
secure-gcp-reference's Introduction

This content is provided by the team at DoiT International, a global product and service organization dedicated to making the public cloud accessible while secure for all.

Secure configuration example

Example GCP Secure Configuration

Checklists

Initial setup

  • Configure org policies
    • Restrict allowed IAM domains
    • Disable SA key creation
    • Disable SA key upload
    • Skip default network
    • Disable external IPs
    • Restrict prod networks to folder
    • Require shielded VM
    • Require OSLogin
    • Require uniform bucket access
    • Disable lien removal (so project-deletion liens cannot be silently dropped)
  • Prepare for VPC service controls (data protection)
    • Create access policy (one per org)
  • Remove the default org-level roles granted to all users
    • Billing Account Creator
    • Project Creator
  • Define disaster recovery plan
    • DR team and contacts
    • Geographical regions
    • RTO, RPO
    • Data backups
    • Configuration management
    • Continuous deployment
    • Test schedule (at least annual)
  • Establish user groups in Google Workspace (formerly G Suite) / Cloud Identity
    • Organization Admin
    • Network Admin
    • Security Admin
    • Billing Admin
    • Devops
    • Developers
    • Data Scientists
    • Contractors
    • Teams (project or folder-level as you grow)
  • Establish resource hierarchy
    • Define folder and project hierarchy
    • Define environment data security perimeters (VPC service controls)
    • Set up IAM permissions
      • Billing
      • Org
        • Folder
          • Project
      • Tips:
        • grant IAM roles only to groups, never to individual users
        • use IAM conditions where possible to limit scope (time window, resource name)
        • grant the minimum permissions needed at each level of the hierarchy
        • treat Editor as the highest role granted on any project; avoid Owner and prefer predefined roles
    • Set up Network
      • Document IP address ranges (IPAM)
        • Clusters
          • secondary ranges
        • VMs
        • Databases
        • Connectors
        • Managed services
        • Bastion (jump host)
      • Create shared VPC (host project)
        • VPCs
          • Subnets
          • Firewall rules
        • Cloud Router
        • NAT
      • Serverless VPC Connector
    • Set up Security project
      • Enable audit logging at org level
      • Create audit logging storage bucket
      • Create aggregated audit log sinks to security project
    • Set up Devops project
      • Override the org-level SA key creation policy for this project only (needed if Terraform runs outside GCP and must use a key)
      • Create Terraform service account(s)
        • Admin
        • Developer (optional)
      • Create artifact registry
        • Service account permissions
        • Container analysis
        • Binary authorization
      • Cloud Build
        • Service account permissions
        • Connect Git repositories
    • Set up Billing project
      • Create BigQuery dataset to store billing data
      • Create billing export to the BigQuery dataset (only one export per billing account)
      • Define resource labeling plan
    • Set up Monitoring project
      • Create initial workspace and add projects above
      • Create logging bucket(s)
      • Create notification channels
  • Set up monitoring / alerts
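The org policy constraints from the "Configure org policies" checklist, together with the DevOps-project override under "Set up Devops project", expressed in Terraform. This is an added example, not code from the secure-gcp-reference repository; the org ID, Cloud Identity customer ID and project ID are placeholder assumptions, and "Restrict prod networks to folder" is left out because the page does not name the constraint it has in mind.

```hcl
# Added example (not the reference repo's code). Values are placeholders.
variable "org_id"            { default = "123456789012" }  # assumed org ID
variable "customer_id"       { default = "C0123abcd" }     # assumed Cloud Identity customer ID
variable "devops_project_id" { default = "devops-prj" }    # assumed project ID

# Boolean constraints, driven by a map so the enforced list is auditable in one place.
locals {
  boolean_constraints = {
    "iam.disableServiceAccountKeyCreation"  = true # Disable SA key creation
    "iam.disableServiceAccountKeyUpload"    = true # Disable SA key upload
    "compute.skipDefaultNetworkCreation"    = true # Skip default network
    "compute.requireShieldedVm"             = true # Require shielded VM
    "compute.requireOsLogin"                = true # Require OS Login
    "storage.uniformBucketLevelAccess"      = true # Require uniform bucket access
    "compute.restrictXpnProjectLienRemoval" = true # Disable lien removal
  }
}

resource "google_organization_policy" "boolean" {
  for_each   = local.boolean_constraints
  org_id     = var.org_id
  constraint = each.key

  boolean_policy {
    enforced = each.value
  }
}

# Restrict allowed IAM domains: only principals from this Cloud Identity customer.
resource "google_organization_policy" "allowed_domains" {
  org_id     = var.org_id
  constraint = "iam.allowedPolicyMemberDomains"

  list_policy {
    allow {
      values = [var.customer_id]
    }
  }
}

# Disable external IPs on VMs org-wide; grant exceptions on a folder or project, not here.
resource "google_organization_policy" "no_external_ip" {
  org_id     = var.org_id
  constraint = "compute.vmExternalIpAccess"

  list_policy {
    deny {
      all = true
    }
  }
}

# DevOps project override: switch the key-creation constraint off for this one project
# only, so a Terraform runner outside GCP can hold a key. Keep every other project locked.
resource "google_project_organization_policy" "devops_sa_keys" {
  project    = var.devops_project_id
  constraint = "iam.disableServiceAccountKeyCreation"

  boolean_policy {
    enforced = false
  }
}
```

Apply this with an identity that holds Organization Policy Administrator; the `iam.allowedPolicyMemberDomains` value is the customer ID (starts with `C`), not the DNS domain, and getting it wrong locks out every external binding at once, so test on a folder before setting it at the org.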
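The IAM tips under "Set up IAM permissions" (group-only bindings, conditions, Editor as the ceiling) and the three steps under "Set up Security project" (org-level audit logging, an audit bucket, an aggregated sink) as one Terraform example. This is added code, not the reference repository's own; the org ID, folder, project, group addresses and bucket name are placeholder assumptions.

```hcl
# Added example (not the reference repo's code). Values are placeholders.
variable "org_id"              { default = "123456789012" }        # assumed org ID
variable "security_project_id" { default = "security-prj" }        # assumed project ID
variable "prod_folder_id"      { default = "folders/987654321098" } # assumed folder
variable "prod_project_id"     { default = "prod-app" }            # assumed project ID

# Folder level: the DevOps group administers networks in the prod folder. Group principal only.
resource "google_folder_iam_member" "devops_network_admin" {
  folder = var.prod_folder_id
  role   = "roles/compute.networkAdmin"
  member = "group:devops@example.com" # assumed group
}

# Project level: contractors get read-only access that expires on its own via a condition.
resource "google_project_iam_member" "contractors_viewer" {
  project = var.prod_project_id
  role    = "roles/viewer"
  member  = "group:contractors@example.com" # assumed group

  condition {
    title       = "contract-window"
    description = "Access ends automatically at the end of the engagement"
    expression  = "request.time < timestamp(\"2025-07-01T00:00:00Z\")"
  }
}

# Org-level audit logging. Admin Activity logs are always on; this adds Data Access
# logs for every service, which raises log volume and cost across the org.
resource "google_organization_iam_audit_config" "all" {
  org_id  = var.org_id
  service = "allServices"

  audit_log_config { log_type = "ADMIN_READ" }
  audit_log_config { log_type = "DATA_READ" }
  audit_log_config { log_type = "DATA_WRITE" }
}

# Audit bucket in the security project with a retention policy so entries cannot be
# deleted early. Set is_locked = true only after the period is verified; locking is permanent.
resource "google_storage_bucket" "audit_logs" {
  name                        = "example-org-audit-logs" # assumed globally unique name
  project                     = var.security_project_id
  location                    = "US"
  uniform_bucket_level_access = true

  retention_policy {
    retention_period = 31536000 # 365 days, in seconds
  }
}

# Aggregated sink: include_children pulls audit logs from every folder and project.
resource "google_logging_organization_sink" "audit" {
  name             = "org-audit-to-security"
  org_id           = var.org_id
  include_children = true
  destination      = "storage.googleapis.com/${google_storage_bucket.audit_logs.name}"
  filter           = "logName:\"cloudaudit.googleapis.com\""
}

# The sink writes as a Google-managed service account; give it object creation only.
resource "google_storage_bucket_iam_member" "sink_writer" {
  bucket = google_storage_bucket.audit_logs.name
  role   = "roles/storage.objectCreator"
  member = google_logging_organization_sink.audit.writer_identity
}
```

Nobody in the security project needs `storage.objects.delete` on the audit bucket; keep the security-admin group at viewer on it and let the retention policy, not IAM, decide when entries go.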

Project considerations

  • Add project liens to prevent accidental deletion (e.g. production)
  • Audit log sink to security project
  • Log sink to monitoring project logging bucket
    • Add exclusion filters or disable _Default
  • Ensure network resources available
    • Plan out or request network resources from shared VPC
    • Add as service project
  • Set up Service Accounts
    • CI/CD
    • Cache
    • Database
    • Storage
    • App Runtime
  • Add only permissions required for tasks
  • OS Login
  • Considerations:
    • Storage bucket policy and lifecycle
    • Data replications and RPO
    • Data security perimeter
    • Data loss prevention and PII
    • Label resources
    • Quotas
    • Cloud IAP
    • Firewall rules
    • Monitoring
      • Uptime checks
      • Define SLO / SLI
      • Dashboards
      • Alerts
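The per-project steps above (a deletion lien, attaching to the shared VPC, a log sink to the monitoring project's log bucket, and an exclusion filter for the project's `_Default` routing) as one Terraform example. This is added code rather than the reference repository's own; the project ID and number, host project, monitoring project and filters are placeholder assumptions.

```hcl
# Added example (not the reference repo's code). Values are placeholders.
variable "project_id"         { default = "prod-app" }        # assumed project ID
variable "project_number"     { default = "112233445566" }    # assumed project number
variable "host_project_id"    { default = "shared-vpc-host" } # assumed shared VPC host
variable "monitoring_project" { default = "monitoring-prj" }  # assumed monitoring project

# Lien: deleting the project first requires removing the lien, which the
# compute.restrictXpnProjectLienRemoval org policy limits to the org admin.
resource "google_resource_manager_lien" "no_delete" {
  parent       = "projects/${var.project_number}"
  restrictions = ["resourcemanager.projects.delete"]
  origin       = "terraform"
  reason       = "Production project; deletion must be a deliberate, audited act"
}

# Attach the project to the shared VPC host so it consumes subnets from there.
resource "google_compute_shared_vpc_service_project" "attach" {
  host_project    = var.host_project_id
  service_project = var.project_id
}

# Log bucket in the monitoring project that application logs are routed into.
resource "google_logging_project_bucket_config" "app_logs" {
  project        = var.monitoring_project
  location       = "global"
  bucket_id      = "app-logs"
  retention_days = 90
}

# Project sink to that bucket; unique_writer_identity gives it its own service account.
resource "google_logging_project_sink" "to_monitoring" {
  name                   = "app-logs-to-monitoring"
  project                = var.project_id
  destination            = "logging.googleapis.com/${google_logging_project_bucket_config.app_logs.id}"
  filter                 = "resource.type=\"k8s_container\" OR resource.type=\"gce_instance\""
  unique_writer_identity = true
}

# The sink's writer identity must be allowed to write into the monitoring project's buckets.
resource "google_project_iam_member" "sink_bucket_writer" {
  project = var.monitoring_project
  role    = "roles/logging.bucketWriter"
  member  = google_logging_project_sink.to_monitoring.writer_identity
}

# Exclusion on the project's _Default routing: drop load-balancer health-check noise
# so it is neither stored nor billed. Audit logs are untouched by this filter.
resource "google_logging_project_exclusion" "healthcheck_noise" {
  name        = "drop-lb-healthchecks"
  project     = var.project_id
  description = "Keep load balancer health checks out of _Default"
  filter      = "httpRequest.userAgent:\"GoogleHC\""
}
```

Check the exclusion filter against a day of real logs before applying it: an exclusion that matches too broadly is silent, and the entries it drops are gone rather than routed elsewhere.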

Helpful links

Contributors

mikesparr