๐จ GCP Security Baseline and Top Misconfigurations
Intro: GCP security often hinges on identity, organization policy, and data-perimeter thinking. Teams that only focus on firewall rules usually miss the more dangerous control failures.
What this page includes
- a practical GCP baseline
- top 10 GCP misconfigurations
- short remediation notes
- comments on attacker behavior in GCP
Recommended GCP baseline
Organization and identity
- define folders and project hierarchy intentionally
- use Cloud IAM with least privilege
- avoid primitive roles wherever possible
- use workload identity federation and service accounts carefully
- enforce org policies for high-risk behaviors
Visibility and posture
- enable Cloud Audit Logs appropriately
- activate Security Command Center at the right scope
- review IAM, storage, network, and service exposure regularly
- centralize monitoring and alerting
Network and data
- use VPC firewall rules carefully
- reduce public exposure
- understand the implications of default egress
- use VPC Service Controls for sensitive data perimeters where appropriate
- use Secret Manager and CMEK patterns where required
Top 10 GCP misconfigurations
| # | Misconfiguration | Why it is dangerous | Short fix |
|---|---|---|---|
| 1 | Use of primitive roles like Owner / Editor | Massive blast radius | Replace with scoped predefined or custom roles |
| 2 | Weak service account hygiene | Service account abuse enables persistence and lateral movement | Scope SA roles, reduce key usage, prefer federation |
| 3 | Service account keys left active | Key theft risk | Eliminate long-lived keys where possible |
| 4 | SCC not enabled or only partially enabled | Weak posture visibility | Activate and review findings centrally |
| 5 | Broad firewall rules or exposed services | Expanded network attack surface | Narrow source ranges and service exposure |
| 6 | Public buckets or weak storage policy | Data leakage path | Review IAM, ACLs, and public exposure controls |
| 7 | Missing org policy constraints | High-risk changes remain possible everywhere | Apply org policies for risky capabilities |
| 8 | Weak log coverage or retention | Harder investigation and weaker accountability | Centralize audit logs and protect sink targets |
| 9 | No data perimeter strategy for sensitive services | Easier exfiltration | Use VPC Service Controls where it fits |
| 10 | Poor project inventory and ownership | Findings go stale without action | Enforce labels, folders, and ownership maps |
Practical GCP checks
gcloud organizations list
gcloud projects list
gcloud asset search-all-iam-policies --scope=organizations/123456789
gcloud scc findings list organizations/123456789/sources/-
gcloud logging sinks list
gcloud compute firewall-rules list
Design comments
- Primitive roles are dangerous because they compress too much authority into a small number of grants.
- Security Command Center is more useful when activated at the right scope and tied to ownership.
- VPC Service Controls are not a generic firewall. They are a data perimeter tool and need careful scoping.
Official and primary references
- Google Cloud Security Command Center
- Cloud IAM
- Organization Policy
- Cloud Audit Logs
- CloudSecDocs Security Command Center and GCP VPC Security references