
GCP Security

5 automated security scanners


Purpose: The GCP Data Protection Scanner is designed to identify and report publicly exposed Google Cloud Platform (GCP) data stores such as Cloud Storage buckets and BigQuery datasets. It aims to detect potential unintentional data leaks in public code repositories associated with a GCP project, thereby safeguarding sensitive information from exposure.

What It Detects:

  • Public Cloud Storage Exposure: The scanner searches for publicly accessible Cloud Storage buckets via search engine dorking, flagging URLs pointing directly to storage.googleapis.com and identifying buckets with common naming conventions indicative of data storage.
  • Data Leaks in Code Repositories: It scans GitHub for files containing sensitive information (e.g., .csv, .sql, .json) committed alongside the project ID, as well as specific keywords like database, export, backup, and password.
  • Public BigQuery Dataset Exposure: The scanner scans for public documentation or mentions of BigQuery datasets linked to the project, detecting potential exposure.

Inputs Required:

  • domain (string): The primary domain associated with the project (e.g., google.com).
  • gcp_project_id (string): The GCP Project ID to analyze (e.g., vigilguard-production-31337).

Business Impact: Publicly exposed data is a significant security risk, as it can lead to major breaches compromising sensitive information such as financial records, personally identifiable information (PII), and intellectual property. This scanner helps in identifying and mitigating these risks by ensuring that GCP projects are securely configured with appropriate access controls and minimizing the exposure of sensitive data through public repositories.

Risk Levels:

  • Critical: When there is a high number of potential exposures, such as multiple publicly accessible Cloud Storage buckets or significant leaks detected in code repositories.
  • High: When there is evidence of at least one major exposure but fewer than the critical threshold.
  • Medium: When there are several minor exposures that could be mitigated with improved configuration and security practices.
  • Low: When no public data exposures are found, indicating a generally secure configuration.
  • Info: Used for findings that do not necessarily indicate a vulnerability or breach but may suggest areas for improvement in data protection policies.

Example Findings:

  1. A publicly accessible Cloud Storage bucket named vigilguard-production-31337-public-assets was detected, which could expose sensitive files to unauthorized users.
  2. Potential data leaks were found in public code repositories associated with the project ID, indicating a need for more stringent access controls and secure coding practices.

Purpose: The GCP IAM Security Scanner is designed to analyze and assess the security posture of Google Cloud Platform (GCP) Identity and Access Management (IAM) configurations. It aims to identify potential risks associated with publicly exposed service account credentials, overly permissive roles, privilege escalation paths, and other misconfigurations that could lead to unauthorized access or project compromise.

What It Detects:

  • Public Credential Exposure: The scanner searches for leaked GCP service account key files on platforms like GitHub and Pastebin, checks public code repositories for patterns indicative of private keys, monitors certificate transparency logs for associated project IDs, and flags exposed service account email addresses.
  • IAM Policy Analysis: It detects the usage of overly permissive primitive roles such as roles/owner and roles/editor, identifies potential privilege escalation paths through public code, and checks for wildcard permissions on sensitive resources in committed Terraform or deployment files.
  • Credential Hygiene: The scanner identifies potentially unused service account keys based on public commit history and detects mentions of unrotated keys.

Inputs Required:

  • domain (string): Primary domain for context (e.g., vigilguard.io).
  • gcp_project_id (string): The GCP Project ID to analyze (e.g., vigilguard-production-31337).

Business Impact: GCP IAM misconfigurations create significant risks by granting excessive access through overly permissive roles and exposing private keys, which can lead to unauthorized access and project compromise. This poses a critical threat to enterprise security.

Risk Levels:

  • Critical: Overly permissive primitive roles (roles/owner, roles/editor) in leaked configurations or publicly exposed service account credentials.
  • High: Public exposure of GCP service account keys, mentions of unrotated keys, and potential privilege escalation paths identified through public code.
  • Medium: Exposed service account email addresses and potentially unused service account keys based on commit history.
  • Low: None specified; however, the scanner aims to provide informational findings about IAM hygiene practices.

Example Findings: The scanner might flag a leaked configuration in which a principal is bound to an overly permissive primitive role such as roles/owner, or identify a public repository containing patterns indicative of private keys.
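The credential and role checks this scanner describes, as an added example written for this page (not the scanner's own code): it scans one file's contents for a complete service account key file, a bare PEM private key block, bindings to roles/owner or roles/editor, and service account e-mail addresses, and maps each to the risk levels listed above. The key file and Terraform fragment are constructed samples with fake values.

```python
import json
import re

# Patterns for the artifacts this scanner looks for in committed files.
PEM_RE = re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----")
ROLE_RE = re.compile(r"roles/(?:owner|editor)\b")
SA_EMAIL_RE = re.compile(r"[a-z0-9-]+@[a-z0-9-]+\.iam\.gserviceaccount\.com")

def scan_text(text):
    """Return findings for one file's contents; key material itself is never echoed."""
    findings = []
    try:
        doc = json.loads(text)
    except ValueError:
        doc = None
    if isinstance(doc, dict) and doc.get("type") == "service_account" and "private_key" in doc:
        # A complete key file: type, private_key and client_email are the fields Google writes into it.
        findings.append({"severity": "Critical", "kind": "service_account_key",
                         "detail": f"key id {doc.get('private_key_id', '?')} for {doc.get('client_email', '?')}"})
    elif PEM_RE.search(text):
        # A bare PEM block outside a key file is still a leaked private key.
        findings.append({"severity": "High", "kind": "private_key_block",
                         "detail": "PEM private key header present"})
    for m in ROLE_RE.finditer(text):
        # Primitive roles in leaked IaC are Critical on the page's scale.
        findings.append({"severity": "Critical", "kind": "primitive_role", "detail": m.group(0)})
    for email in sorted(set(SA_EMAIL_RE.findall(text))):
        findings.append({"severity": "Medium", "kind": "service_account_email", "detail": email})
    return findings

# Constructed samples (fake values, not real credentials).
KEY_FILE = r'''{
  "type": "service_account",
  "project_id": "vigilguard-production-31337",
  "private_key_id": "0123abcd",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBg...\n-----END PRIVATE KEY-----\n",
  "client_email": "deployer@vigilguard-production-31337.iam.gserviceaccount.com"
}'''
IAM_TF = '''resource "google_project_iam_member" "ci" {
  project = "vigilguard-production-31337"
  role    = "roles/owner"
  member  = "serviceAccount:ci@vigilguard-production-31337.iam.gserviceaccount.com"
}'''

if __name__ == "__main__":
    for name, text in (("key.json", KEY_FILE), ("iam.tf", IAM_TF)):
        for f in scan_text(text):
            print(f"{name}: [{f['severity']}] {f['kind']}: {f['detail']}")
```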



Purpose: The GCP Logging & Monitoring Scanner is designed to identify publicly exposed logging and monitoring infrastructure within Google Cloud Platform (GCP) projects. This includes searching for public Grafana, Kibana, and Prometheus dashboards, scanning for public Google Cloud Storage buckets configured as log sinks, and detecting leaked configuration files that reveal internal monitoring architecture or sensitive operational data.

What It Detects:

  • Exposed Monitoring Dashboards: The scanner uses search engine dorking to find public Grafana, Kibana, and Prometheus dashboards associated with a domain. It checks for default titles, login pages, and common URL paths like /graph, /explore.
  • Public Log Sinks and Endpoints: The scanner searches for public Google Cloud Storage buckets configured as log sinks and looks for public code or documentation referencing log forwarding endpoints.
  • Leaked Monitoring Configurations: The scanner searches GitHub for monitoring-as-code files (e.g., .tf, .yaml) associated with the GCP project ID or domain, looking for keywords that may indicate sensitive configurations or credentials.

Inputs Required:

  • domain (string): The primary domain for dashboard searches (e.g., google.com).
  • gcp_project_id (string): The GCP Project ID to analyze (e.g., vigilguard-production-31337).

Business Impact: While essential for security, logging and monitoring systems can become a major risk if exposed publicly. Leaked information can lead to highly targeted attacks, exposing detailed infrastructure maps, application performance metrics, user activity, and potentially sensitive operational data directly to attackers.

Risk Levels:

  • Critical: Exposed dashboards that do not require authentication, public log sinks configured with direct access, and leaked configuration files containing sensitive information.
  • High: Publicly accessible monitoring infrastructure without proper authentication mechanisms or configurations committed to public repositories.
  • Medium: Presence of default titles, login pages, or common paths in exposed dashboards and potential leakage through GitHub searches for monitoring configurations.
  • Low: Minimal exposure with no significant risk identified.
  • Info: Non-critical findings such as the presence of unauthenticated Grafana or Kibana instances without sensitive information disclosed.

Example Findings:

  1. A public Grafana dashboard is discovered at http://grafana.google.com/login, accessible with default credentials.
  2. Public Google Cloud Storage buckets configured as log sinks were found, exposing aggregated logs and revealing potential security gaps within the monitoring infrastructure.

Purpose: The GCP Service-Specific Security Scanner is designed to identify public exposure and misconfigurations in specific Google Cloud Platform (GCP) services such as Google Kubernetes Engine (GKE), Cloud Functions, and Cloud Run. It aims to uncover leaked deployment manifests, exposed service account bindings, and hardcoded secrets that could lead to unauthorized access or data breaches.

What It Detects:

  • GKE Misconfigurations: The scanner searches for publicly exposed deployment.yaml, pod.yaml, and Dockerfile files associated with the GCP project ID, indicating potential exposure of container images, environment variables, and service account names.
  • Cloud Functions Insecurity: It scans for source code files related to Cloud Functions that are publicly accessible, potentially revealing business logic and embedded credentials.
  • Cloud Run Vulnerabilities: The scanner looks for public references to container images or exposed configurations for Cloud Run services, which could be exploited to gain unauthorized access.
  • General Secret Leakage: It conducts broad searches across code repositories for common secret patterns alongside the project ID, identifying potential hardcoded secrets and service references in public code.

Inputs Required:

  • domain (string): The primary domain for context (e.g., google.com).
  • gcp_project_id (string): The GCP Project ID to analyze (e.g., vigilguard-production-31337).

Business Impact: This scanner is crucial as it helps organizations identify and mitigate potential security risks in their specific GCP services, preventing unauthorized access and data breaches that could lead to significant financial losses or legal repercussions.

Risk Levels:

  • Critical: A critical risk level indicates severe vulnerabilities with a high likelihood of exploitation, potentially leading to complete system compromise.
  • High: High-risk findings indicate substantial security issues that could be exploited by malicious actors, posing a significant threat to the integrity and confidentiality of data.
  • Medium: Medium-risk findings suggest potential weaknesses that might be exploited if not addressed promptly, but with lower severity compared to high risks.
  • Low: Low-risk findings are generally informational or minor issues that do not pose an immediate threat but should still be considered for improvement over time.
  • Info: Informational findings provide context on areas of potential interest without being classified as critical, high, medium, or low.


Example Findings:

  1. A publicly exposed deployment.yaml file in a GitHub repository revealed sensitive information about container images and service accounts used by Google Kubernetes Engine (GKE).
  2. The source code of an unsecured Cloud Function was found to contain hardcoded API keys, posing a risk of unauthorized data access and potential financial loss.

Purpose: The GCP Network Security Scanner is designed to identify and report publicly exposed network configurations within Google Cloud Platform (GCP) projects. It aims to detect potential vulnerabilities such as permissive firewall rules, leaked virtual machine instances, and misconfigured load balancers that could expose internal services to unauthorized access.

What It Detects:

  • Leaked Firewall Rules: The scanner searches public code repositories like GitHub for Terraform configuration files (.tf) or gcloud commands defining firewall rules with unrestricted source ranges (0.0.0.0/0), indicating potential exposure of sensitive ports such as 22 (SSH), 3389 (RDP), and 3306 (MySQL).
  • Exposed VM Instances & IPs: It utilizes search engines to find IP addresses and DNS names associated with the GCP project ID, potentially exposing internal services directly to the internet.
  • Load Balancer Weaknesses: The scanner flags public-facing load balancers lacking proper HTTPS redirection or using weak TLS ciphers, which could be abused by attackers.

Inputs Required:

  • domain (string): The primary domain associated with the GCP project for context and search scope.
  • gcp_project_id (string): The specific Google Cloud Platform Project ID to analyze, e.g., vigilguard-production-31337.

Business Impact: Network security misconfigurations can lead to immediate risks such as unauthorized access, data breaches, and service disruptions. This not only compromises the confidentiality of sensitive information but also exposes organizations to financial losses and regulatory penalties.

Risk Levels:

  • Critical: A firewall rule allowing unrestricted public access on common sensitive ports (e.g., 22, 3389) is identified in configuration files or command outputs.
  • High: The scanner detects multiple potential exposures such as leaked IPs and misconfigured load balancers that could lead to unauthorized access or data leakage.
  • Medium: The presence of at least one exposed service endpoint or IP address indicates a medium risk, signaling the need for immediate attention to secure network configurations.
  • Low: No significant public network exposures are found, indicating a low risk profile under normal operational conditions.
  • Info: Informational findings, such as firewall rules that are open to the public but do not expose sensitive ports, may be flagged but are considered less severe than Low.

Example Findings:

  1. A leaked firewall rule in the vigilguard-production-31337 project allows unrestricted access on port 22, posing a critical risk of immediate unauthorized SSH access to internal services.
  2. Public discussions and logs within the bigquery-public-data project reveal multiple IP addresses associated with GCP resources, indicating potential exposure that needs mitigation.
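The leaked-firewall-rule check this scanner describes, as an added example written for this page (not the scanner's own code): it extracts google_compute_firewall resources from Terraform text, keeps the ingress rules whose source_ranges include 0.0.0.0/0, expands port ranges, and rates a rule Critical when it reaches 22, 3389, 3306 or all ports and Info otherwise, following the risk levels above. The .tf sample is constructed, and the block assumes terraform-fmt layout (resource closing brace at column 0) rather than parsing full HCL.

```python
import re
# Ports the page singles out as sensitive when reachable from 0.0.0.0/0.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL"}
# Assumes terraform-fmt layout: a resource's closing brace sits at column 0.
RESOURCE_RE = re.compile(r'resource\s+"google_compute_firewall"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
ALLOW_RE = re.compile(r'allow\s*\{(.*?)\}', re.S)

def _strings(key, body):
    # Values of a list attribute, e.g. source_ranges = ["0.0.0.0/0"] -> ["0.0.0.0/0"]
    m = re.search(rf'\b{key}\s*=\s*\[([^\]]*)\]', body)
    return re.findall(r'"([^"]*)"', m.group(1)) if m else []

def _sensitive_hits(ports):
    # Expand "22" and "3300-3310" style entries; return the sensitive ports they cover.
    hits = set()
    for p in ports:
        lo, _, hi = p.partition("-")
        hits.update(x for x in SENSITIVE_PORTS if int(lo) <= x <= int(hi or lo))
    return hits

def check_firewall_tf(text):
    """Return (resource, severity, detail) for every ingress rule open to 0.0.0.0/0."""
    findings = []
    for name, body in RESOURCE_RE.findall(text):
        d = re.search(r'direction\s*=\s*"(\w+)"', body)  # INGRESS when omitted
        if (d and d.group(1) != "INGRESS") or "0.0.0.0/0" not in _strings("source_ranges", body):
            continue  # egress rules and restricted source ranges are out of scope
        for allow in ALLOW_RE.findall(body):
            proto = re.search(r'protocol\s*=\s*"(\w+)"', allow)
            proto = proto.group(1) if proto else "all"
            ports = _strings("ports", allow)
            if proto == "all" or (proto in ("tcp", "udp") and not ports):
                findings.append((name, "Critical", f"{proto} on all ports open to 0.0.0.0/0"))
            elif hits := _sensitive_hits(ports):
                names = ", ".join(f"{p} ({SENSITIVE_PORTS[p]})" for p in sorted(hits))
                findings.append((name, "Critical", f"{names} open to 0.0.0.0/0"))
            else:  # world-reachable but not a sensitive port: Info on the page's scale
                findings.append((name, "Info", f"{proto} {','.join(ports)} open to 0.0.0.0/0"))
    return findings

# Constructed sample modelled on a leaked .tf file (not real infrastructure).
SAMPLE_TF = '''
resource "google_compute_firewall" "ops" {
  source_ranges = ["0.0.0.0/0"]
  allow {
    protocol = "tcp"
    ports    = ["80", "3300-3310"]
  }
}
'''
```

Note that the range 3300-3310 is flagged because it covers 3306, which a check for exact port strings would miss.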