Google Cloud Platform Auditing & Hardening Script ~

Well, I had a hard time finding a unique name, honestly. "Hayat" is a Turkish word which means "Life" in English and also my niece's name. Are you ready to meet her?

😍 😍 😍

Hayat is a auditing & hardening script for Google Cloud Platform services such as:

• Identity & Access Management
• Logging and monitoring
• Networking
• Virtual Machines
• Storage
• Cloud SQL Instances
• Kubernetes Clusters

for now.

• Ensure that corporate login credentials are used instead of Gmail accounts.
• Ensure that there are only GCP-managed service account keys for each service account.
• Ensure that ServiceAccount has no Admin privileges.
• Ensure that IAM users are not assigned Service Account User role at project level.

• Ensure that sinks are configured for all Log entries.

• Ensure the default network does not exist in a project.
• Ensure legacy networks does not exists for a project.
• Ensure that DNSSEC is enabled for Cloud DNS.
• Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC.
• Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC.
• Ensure that RDP access is restricted from the Internet.
• Ensure Private Google Access is enabled for all subnetwork in VPC Network.
• Ensure VPC Flow logs is enabled for every subnet in VPC Network.

• Ensure that instances are not configured to use the default service account with full access to all Cloud APIs.
• Ensure "Block Project-wide SSH keys" enabled for VM instances.
• Ensure oslogin is enabled for a Project.
• Ensure 'Enable connecting to serial ports' is not enabled for VM Instance.
• Ensure that IP forwarding is not enabled on Instances.

• Ensure that Cloud Storage bucket is not anonymously or publicly accessible.
• Ensure that logging is enabled for Cloud storage bucket.

• Ensure that Cloud SQL database instance requires all incoming connections to use SSL.
• Ensure that Cloud SQL database Instances are not open to the world.
• Ensure that MySql database instance does not allow anyone to connect with administrative privileges.
• Ensure that MySQL Database Instance does not allows root login from any host.

• Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters.
• Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters.
• Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters.
• Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters.
• Ensure Kubernetes Clusters are configured with Labels.
• Ensure Kubernetes web UI / Dashboard is disabled.
• Ensure Automatic node repair is enabled for Kubernetes Clusters.
• Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes.
• Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image.
• Ensure Basic Authentication is disabled on Kubernetes Engine Clusters.

Hayat has been written in bash script using gcloud and it's compatible with Linux and OSX.

git clone https://github.com/DenizParlak/Hayat.git && cd Hayat && chmod +x hayat.sh && ./hayat.sh

You can use with specific functions, e.g if you want to scan just Kubernetes Cluster:

./hayat.sh --only-k8s