Infrastructure guidelines

Turn off serial port access by setting the compute.disableSerialPortAccess organization policy constraint. Disable serial port access on your Compute Engine VMs to help eliminate an access channel that bypasses your firewall rules and other network security controls. The interactive serial console is primarily intended for emergency troubleshooting, but, when you leave it enabled, you can create a persistent backdoor that can be targeted by attackers.

Disabling serial port access helps enforces a defense-in-depth security posture by forcing all administrative access through standard, audited pathways like SSH, which you can protect by enabling Identity and Access Management (IAM) and Identity-Aware Proxy (IAP).

Disable IPv6 external subnet creation unless specifically required. To reduce your attack surface, consider disabling IPv6 on systems and networks where it's not actively managed or required. Many organizations have mature security controls and monitoring for IPv4, but their tools and policies might not fully extend to IPv6, which can create a significant blind spot for threats. Running a dual-stack network also introduces operational complexity, requiring specific configurations and expertise to manage and troubleshoot effectively. Therefore, if you don't have a clear business driver for IPv6, disabling it can simplify your environment and ensure all traffic is consistently filtered through your established IPv4 security posture.

Turn on the virtual trusted platform module (vTPM) and integrity monitoring attributes of Shielded VM for your instances. vTPM and integrity monitoring attributes are part of the default VM instance creation process. Use the vTPM and integrity monitoring attributes of Shielded VM to help ensure that your VMs boot only with trusted, unmodified code.

The vTPM provides a secure, virtual cryptoprocessor that generates and stores cryptographic measurements of the entire boot sequence, from the UEFI firmware to the kernel drivers. Integrity monitoring then continuously compares these runtime measurements against a known-good baseline established when the VM was first created.

These features provide a verifiable chain of trust and automatically alert you or take action if they detect any malicious modifications, like those from a bootkit or rootkit. Shielded VM features help to maintain your workload's integrity from the moment that the instance powers on.

Use Google Kubernetes Engine (GKE) Autopilot clusters. Autopilot clusters offer robust security measures, with many security best practices for container or GKE enabled by default.

Use least-privilege Identity and Access Management (IAM) service accounts for Google Kubernetes Engine (GKE) clusters and nodes. Access to the GKE control plane is restricted a single DNS-based endpoint. Implementing least privilege significantly reduces the attack surface without the need for additional firewall rules or bastion hosts.

Restrict network access to the control plane using a DNS-based endpoint. The control plane is the management center for a Kubernetes cluster, and exposing it to the internet makes it a prime target for attackers. This setting makes the control plan private and removes it from the internet.

Restricting control plane access helps ensure that only trusted devices within your organization's private network can manage the cluster, drastically reducing the risk of an external attack.

Use Container-Optimized OS to implement a hardened and managed container OS. General-purpose operating systems include many extra programs that aren't needed to run containers and therefore create a larger, unnecessary target for attackers. Container-Optimized OS is a minimal, locked-down operating system that significantly reduces this attack surface by including only what is necessary. As a managed OS, Container-Optimized OS also has security patches that are automatically applied by Google, which help ensure critical vulnerabilities are fixed and reduces your operational workload.

If you let developers access Compute Engine resources using SSH, configure OS Login with 2-step verification. Use OS Login to manage SSH keys with Identity and Access Management (IAM) policies by setting the compute.requireOsLogin organization policy constraint. OS Login centralizes VM access by tying SSH permissions to a user's Google identity and IAM roles, eliminating the need to manage individual SSH keys on each machine.

Tying SSH permissions to a user's identity is crucial for security because removing a user's IAM role instantly revokes their access across all instances, protecting against unauthorized entry from stale accounts. The system simplifies key management to help prevent key sprawl and provides a clear, centralized audit trail for all login events in Cloud Audit Logs. OS Login also lets you enforce two-factor authentication, adding a critical layer of protection against stolen SSH keys and credentials. An attacker with compromised OAuth tokens but no password or security key is blocked by this feature.

Unless needed, prevent the creation of Compute Engine instances with public IP addresses. The compute.vmExternalIpAccess list constraint defines the set of Compute Engine VM instances that can have external IP addresses.

Prevent Compute Engine instances from having external IP addresses to drastically reduce their exposure to the internet. Any instance with an external IP address is immediately discoverable and becomes a direct target for automated scans, brute-force attacks, and attempts to exploit vulnerabilities. Instead, require instances to use private IP addresses and manage access through controlled, authenticated, and logged pathways like the Identity-Aware Proxy (IAP) tunnel or a bastion host.

Adopting this deny-by-default posture is a foundational security best practice that helps minimize your attack surface and enforces a zero-trust approach to your network. This constraint isn't retroactive.

Use Workload Identity Federation for GKE to authenticate to Google Cloud APIs from Google Kubernetes Engine (GKE) workloads. Workload Identity Federation for GKE provides a simpler and safer way to obtain identities to call Google Cloud APIs than service account keys.

Create private nodes to reduce internet exposure. Private Google Kubernetes Engine (GKE) nodes help reduce internet exposure by ensuring GKE nodes don't have a public IP address.

Use Google Groups for role-based access control (RBAC), which also lets you integrate with your existing user account management practices, such as revoking access when someone leaves your organization. Google Groups for RBAC helps provide efficient management of cluster access using Identity and Access Management (IAM) and Google Groups, which is suitable for most organizations that use Google Groups.

Use GKE Sandbox to provide an extra layer of security to help prevent untrusted code from affecting the host kernel on your Google Kubernetes Engine (GKE) cluster nodes. GKE Sandbox enhances workload isolation for untrusted or sensitive workloads, providing an additional layer of protection against container escape attacks.

Use Binary Authorization to make sure trusted images are deployed to Google Kubernetes Engine (GKE). Binary Authorization helps ensure that only verified and trusted container images can be deployed in your clusters, strengthening software supply chain security.

Use Confidential GKE Nodes to enforce encryption of data in-use in your nodes and workloads. Confidential GKE Nodes help secure highly sensitive workloads by encrypting data in use through confidential computing.

Run your own certificate authorities to manage keys within Google Kubernetes Engine (GKE). Using your own certificate authorities offers greater control over cryptographic operations. To request access to this feature, contact your Google Cloud account team.

Encrypt Kubernetes Secrets at rest using Cloud Key Management Service (Cloud KMS) managed keys. Cloud KMS provides an additional layer of security for etcd data by letting you encrypt Kubernetes Secrets with a key that you own and manage.

Use customer-managed encryption keys (CMEK) for node boot disk encryption. CMEK lets you encrypt a Kubernetes node's boot disk with a key that you own and manage.