Introducing G-Scout

G-Scout is a tool to help assess the security of Google Cloud Platform (GCP) environment configurations. By leveraging the Google Cloud API, G-Scout automatically gathers a variety of configuration data and analyzes this data to determine security risks. It produces HTML output, which allows for convenient browsing of results.

The audited data relates to:

IAM roles

Compute engine instances

Storage buckets

Firewall rules

SQL and noSQL databases

Service account keys

G-Scout also allows users to create and customize rulesets simply by creating Python functions.

Google Cloud Configuration Reviews

Conducting a thorough security review of a Google Cloud Platform configuration can be extremely difficult. Clicking through the console to review details on potentially hundreds of projects, VMs, buckets and other services just isn’t feasible. Some important information isn’t even visible in the console. Manually crafting API calls and receiving an unfiltered JSON dump of the results for so many entities isn’t much better.

G-Scout aims to make that process much easier and more reliable. You tell it which projects you want to audit, and it will quickly make dozens of API calls to gather all security relevant information in one location. Then you can view the results in your browser, sorted by project, category, and security rules.

Using G-Scout is Easy

There are two ways for the project owner to grant API permissions.

User Account:

Use an account that holds the “Security Reviewer” role on the project (this may require enabling the Identity and Access Management (IAM) API, which can be done in the console). Approve the OAuth2 authorization request when prompted in your browser.

Service Account:

1. Go to the console service accounts page at https://console.cloud.google.com/iam-admin/serviceaccounts/project?project=project and create a service account.

2. Go to the IAM management console at https://console.cloud.google.com/iam-admin/iam/project?project=project and grant the “Security Reviewer” and “Viewer” roles to the service account created in step 1.

3. Generate a service account key from https://console.cloud.google.com/apis/credentials?project=project.

4. Place the JSON key file generated in step 3, named keyfile.json, in the application directory.

Treat keyfile.json as a credential: it grants read access to the whole project, so keep it out of version control and delete the key once the review is finished.

With either form of access in place, install the dependencies and run the application:

sudo pip install -r requirements.txt

python gscout.py "project" "project name"

The HTML report output will be in the HTML folder.

In the python command above, the first parameter is the literal string “project” or “organization”. The second parameter is the name of the project or the ID of the organization. You can also use a wildcard to run G-Scout against multiple projects at once, for example: python gscout.py "project" "dev-*"

To create a custom rule, add it to the rules.py file. A Rule object takes a name, a category, and a filter function. The function will be passed a json object corresponding to the category. To see an example for each category (some of which are altered from the standard API response), see the entity_samples.json file.

G-Scout is Open Source

You can find G-Scout at https://github.com/nccgroup/G-Scout. It’s free to use and modify.

Published date: 15 August 2017

Written by: Angelo Mellos