Introduction

While companies increasingly adopt cloud-based solutions, one of the key challenges they face is safeguarding their data from potential threats. Google Cloud Platform (GCP) offers a powerful solution to this challenge through its Virtual Private Cloud (VPC) Service Controls. Empowering your organization to enhance its security and compliance measures effectively.

Understanding GCP VPC Service Controls ๐Ÿ‘จโ€๐ŸŽ“

GCP's VPC Service Controls provide a robust framework for securing data within your cloud environment. It allows you to define folders or a project to protect. Afterward, you can assign service perimeters around specific resources, granting granular access controls for GCP APIs. VPC Service Perimeters function like a firewall for GCP APIs.

Key Benefits of GCP VPC Service Controls ๐Ÿ’ผ

1. Strengthened Data Security

With GCP VPC Service Controls, you can establish security perimeters around sensitive data, applications, and resources. This segmentation ensures that only authorized entities can access and interact with the protected resources, reducing the chances of data breaches and unauthorized access attempts.

2. Compliance with Regulatory Standards

Achieving compliance with various industry-specific regulations can be a complex and challenging task. However, GCP VPC Service Controls offer a solution by enabling you to enforce data access and usage policies consistently.

3. Prevention of Data Exfiltration

Data exfiltration is a critical concern for anyone dealing with sensitive information. GCP VPC Service Controls provide an added layer of protection against data exfiltration attempts. By implementing these controls, you can monitor data movement and establish alerts for any suspicious activities. Therefore mitigating potential data breaches and ensuring early detection.

Implementing GCP VPC Service Controls ๐Ÿ”จ

Create VPC Service Control access policy

First, you need to navigate to our Organization account.

๐Ÿšจ
You can't create access policies in projects, but only the organization account.

Choose Security in the sidebar and navigate to VPC Service Controls. From there you can create your first policy. You can either select a single project or a folder. All resources within the project or folder will adhere to the policy.

GCP Access Policy creation

Create VPC Service Perimeters

Now you can navigate to any of the projects in the scope of the previously created Access Policy and create the VPC Service Perimeters. I always recommend trying the permiteres in the dry run mode first, before changing it to enforcement. In the creation process, you can choose between two perimeter types. The regular type protects services in the perimeter and the bridge type facilitates access between different service perimeters.

VPC Service Perimeter

In the next step, you can choose which resources to protect. You can either choose a project within our VPC Service Policy or any VPC network.

VPC Service Perimeter Resources to protect

Define the services that you want to protect within the perimeter. One of the main reasons for VPC Service Perimertes is data exfiltration. Therefore I would advise you to restrict all storage services like the Cloud Storage API.

VPC Service Perimeter restricted services

Next, choose the services that should be accessible through Private Google Access. Keep in mind that this only considers Private Google Access. This list does not restrict calls between GCP services.

VPC Service Perimeter accessible services

Access levels are limited to external requests targeting protected resources within the service perimeter. You can choose geographic locations or IP subnetworks for example. This can be configured via the Access Context Manager, a separate GCP service. You can find all information in my separate guide:

Secure Projects with GCP Access Context Manager: The Expert Guide
Introduction Previously, we dived into the world of GCP VPC Service Controls, gaining insights into how they enhance the security of our cloud infrastructure. How To Enhance Security And Compliance With GCP VPC Service ControlsIntroduction While companies increasingly adopt cloud-based solutions, one of the key challenges they face is safeguarding
VPC Service Perimeter access levels

The ingress and egress rules define the direction of allowed access between different identities and resources.

In our case, you want to restrict the Cloud Storage API to Any identities from the default-alexanderhose project. The target is all projects in our previously defined VPC Service Control access policy.

VPC Service Perimeter ingress rules

Afterward, you create the service perimeter and will be presented with the configuration. Make sure to hit the enforce button, once you are happy with your configuration and your GCP APIs are protected.

// Projects (project id)
security-alexanderhose (1234567890)

// VPC Networks


// Services
Cloud Storage API

Ingress Rule 1
  From: 
    Identities:  ANY_IDENTITY
    Projects:
      default-alexanderhose

  To: 
    Projects: All projects
    Services = 
      Services name: All services 


// No egress policy 


// VPC Accessible Services
All services allowed

// Access levels

Testing the setup ๐Ÿงช

You have restricted access to the Cloud Storage API with the above configuration to identities in your default-alexanderhose project.

Now let's try to list all files in our bucket, from your local computer or any other GCP project. You will receive an error message hinting at an issue with service controls and a unique ID vpcServiceControlsUniqueIdentifier. As expected the call to the GCP API was not successful.

$ gcloud storage ls gs://bucket-alexanderhose/
ERROR: (gcloud.storage.ls) User [[email protected]] does not have permission to access b instance [bucket-alexanderhose] (or it may not exist): Request is prohibited by organization's policy. vpcServiceControlsUniqueIdentifier: bhPfWOMbDqjXm5DjHlaEJnXnEVFheifu67FeobggxnwPoIBOZ41tKQ

Next, we try to run the same command from the default-alexanderhose project. This time we are presented with the content of our bucket. You have successfully protected the Cloud Storage API in your project ๐ŸŽ‰

$ gcloud storage ls gs://bucket-alexanderhose/
gs://bucket-alexanderhose/secret.json

Debug access ๐Ÿšง

Debugging the implementation of GCP VPC Service Controls is crucial to ensure the security and functionality of your GCP environment. When encountering issues, you can leverage the GCP Logs Explorer. This feature allows you to examine and analyze logs generated by various GCP services, aiding in the identification of potential misconfigurations or access violations within the VPC Service Controls. When investigating problems, focus on filtering logs based on relevant parameters such as time range and the vpcServiceControlsUniqueIdentifier in the error message.

VPC Service Perimeter Logs Explorer

Alternatively, you can also use the VPC Service Controls Troubleshooter. It is accessible from the VPC Service Controls dashboard.

VPC Service Perimeter Dashboard

Here we can deep-dive into the request and get a nice overview of the findings of the logs.

VPC Service Perimeter Troubleshooter

Conclusion ๐ŸŽ“

In conclusion, GCP VPC Service Controls offer a robust and efficient means of enhancing security and compliance in the cloud. By strategically implementing these controls, you can improve your data protection strategies, meet regulatory requirements, and safeguard sensitive information.

One consideration you need to take into account is, that you have an additional policy taking care of the authorization of services in your GCP projects.

Share this post