How to set up GCP CIS 1.2.0 Benchmark Inspec Profile tool for conducting CIS assessment

Priyam Singh

This post introduces the InSpec tool and walks through setting it up for learning purposes.

Introduction

This tool was created to help users assess the security posture of their Google Cloud environment against the CIS Benchmark. In this article we go through the steps to set up the GCP InSpec tool, first using Cloud Shell and then using the CLI.

Using Cloud Shell

Go to Cloud Shell and clone the InSpec repo: https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/GoogleCloudPlatform/inspec-gcp-cis-benchmark&page=editor&tutorial=walkthrough.md


  1. Once you click the Start button, you will see an introduction to InSpec; click Next.

  2. Next, install InSpec and click Next.

  3. Select the cloud project that you want to scan.

  4. Run the InSpec scan.

Authorize Cloud Shell to make the API calls on your behalf. After authorization the scan runs to completion.

Using CLI

Prerequisites

  1. Install and configure the Google Cloud SDK.

Download and install the SDK using the command below:

./google-cloud-sdk/install.sh

Steps for installation of Inspec

Let’s create the credentials file using the command below:

gcloud auth application-default login

If successful, a browser window opens for sign-in, and the credentials are saved once you authenticate.


Google Cloud documentation recommends using service accounts, although InSpec can also authenticate with user accounts.

Create the JSON credential file for a service account and save it on your system. Then set the environment variable below before running the InSpec tool:

export GOOGLE_APPLICATION_CREDENTIALS='path/<json credential file name>.json'

To use GCP resources in your tests, follow these steps:

  1. Create a profile for GCP:
inspec init profile --platform gcp my-profile

  2. Update inputs.yml to point to the project on which you want to run the tool.

  3. Run the InSpec tool and collect the output:
inspec exec . -t gcp:// --input-file inputs.yml
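As an added example that is not part of the original post or of the inspec-gcp-cis-benchmark project, the following POSIX shell script ties the CLI steps together: it checks that GOOGLE_APPLICATION_CREDENTIALS points at a readable service-account key (rather than user credentials), reads the project id from that key, writes inputs.yml and runs the scan. It assumes the profile takes the target project through an input named gcp_project_id and that the key is a standard service-account JSON file with a project_id field.

```shell
#!/bin/sh
# Added example; not from the original post or the inspec-gcp-cis-benchmark project.
# Assumption: the profile reads the target project from an input named gcp_project_id.

# check_credentials FILE -> 0 if FILE exists and looks like a service-account key
check_credentials() {
  f="$1"
  [ -n "$f" ] || { echo "GOOGLE_APPLICATION_CREDENTIALS is not set" >&2; return 1; }
  [ -r "$f" ] || { echo "credential file not readable: $f" >&2; return 1; }
  # User credentials (type "authorized_user") work with InSpec but are not recommended.
  grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$f" || {
    echo "not a service-account key: $f" >&2
    return 1
  }
}

# project_id_from_key FILE -> prints the project_id field of a service-account key
project_id_from_key() {
  sed -n 's/.*"project_id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# write_inputs OUTFILE PROJECT_ID -> writes the inputs.yml consumed by inspec exec
write_inputs() {
  printf 'gcp_project_id: %s\n' "$2" > "$1"
}

# run_scan: validate the key, write inputs.yml, then run the profile in the current
# directory against the project, keeping a JSON report beside the CLI output
run_scan() {
  check_credentials "$GOOGLE_APPLICATION_CREDENTIALS" || return 1
  pid=$(project_id_from_key "$GOOGLE_APPLICATION_CREDENTIALS")
  [ -n "$pid" ] || { echo "project_id missing from key file" >&2; return 1; }
  write_inputs inputs.yml "$pid"
  inspec exec . -t gcp:// --input-file inputs.yml --reporter cli json:report.json
}
```

Call run_scan from the cloned benchmark directory; it refuses to start when the key is missing, unreadable, or is a user credential.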