Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-gcp-perimeter
Overview
3Dashboards
33Benchmarks
0Queries
6Variables
GitHub

GCP Perimeter Mod

Run security controls across all your Google Cloud Platform projects to look for resources that are publicly accessible, have insecure network configurations, and check IAM policies for untrusted access.

Documentation

Getting Started

Installation

Install Powerpipe (https://powerpipe.io/downloads), or use Brew:

brew install turbot/tap/powerpipe

This mod also requires Steampipe with the GCP plugin as the data source. Install Steampipe (https://steampipe.io/downloads), or use Brew:

brew install turbot/tap/steampipe
steampipe plugin install gcp

Steampipe will automatically use your default GCP credentials. Optionally, you can setup multiple projects or customize GCP credentials.

Finally, install the mod:

mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-gcp-perimeter

Browsing Dashboards

Start Steampipe as the data source:

steampipe service start

Start the dashboard server:

powerpipe server

Browse and view your dashboards at http://localhost:9033.

Running Checks in Your Terminal

Instead of running benchmarks in a dashboard, you can also run them within your terminal with the powerpipe benchmark command:

List available benchmarks:

powerpipe benchmark list

Run a benchmark:

powerpipe benchmark run gcp_perimeter.benchmark.iam_policy_shared_access

Run a specific control:

powerpipe control run gcp_perimeter.control.compute_disk_policy_shared_access

Different output formats are also available, for more information please see Output Formats.

Configure Variables

The benchmarks have input variables that can be configured to better match your environment and requirements. Each variable has a default defined in its source file, e.g., perimeter/iam_policy_shared_access.pp, but these can be overwritten in several ways:

It's easiest to setup your vars file, starting with the sample:

cp powerpipe.ppvars.example powerpipe.ppvars
vi powerpipe.ppvars

Alternatively you can pass variables on the command line:

powerpipe benchmark run gcp_perimeter.benchmark.iam_policy_shared_access --var='gcp_perimeter.trusted_users=["user1@example.com", "user2@example.com"]' --var='gcp_perimeter.trusted_groups=["group1@example.com", "group2@example.com"]' --var='gcp_perimeter.trusted_domains=["domain1.com", "domain2.com"]' --var='gcp_perimeter.trusted_service_accounts=["service-account1@example.com", "service-account2@example.com"]'

Or through environment variables:

export PP_VAR_trusted_users='["user1@example.com", "user2@example.com"]'
export PP_VAR_trusted_groups='["group1@example.com", "group2@example.com"]'
export PP_VAR_trusted_domains='["domain1.com", "domain2.com"]'
export PP_VAR_trusted_service_accounts='["service-account1@example.com", "service-account2@example.com"]'
powerpipe control run gcp_perimeter.control.compute_disk_policy_shared_access

These are only some of the ways you can set variables. For a full list, please see Passing Input Variables.

Common and Tag Dimensions

The benchmark queries use common properties (like project and location) and labels that are defined in the form of a default list of strings in the variables.pp file. These properties can be overwritten in several ways:

It's easiest to setup your vars file, starting with the sample:

cp powerpipe.ppvars.example powerpipe.ppvars
vi powerpipe.ppvars

Alternatively you can pass variables on the command line:

powerpipe benchmark run gcp_perimeter.benchmark.iam_policy_public_access --var 'gcp_perimeter.common_dimensions=["project", "location"]'

Or through environment variables:

export PP_VAR_common_dimensions='["project", "location"]'
powerpipe control run gcp_perimeter.control.bigquery_dataset_policy_prohibit_public_access

Open Source & Contributing

This repository is published under the Apache 2.0 license. Please see our code of conduct. We look forward to collaborating with you!

Steampipe and Powerpipe are products produced from this open source software, exclusively by Turbot HQ, Inc. They are distributed under our commercial terms. Others are allowed to make their own distribution of the software, but cannot use any of the Turbot trademarks, cloud services, etc. You can learn more in our Open Source FAQ.

Get Involved

Join #powerpipe on Slack →

Want to help but don't know where to start? Pick up one of the help wanted issues: