GCP Security Best Practices: Securing Your Google Cloud Infrastructure

Google Cloud Platform offers robust security features, but, as with every cloud provider, security is a shared responsibility. This guide covers essential practices for securing your GCP infrastructure, from identity management to data protection.

Understanding GCP's Shared Responsibility Model

Google secures the underlying infrastructure, but you're responsible for:

  • Your data: Classification, encryption, and access controls
  • Identity and access: IAM policies, service accounts, and authentication
  • Application security: Code, dependencies, and runtime configuration
  • Network security: Firewall rules, VPC configuration, and traffic management

1. Identity and Access Management (IAM)

Implement Least Privilege Access

GCP's IAM uses a role-based model. Always grant the minimum permissions required:

# Grant specific role instead of broad permissions
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="user:developer@company.com" \
    --role="roles/storage.objectViewer" \
    --condition='expression=resource.name.startsWith("projects/_/buckets/dev-"),title=dev-buckets-only'

Use Service Accounts Properly

  • Create dedicated service accounts for each application/service
  • Never use default service accounts in production
  • Use Workload Identity for GKE instead of service account keys
  • Rotate service account keys regularly if you must use them

# Create a dedicated service account
gcloud iam service-accounts create my-app-sa \
    --display-name="My Application Service Account"

# Grant minimal permissions
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:my-app-sa@PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/cloudsql.client"
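
As an added example (not from the original post), the following Python audits a project's IAM policy, in the JSON shape produced by `gcloud projects get-iam-policy PROJECT_ID --format=json`, for the anti-patterns this section warns against: primitive roles, public members, and default service accounts holding roles. The policy it checks is a constructed sample, not a real project's.

```python
import json
import re

PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Default service accounts created by Compute Engine and App Engine.
DEFAULT_SA = re.compile(
    r"^serviceAccount:(\d+-compute@developer|[^@]+@appspot)\.gserviceaccount\.com$"
)

# Constructed sample policy (not exported from a real project).
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers", "user:developer@company.com"]},
        {"role": "roles/cloudsql.client",
         "members": ["serviceAccount:my-app-sa@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/owner", "members": ["user:admin@company.com"]},
    ]
})

def audit_iam_policy(policy_json):
    """Return (severity, role, member, reason) tuples for risky bindings."""
    findings = []
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(("HIGH", role, member, "granted to the public"))
            if role in PRIMITIVE_ROLES:
                severity = "MEDIUM" if role == "roles/viewer" else "HIGH"
                findings.append((severity, role, member,
                                 "primitive role; prefer a predefined or custom role"))
            if DEFAULT_SA.match(member):
                findings.append(("MEDIUM", role, member,
                                 "default service account holds a role"))
    return findings

if __name__ == "__main__":
    for severity, role, member, reason in audit_iam_policy(SAMPLE_POLICY):
        print(f"[{severity}] {role} -> {member}: {reason}")
```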

Enable Organization Policies

Use organization policies to enforce security guardrails across all projects:

# Disable service account key creation
gcloud resource-manager org-policies enable-enforce \
    constraints/iam.disableServiceAccountKeyCreation \
    --organization=ORGANIZATION_ID

# Restrict VM external IPs (a list constraint, so deny all values with a policy file)
cat > deny-external-ip.yaml <<'EOF'
constraint: constraints/compute.vmExternalIpAccess
listPolicy:
  allValues: DENY
EOF
gcloud resource-manager org-policies set-policy deny-external-ip.yaml \
    --organization=ORGANIZATION_ID

2. Network Security

VPC Design Best Practices

  • Use Shared VPC: Centralize network management across projects
  • Implement Private Google Access: Access Google APIs without public IPs
  • Use VPC Service Controls: Create security perimeters around sensitive data
  • Enable VPC Flow Logs: Monitor and analyze network traffic

Firewall Rules

# Create a restrictive firewall rule
gcloud compute firewall-rules create allow-internal-only \
    --network=my-vpc \
    --allow=tcp:443,tcp:80 \
    --source-ranges=10.0.0.0/8 \
    --target-tags=internal-servers \
    --priority=1000

# Deny all ingress by default
gcloud compute firewall-rules create deny-all-ingress \
    --network=my-vpc \
    --action=DENY \
    --rules=all \
    --direction=INGRESS \
    --priority=65535
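
As an added example (not from the original post), this Python models how GCP evaluates VPC firewall rules for an ingress flow, so the combined effect of the two rules above (an allow at priority 1000 and a deny-all at 65535) can be checked offline before anything is deployed. The rules and flows are constructed samples.

```python
import ipaddress

# Constructed mirror of the two rules above, loosely in the shape of
# `gcloud compute firewall-rules list --format=json` (not a real export).
RULES = [
    {"name": "allow-internal-only", "priority": 1000, "action": "ALLOW",
     "sourceRanges": ["10.0.0.0/8"], "targetTags": ["internal-servers"],
     "ports": {"tcp": [80, 443]}},
    {"name": "deny-all-ingress", "priority": 65535, "action": "DENY",
     "sourceRanges": ["0.0.0.0/0"], "targetTags": [], "ports": {"all": []}},
]

def rule_matches(rule, src_ip, proto, port, instance_tags):
    """True if the rule applies to this flow: target tag, source range, protocol/port."""
    # A rule with no target tags applies to every instance in the network.
    if rule["targetTags"] and not set(rule["targetTags"]) & set(instance_tags):
        return False
    src = ipaddress.ip_address(src_ip)
    if not any(src in ipaddress.ip_network(r) for r in rule["sourceRanges"]):
        return False
    if "all" in rule["ports"]:
        return True
    allowed = rule["ports"].get(proto)
    # A protocol listed with no ports means every port of that protocol.
    return allowed is not None and (not allowed or port in allowed)

def evaluate_ingress(rules, src_ip, proto, port, instance_tags):
    """Lowest priority number wins; on a tie DENY beats ALLOW; with no match the
    implied deny-ingress rule applies, so an explicit deny-all is a safety net."""
    matching = [r for r in rules if rule_matches(r, src_ip, proto, port, instance_tags)]
    if not matching:
        return ("DENY", "implied-deny-ingress")
    best = min(matching, key=lambda r: (r["priority"], r["action"] != "DENY"))
    return (best["action"], best["name"])

if __name__ == "__main__":
    # HTTPS from the internal range to a tagged server is allowed ...
    print(evaluate_ingress(RULES, "10.1.2.3", "tcp", 443, ["internal-servers"]))
    # ... but SSH from the same source, and HTTPS from the internet, are denied.
    print(evaluate_ingress(RULES, "10.1.2.3", "tcp", 22, ["internal-servers"]))
    print(evaluate_ingress(RULES, "203.0.113.9", "tcp", 443, ["internal-servers"]))
```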

VPC Service Controls

Create security perimeters to prevent data exfiltration:

# Create an access policy
gcloud access-context-manager policies create \
    --organization=ORGANIZATION_ID \
    --title="Security Policy"

# Create a service perimeter
gcloud access-context-manager perimeters create secure-perimeter \
    --policy=POLICY_ID \
    --title="Secure Data Perimeter" \
    --resources=projects/PROJECT_NUMBER \
    --restricted-services=storage.googleapis.com,bigquery.googleapis.com

3. Compute Security

Compute Engine Hardening

  • Use Shielded VMs for verified boot and vTPM
  • Enable OS Login for SSH key management
  • Use Confidential VMs for sensitive workloads
  • Disable serial port access

# Create a Shielded VM
gcloud compute instances create secure-vm \
    --shielded-secure-boot \
    --shielded-vtpm \
    --shielded-integrity-monitoring \
    --no-service-account \
    --no-scopes \
    --metadata=enable-oslogin=TRUE

GKE Security

  • Use private clusters with no public endpoint
  • Enable Workload Identity instead of node service accounts
  • Implement Pod Security Standards
  • Use Binary Authorization for image verification
  • Enable GKE Autopilot for managed security

# Create a secure private GKE cluster
gcloud container clusters create secure-cluster \
    --enable-private-nodes \
    --enable-private-endpoint \
    --master-ipv4-cidr=172.16.0.0/28 \
    --enable-master-authorized-networks \
    --master-authorized-networks=10.0.0.0/8 \
    --workload-pool=PROJECT_ID.svc.id.goog \
    --enable-shielded-nodes \
    --enable-binary-authorization

4. Data Protection

Encryption at Rest

GCP encrypts all data at rest by default, but you can use Customer-Managed Encryption Keys (CMEK) for additional control:

# Create a Cloud KMS key
gcloud kms keys create my-key \
    --location=us-central1 \
    --keyring=my-keyring \
    --purpose=encryption

# Create a Cloud Storage bucket with CMEK
gcloud storage buckets create gs://my-secure-bucket \
    --location=us-central1 \
    --default-encryption-key=projects/PROJECT_ID/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key

BigQuery Security

  • Use column-level security for sensitive data
  • Implement row-level access policies
  • Enable audit logging for all queries
  • Use authorized views for data sharing

# Create a policy tag for sensitive data in a Data Catalog taxonomy, then apply
# column-level security by attaching it to the column via the table schema.
# In schema.json the ssn field carries:
#   {"name": "ssn", "type": "STRING", "policyTags":
#     {"names": ["projects/PROJECT_ID/locations/us/taxonomies/TAX_ID/policyTags/PII"]}}
bq update --schema schema.json PROJECT_ID:dataset.users

Cloud Storage Security

# Enable uniform bucket-level access
gcloud storage buckets update gs://my-bucket --uniform-bucket-level-access

# Enforce public access prevention (the --no- form of this flag would switch it off)
gcloud storage buckets update gs://my-bucket --public-access-prevention

# Enable versioning for data protection
gcloud storage buckets update gs://my-bucket --versioning

5. Logging and Monitoring

Enable Cloud Audit Logs

Ensure comprehensive audit logging is enabled:

  • Admin Activity logs: Enabled by default, cannot be disabled
  • Data Access logs: Must be explicitly enabled
  • System Event logs: Enabled by default
  • Policy Denied logs: Must be explicitly enabled

Security Command Center

Enable Security Command Center Premium for:

  • Security Health Analytics
  • Web Security Scanner
  • Event Threat Detection
  • Container Threat Detection
  • Virtual Machine Threat Detection

Set Up Alerts

# IAM changes live in the audit logs, so first count them with a log-based metric
gcloud logging metrics create iam-policy-changes \
    --description="SetIamPolicy calls" \
    --log-filter='protoPayload.methodName:"SetIamPolicy"'
# Create an alert policy that fires whenever the metric is non-zero
gcloud alpha monitoring policies create \
    --display-name="IAM Policy Changes" \
    --condition-display-name="IAM changes detected" \
    --condition-filter='metric.type="logging.googleapis.com/user/iam-policy-changes"' \
    --if="> 0"
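
The alert above fires on every SetIamPolicy call. As an added example (not from the original post), this Python triages such audit-log entries offline and flags the changes worth paging on: a primitive role being granted, or a member outside the organisation's domain. The log lines are constructed samples in the field layout of Admin Activity audit logs, and `company.com` as the trusted domain is an assumption.

```python
import json

TRUSTED_DOMAINS = {"company.com"}  # assumption: the organisation's own identity domain
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

def audit_entry(method, actor, deltas):
    """Build a constructed Admin Activity audit log line (same field names as GCP)."""
    return json.dumps({"protoPayload": {"methodName": method,
        "authenticationInfo": {"principalEmail": actor},
        "serviceData": {"policyDelta": {"bindingDeltas": deltas}}}})

# Constructed sample export, not real logs.
SAMPLE_LOG_LINES = [
    audit_entry("SetIamPolicy", "admin@company.com",
                [{"action": "ADD", "role": "roles/owner", "member": "user:bob@example.org"}]),
    audit_entry("SetIamPolicy", "admin@company.com",
                [{"action": "ADD", "role": "roles/storage.objectViewer",
                  "member": "user:developer@company.com"},
                 {"action": "REMOVE", "role": "roles/editor", "member": "user:old@company.com"}]),
    audit_entry("storage.buckets.get", "developer@company.com", []),
]

def member_domain(member):
    """Domain of 'user:alice@company.com'; None for allUsers/allAuthenticatedUsers."""
    _, _, email = member.partition(":")
    return email.rsplit("@", 1)[-1] if "@" in email else None

def detect_risky_iam_changes(log_lines):
    """Alert on ADD deltas granting a primitive role or an external member (service
    accounts count as external unless their project domain is in TRUSTED_DOMAINS)."""
    alerts = []
    for line in log_lines:
        payload = json.loads(line).get("protoPayload", {})
        if payload.get("methodName") != "SetIamPolicy":
            continue
        actor = payload.get("authenticationInfo", {}).get("principalEmail", "?")
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for delta in deltas:
            if delta.get("action") != "ADD":
                continue  # removals reduce access; not alert-worthy here
            reasons = []
            if delta["role"] in PRIMITIVE_ROLES:
                reasons.append("primitive role")
            domain = member_domain(delta["member"])
            if domain is None or domain not in TRUSTED_DOMAINS:
                reasons.append("member outside trusted domains")
            if reasons:
                alerts.append({"actor": actor, "role": delta["role"],
                               "member": delta["member"], "reasons": reasons})
    return alerts
```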

6. Secret Management

Use Secret Manager for all sensitive configuration:

# Create a secret
echo -n "my-database-password" | gcloud secrets create db-password --data-file=-

# Grant access to a service account
gcloud secrets add-iam-policy-binding db-password \
    --member="serviceAccount:my-app@PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/secretmanager.secretAccessor"

# Access secret in application
from google.cloud import secretmanager
client = secretmanager.SecretManagerServiceClient()
response = client.access_secret_version(name="projects/PROJECT_ID/secrets/db-password/versions/latest")
password = response.payload.data.decode("UTF-8")

Quick Wins Checklist

  • Enable 2-Step Verification for all Cloud Identity users
  • Enable Security Command Center
  • Review and remove unused service accounts
  • Enable VPC Flow Logs on all subnets
  • Enable Cloud Audit Logs for data access
  • Use organization policies to enforce security baselines
  • Enable uniform bucket-level access on Cloud Storage
  • Use Workload Identity for all GKE workloads

Next Steps

GCP provides powerful security tools, but they require proper configuration. Regularly review your Security Command Center findings, implement CIS benchmarks, and stay updated on new GCP security features.

Need help securing your GCP infrastructure? Contact us for a comprehensive security assessment.