# Awesome GCP Security

## Reference Guides / Frameworks / Docs

[Security Foundations Blueprint](https://services.google.com/fh/files/misc/google-cloud-security-foundations-guide.pdf) - Official Google security best practices guide

[CIS Google Cloud Platform Foundation Benchmark](https://api.lacework.net/ui/documents/GCP_CIS_Foundation_Benchmark_v1.2.0.pdf) - Framework for secure GCP configuration published by the Center for Internet Security

[Terraform Example Foundation](https://github.com/terraform-google-modules/terraform-example-foundation) - Example repo showing how the CFT Terraform modules can be composed to build a secure GCP foundation, following the Google Cloud security foundations guide

[Container Scanning Overview](https://cloud.google.com/container-analysis/docs/container-scanning-overview) - Documentation for container scanning on GCP

[GKE PCI-DSS Blueprint](https://cloud.google.com/architecture/gke-pci-dss-blueprint) - Guide and Terraform that "demonstrate how to bootstrap a PCI environment in Google Cloud"

[Community Security Analytics](https://github.com/GoogleCloudPlatform/security-analytics) - Library of BigQuery and Chronicle queries for common security analytics use cases

[GCP Comics](https://gcpcomics.com/) - Collection of comics, mainly explaining GCP security concepts

## Feeds / Blogs

[Google Cloud - Security Bulletins](https://cloud.google.com/support/bulletins/index) - Official security bulletins

[Cloud IAM - Permissions Change Log](https://cloud.google.com/iam/docs/permissions-change-log) - Public release notes and changes to GCP IAM permissions

[Identity & Security Blog](https://cloud.google.com/blog/products/identity-security) - Official GCP Identity and Security Cloud Blog

[GCP API Change Log](https://gcpapichanges.com/) - Change log of GCP APIs

## Tools

[Forseti Security](https://forsetisecurity.org) - Resource monitoring and policy enforcement

[Domain Protect GCP](https://github.com/ovotech/domain-protect-gcp) - Scans Google Cloud DNS across a GCP Organization for domain records vulnerable to takeover

[GCP Compliance Mod](https://hub.steampipe.io/mods/turbot/gcp_compliance) - Steampipe mod to "run individual configuration, compliance and security controls or full compliance benchmarks for CIS, Forseti Security and CFT Scorecard for all your GCP projects."

[CloudSploit](https://github.com/aquasecurity/cloudsploit) - Compliance and security scanner with GCP support

[Project Lockdown](https://github.com/ScaleSec/project_lockdown) - Collection of "Cloud Functions designed to react to unsecure resource creations or configurations"

[Simple CSPM](https://simplecspm.com/) - Security audit tool for GCP built on Google Sheets

[Firebase Scanner](https://github.com/arxenix/firebase-scanner) - Tools for scanning Firebase projects

[Serverless Container Registry Proxy](https://github.com/ahmetb/serverless-registry-proxy) - Serverless reverse proxy to expose public or private container registries under a custom domain

[ScoutSuite](https://github.com/nccgroup/ScoutSuite) - Multi-cloud security-auditing tool, with GCP support

[IAM Privilege Escalation in GCP](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation) - Enumeration and exploit scripts for IAM privilege escalation

[GCP Lateral Movement Detector](https://github.com/orcasecurity/orca-toolbox/tree/main/GCP-Lateral-Movement-Detector) - Script to map out which GCP instances are able to access each other

[IAM Analyzer](https://github.com/jdyke/gcp-iam-analyzer) - Compare and analyze two IAM roles

[Starbase](https://github.com/JupiterOne/starbase) - Tool for building a GraphDB of your cloud infrastructure; supports GCP

[GCP Scanner](https://github.com/google/gcp_scanner) - Resource scanner to evaluate the access levels of known credentials