Cloud platforms and services are becoming increasingly popular among businesses. While this offers many advantages, it also introduces new security risks. In this blog post, we will discuss the security issues that businesses face when using Google Cloud Platform (GCP) and how to pentest GCP environments. We’ll also provide tips for preparing for a GCP pentest and describe the steps involved in conducting a pentest on GCP. Finally, we’ll recommend some tools that can be used for GCP penetration testing.
Google Cloud Platform (GCP) is a public cloud platform offered by Google. It provides useful computer resources such as storage and processing to anyone who needs it. GCP is a popular choice for businesses that are looking to move to the cloud. However, as with any other public cloud platform, businesses need to be aware of the security risks associated with using GCP.
Security issues with GCP:
One of the main reasons for this is that GCP is based on the same infrastructure as Google’s consumer products such as Gmail and YouTube. This means that businesses that use GCP are sharing the same infrastructure as millions of other users. As a result, it’s important to take steps to secure your GCP environment against attacks from both internal and external threats.
As with any other cloud platform, some common security risks are:
- insecure data storage
- mismanaged access controls
- security misconfigurations
- disabled firewall
- weak access credentials
Does GCP allow penetration testing?
Yes, GCP allows penetration testing. However, there are some restrictions and rules to follow especially if they directly target GCP resources. Before conducting the test, you’ll need to seek formal permission from Google. To do this, you’ll need to provide Google with information about your organisation and the pentest itself.
There are several types of services that cannot be accessed during a pentest, including Google-hosted APIs and other web services. You can learn more about testing restrictions from the GCP documentation.
What to test for during GCP pentests?
When doing a penetration test of your GCP environment, you must understand what types of attacks may occur and how they could impact your business. The following are some of the things that you should test for:
Access Level Controls:
Verify that access controls, such as permissions and roles, are properly set up and enforced to ensure that only authorised users have access to sensitive data and systems.
Misconfigured Inbound Ports:
Check that inbound ports are properly configured and not exposed to potential attacks.
Over Permissive Storage Buckets:
Make sure that storage buckets are not publicly accessible and that only authorised users have permission to access them.
Logging and Monitoring:
Verify that logs are being properly collected and monitored, and investigate any suspicious activity.
How to prepare for your GCP pentest?
Before conducting a penetration test on GCP, there are several things that you should do to prepare for the test. These include:
Develop a Penetration Testing Plan –
This document will outline the scope and objectives of the pentest, as well as the methods that will be used.
Create Staging Projects/Instances –
Use these projects or instances to simulate your production environment and test your systems without affecting live data.
Setup IAM for Pentest Team –
Provide team members with restricted access to only the resources they require to complete their pentesting tasks.
Authorise IP Addresses –
Only allow authorised IP addresses access to your GCP environment during the pentest.
Notify your Customers –
If you are conducting a pentest on behalf of another organisation, let them know in advance so that they can be prepared for any potential disruptions.
Steps to Perform a GCP Pentest:
Once you have gathered all the necessary information and prepared your environment, the next step is to perform the pentest. The following are the basic steps that you should follow:
- Discovery and Evaluation – Begin by identifying which systems and data sets will be targeted in the pentest. This phase also includes evaluating the security of these systems and assessing their risk level.
- Exploitation – Use various methods (including manual testing and automated tools) to attempt to exploit vulnerabilities and obtain access to sensitive data or systems.
- Reporting – Once the pentest is complete, produce a detailed report documenting all findings from the test, as well as any recommendations for remediation.
Tools for GCP Pentesting:
Many tools can be used for pentesting your GCP environment. Some of the most popular ones include:
- Astra Security’s Pentest Suite – Astra Security is a leading provider of penetration testing services and with their Pentest tool you get a complete security testing package. This tool tests for 3000+ known threats, while adhering to international security standards. It comes with a neat and interactive dashboard great for viewing scan results. You also get remediation tips for each vulnerability detected and expert support from the team of professionals.
- GCPBucketBrute – This is a python script that scans Google Storage buckets and determines whether or not you have access to them, as well as whether privileges can be escalated here.
- GCP Firewall Enum – The goal of this tool is to determine which instances have network ports exposed to the public Internet by analysing several Google Cloud commands and their outputs.
As with any other cloud platform, there are always potential security risks when using them and the Google Cloud Platform is no exception. However, by performing a penetration test on your GCP environment you can stay ahead of the latest threats and prevent any security incidents from ever taking place. A good security solution will include remediation tips and steps to mitigate all flaws detected. Following these should keep your GCP environment and your data safe.
Ankit Pahuja is the Marketing Lead & Evangelist at Astra Security. Ever since his adulthood (literally, he was 20 years old), he began finding vulnerabilities in websites & network infrastructures. Starting his professional career as a software engineer at one of the unicorns enables him in bringing “engineering in marketing” to reality. Working actively in the cybersecurity space for more than 2 years makes him the perfect T-shaped marketing professional. Ankit is an avid speaker in the security space and has delivered various talks in top companies, early-age startups, and online events.