Securing Your GCP Account Using Forseti Security Controls

Forseti Security, a collection of open source tools for GCP, helps companies maintain a strong security posture by providing guidance on which controls should be enabled. In this guide, we'll show how you can check your GCP environment to identify gaps.

Patrick Londa, Author
Jul 7, 2023 • 4 min read

Forseti Security is a collection of open-source, community-supported tools designed to help teams maintain secure GCP environments. This collection was launched in 2017 through a collaboration between Google and the music service Spotify. 

By tracking metrics like memory use, network traffic, and storage capacity in your GCP environment, these tools make it easier to spot issues like risky misconfigurations and address them immediately.

In this guide, we’ll explain a few of the Forseti Security controls and how you can use Blink to validate them in your GCP environment.

Understanding Forseti Security Controls for GCP

The Forseti Security project combines a policy library bundle of security best practices with open source tooling to check compliance and notify users about gaps.

In this policy bundle, there is a list of various constraints that GCP accounts should have enforced with controls. Here are some examples:

Constraint: A CMEK rotation policy must be in place, with a rotation period of less than 100 days.

Failing to rotate your encryption keys gives attackers more time to get hold of them. If that happens, they can infiltrate your GCP servers. Regular rotation limits how long any single key stays useful to an attacker. If an incident occurs, initiating rotation can reduce your recovery time and minimize the attack's impact.

Constraint: Public users cannot access GCP resources using IAM.

Allowing unfettered access to your GCP resources also makes it hard to track the activities happening within the environment. You also increase your risk of exposing sensitive data.

Constraint: There shouldn’t be open firewall rules allowing ingress from the internet.

Open firewall rules that allow SSH or TCP/UDP traffic from the internet increase the attack surface of your GCP environment. Users can gain unauthorized access to your instances, unleash malware attacks, or commit other security breaches.

Automating Forseti Security Compliance Checks with Blink

While you could install the Forseti open source modules and navigate the implementation, the project is unfortunately being archived and won’t be supported moving forward. There’s an easier way to check that all of these security controls are enabled.

Blink is a powerful automation platform that enables you to seamlessly connect the dots between open source scripts, commercial tools, and your team members.

For example, with this automation, you can check weekly whether your GCP account adheres to all of the Forseti Security constraints.

Blink Automation: Forseti Security V2.26.0 Compliance Report for GCP

When this automation runs, it executes the following steps:

  1. Checks that a CMEK rotation policy is in place and that the rotation period is sufficiently short.
  2. Checks that public users are prevented from accessing resources via IAM.
  3. Checks for service account keys older than 100 days.
  4. Checks that only members from your GCP domain can be added to IAM roles.
  5. Checks whether BigQuery datasets are publicly readable.
  6. Checks for open firewall rules allowing ingress from the internet.
  7. Checks for open firewall rules allowing TCP/UDP from the internet.
  8. Checks that gmail.com addresses are banned from accessing BigQuery datasets.
  9. Checks that googlegroups.com addresses are banned from accessing BigQuery datasets.
  10. Checks whether Cloud SQL instances are world readable.
  11. Sends a report with the results via email.
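
As an added example (not code from the original post, nor from Forseti or Blink), here is how steps 1, 2, 3, 6 and 7 can be evaluated in plain Python over an inventory you have already exported. The input dicts are assumed to mirror the JSON shapes of the KMS cryptoKeys, IAM policy, Compute firewalls and IAM serviceAccount keys APIs; the sample inventory and the fixed reference date are constructed, and fetching the real inventory (for example with gcloud) is left to the caller.

```python
"""Offline evaluation of several Forseti-style GCP constraints (added example, constructed data)."""
from datetime import datetime, timedelta, timezone

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
MAX_AGE = timedelta(days=100)  # the 100-day limit used by the CMEK and service-account-key checks
NOW = datetime(2023, 7, 7, tzinfo=timezone.utc)  # fixed reference date so the sample is reproducible

def check_cmek_rotation(crypto_keys):
    """CryptoKey must set rotationPeriod (KMS gives seconds, e.g. "7776000s") and keep it under 100 days."""
    return [f"cmek-rotation: {k['name']} rotationPeriod={k.get('rotationPeriod')}" for k in crypto_keys
            if k.get("rotationPeriod") is None
            or timedelta(seconds=float(k["rotationPeriod"].rstrip("s"))) >= MAX_AGE]

def check_public_iam(policy, resource):
    """No allUsers/allAuthenticatedUsers in any binding (same policy shape for BigQuery datasets)."""
    return [f"public-iam: {resource} {b['role']} -> {m}" for b in policy.get("bindings", [])
            for m in b.get("members", []) if m in PUBLIC_MEMBERS]

def check_open_firewall(rules):
    """Enabled INGRESS rules that allow TCP/UDP (or all protocols) from 0.0.0.0/0."""
    out = []
    for r in rules:
        if r.get("direction", "INGRESS") != "INGRESS" or r.get("disabled"):
            continue
        protos = {a.get("IPProtocol") for a in r.get("allowed", [])}
        if "0.0.0.0/0" in r.get("sourceRanges", []) and protos & {"tcp", "udp", "all"}:
            out.append(f"open-firewall: {r['name']} allows {sorted(protos)} from 0.0.0.0/0")
    return out

def check_sa_key_age(keys, now):
    """User-managed service-account keys created more than 100 days before `now`."""
    out = []
    for k in (k for k in keys if k.get("keyType") == "USER_MANAGED"):
        created = datetime.fromisoformat(k["validAfterTime"].replace("Z", "+00:00"))
        if now - created > MAX_AGE:
            out.append(f"sa-key-age: {k['name']} age={(now - created).days}d")
    return out

def run_report(inv, now=NOW):
    """Run every check over one inventory dict; an empty list means compliant."""
    return (check_cmek_rotation(inv["keys"]) + check_public_iam(inv["policy"], "project")
            + check_open_firewall(inv["firewalls"]) + check_sa_key_age(inv["sa_keys"], now))

SAMPLE = {  # constructed inventory: one compliant and one failing item per check
    "keys": [{"name": "k-ok", "rotationPeriod": "7776000s"}, {"name": "k-bad"}],
    "policy": {"bindings": [{"role": "roles/viewer", "members": ["allUsers", "user:a@example.com"]}]},
    "firewalls": [{"name": "allow-ssh", "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
                  {"name": "internal", "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "all"}]}],
    "sa_keys": [{"name": "old", "keyType": "USER_MANAGED", "validAfterTime": "2023-01-01T00:00:00Z"},
                {"name": "sys", "keyType": "SYSTEM_MANAGED", "validAfterTime": "2023-01-01T00:00:00Z"}],
}
```

Running `run_report(SAMPLE)` yields one finding per failing item; Google-managed (SYSTEM_MANAGED) keys are skipped because Google rotates them itself.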

You can easily configure this automation to run on a daily or weekly basis, or send the results instead to a security Slack or Teams channel.

Because it’s so easy to run security checks like this, you can also run automations using other best practices frameworks, like the CIS benchmarks.

There are over 7K automations in the Blink library for common SecOps and DevOps use cases that you can use right away. Get started with Blink today.
