
Use VPC Service Controls for Cloud Storage Buckets

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

To prevent data exfiltration, ensure that VPC Service Controls are used to configure a security perimeter around your Google Cloud Storage buckets. This feature helps to enhance the security posture of your cloud environment.

Security

VPC Service Controls is a powerful security tool in Google Cloud that allows you to restrict access to your cloud resources, including Cloud Storage buckets, to specific networks and clients. Enabling VPC Service Controls for Google Cloud Storage buckets enhances security by restricting data access to trusted entities, preventing unauthorized data exfiltration, and ensuring compliance with organizational policies.


Audit

To determine if VPC Service Controls are used to protect your Google Cloud Storage buckets, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console using your organization management account credentials.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar. Make sure to choose the GCP project containing the storage buckets you want to protect.

03 Navigate to Security console available at https://console.cloud.google.com/security.

04 In the left navigation panel, under Zero Trust, select VPC Service Controls to access the list with all the VPC Service Perimeters defined for the selected GCP project. VPC Service Perimeters act as firewalls for GCP APIs, establishing security boundaries that control data flow between your cloud resources.

05 Select the ENFORCED MODE tab and click on the name (link) of the service perimeter that you want to examine, listed in the Title column. If there are no service perimeters listed on the ENFORCED MODE panel, VPC Service Controls are not used to protect the storage buckets within the selected GCP project and the Audit process ends here. Otherwise, you can continue the Audit process with the next step.

06 On the service perimeter configuration page, ensure that your GCP project is listed for Projects under Resources to protect and Cloud Storage API is listed under Restricted Services. If your project is not available under Resources to protect, and/or Cloud Storage API is not listed under Restricted Services, the Google Cloud Storage buckets within the selected GCP project are not protected by the selected VPC Service Perimeter. Therefore, VPC Service Controls are not used to safeguard your sensitive data from unauthorized access and exfiltration.

07 Repeat steps no. 5 and 6 for each VPC Service Perimeter created for the selected GCP project.

08 Repeat steps no. 2 – 7 for each GCP project deployed for your Google Cloud organization.

Using GCP CLI

01 Run the projects list command (Windows/macOS/Linux) with your organization management account credentials to list the ID of each project available in your Google Cloud organization:

gcloud projects list \
    --format="value(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

cc-project5-123123
cc-ai-project-123123

03 Run the access-context-manager perimeters list command (Windows/macOS/Linux) with the ID of the GCP project that contains your storage buckets as the identifier parameter, to list all the VPC Service Perimeters defined for the selected project. VPC Service Perimeters act as firewalls for GCP APIs, establishing security boundaries that control data flow between your cloud resources:

gcloud access-context-manager perimeters list \
    --project cc-project5-123123 \
    --format="value(name)"

04 The command output should return the requested perimeter names (i.e., fully qualified identifiers):

cc_project5_perimeter
cc_cloud_vpc_perimeter

If the access-context-manager perimeters list command does not produce an output, VPC Service Controls are not used to protect the storage buckets within the selected GCP project and the Audit process ends here. If the command output returns one or more perimeter names, as shown in the example above, you can continue the Audit process with the next step.

05 Run the access-context-manager perimeters describe command (Windows/macOS/Linux) with the name of the VPC Service Perimeter that you want to examine as the identifier parameter, to list the Google Cloud services protected by the selected perimeter:

gcloud access-context-manager perimeters describe "cc_project5_perimeter" \
    --format="yaml(status.restrictedServices)"

06 The command output should return the name of each protected Google Cloud service (API):

status:
  restrictedServices:
  - cloudfunctions.googleapis.com
  - compute.googleapis.com

If the restrictedServices list returned by the command output does not include storage.googleapis.com, the Google Cloud Storage buckets within the selected GCP project are not protected by the selected VPC Service Perimeter. As a result, VPC Service Controls are not employed to protect your sensitive data from unauthorized access or exfiltration.

07 Repeat steps no. 5 and 6 for each VPC Service Perimeter deployed for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project available within your Google Cloud organization.
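The CLI audit above, steps 1 to 8 chained into one script. This is an added example, not Conformity's own tooling: it assumes gcloud is installed with read access to Access Context Manager, and the two sample describe outputs at the bottom are constructed so the storage check can be exercised offline.

```shell
#!/bin/sh
# Added audit helper (not Conformity's own code): for every project in the
# organization, report whether at least one VPC Service Perimeter restricts
# storage.googleapis.com. Requires gcloud; sample outputs below are constructed.
set -eu

# Pure check, usable offline: reads the output of
#   gcloud access-context-manager perimeters describe NAME --format="yaml(status.restrictedServices)"
# on stdin and returns 0 only when storage.googleapis.com is a restricted service.
perimeter_restricts_storage() {
  grep -Eq '^[[:space:]]*-[[:space:]]*storage\.googleapis\.com[[:space:]]*$'
}

# Steps 3 to 7 for one project: prints OK or FAIL, returns 0 when the
# project's buckets sit behind a perimeter that restricts Cloud Storage.
audit_project() {
  project="$1"; protected=1
  for perimeter in $(gcloud access-context-manager perimeters list \
                       --project "$project" --format="value(name)"); do
    if gcloud access-context-manager perimeters describe "$perimeter" \
         --format="yaml(status.restrictedServices)" | perimeter_restricts_storage; then
      echo "OK   $project: storage.googleapis.com restricted by $perimeter"
      protected=0
    fi
  done
  [ "$protected" -eq 0 ] || echo "FAIL $project: no perimeter restricts storage.googleapis.com"
  return "$protected"
}

# Steps 1 and 8: walk every project in the organization; exit 1 if any fails.
audit_organization() {
  failed=0
  for project in $(gcloud projects list --format="value(projectId)"); do
    audit_project "$project" || failed=$((failed + 1))
  done
  echo "$failed project(s) without Cloud Storage perimeter protection"
  [ "$failed" -eq 0 ]
}

# Constructed sample describe outputs (same shape as step 6) for offline checks.
SAMPLE_PROTECTED='status:
  restrictedServices:
  - cloudfunctions.googleapis.com
  - storage.googleapis.com'
SAMPLE_UNPROTECTED='status:
  restrictedServices:
  - compute.googleapis.com'

if [ "${1:-}" = "--run" ]; then audit_organization; fi
```

Run it as `sh audit_perimeters.sh --run`; without `--run` only the functions are defined, so the check can be tested against captured output.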

Remediation / Resolution

To ensure that VPC Service Controls are used to protect your Google Cloud Storage buckets, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console using your organization management account credentials.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar. Make sure to choose the GCP project containing the storage buckets you want to protect.

03 Navigate to Security console available at https://console.cloud.google.com/security.

04 In the left navigation panel, under Zero Trust, select VPC Service Controls.

05 Select the ENFORCED MODE tab, choose NEW PERIMETER, and perform the following actions to create a VPC Service Perimeter that encompasses the resources you want to protect. This perimeter acts as a boundary for your cloud resources:

  1. For Details, provide a unique name for your perimeter in the Perimeter Title box and set the Perimeter Type to Regular perimeter (default). A regular perimeter protects services on the projects it contains.
  2. For Resources to protect, choose ADD RESOURCES, select the ADD PROJECT tab, and choose which GCP project(s) you wish to be part of the perimeter. Once your GCP projects are selected, choose ADD SELECTED RESOURCES to save the changes.
  3. For Restricted Services, specify which Google Cloud services must be protected by the perimeter. To select the Cloud Storage service, choose ADD SERVICES, find the Cloud Storage API service, and choose ADD CLOUD STORAGE API. You can also choose ADD ALL SERVICES to protect all the Google Cloud services supported by VPC Service Controls.
  4. For VPC accessible services, specify which services are accessible inside the perimeter. To add every service the perimeter restricts to the list of accessible services, check the Include all restricted services checkbox; you can still add individual services on top of the restricted ones. Choose ADD VPC ACCESSIBLE SERVICES if you want to select individual services that will be accessible inside the service perimeter. Make sure to select the Cloud Storage API service, then choose ADD CLOUD STORAGE API to save the changes.
  5. By default, access from the Internet to cloud resources within a service perimeter is denied. However, you can allow access based on the context of the request. This can be achieved by creating ingress rules that permit access based on attributes such as the source IP address, identity, or originating GCP project. If requests from the Internet fail to meet the criteria specified in the ingress rule, they will be denied. For Ingress Policy, perform the following actions to create an ingress rule for your perimeter:
    1. In the From attributes of the API client section, specify the identities and sources from outside the perimeter that require access.
    2. In the TO attributes of GCP services/resources section, specify the resources within the perimeter that identities and sources can access. For Services choose Selected services and select the Cloud Storage API service.
    3. For the complete list of ingress rule attributes, see the Ingress rules reference section.
  6. For Egress Policy, configure the required attributes to create an egress rule for your perimeter. For the complete list of egress rule attributes, see the Egress rules reference section. To configure a functional egress rule, add at least an identity attribute, a resource, and a service attribute.
  7. Choose CREATE PERIMETER to deploy your new VPC Service Perimeter. This will protect the Google Cloud Storage buckets within the selected GCP project from data exfiltration.

06 Repeat steps no. 2 – 5 for each GCP project deployed for your Google Cloud organization.

Using GCP CLI

01 By default, access from the Internet to cloud resources within a service perimeter is denied. However, you can allow access based on the context of the request. This can be achieved by creating ingress rules that permit access based on attributes such as the source IP address, identity, or originating GCP project. If requests from the Internet fail to meet the criteria specified in the ingress rule, they will be denied. Create an ingress rule for your VPC Service Perimeter and save the configuration document to a YAML file named ingress-rule-config.yaml. As an example, the following ingress rule allows the user account specified by the identities attribute to access any Cloud Storage resources within the perimeter. For the complete list of ingress rule attributes, see the Ingress rules reference section:

- ingressFrom:
    identities:
    - user:username@domain.com
    sources:
    - accessLevel: '*'
  ingressTo:
    operations:
    - serviceName: storage.googleapis.com
      methodSelectors:
      - method: '*'
    resources:
    - '*'

02 Run the organizations list command (Windows/macOS/Linux) with your organization management account credentials to list the ID of your Google Cloud organization:

gcloud organizations list \
    --format="value(name)"

03 The command output should return the requested organization identifier:

112233441122

04 Run the access-context-manager policies list command (Windows/macOS/Linux) to describe the access policy associated with your Google Cloud organization:

gcloud access-context-manager policies list \
    --organization 112233441122

05 The command output should return the requested access policy. The information returned includes the numeric name of the access policy and the ID(s) of the associated GCP project(s):

NAME: 123412341234
ORGANIZATION: 112233441122
SCOPES: projects/111122223333
TITLE: cc-org-access-policy
ETAG: abcd1234abcd1234abcd

06 Run the access-context-manager perimeters create command (Windows/macOS/Linux) to create a VPC Service Perimeter that will protect the Google Cloud Storage buckets within the specified GCP project from data exfiltration. For --resources, specify the GCP project you wish to be part of the perimeter. For --restricted-services, specify which Google Cloud services must be protected by the perimeter (in this case, the Cloud Storage service). For --policy, specify the numeric name of the access policy associated with your organization. For --ingress-policies, specify the filename of the ingress rule defined at step no. 1 (i.e., ingress-rule-config.yaml):

gcloud access-context-manager perimeters create "cc_project5_perimeter" \
    --title="project5_cloud_storage_perimeter" \
    --resources="projects/111122223333" \
    --restricted-services=storage.googleapis.com \
    --policy=123412341234 \
    --ingress-policies=ingress-rule-config.yaml

07 The command output should return the request status:

Create request issued for: [cc_project5_perimeter]
Created perimeter [cc_project5_perimeter].

08 Repeat steps no. 1 – 7 for each GCP project available within your Google Cloud organization.
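The CLI remediation above, steps 1 to 7 wrapped in one script. This is an added example, not Conformity's or Google's own code: it assumes gcloud is installed, the caller holds Access Context Manager admin rights, and the account sees exactly one organization with one access policy; the project ID, perimeter name and identity are placeholder arguments. One caveat the steps gloss over is built in: --resources takes the project number (projects/111122223333), not the project ID returned by projects list, so the script resolves it with projects describe.

```shell
#!/bin/sh
# Added remediation helper (not Conformity's or Google's own code). Writes the
# ingress rule from step 1, resolves the organization's access policy, and
# creates a perimeter that restricts storage.googleapis.com for one project.
set -eu

# Render the step 1 ingress rule as YAML (spaces, never tabs) for the given
# identity, e.g. "user:alice@example.com" (constructed placeholder).
ingress_rule_yaml() {
  printf '%s\n' \
    "- ingressFrom:" \
    "    identities:" \
    "    - $1" \
    "    sources:" \
    "    - accessLevel: '*'" \
    "  ingressTo:" \
    "    operations:" \
    "    - serviceName: storage.googleapis.com" \
    "      methodSelectors:" \
    "      - method: '*'" \
    "    resources:" \
    "    - '*'"
}

# --resources wants the project number, not the project ID used elsewhere in
# the audit; resolve it explicitly rather than hard-coding 111122223333.
project_number() {
  gcloud projects describe "$1" --format="value(projectNumber)"
}

# Steps 2 to 7. basename() strips the organizations/ and accessPolicies/
# prefixes so the bare numeric IDs can be passed to --organization and --policy.
create_storage_perimeter() {
  project_id="$1"; perimeter="$2"; identity="$3"
  org_id=$(gcloud organizations list --format="value(name.basename())")
  policy=$(gcloud access-context-manager policies list \
             --organization "$org_id" --format="value(name.basename())")
  ingress_rule_yaml "$identity" > ingress-rule-config.yaml
  gcloud access-context-manager perimeters create "$perimeter" \
    --title="${perimeter}_cloud_storage" \
    --resources="projects/$(project_number "$project_id")" \
    --restricted-services=storage.googleapis.com \
    --policy="$policy" \
    --ingress-policies=ingress-rule-config.yaml
}

# Usage: sh create_perimeter.sh PROJECT_ID PERIMETER_NAME user:alice@example.com
if [ "$#" -eq 3 ]; then create_storage_perimeter "$@"; fi
```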

Publication date Dec 17, 2024