GCP CSPM

Overview

Using this feature you can run CIS benchmark tests (v1.1.0) for your Google Cloud Platform. This includes the CIS level 1 and level 2 checks for Google Cloud Platform as specified here: https://www.cisecurity.org/benchmark/google_cloud_computing_platform/.

Pre-requisites

The Google Cloud SDK is required; please install it by following the instructions mentioned here for your Operating System. The SDK provides the tools (gcloud, gsutil, bq, etc.) that twigs uses. The following GCP APIs should be enabled for all projects that need to be checked:

  • cloudkms.googleapis.com
  • cloudresourcemanager.googleapis.com
  • compute.googleapis.com
  • dns.googleapis.com
  • iam.googleapis.com
  • logging.googleapis.com
  • monitoring.googleapis.com
  • sqladmin.googleapis.com
  • storage-api.googleapis.com
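A CIS run against a project where one of these APIs is disabled cannot inspect the resources behind it, so it is worth checking every target project before invoking twigs. The script below is an added pre-flight example, not part of twigs or this page; it assumes gcloud is installed and already signed in, and that the project IDs given on the command line are the same ones you would pass to --projects.

```shell
#!/usr/bin/env bash
# Added example (not twigs code): verify that the APIs the GCP CIS run needs
# are enabled in each project before running `twigs gcp_cis`.
set -eu

# The nine APIs listed in the pre-requisites, one per line.
REQUIRED_APIS="cloudkms.googleapis.com
cloudresourcemanager.googleapis.com
compute.googleapis.com
dns.googleapis.com
iam.googleapis.com
logging.googleapis.com
monitoring.googleapis.com
sqladmin.googleapis.com
storage-api.googleapis.com"

# missing_apis ENABLED_LIST
# ENABLED_LIST is a newline-separated list of enabled service names, as printed
# by `gcloud services list --enabled --format='value(config.name)'`.
# Prints each required API that is absent; prints nothing when all are enabled.
missing_apis() {
  enabled="$1"
  # Service names contain no whitespace, so plain word splitting is safe here.
  for api in $REQUIRED_APIS; do
    if ! printf '%s\n' "$enabled" | grep -qxF -- "$api"; then
      printf '%s\n' "$api"
    fi
  done
}

# check_project PROJECT_ID
# Asks gcloud for the project's enabled services and reports any gaps.
# Returns 0 when nothing is missing, 1 otherwise.
check_project() {
  project="$1"
  enabled="$(gcloud services list --enabled --project "$project" --format='value(config.name)')"
  missing="$(missing_apis "$enabled")"
  if [ -n "$missing" ]; then
    printf 'Project %s is missing required APIs:\n%s\n' "$project" "$missing" >&2
    return 1
  fi
  printf 'Project %s: all required APIs enabled\n' "$project"
}

# Usage: ./cis_preflight.sh PROJECT_ID [PROJECT_ID ...]
if [ "$#" -gt 0 ]; then
  rc=0
  for p in "$@"; do check_project "$p" || rc=1; done
  exit "$rc"
fi
```

Enable whatever is reported as missing (for example with `gcloud services enable`) before starting the benchmark run.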

The following permissions are required to run the CIS benchmark:

On organization level:

  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.folders.get

On project level:

  • cloudkms.cryptoKeys.get
  • cloudkms.cryptoKeys.getIamPolicy
  • cloudkms.cryptoKeys.list
  • cloudkms.keyRings.list
  • cloudsql.instances.get
  • cloudsql.instances.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.instances.get
  • compute.instances.list
  • compute.networks.get
  • compute.networks.list
  • compute.projects.get
  • compute.regions.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.zones.list
  • dns.managedZones.get
  • dns.managedZones.list
  • iam.serviceAccountKeys.list
  • iam.serviceAccounts.list
  • logging.logMetrics.list
  • logging.sinks.get
  • logging.sinks.list
  • monitoring.alertPolicies.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.list

Steps involved

  • Open a new shell / terminal.
  • Check that twigs is installed and running properly by running the command below:

twigs gcp_cis -h

  • Sign in to your Google Cloud Platform instance using the gcloud CLI, as described here, on the box where you will be running twigs.
  • Then run the command below:

twigs gcp_cis --assetid UNIQUE_ASSET_ID [--assetname NAME_LABEL_FOR_ASSET] [--projects PROJECT_IDS] [--expanded] [--custom_ratings CUSTOM_RATINGS]

  • The asset id is mandatory. Use a unique identifier for your Google Cloud Platform instance as the asset.
  • Use --projects to specify an optional comma-separated list of GCP project IDs to run the tests against.
  • By default a single issue is reported for each CIS benchmark test. Use the --expanded switch to create an issue for each violation instead (rather than one per CIS benchmark test).
  • To override the default ratings / severity for reported CIS issues, you can specify custom ratings / severity levels for specific CIS benchmark tests in a custom JSON file passed via --custom_ratings. The JSON file is a dictionary whose keys are ratings and whose values are lists of the associated GCP CIS test identifiers. A sample JSON file is provided here; it also enumerates all test identifiers along with their default rating / severity.
  • After discovery is complete, you can log in to the ThreatWorx Console to view the newly discovered Google Cloud Platform instance as an asset, as well as the results of the CIS benchmark tests.
  • Twigs will automatically mark/resolve any fixed issues that were discovered as part of a previous run.