config security reviews, we have a profile named gcp-cloud-config.

Once the environment is properly configured, users can execute the following command to ensure everything is set up correctly before running the profile:

cli

1pwnmachine@PD gcp % nuclei -id gcloud-env -code
2
3                     __     _
4   ____  __  _______/ /__  (_)
5  / __ \/ / / / ___/ / _ \/ /
6 / / / / /_/ / /__/ /  __/ /
7/_/ /_/\__,_/\___/_/\___/_/   v3.3.2
8
9        projectdiscovery.io
10
11[INF] Current nuclei version: v3.4.2 (latest)
12[INF] Current nuclei-templates version: v10.2.0 (latest)
13[WRN] Scan results upload to cloud is disabled.
14[INF] Templates loaded for current scan: 1
15[INF] Executing 1 signed templates from triage
16
17[gcp-env] [code] [info]  ["Google Cloud CLI is properly configured for account "testdemoemail@gmail.com"."]

If the template matches, this indicates that the environment has all the necessary tools installed and GCloud is set up.

Users can also specify the project they want to scan using the following command if they have multiple projects, before running the templates:

cli

1gcloud config set project <project-id>

Uploading Results to ProjectDiscovery Cloud Platform

To upload results to the cloud, you need to obtain an authentication token. Here are the steps to follow:

  1. Go to PDCP Cloud and log in to your account.
  2. Click on your profile picture in the top-right corner and select API key.
  3. Copy your API key, and in your terminal, type nuclei -auth <your-api-key>.

Now you’re all set to run the templates!

cli

1nuclei -profile gcp-cloud-config -cloud-upload

Now that we have a lot of findings, it would be very convenient to view these on the Cloud. Simply log into PDCP Cloud, and you will find a scan created with the results.

We have added 225 templates categorized by services. We invite the community to share their feedback. We anticipate this number will grow as the security community continues to contribute and collaborate.

Conclusion

The Nuclei templates for GCP provide significant creativity and flexibility, enabling users to craft checks that cater to their specific workflow and environment. This approach not only helps in identifying and resolving security misconfigurations but also facilitates monitoring of their overall Google Cloud environment.

You can also join our Discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments. Thank you, once again!

By leveraging Nuclei and actively engaging with the open-source community, or by becoming a part of the ProjectDiscovery Cloud Platform, companies can enhance their security measures, proactively address emerging threats, and establish a more secure digital landscape. Security represents a shared endeavor, and by collaborating, we can consistently adapt and confront the ever-evolving challenges posed by cyber threats.