How to set up GCP CIS 1.2.0 Benchmark Inspec Profile tool for conducting CIS assessment

Introduction

This tool is created to help the users to assess their security posture on the Google Cloud against the CIS Benchmark. In this article we will go through the steps to setup AWS Inspec tool using Cloud Shell and Using the CLI in detail.

Using Cloud Shell

Go to the Cloud Shell and clone the inspec repohttps://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/GoogleCloudPlatform/inspec-gcp-cis-benchmark&page=editor&tutorial=walkthrough.md

1. Once you click on start button, you will see the introduction to inspec and click on Next

2. After this install inspec, then click on next.

3. Select the cloud project on which you want to scan

4. After this run the inspec scan

Authorize the cloud shell to make the API call

After authorization the scan will be complete

Using CLI

Prerequisites

1. Install and do the configuration of the Google cloud SDK.

Download and install the SDK using the command below:

./google-cloud-sdk/install.sh

Steps for installation of Inspec

Let’s create the credentials file using the below command

gcloud auth application-default login

If successful it will open the window, and the credentials will be saved.

Google Cloud documentation recommends using of service accounts. InSpec can use user accounts for authentication.

Create the json credential file for a service account and save in your system. After this set the ENV variable before running the Inspec tool.

export GOOGLE_APPLICATION_CREDENTIALS='path/<json credential file name>.json'

To use the GCP resources in your tests follow the following steps

1. Create a profile for GCP

inspec init profile --platform gcp my-profile

2. Update inputs.yml to point to the project to on which you want to run the tool.

3. After this run inspec tool and get the output

inspec exec . -t gcp:// --input-file inputs.yml