
Use VPC Service Controls for Filestore Instances

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

To prevent data exfiltration, ensure that VPC Service Controls are used to configure a security perimeter around your Google Cloud Filestore instances. This feature helps to enhance the security posture of your cloud environment.

Security

VPC Service Controls lets you draw a service perimeter around a set of Google Cloud projects and the API-based services inside them, including the Cloud Filestore API (file.googleapis.com). Inside an enforced perimeter, calls to a restricted service are accepted only from the perimeter's own projects and from the identities and sources that its ingress rules explicitly admit, so an identity that holds Filestore IAM permissions but sits outside the perimeter (a leaked key, an over-broad binding, a personal project) cannot use the API to enumerate, back up, snapshot, restore, or delete your instances. Note what the perimeter covers: it restricts the Filestore management API, not the NFS traffic to a file share, which travels over your VPC network and is governed by VPC firewall rules and the instance's IP-based access control, so both layers are needed for a complete control. Used this way, VPC Service Controls restrict data access to trusted entities, reduce the risk of unauthorized data exfiltration, and help meet organizational policies.


Audit

To determine if VPC Service Controls perimeters are used to protect your Google Cloud Filestore instances, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console using your organization management account credentials.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar. Make sure to choose the GCP project containing the Filestore instances you want to protect.

03 Navigate to Security console available at https://console.cloud.google.com/security.

04 In the left navigation panel, under Zero Trust, select VPC Service Controls to access the list with all the VPC Service Perimeters defined for the selected GCP project. VPC Service Perimeters act as firewalls for GCP APIs, establishing security boundaries that control data flow between your cloud resources.

05 Select the ENFORCED MODE tab and click on the name (link) of the service perimeter that you want to examine, listed in the Title column. If there are no service perimeters listed on the ENFORCED MODE panel, VPC Service Controls are not used to protect the Filestore instances within the selected GCP project and the Audit process ends here. Otherwise, you can continue the Audit process with the next step.

06 On the service perimeter configuration page, ensure that your GCP project is listed for Projects under Resources to protect and Cloud Filestore API is listed under Restricted Services. If your project is not available under Resources to protect, and/or Cloud Filestore API is not listed under Restricted Services, the Google Cloud Filestore instances deployed to the selected GCP project are not protected by the selected VPC Service Perimeter. Therefore, VPC Service Controls are not used to safeguard your sensitive data from unauthorized access and exfiltration.

07 Repeat steps no. 5 and 6 for each VPC Service Perimeter created for the selected GCP project.

08 Repeat steps no. 2 – 7 for each GCP project deployed for your Google Cloud organization.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with your organization management account credentials, to list the ID of each project available in your Google Cloud organization:

gcloud projects list \
	--format="value(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

cc-project5-123123
cc-ai-project-123123

03 Run access-context-manager perimeters list command (Windows/macOS/Linux) to list all the VPC Service Perimeters defined in the access policy of your Google Cloud organization. Perimeters belong to the organization's access policy rather than to a project, so pass the numeric name of that policy with --policy (it is returned by gcloud access-context-manager policies list --organization ORG_ID, as shown in the Remediation section). If --policy is omitted, gcloud attempts to resolve the policy from the organization that owns the project selected with --project:

gcloud access-context-manager perimeters list \
	--policy 123412341234 \
	--format="default(name)"

04 The command output should return the fully qualified name of each perimeter defined in the access policy:

name: accessPolicies/123412341234/servicePerimeters/cc_project5_perimeter
name: accessPolicies/123412341234/servicePerimeters/cc_gke_secure_perimeter

If the access-context-manager perimeters list command does not produce any output, the access policy contains no service perimeters, VPC Service Controls are not used to protect the Filestore instances within the selected GCP project, and the Audit process ends here. If the command output returns one or more perimeter names, as shown in the example above, you can continue the Audit process with the next step.

05 Run access-context-manager perimeters describe command (Windows/macOS/Linux) with the name of the VPC Service Perimeter that you want to examine (as returned at step no. 4) as the identifier parameter, to list the projects the perimeter contains and the Google Cloud services it restricts. Read the status block: it holds the enforced configuration, whereas settings that appear only under spec belong to a dry-run configuration and enforce nothing:

gcloud access-context-manager perimeters describe "accessPolicies/123412341234/servicePerimeters/cc_project5_perimeter" \
	--format="yaml(status.resources,status.restrictedServices)"

06 The command output should return the protected projects (identified by project number) and the name of each restricted Google Cloud service (API):

status:
  resources:
  - projects/111122223333
  restrictedServices:
  - storage.googleapis.com
  - cloudfunctions.googleapis.com

If the resources list does not include projects/PROJECT_NUMBER for the selected project (the project number, not the project ID; gcloud projects describe PROJECT_ID --format="value(projectNumber)" returns it), or the restrictedServices list does not include file.googleapis.com, the Google Cloud Filestore instances provisioned for the selected GCP project are not protected by the selected VPC Service Perimeter. As a result, VPC Service Controls are not employed to protect your sensitive data from unauthorized access or exfiltration.

07 Repeat steps no. 5 and 6 for each VPC Service Perimeter deployed for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project available within your Google Cloud organization.
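The CLI audit above, scripted as an added example (editor-supplied code, not part of the original page or of Trend Vision One). The decision logic is pulled into a function that reads the output of perimeters describe, so it can be exercised offline on constructed sample output; it applies both conditions the console steps check (the project number under status.resources and file.googleapis.com under status.restrictedServices) and ignores settings that appear only under spec, i.e. dry-run mode. The live wrapper needs gcloud credentials; the policy number, project identifiers and perimeter names are placeholders.

```shell
#!/bin/sh
# Added example (editor-supplied, not from the original page): decide whether
# an enforced VPC Service Perimeter protects a project's Filestore API.

# filestore_protected PROJECT_NUMBER
#   stdin: YAML from `gcloud access-context-manager perimeters describe NAME --policy POLICY --format=yaml`
#   exit 0 when the perimeter's ENFORCED config (status block) lists the project
#   under resources and file.googleapis.com under restrictedServices, else 1.
filestore_protected() {
  awk -v want="projects/$1" '
    /^status:/        { in_status = 1; next }   # enforced configuration starts
    /^[^ ]/           { in_status = 0 }         # any other top-level key (spec:, title:, ...) ends it
    !in_status        { next }
    /^  [A-Za-z]+:/   { section = $1; next }    # resources:, restrictedServices:, ...
    section == "resources:"          && $1 == "-" && $2 == want                 { have_project = 1 }
    section == "restrictedServices:" && $1 == "-" && $2 == "file.googleapis.com" { have_service = 1 }
    END { if (have_project && have_service) exit 0; exit 1 }'
}

# audit_project PROJECT_ID POLICY_NUMBER
#   Live check (needs gcloud and credentials): exit 0 if at least one enforced
#   perimeter in the access policy protects the project's Filestore API.
audit_project() {
  project_id="$1"; policy="$2"
  # perimeter resources are project NUMBERS, so translate the ID first
  number="$(gcloud projects describe "$project_id" --format='value(projectNumber)')" || return 1
  rc=1
  for p in $(gcloud access-context-manager perimeters list --policy "$policy" --format='value(name)'); do
    if gcloud access-context-manager perimeters describe "$p" --policy "$policy" --format=yaml \
        | filestore_protected "$number"; then
      echo "$project_id: Filestore API protected by $p"
      rc=0
    fi
  done
  [ "$rc" -eq 0 ] || echo "$project_id: NOT protected by any enforced perimeter"
  return "$rc"
}

# Constructed sample `describe` output (not real data) so the check runs offline.
SAMPLE_ENFORCED='name: accessPolicies/123412341234/servicePerimeters/cc_project5_perimeter
perimeterType: PERIMETER_TYPE_REGULAR
status:
  resources:
  - projects/111122223333
  restrictedServices:
  - storage.googleapis.com
  - file.googleapis.com
title: cc_project5_perimeter'

# Same settings, but only as a dry-run spec: nothing is enforced.
SAMPLE_DRY_RUN='name: accessPolicies/123412341234/servicePerimeters/cc_dryrun_perimeter
spec:
  resources:
  - projects/111122223333
  restrictedServices:
  - file.googleapis.com
useExplicitDryRunSpec: true
title: cc_dryrun_perimeter'

# Offline demonstration; for a live run use: audit_project cc-project5-123123 123412341234
printf '%s\n' "$SAMPLE_ENFORCED" | filestore_protected 111122223333 \
  && echo "enforced sample: protected"
printf '%s\n' "$SAMPLE_DRY_RUN" | filestore_protected 111122223333 \
  || echo "dry-run sample: not protected"
printf '%s\n' "$SAMPLE_ENFORCED" | filestore_protected 999999999999 \
  || echo "other project: not protected"
```

Loop audit_project over the output of gcloud projects list --format="value(projectId)" to cover the organization. Reading only the status block matters: a perimeter that was created with perimeters dry-run create, or whose restricted services were added only to the dry-run spec, shows the right settings in the console's DRY RUN MODE tab yet blocks nothing.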

Remediation / Resolution

To ensure that VPC Service Controls perimeters are used to protect your Google Cloud Filestore instances, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console using your organization management account credentials.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar. Make sure to choose the GCP project containing the Filestore instances you want to protect.

03 Navigate to Security console available at https://console.cloud.google.com/security.

04 In the left navigation panel, under Zero Trust, select VPC Service Controls.

05 Select the ENFORCED MODE tab, choose NEW PERIMETER, and perform the following actions to create a VPC Service Perimeter that encompasses the resources you want to protect. This perimeter acts as a boundary for your cloud resources:

  1. For Details, provide a unique name for your perimeter in the Perimeter Title box and set the Perimeter Type to Regular perimeter (default). A regular perimeter protects services on the projects it contains.
  2. For Resources to protect, choose ADD RESOURCES, select the ADD PROJECT tab, and choose which GCP project(s) you wish to be part of the perimeter. Once your GCP projects are selected, choose ADD SELECTED RESOURCES to save the changes.
  3. For Restricted Services, specify which Google Cloud services must be protected by the perimeter. To select the Filestore service, choose ADD SERVICES, find the Cloud Filestore API service, and choose ADD CLOUD FILESTORE API. (Optional) You can also choose ADD ALL SERVICES to protect all the Google Cloud services supported by VPC Service Controls.
  4. For VPC accessible services, specify which services are reachable from networks inside the perimeter. To include all the restricted services that the perimeter protects in the list of accessible services, choose Selected services and check the Include all restricted services checkbox. Choose ADD VPC ACCESSIBLE SERVICES if you want to pick individual services instead; make sure to select the Cloud Filestore API service, then choose ADD CLOUD FILESTORE API to save the changes.
  5. By default, requests that originate outside the perimeter, including requests from the Internet, to restricted services inside it are denied. Ingress rules admit such requests based on attributes of the request, such as the caller's identity, the source access level (IP range or device posture), or the originating GCP project; a request that matches no ingress rule is denied. For Ingress Policy, choose ADD RULE, and perform the following actions to create an ingress rule for your perimeter:
    1. In the From attributes of the API client section, specify the identities and sources from outside the perimeter that require access.
    2. In the TO attributes of GCP services/resources section, specify the resources within the perimeter that identities and sources can access. For Services, choose Selected services, select the Cloud Filestore API service, and choose All methods.
    3. For the complete list of ingress rule attributes, see the Ingress rules reference page.
  6. For Egress Policy, choose ADD RULE, and configure the required attributes to create an egress rule for your new perimeter based on your use case. To create a functional egress rule, add at least an identity attribute, a resource, and a service attribute. For the complete list of egress rule attributes, see the Egress rules reference page.
  7. Choose CREATE PERIMETER to deploy your new VPC Service Perimeter. This will protect the Google Cloud Filestore instances within the selected GCP project from data exfiltration.

06 Repeat steps no. 2 – 5 for each GCP project deployed for your Google Cloud organization.

Using GCP CLI

01 By default, requests that originate outside the perimeter, including requests from the Internet, to restricted services inside it are denied. Ingress rules admit such requests based on attributes of the request, such as the caller's identity, the source access level, or the originating GCP project; a request that matches no ingress rule is denied. Create an ingress rule for your VPC Service Perimeter and save the configuration document to a YAML file named ingress-rule-config.yaml (indent with spaces; YAML does not accept tabs). As an example, the following ingress rule allows the user account specified by the identities attribute to call any Cloud Filestore API method on any resource within the perimeter, from any source (accessLevel: '*'); replace '*' with the name of an access level to also constrain the source network or device. For the complete list of ingress rule attributes, see the Ingress rules reference page:

- ingressFrom:
    identities:
    - user:username@domain.com
    sources:
    - accessLevel: '*'
  ingressTo:
    operations:
    - serviceName: file.googleapis.com
      methodSelectors:
      - method: '*'
    resources:
    - '*'

02 Run organizations list command (Windows/macOS/Linux) with your organization management account credentials to get the numeric ID of your Google Cloud organization (the name field has the form organizations/ID; the basename() transform strips the prefix):

gcloud organizations list \
	--format="value(name.basename())"

03 The command output should return the requested organization identifier:

112233441122

04 Run access-context-manager policies list command (Windows/macOS/Linux) to describe the access policy associated with your Google Cloud organization:

gcloud access-context-manager policies list \
	--organization 112233441122

05 The command output should return the requested access policy. The information returned includes the numeric name of the access policy and the ID(s) of the associated GCP project(s):

NAME: 123412341234
ORGANIZATION: 112233441122
SCOPES: projects/111122223333
TITLE: cc-org-access-policy
ETAG: abcd1234abcd1234abcd

06 Run access-context-manager perimeters create command (Windows/macOS/Linux) to create a VPC Service Perimeter that will protect the Google Cloud Filestore instances within the specified GCP project from data exfiltration. For --resources, specify the GCP project you wish to be part of the perimeter as projects/PROJECT_NUMBER; the perimeter takes the project number, not the project ID listed in the Audit section (gcloud projects describe PROJECT_ID --format="value(projectNumber)" returns it). For --restricted-services, specify which Google Cloud services must be protected by the perimeter (in this case, Google Cloud Filestore). For --policy, specify the numeric name of the access policy associated with your organization, returned at step no. 5. And for --ingress-policies, specify the filename of the ingress rule defined at step no. 1 (i.e., ingress-rule-config.yaml):

gcloud access-context-manager perimeters create "cc_filestore_perimeter" \
	--title="project5_filestore_perimeter" \
	--resources="projects/111122223333" \
	--restricted-services=file.googleapis.com \
	--policy=123412341234 \
	--ingress-policies=ingress-rule-config.yaml

07 The command output should return the request status:

Create request issued for: [cc_filestore_perimeter]
Created perimeter [cc_filestore_perimeter].

08 Repeat steps no. 1 - 7 for each GCP project available within your Google Cloud organization.
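The CLI remediation above as a script, added here as an example (editor-supplied, not code from the original page or from Trend Vision One). It renders the ingress rule with space indentation, resolves the project number the perimeter needs, and on the first run creates the perimeter; on later runs it adds the next project to the same perimeter with perimeters update --add-resources, since a single perimeter holding all Filestore projects is the usual design and projects in separate perimeters cannot call each other's restricted APIs without extra ingress and egress rules. The perimeter name cc_filestore_perimeter, the identity, the organization and policy numbers and the project ID are placeholders, and the live functions need gcloud credentials.

```shell
#!/bin/sh
# Added example (editor-supplied, not from the original page): the CLI
# remediation as a script. The first run creates the perimeter; later runs add
# the next project to the SAME perimeter with `perimeters update`, instead of
# creating one perimeter per project. All names below are placeholders.

# render_ingress_rule IDENTITY [SERVICE]
#   Prints the ingress rule YAML for --ingress-policies (spaces, never tabs).
#   This script accepts only user: and serviceAccount: identities.
render_ingress_rule() {
  identity="$1"
  service="${2:-file.googleapis.com}"
  case "$identity" in
    user:*|serviceAccount:*) ;;
    *) echo "identity must be user:EMAIL or serviceAccount:EMAIL" >&2; return 1 ;;
  esac
  cat <<EOF
- ingressFrom:
    identities:
    - ${identity}
    sources:
    - accessLevel: '*'
  ingressTo:
    operations:
    - serviceName: ${service}
      methodSelectors:
      - method: '*'
    resources:
    - '*'
EOF
}

# policy_for_org ORG_NUMBER - numeric name of the organization's access policy
policy_for_org() {
  gcloud access-context-manager policies list --organization "$1" \
    --format='value(name.basename())'
}

# enroll_project POLICY PERIMETER PROJECT_ID IDENTITY   (needs gcloud + credentials)
enroll_project() {
  policy="$1"; perimeter="$2"; project_id="$3"; identity="$4"
  # --resources takes the project NUMBER, not the project ID
  number="$(gcloud projects describe "$project_id" --format='value(projectNumber)')" || return 1
  rule_file="$(mktemp)" || return 1
  if ! render_ingress_rule "$identity" > "$rule_file"; then rm -f "$rule_file"; return 1; fi
  if gcloud access-context-manager perimeters describe "$perimeter" --policy "$policy" >/dev/null 2>&1; then
    # Perimeter exists: extend it; its existing ingress rules are left untouched.
    gcloud access-context-manager perimeters update "$perimeter" --policy "$policy" \
      --add-resources="projects/$number" \
      --add-restricted-services=file.googleapis.com
  else
    gcloud access-context-manager perimeters create "$perimeter" --policy "$policy" \
      --title="$perimeter" \
      --resources="projects/$number" \
      --restricted-services=file.googleapis.com \
      --ingress-policies="$rule_file"
  fi
  rc=$?
  rm -f "$rule_file"
  return "$rc"
}

# Offline demonstration: print the rule that would be written. Live use:
#   enroll_project "$(policy_for_org 112233441122)" cc_filestore_perimeter \
#     cc-project5-123123 user:username@domain.com
render_ingress_rule user:username@domain.com
```

Before enforcing, create the perimeter with gcloud access-context-manager perimeters dry-run create using the same flags and watch the VPC Service Controls audit log entries for a few days; any legitimate client that calls file.googleapis.com from outside the perimeter (CI pipelines, backup jobs, on-prem tooling) shows up as a would-be denial and needs its own ingress rule before you switch to the enforced command above.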


Publication date Jan 17, 2025