
GCP Security Best Practices: Complete Hardening Guide 2024

19 May 2026 · 5 min read · FixMyCloud Team

Google Cloud Platform offers robust security controls, but misconfiguration remains the leading cause of cloud breaches. This guide covers essential GCP security best practices for hardening your cloud infrastructure, with practical commands and configurations you can implement immediately.

Identity and Access Management (IAM) Hardening

Implement Least Privilege Access

Start by auditing existing IAM policies and removing excessive permissions. Use predefined roles instead of primitive roles whenever possible:

# List all IAM policies for a project
gcloud projects get-iam-policy PROJECT_ID

# Remove primitive roles and replace with specific roles
gcloud projects remove-iam-policy-binding PROJECT_ID \
  --member="user:user@example.com" \
  --role="roles/editor"

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="user:user@example.com" \
  --role="roles/compute.instanceAdmin.v1"

Enable Multi-Factor Authentication

Enforce MFA for all users with administrative access. Configure security keys for high-privilege accounts:

  • Navigate to Google Admin Console → Security → 2-Step Verification
  • Enable "Allow users to turn on 2-Step Verification"
  • For admin accounts, enforce security key requirements
  • Implement conditional access policies based on device trust and location

Service Account Security

Service accounts are critical attack vectors. Follow these GCP security best practices:

# Create service account with minimal permissions
gcloud iam service-accounts create sa-name \
  --description="Service account for specific function" \
  --display-name="Descriptive Name"

# Generate and download key (store securely)
gcloud iam service-accounts keys create ~/key.json \
  --iam-account=sa-name@PROJECT_ID.iam.gserviceaccount.com

# Rotate keys regularly
gcloud iam service-accounts keys list \
  --iam-account=sa-name@PROJECT_ID.iam.gserviceaccount.com

gcloud iam service-accounts keys delete KEY_ID \
  --iam-account=sa-name@PROJECT_ID.iam.gserviceaccount.com

Critical: Never commit service account keys to version control. Use Google's Application Default Credentials or Workload Identity for GKE workloads.
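As an added example (not part of the original post), a Python script that reads the JSON from `gcloud iam service-accounts keys list --iam-account=... --format=json` and lists user-managed keys older than an assumed 90-day rotation window, together with the delete command from the section above; the key records are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy, not a GCP default

# Constructed sample in the shape returned by
# `gcloud iam service-accounts keys list --iam-account=... --format=json`
SA = "sa-name@PROJECT_ID.iam.gserviceaccount.com"
SAMPLE_KEYS_JSON = json.dumps([
    {"name": f"projects/PROJECT_ID/serviceAccounts/{SA}/keys/aaaa1111",
     "keyType": "USER_MANAGED", "validAfterTime": "2023-01-10T12:00:00Z"},
    {"name": f"projects/PROJECT_ID/serviceAccounts/{SA}/keys/bbbb2222",
     "keyType": "USER_MANAGED", "validAfterTime": "2024-05-01T08:30:00Z"},
    # Google-managed keys rotate automatically and cannot be deleted by users
    {"name": f"projects/PROJECT_ID/serviceAccounts/{SA}/keys/cccc3333",
     "keyType": "SYSTEM_MANAGED", "validAfterTime": "2024-05-10T00:00:00Z"},
])


def stale_keys(keys_json, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return user-managed keys older than max_age_days, oldest first,
    each with the gcloud command that deletes it."""
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue
        created = datetime.strptime(key["validAfterTime"], "%Y-%m-%dT%H:%M:%SZ")
        created = created.replace(tzinfo=timezone.utc)
        if created >= cutoff:
            continue
        account = key["name"].split("/serviceAccounts/")[1].split("/keys/")[0]
        key_id = key["name"].rsplit("/", 1)[-1]
        findings.append({
            "account": account, "key_id": key_id, "age_days": (now - created).days,
            "fix": f"gcloud iam service-accounts keys delete {key_id} --iam-account={account}",
        })
    return sorted(findings, key=lambda f: f["age_days"], reverse=True)


if __name__ == "__main__":
    for f in stale_keys(SAMPLE_KEYS_JSON, datetime.now(timezone.utc)):
        print(f"{f['account']} key {f['key_id']} is {f['age_days']} days old: {f['fix']}")
```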

Network Security Configuration

VPC Security Hardening

Implement network segmentation and secure VPC configurations:

# Create VPC with custom subnets (avoid default VPC)
gcloud compute networks create secure-vpc \
  --subnet-mode=custom \
  --bgp-routing-mode=regional

# Create private subnet
gcloud compute networks subnets create private-subnet \
  --network=secure-vpc \
  --range=10.0.1.0/24 \
  --region=us-central1 \
  --enable-private-ip-google-access

Firewall Rules Best Practices

Implement defense-in-depth with restrictive firewall rules:

# Deny all ingress by default (implicit, but be explicit)
gcloud compute firewall-rules create deny-all-ingress \
  --network=secure-vpc \
  --action=deny \
  --rules=all \
  --source-ranges=0.0.0.0/0 \
  --priority=65534

# Allow specific services only
gcloud compute firewall-rules create allow-https \
  --network=secure-vpc \
  --allow=tcp:443 \
  --source-ranges=0.0.0.0/0 \
  --target-tags=web-server

# Internal communication only
gcloud compute firewall-rules create allow-internal \
  --network=secure-vpc \
  --allow=tcp:3306 \
  --source-tags=app-server \
  --target-tags=database
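As an added example (not from the original post), a Python check over the JSON from `gcloud compute firewall-rules list --format=json` that flags ingress allow-rules reachable from the Internet on ports outside an assumed approved set (80 and 443); it understands port ranges and rules with no port restriction. The sample rules are constructed: the three rules above plus one over-permissive management rule.

```python
import json

# Assumed policy: only web ports may be reachable from the Internet
ALLOWED_PUBLIC_PORTS = {"tcp": {80, 443}}
INTERNET = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`
SAMPLE_RULES_JSON = json.dumps([
    {"name": "deny-all-ingress", "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]},
    {"name": "allow-https", "direction": "INGRESS", "priority": 1000, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}], "targetTags": ["web-server"]},
    {"name": "allow-internal", "direction": "INGRESS", "priority": 1000, "sourceTags": ["app-server"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3306"]}], "targetTags": ["database"]},
    {"name": "allow-mgmt", "direction": "INGRESS", "priority": 1000, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22", "3389", "8000-8100"]}]},
])


def expand_ports(ports):
    """'22' -> {22}; '8000-8100' -> {8000, ..., 8100}; no ports field -> None (all ports)."""
    if not ports:
        return None
    result = set()
    for spec in ports:
        lo, _, hi = spec.partition("-")
        result.update(range(int(lo), int(hi or lo) + 1))
    return result


def internet_exposed(rules_json):
    """Enabled ingress allow-rules reachable from the Internet on non-approved ports."""
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("direction") != "INGRESS" or rule.get("disabled") or "allowed" not in rule:
            continue
        if not set(rule.get("sourceRanges", [])) & INTERNET:
            continue
        for entry in rule["allowed"]:
            proto = entry["IPProtocol"].lower()
            ports = expand_ports(entry.get("ports"))
            approved = ALLOWED_PUBLIC_PORTS.get(proto, set())
            # None means every port of this protocol ("all" means every protocol)
            exposed = "all" if ports is None else sorted(ports - approved)
            if exposed:
                findings.append({"rule": rule["name"], "protocol": proto, "ports": exposed,
                                 # no targetTags means the rule applies to every instance
                                 "targets": rule.get("targetTags", ["<all instances>"])})
    return findings
```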

Enable VPC Flow Logs

Monitor network traffic for security analysis:

# Enable flow logs on subnet
gcloud compute networks subnets update private-subnet \
  --region=us-central1 \
  --enable-flow-logs \
  --logging-flow-sampling=0.1 \
  --logging-aggregation-interval=interval-5-sec

Compute Engine Security

Instance Hardening

Secure your compute instances with these configurations:

# Create hardened instance
gcloud compute instances create secure-instance \
  --zone=us-central1-a \
  --machine-type=e2-medium \
  --subnet=private-subnet \
  --no-address \
  --maintenance-policy=MIGRATE \
  --scopes=https://www.googleapis.com/auth/logging.write \
  --tags=secured-instance \
  --image-family=ubuntu-2004-lts \
  --image-project=ubuntu-os-cloud \
  --boot-disk-size=20GB \
  --boot-disk-type=pd-ssd \
  --boot-disk-device-name=boot-disk \
  --shielded-secure-boot \
  --shielded-vtpm \
  --shielded-integrity-monitoring

Disable Serial Console Access

Prevent unauthorized access through serial console:

# Disable at project level
gcloud compute project-info add-metadata \
  --metadata serial-port-enable=FALSE

# Disable for specific instance
gcloud compute instances add-metadata INSTANCE_NAME \
  --zone=ZONE \
  --metadata serial-port-enable=FALSE

Storage Security

Cloud Storage Bucket Hardening

Implement bucket-level security controls:

# Create bucket with uniform access control
gsutil mb -p PROJECT_ID -l us-central1 gs://secure-bucket-name
gsutil uniformbucketlevelaccess set on gs://secure-bucket-name

# Enable versioning and lifecycle policies
gsutil versioning set on gs://secure-bucket-name

# Block public access
gsutil iam ch -d allUsers gs://secure-bucket-name
gsutil iam ch -d allAuthenticatedUsers gs://secure-bucket-name

Encryption Configuration

Always use customer-managed encryption keys (CMEK) for sensitive data:

# Create KMS keyring and key in the same location as the bucket
# (Cloud Storage requires the key and the bucket to be in the same location)
gcloud kms keyrings create secure-keyring \
  --location=us-central1

gcloud kms keys create secure-key \
  --location=us-central1 \
  --keyring=secure-keyring \
  --purpose=encryption

# Let the project's Cloud Storage service agent use the key, then make it the bucket default
gsutil kms authorize -p PROJECT_ID -k projects/PROJECT_ID/locations/us-central1/keyRings/secure-keyring/cryptoKeys/secure-key
gsutil kms encryption -k projects/PROJECT_ID/locations/us-central1/keyRings/secure-keyring/cryptoKeys/secure-key gs://secure-bucket-name

Logging and Monitoring

Enable Audit Logging

Configure comprehensive audit logging for security monitoring:

# Enable Data Access audit logs for all services. Audit configs are part of the
# project IAM policy: fetch the current policy, append the auditConfigs block and
# write the whole policy back. Never run set-iam-policy with a file that omits
# the existing bindings, as that removes them. If the policy already contains an
# auditConfigs block, edit that block instead of appending a second one.
gcloud projects get-iam-policy PROJECT_ID --format=yaml > policy.yaml

cat >> policy.yaml << EOF
auditConfigs:
- service: allServices
  auditLogConfigs:
  - logType: ADMIN_READ
  - logType: DATA_READ
  - logType: DATA_WRITE
EOF

gcloud projects set-iam-policy PROJECT_ID policy.yaml

# Export Compute Engine and Cloud Storage audit entries to BigQuery for retention and analysis
gcloud logging sinks create security-sink \
  bigquery.googleapis.com/projects/PROJECT_ID/datasets/security_logs \
  --log-filter='protoPayload.serviceName="compute.googleapis.com" OR protoPayload.serviceName="storage.googleapis.com"'

Set Up Security Monitoring

Create alerting policies for suspicious activities:

# Alert on admin activity
gcloud alpha monitoring policies create \
  --policy-from-file=admin-activity-policy.yaml

Example policy configuration for detecting privilege escalation, saved as admin-activity-policy.yaml (gcloud accepts JSON or YAML for --policy-from-file). A log-based alert uses conditionMatchedLog with a log filter; conditionThreshold applies only to metrics, and log-based alerts require a notificationRateLimit:

{
  "displayName": "IAM Policy Changes",
  "combiner": "OR",
  "conditions": [{
    "displayName": "IAM modifications",
    "conditionMatchedLog": {
      "filter": "resource.type=\"project\" AND protoPayload.methodName=\"SetIamPolicy\""
    }
  }],
  "alertStrategy": {
    "notificationRateLimit": {"period": "300s"},
    "autoClose": "1800s"
  }
}
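The alert above fires on every SetIamPolicy call. As an added example (not from the original post), the triage logic a responder would run over the matching audit log entries to separate high-risk changes (a primitive role granted, allUsers or allAuthenticatedUsers added) from routine ones, reading the binding deltas under protoPayload.serviceData.policyDelta; the log entries are constructed, and the fallback to a metadata field is an assumption for services that place the delta there.

```python
import json

PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def _entry(ts, resource, method, actor, deltas):
    """Constructed audit log line in the Cloud Audit Log JSON shape."""
    return json.dumps({"timestamp": ts, "resource": resource,
                       "protoPayload": {"methodName": method,
                                        "authenticationInfo": {"principalEmail": actor},
                                        "serviceData": {"policyDelta": {"bindingDeltas": deltas}}}})


PROJECT = {"type": "project", "labels": {"project_id": "PROJECT_ID"}}
BUCKET = {"type": "gcs_bucket", "labels": {"bucket_name": "secure-bucket-name"}}
SAMPLE_LOG_LINES = [  # owner grant, routine grant plus a removal, bucket made public
    _entry("2024-05-19T10:00:00Z", PROJECT, "SetIamPolicy", "alice@example.com",
           [{"action": "ADD", "role": "roles/owner", "member": "user:bob@example.com"}]),
    _entry("2024-05-19T10:05:00Z", PROJECT, "SetIamPolicy", "ci-sa@PROJECT_ID.iam.gserviceaccount.com",
           [{"action": "ADD", "role": "roles/logging.viewer", "member": "group:sre@example.com"},
            {"action": "REMOVE", "role": "roles/owner", "member": "user:old-admin@example.com"}]),
    _entry("2024-05-19T10:07:00Z", BUCKET, "storage.setIamPermissions", "alice@example.com",
           [{"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"}]),
]


def risky_iam_changes(log_lines):
    """One finding per ADD delta that grants a primitive role or adds a public member."""
    findings = []
    for line in log_lines:
        entry = json.loads(line)
        proto = entry.get("protoPayload", {})
        if not proto.get("methodName", "").lower().endswith(("setiampolicy", "setiampermissions")):
            continue
        # Resource Manager records the delta under serviceData; assume some services use metadata
        data = proto.get("serviceData") or proto.get("metadata") or {}
        for delta in data.get("policyDelta", {}).get("bindingDeltas", []):
            if delta.get("action") != "ADD":
                continue  # removals reduce privilege and are not flagged here
            reasons = []
            if delta["role"] in PRIMITIVE_ROLES:
                reasons.append("primitive role")
            if delta["member"] in PUBLIC_MEMBERS:
                reasons.append("public member")
            if reasons:
                findings.append({"time": entry["timestamp"], "resource": entry["resource"]["labels"],
                                 "actor": proto["authenticationInfo"]["principalEmail"],
                                 "role": delta["role"], "member": delta["member"], "reasons": reasons})
    return findings
```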

Security Command Center Integration

Enable Security Command Center for centralized security management:

  • Activate Security Command Center Standard (free tier)
  • Enable Security Health Analytics
  • Configure Event Threat Detection
  • Set up notification channels for critical findings

For organizations requiring continuous security scanning beyond native GCP tools, platforms like FixMyCloud provide automated compliance monitoring across multiple cloud environments, including detailed GCP security posture assessments and remediation guidance.

Container and GKE Security

GKE Cluster Hardening

Create security-focused GKE clusters:

# Create hardened GKE cluster
gcloud container clusters create secure-cluster \
  --zone=us-central1-a \
  --num-nodes=3 \
  --enable-autorepair \
  --enable-autoupgrade \
  --enable-network-policy \
  --enable-private-nodes \
  --master-ipv4-cidr=172.16.0.0/28 \
  --enable-ip-alias \
  --enable-shielded-nodes \
  --enable-binauthz \
  --workload-pool=PROJECT_ID.svc.id.goog

Workload Identity Configuration

Implement Workload Identity instead of service account keys:

# Enable Workload Identity (already set by --workload-pool at cluster creation; shown here for existing clusters)
gcloud container clusters update secure-cluster \
  --zone=us-central1-a \
  --workload-pool=PROJECT_ID.svc.id.goog

# Create Kubernetes service account in the namespace used in the binding below
kubectl create serviceaccount workload-sa --namespace NAMESPACE

# Allow the Kubernetes service account to impersonate the Google service account
gcloud iam service-accounts add-iam-policy-binding \
  gsa-name@PROJECT_ID.iam.gserviceaccount.com \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/workload-sa]"

# Annotate the Kubernetes service account so pods that use it receive the Google identity
kubectl annotate serviceaccount workload-sa --namespace NAMESPACE \
  iam.gke.io/gcp-service-account=gsa-name@PROJECT_ID.iam.gserviceaccount.com

Continuous Security Validation

Regular security assessments are crucial for maintaining strong security posture. Implement these practices:

  • Schedule regular IAM access reviews and cleanup
  • Automate security scanning in CI/CD pipelines
  • Conduct quarterly firewall rule audits
  • Monitor and rotate service account keys
  • Review Cloud Storage bucket permissions monthly

Automated Compliance Checking

Use tools for continuous compliance monitoring:

#!/bin/bash
# Basic posture checks using gcloud and gsutil (run with a read-only account)
echo "Checking for public buckets..."
for bucket in $(gsutil ls); do
  # Bucket IAM, not legacy ACLs, is what matters once uniform access is on
  if gsutil iam get "$bucket" | grep -q 'allUsers\|allAuthenticatedUsers'; then
    echo "PUBLIC: $bucket"
  fi
done

echo "Checking for instances with external IP addresses..."
gcloud compute instances list \
  --filter="networkInterfaces.accessConfigs:*" \
  --format="table(name,zone,networkInterfaces[0].accessConfigs[0].natIP:label=EXTERNAL_IP)"
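As an added example (not from the original post) serving both the IAM hardening section and the bucket check above: a Python audit of an IAM policy in the JSON shape returned by `gcloud projects get-iam-policy --format=json` (and, with the same bindings structure, by `gsutil iam get` for a bucket) that flags primitive roles and public members and prints the remediation command used earlier on this page for each; the policy is constructed.

```python
import json

PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`
# (gsutil iam get returns the same bindings structure for a bucket)
SAMPLE_POLICY_JSON = json.dumps({
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/editor", "members": [
            "serviceAccount:sa-name@PROJECT_ID.iam.gserviceaccount.com", "user:dev@example.com"]},
        {"role": "roles/compute.instanceAdmin.v1", "members": ["user:ops@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"],
         "condition": {"title": "temporary",
                       "expression": "request.time < timestamp('2024-12-31T00:00:00Z')"}},
    ],
    "etag": "BwXexample=", "version": 3,
})


def audit_policy(policy_json, resource, kind="project"):
    """Flag primitive roles and public members. kind is 'project' or 'bucket' and
    selects the remediation command (gcloud vs gsutil, as used earlier on this page)."""
    findings = []
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding["role"]
        condition = binding.get("condition")
        for member in binding.get("members", []):
            reasons = []
            if role in PRIMITIVE_ROLES:
                reasons.append("primitive role")
            if member in PUBLIC_MEMBERS:
                reasons.append("public member")
            if not reasons:
                continue
            if kind == "project":
                fix = (f'gcloud projects remove-iam-policy-binding {resource} '
                       f'--member="{member}" --role="{role}"')
            else:
                fix = f"gsutil iam ch -d {member} gs://{resource}"  # drops member from every role
            finding = {"role": role, "member": member, "reasons": reasons, "fix": fix}
            if condition:
                # A conditional binding is only removed when the removal matches its condition
                finding["note"] = f"conditional binding ({condition['title']}); the removal must match it"
            findings.append(finding)
    return findings
```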

These GCP security best practices form the foundation of a robust cloud security posture. Regular implementation and monitoring of these controls, combined with automated security scanning solutions, help ensure your GCP environment remains secure against evolving threats.

Remember that security is an ongoing process, not a one-time configuration. Stay updated with Google Cloud's security announcements and regularly review your security configurations to address new vulnerabilities and compliance requirements.

#gcp #google-cloud #security

Scan your GCP environment automatically

FixMyCloud runs 51 GCP security checks across IAM, storage, networking and compute, mapped to CIS and NIST 800-53.
