Hayat - Auditing & Hardening Script For Google Cloud Platform
Hayat is an auditing & hardening script for Google Cloud Platform services such as:
- Identity & Access Management
- Networking
- Virtual Machines
- Storage
- Cloud SQL Instances
- Kubernetes Clusters
Identity & Access Management
- Ensure that corporate login credentials are used instead of Gmail accounts.
- Ensure that only GCP-managed service account keys exist for each service account.
- Ensure that ServiceAccount has no Admin privileges.
- Ensure that IAM users are not assigned the Service Account User role at project level.
Networking
- Ensure the default network does not exist in a project.
- Ensure legacy networks do not exist for a project.
- Ensure that DNSSEC is enabled for Cloud DNS.
- Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC.
- Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC.
- Ensure that RDP access is restricted from the Internet.
- Ensure Private Google Access is enabled for all subnetworks in the VPC Network.
- Ensure VPC Flow Logs are enabled for every subnet in the VPC Network.
Virtual Machines
- Ensure that instances are not configured to use the default service account with full access to all Cloud APIs.
- Ensure "Block Project-wide SSH keys" enabled for VM instances.
- Ensure OS Login is enabled for a Project.
- Ensure 'Enable connecting to serial ports' is not enabled for VM Instances.
- Ensure that IP forwarding is not enabled on Instances.
Storage
- Ensure that Cloud Storage buckets are not anonymously or publicly accessible.
- Ensure that logging is enabled for Cloud Storage buckets.
Cloud SQL Database Services
- Ensure that Cloud SQL database instances require all incoming connections to use SSL.
- Ensure that Cloud SQL database instances are not open to the world.
- Ensure that MySQL database instances do not allow anyone to connect with administrative privileges.
- Ensure that MySQL database instances do not allow root login from any host.
Kubernetes Engine
- Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters.
- Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters.
- Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters.
- Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters.
- Ensure Kubernetes Clusters are configured with Labels.
- Ensure the Kubernetes web UI / Dashboard is disabled.
- Ensure Automatic node repair is enabled for Kubernetes Clusters.
- Ensure Automatic node upgrades are enabled on Kubernetes Engine Cluster nodes.
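As an added example (this is not Hayat's own code), here is how three of the checks above, one each from the Virtual Machines, Cloud SQL and Kubernetes Engine lists, can be written in bash as filters over gcloud's `--format=value(...)` output, with constructed sample records standing in for the live commands. The gcloud field paths, the `|` column separator, the `True`/`False` rendering of booleans, the `PASS`/`FAIL` line format and the sample records are all assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not Hayat's own code. Each check is a filter over records that
# gcloud can emit with --format="value[separator='|'](...)". '|' rather than the
# default tab is used deliberately: tab is IFS whitespace, so an empty field
# (e.g. requireSsl never set) would otherwise be collapsed away by `read`.
# Field paths, the True/False rendering of booleans and the PASS/FAIL line
# format are assumptions of this example.
set -euo pipefail

# Live input (assumed layout: name | service account email | scopes joined by ';'):
#   gcloud compute instances list \
#     --format="value[separator='|'](name,serviceAccounts[0].email,serviceAccounts[0].scopes)"
check_default_sa_full_scope() {
  local name='' email='' scopes=''
  while IFS='|' read -r name email scopes; do
    [ -n "$name" ] || continue
    # The default Compute Engine service account is <project-number>-compute@developer.gserviceaccount.com.
    case "$email" in
      *-compute@developer.gserviceaccount.com) ;;
      *) echo "PASS vm/$name custom service account"; continue ;;
    esac
    # cloud-platform is the "Allow full access to all Cloud APIs" scope.
    case ";$scopes;" in
      *";https://www.googleapis.com/auth/cloud-platform;"*)
        echo "FAIL vm/$name default service account with full access to all Cloud APIs" ;;
      *) echo "PASS vm/$name default service account with limited scopes" ;;
    esac
  done
}

# Live input (assumed layout: name | requireSsl | authorized network CIDRs joined by ';'):
#   gcloud sql instances list \
#     --format="value[separator='|'](name,settings.ipConfiguration.requireSsl,settings.ipConfiguration.authorizedNetworks[].value)"
check_cloudsql_exposure() {
  local name='' ssl='' nets=''
  while IFS='|' read -r name ssl nets; do
    [ -n "$name" ] || continue
    # requireSsl is absent when never set, so only an explicit True counts as enforced.
    if [ "$ssl" = "True" ]; then
      echo "PASS sql/$name requires SSL for incoming connections"
    else
      echo "FAIL sql/$name does not require SSL for incoming connections"
    fi
    case ";$nets;" in
      *";0.0.0.0/0;"*) echo "FAIL sql/$name authorized network 0.0.0.0/0 opens the instance to the world" ;;
      *) echo "PASS sql/$name no world-open authorized network" ;;
    esac
  done
}

# Live input (assumed layout: name | legacyAbac.enabled, empty when ABAC is disabled):
#   gcloud container clusters list --format="value[separator='|'](name,legacyAbac.enabled)"
check_gke_legacy_abac() {
  local name='' abac=''
  while IFS='|' read -r name abac; do
    [ -n "$name" ] || continue
    if [ "$abac" = "True" ]; then
      echo "FAIL gke/$name Legacy Authorization (ABAC) is enabled"
    else
      echo "PASS gke/$name Legacy Authorization is disabled"
    fi
  done
}

# Number of FAIL lines on stdin; grep -c exits 1 when the count is 0, hence || true.
count_failures() { grep -c '^FAIL' || true; }

# Constructed sample records standing in for live gcloud output.
sample_vms() {
  printf 'web-1|123456789012-compute@developer.gserviceaccount.com|https://www.googleapis.com/auth/cloud-platform\n'
  printf 'web-2|123456789012-compute@developer.gserviceaccount.com|https://www.googleapis.com/auth/devstorage.read_only;https://www.googleapis.com/auth/logging.write\n'
  printf 'batch-1|app-sa@my-project.iam.gserviceaccount.com|https://www.googleapis.com/auth/cloud-platform\n'
}
sample_sql() {
  printf 'prod-db|True|10.0.0.0/8\n'
  printf 'legacy-db||0.0.0.0/0;10.1.0.0/16\n'
}
sample_gke() {
  printf 'prod-gke|\n'
  printf 'old-gke|True\n'
}

run_sample_audit() {
  sample_vms | check_default_sa_full_scope
  sample_sql | check_cloudsql_exposure
  sample_gke | check_gke_legacy_abac
}

run_sample_audit
echo "failures: $(run_sample_audit | count_failures)"
```

Against live projects, replace each `sample_*` function with the gcloud command shown in the comment above it; the filters are unchanged. Treating an absent `requireSsl` or `legacyAbac.enabled` as a finding only when the API omits the field is the point of the explicit string comparisons: an empty field is "not enforced" for SSL but "disabled" for ABAC, so each check has to know which default the API applies.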
Requirements
Hayat is written as a bash script using gcloud and is compatible with Linux and OSX.
Usage
git clone https://github.com/DenizParlak/Hayat.git && cd Hayat && chmod +x hayat.sh && ./hayat.sh
You can also run only specific functions, e.g. if you want to scan just Kubernetes Clusters:
./hayat.sh --only-kubernetes
Screenshots