---
name: gcp-security-scanner
description: GCP security configuration scanning and hardening using Security Command Center, Forseti and ScoutSuite
allowed-tools:
- Bash
- Read
- Write
- Glob
- Grep
- WebFetch
---

# GCP Security Scanner Skill
## Purpose

Automated security configuration scanning and hardening for Google Cloud Platform, identifying misconfigurations, compliance violations and security risks across GCP projects and organizations.

## Capabilities

### Security Command Center Integration
- Pull findings from GCP Security Command Center (SCC)
- Review vulnerability and threat findings
- Check Security Health Analytics results
- Monitor Event Threat Detection alerts (a Premium-tier SCC service)
- Track Container Threat Detection findings (a Premium-tier SCC service)
- Generate compliance reports
### IAM Security Analysis
- Analyze IAM policies for over-permissive access (public principals such as allUsers, basic roles such as roles/owner and roles/editor)
- Check service account key usage and rotation
- Identify excessive permissions
- Review organization policy constraints
- Detect cross-project access
- Audit IAM Recommender suggestions
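The IAM checks above can be run offline against exported policy JSON. The following is an added example written for this page (it is not code from the skill or from any of the tools it lists). It consumes the output of `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam service-accounts keys list --iam-account=SA --managed-by=user --format=json`; the sample policy and key records are constructed, and the 90-day key age limit, the check IDs and the severities are this example's own assumptions.

```python
"""Review a project IAM policy and user-managed service-account keys for common risks.

Added example for this skill page, not the project's code. Sample data is constructed;
the 90-day limit, check IDs and severities are assumptions.
"""
from datetime import datetime, timedelta, timezone

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
BASIC_ROLES = {"roles/owner", "roles/editor"}  # broad legacy roles; avoid on workloads


def analyze_iam_policy(policy):
    """Return findings for public principals and basic roles in the policy bindings."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append({"checkId": "iam-public-principal", "severity": "critical",
                                 "member": member, "role": role,
                                 "remediation": f"Remove {member} from {role}"})
            elif role in BASIC_ROLES:
                # A basic role on a service account is a ready-made privilege-escalation path.
                sev = "critical" if member.startswith("serviceAccount:") else "high"
                findings.append({"checkId": "iam-basic-role", "severity": sev,
                                 "member": member, "role": role,
                                 "remediation": f"Replace {role} with a predefined or custom role"})
    return findings


def stale_service_account_keys(keys, now, max_age_days=90):
    """Return user-managed keys older than max_age_days, oldest first."""
    stale = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue  # Google-managed keys are rotated by Google
        created = datetime.fromisoformat(key["validAfterTime"].replace("Z", "+00:00"))
        age = now - created
        if age > timedelta(days=max_age_days):
            stale.append({"checkId": "iam-sa-key-age", "severity": "high",
                          "key": key["name"], "ageDays": age.days,
                          "remediation": "Rotate the key, or replace it with Workload Identity / impersonation"})
    return sorted(stale, key=lambda f: -f["ageDays"])


SA = "serviceAccount:ci@my-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {  # constructed sample, shaped like `gcloud projects get-iam-policy`
    "version": 1,
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com", SA]},
        {"role": "roles/viewer", "members": ["allUsers"]},
        {"role": "roles/compute.viewer", "members": ["group:devs@example.com"]},
    ],
}
KEY_PREFIX = "projects/my-project/serviceAccounts/ci@my-project.iam.gserviceaccount.com/keys/"
SAMPLE_KEYS = [  # constructed sample, shaped like `gcloud iam service-accounts keys list`
    {"name": KEY_PREFIX + "0a1b", "keyType": "USER_MANAGED",
     "validAfterTime": "2023-11-01T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": KEY_PREFIX + "2c3d", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-05-20T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": KEY_PREFIX + "4e5f", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2023-01-01T00:00:00Z", "validBeforeTime": "2023-01-15T00:00:00Z"},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the example is deterministic

if __name__ == "__main__":
    for f in analyze_iam_policy(SAMPLE_POLICY) + stale_service_account_keys(SAMPLE_KEYS, NOW):
        print(f["severity"].upper(), f["checkId"], f.get("member") or f.get("key"), "->", f["remediation"])
```

Pass a fixed `now` rather than reading the clock inside the function so results are reproducible in reports and tests. Keys with a finite `validBeforeTime` (here the SYSTEM_MANAGED one) are skipped because Google rotates them.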
### VPC Firewall Analysis
- Review firewall rules for over-permissive access (ingress allowed from 0.0.0.0/0 or ::/0)
- Check for open administrative ports (SSH, RDP, database ports)
- Validate VPC Service Controls
- Review Shared VPC configuration
- Check Private Google Access settings
- Analyze VPC Flow Logs configuration
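The first two firewall checks, as an added example written for this page (not the skill's or any listed tool's code). It reads the JSON from `gcloud compute firewall-rules list --format=json`; the rules below are constructed, and the set of "admin" ports and the severities are this example's assumptions.

```python
"""Flag enabled ingress allow-rules that expose admin ports, or every port, to the internet.

Added example for this skill page, not the project's code. Sample rules are constructed;
ADMIN_PORTS and the severities are assumptions.
"""
import ipaddress

ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 5900: "vnc", 6379: "redis"}


def _is_unrestricted(cidr):
    """True for 0.0.0.0/0 or ::/0 (prefix length 0 matches every address)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _port_in_spec(port, spec):
    """spec is a Compute Engine port string: '22' or '1000-2000'."""
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return port == int(spec)


def analyze_firewall_rules(rules):
    findings = []
    for rule in rules:
        # Only enabled INGRESS rules with an unrestricted source range are in scope;
        # deny rules, egress rules and disabled rules are skipped.
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if not any(_is_unrestricted(r) for r in rule.get("sourceRanges", [])):
            continue
        for allowed in rule.get("allowed", []):
            proto = allowed.get("IPProtocol", "all").lower()
            ports = allowed.get("ports", [])
            if proto == "all" or (proto in ("tcp", "udp") and not ports):
                findings.append({"checkId": "fw-open-all", "severity": "critical", "rule": rule["name"],
                                 "detail": f"{proto} on all ports from an unrestricted source",
                                 "remediation": "Restrict sourceRanges or delete the rule"})
                continue
            exposed = sorted(name for port, name in ADMIN_PORTS.items()
                             if any(_port_in_spec(port, s) for s in ports))
            if proto == "tcp" and exposed:
                findings.append({"checkId": "fw-open-admin-port", "severity": "high", "rule": rule["name"],
                                 "detail": f"{', '.join(exposed)} from an unrestricted source",
                                 "remediation": "Restrict sourceRanges to a bastion/VPN, or use IAP TCP forwarding"})
    return findings


SAMPLE_RULES = [  # constructed sample, shaped like `gcloud compute firewall-rules list --format=json`
    {"name": "default-allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-all-internal", "direction": "INGRESS", "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "wide-open", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "web", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "dev-range", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},  # range silently includes 3306
    {"name": "old-rdp", "direction": "INGRESS", "disabled": True, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "egress-any", "direction": "EGRESS", "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    for f in analyze_firewall_rules(SAMPLE_RULES):
        print(f["severity"].upper(), f["rule"], f["detail"])
```

Port ranges are the usual blind spot: `3000-4000` looks like a dev-only allowance but covers MySQL. The example does not model `targetTags`/`targetServiceAccounts` or higher-priority deny rules, so treat its output as candidates to confirm against the effective policy of each instance.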
### Cloud Storage Security
- Identify publicly accessible buckets
- Check bucket IAM policies
- Verify uniform bucket-level access
- Review bucket encryption settings
- Check access logging configuration
- Verify retention policies
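All six bucket checks in one pass, as an added example written for this page (not the skill's or any listed tool's code). Bucket records follow the Cloud Storage JSON API bucket resource fields (`iamConfiguration`, `encryption`, `logging`, `retentionPolicy`); bucket IAM policies follow the standard policy shape returned by `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`. The records are constructed and the check IDs and severities are this example's assumptions.

```python
"""Audit Cloud Storage buckets for public access and missing hardening settings.

Added example for this skill page, not the project's code. Bucket records use JSON API
bucket resource fields; sample data is constructed; severities are assumptions.
"""
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def audit_bucket(bucket, policy):
    name = bucket["name"]
    iam_cfg = bucket.get("iamConfiguration", {})
    pap_enforced = iam_cfg.get("publicAccessPrevention") == "enforced"
    ubla = iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled", False)
    findings = []

    public_roles = sorted({b["role"] for b in policy.get("bindings", [])
                           if PUBLIC_MEMBERS & set(b.get("members", []))})
    if public_roles:
        # Public Access Prevention blocks these grants, but they remain latent risk
        # (a single org-policy change would make the bucket public again).
        findings.append(("gcs-public-binding", "low" if pap_enforced else "critical",
                         f"{name}: {', '.join(public_roles)} granted to a public principal"
                         + (" (blocked by publicAccessPrevention=enforced)" if pap_enforced else "")))
    if not pap_enforced:
        findings.append(("gcs-pap-not-enforced", "medium", f"{name}: publicAccessPrevention is not enforced"))
    if not ubla:
        findings.append(("gcs-ubla-disabled", "medium",
                         f"{name}: uniform bucket-level access disabled, legacy object ACLs still apply"))
    if not bucket.get("encryption", {}).get("defaultKmsKeyName"):
        findings.append(("gcs-no-cmek", "low", f"{name}: no default Cloud KMS key (Google-managed encryption only)"))
    if not bucket.get("logging", {}).get("logBucket"):
        findings.append(("gcs-no-access-logs", "medium", f"{name}: usage/access logging not configured"))
    if not bucket.get("retentionPolicy"):
        findings.append(("gcs-no-retention", "low", f"{name}: no retention policy"))
    return [{"checkId": c, "severity": s, "resourceName": name, "description": d} for c, s, d in findings]


def audit_buckets(buckets, policies):
    """policies maps bucket name -> IAM policy. Findings are returned most severe first."""
    out = []
    for bucket in buckets:
        out.extend(audit_bucket(bucket, policies.get(bucket["name"], {})))
    return sorted(out, key=lambda f: SEVERITY_RANK[f["severity"]])


HARDENED = {  # constructed settings reused by two sample buckets
    "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True}, "publicAccessPrevention": "enforced"},
    "encryption": {"defaultKmsKeyName": "projects/my-project/locations/us/keyRings/gcs/cryptoKeys/buckets"},
    "logging": {"logBucket": "my-project-access-logs", "logObjectPrefix": "gcs"},
    "retentionPolicy": {"retentionPeriod": "2592000", "isLocked": True},
}
SAMPLE_BUCKETS = [  # constructed
    {"name": "public-assets",
     "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False}, "publicAccessPrevention": "inherited"}},
    {"name": "locked-down", **HARDENED},
    {"name": "pap-shielded", **HARDENED},
]
SAMPLE_POLICIES = {  # constructed
    "public-assets": {"bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]},
    "locked-down": {"bindings": [{"role": "roles/storage.objectViewer", "members": ["group:app@example.com"]}]},
    "pap-shielded": {"bindings": [{"role": "roles/storage.objectViewer", "members": ["allAuthenticatedUsers"]}]},
}

if __name__ == "__main__":
    for f in audit_buckets(SAMPLE_BUCKETS, SAMPLE_POLICIES):
        print(f["severity"].upper(), f["checkId"], f["description"])
```

Note the `pap-shielded` case: the public binding is real but neutralised by `publicAccessPrevention=enforced`, so it is reported at low severity rather than dropped. `allAuthenticatedUsers` is treated as public because any Google account qualifies.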
### Cloud KMS Configuration
- Review key ring and key configuration
- Check key rotation policies (automatic rotation applies to symmetric keys only)
- Verify IAM policies on keys
- Review HSM key protection levels
- Check Cloud External Key Manager (EKM) usage
- Audit key access patterns
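The rotation, protection-level and key-IAM checks, as an added example written for this page (not the skill's or any listed tool's code). Key records use the JSON from `gcloud kms keys list --keyring=RING --location=LOC --format=json`; key IAM policies use the standard policy shape from `gcloud kms keys get-iam-policy`. The records are constructed; the 90-day rotation limit, the optional HSM requirement, the check IDs and the severities are this example's assumptions.

```python
"""Check Cloud KMS keys for missing or slow rotation, protection level and risky IAM.

Added example for this skill page, not the project's code. Sample data is constructed;
the 90-day limit, HSM requirement and severities are assumptions.
"""
MAX_ROTATION_SECONDS = 90 * 24 * 3600
ADMIN_ROLE = "roles/cloudkms.admin"
USE_ROLES = {"roles/cloudkms.cryptoKeyEncrypterDecrypter", "roles/cloudkms.cryptoKeyEncrypter",
             "roles/cloudkms.cryptoKeyDecrypter", "roles/cloudkms.signer"}


def _seconds(duration):
    """'7776000s' -> 7776000 (the API returns durations as seconds with an 's' suffix)."""
    return int(duration.rstrip("s"))


def audit_key(key, policy, require_hsm=False):
    name = key["name"].rsplit("/", 1)[-1]
    findings = []
    if key.get("purpose") == "ENCRYPT_DECRYPT":  # automatic rotation exists only for symmetric keys
        period = key.get("rotationPeriod")
        if not period:
            findings.append(("kms-no-rotation", "high", f"{name}: symmetric key has no rotation schedule"))
        elif _seconds(period) > MAX_ROTATION_SECONDS:
            findings.append(("kms-slow-rotation", "medium",
                             f"{name}: rotation period {_seconds(period) // 86400} days exceeds 90"))
    level = key.get("versionTemplate", {}).get("protectionLevel", "SOFTWARE")
    if require_hsm and level not in ("HSM", "EXTERNAL", "EXTERNAL_VPC"):
        findings.append(("kms-protection-level", "low", f"{name}: protection level {level}, policy requires HSM/EKM"))
    state = key.get("primary", {}).get("state")  # asymmetric keys have no primary version
    if state not in (None, "ENABLED"):
        findings.append(("kms-primary-not-enabled", "medium", f"{name}: primary version state is {state}"))

    roles_by_member = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            roles_by_member.setdefault(member, set()).add(binding["role"])
    for member, roles in sorted(roles_by_member.items()):
        if member in ("allUsers", "allAuthenticatedUsers"):
            findings.append(("kms-public-principal", "critical", f"{name}: {member} holds {', '.join(sorted(roles))}"))
        elif ADMIN_ROLE in roles and roles & USE_ROLES:
            # One identity that can both manage the key and use it defeats separation of duties.
            findings.append(("kms-admin-and-use", "high", f"{name}: {member} holds {ADMIN_ROLE} and a use role"))
    return [{"checkId": c, "severity": s, "description": d} for c, s, d in findings]


def audit_keys(keys, policies, require_hsm=False):
    """policies maps full key resource name -> IAM policy."""
    out = []
    for key in keys:
        out.extend(audit_key(key, policies.get(key["name"], {}), require_hsm))
    return out


RING = "projects/my-project/locations/global/keyRings/app-ring/cryptoKeys/"
SYM = {"protectionLevel": "SOFTWARE", "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION"}
SAMPLE_KEYS = [  # constructed, shaped like `gcloud kms keys list --format=json`
    {"name": RING + "app-data", "purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "7776000s",
     "versionTemplate": {**SYM, "protectionLevel": "HSM"}, "primary": {"state": "ENABLED"}},
    {"name": RING + "legacy", "purpose": "ENCRYPT_DECRYPT",
     "versionTemplate": SYM, "primary": {"state": "ENABLED"}},
    {"name": RING + "slow", "purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "31536000s",
     "versionTemplate": SYM, "primary": {"state": "ENABLED"}},
    {"name": RING + "signing", "purpose": "ASYMMETRIC_SIGN",
     "versionTemplate": {"protectionLevel": "HSM", "algorithm": "EC_SIGN_P256_SHA256"}},
]
SAMPLE_POLICIES = {  # constructed
    RING + "app-data": {"bindings": [
        {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
         "members": ["serviceAccount:app@my-project.iam.gserviceaccount.com"]},
        {"role": ADMIN_ROLE, "members": ["group:kms-admins@example.com"]}]},
    RING + "legacy": {"bindings": [
        {"role": ADMIN_ROLE, "members": ["user:bob@example.com"]},
        {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter", "members": ["user:bob@example.com"]}]},
    RING + "signing": {"bindings": [{"role": "roles/cloudkms.signer", "members": ["allAuthenticatedUsers"]}]},
}

if __name__ == "__main__":
    for f in audit_keys(SAMPLE_KEYS, SAMPLE_POLICIES, require_hsm=True):
        print(f["severity"].upper(), f["checkId"], f["description"])
```

`app-data` passes: rotation exactly at the limit, HSM-backed, and the admin group is distinct from the using service account. The asymmetric `signing` key is deliberately not flagged for rotation (KMS offers no automatic rotation for it) but is flagged for its public signer binding.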
### Audit Logging Verification
- Validate Cloud Audit Logs configuration
- Check Data Access logs (off by default, unlike Admin Activity logs)
- Review Admin Activity logs
- Validate log export (sink) configuration
- Check Cloud Logging retention
- Verify alerting policies
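The Data Access, export and retention checks above, as an added example written for this page (not the skill's or any listed tool's code). It reads `auditConfigs` from `gcloud projects get-iam-policy PROJECT --format=json`, sinks from `gcloud logging sinks list --format=json` and log buckets from `gcloud logging buckets list --format=json`. The records are constructed; the 365-day retention expectation, the check IDs and the severities are this example's assumptions.

```python
"""Verify Data Access audit log configuration, a catch-all log sink, and log retention.

Added example for this skill page, not the project's code. Sample data is constructed;
the retention expectation and severities are assumptions.
"""
REQUIRED_LOG_TYPES = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}  # Admin Activity logs are always on


def _finding(check_id, severity, description):
    return {"checkId": check_id, "severity": severity, "description": description}


def audit_data_access_logs(policy):
    """Data Access logs must be enabled for allServices with no exempted members."""
    findings = []
    configs = {c["service"]: c.get("auditLogConfigs", []) for c in policy.get("auditConfigs", [])}
    default = configs.get("allServices")
    if default is None:
        findings.append(_finding("audit-no-default-config", "high",
                                 "no auditConfig for allServices: Data Access logs are off by default"))
    else:
        missing = REQUIRED_LOG_TYPES - {c["logType"] for c in default}
        if missing:
            findings.append(_finding("audit-missing-log-types", "high",
                                     f"allServices lacks {', '.join(sorted(missing))}"))
    for service, cfgs in configs.items():
        for c in cfgs:
            if c.get("exemptedMembers"):  # exemptions silently blind the log for those principals
                findings.append(_finding("audit-exempted-members", "medium",
                                         f"{service}/{c['logType']} exempts {', '.join(c['exemptedMembers'])}"))
    return findings


def audit_log_export(sinks, log_buckets, min_retention_days=365):
    findings = []
    # A sink with an empty filter exports every log entry; that is the "catch-all" sink.
    if not any(not s.get("filter") for s in sinks):
        findings.append(_finding("audit-no-catchall-sink", "medium",
                                 "no sink exports all log entries (every sink has a filter)"))
    for b in log_buckets:
        bname = b["name"].rsplit("/", 1)[-1]
        days = b.get("retentionDays", 30)
        if days < min_retention_days:
            findings.append(_finding("audit-short-retention", "low",
                                     f"{bname}: retention {days} days < {min_retention_days}"))
        if not b.get("locked"):
            findings.append(_finding("audit-bucket-unlocked", "low",
                                     f"{bname}: bucket not locked, retention can be shortened"))
    return findings


SAMPLE_POLICY = {"bindings": [], "auditConfigs": [  # constructed
    {"service": "allServices", "auditLogConfigs": [{"logType": "ADMIN_READ"}, {"logType": "DATA_WRITE"}]},
    {"service": "storage.googleapis.com",
     "auditLogConfigs": [{"logType": "DATA_READ", "exemptedMembers": ["user:bob@example.com"]}]},
]}
SAMPLE_SINKS = [  # constructed, shaped like `gcloud logging sinks list --format=json`
    {"name": "_Default", "filter": 'NOT LOG_ID("cloudaudit.googleapis.com/activity")',
     "destination": "logging.googleapis.com/projects/my-project/locations/global/buckets/_Default"},
    {"name": "errors-to-bq", "filter": "severity>=ERROR",
     "destination": "bigquery.googleapis.com/projects/my-project/datasets/errors"},
]
SAMPLE_BUCKETS = [  # constructed, shaped like `gcloud logging buckets list --format=json`
    {"name": "projects/my-project/locations/global/buckets/_Default", "retentionDays": 30, "locked": False},
    {"name": "projects/my-project/locations/global/buckets/_Required", "retentionDays": 400, "locked": True},
]

if __name__ == "__main__":
    for f in audit_data_access_logs(SAMPLE_POLICY) + audit_log_export(SAMPLE_SINKS, SAMPLE_BUCKETS):
        print(f["severity"].upper(), f["checkId"], f["description"])
```

The missing `DATA_READ` on `allServices` is the common gap; a per-service entry like the `storage.googleapis.com` one does not compensate for it, and its exemption is reported separately. Retention expectations depend on your compliance framework, which is why `min_retention_days` is a parameter.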
### Organization Policy Evaluation
- Review organization policy constraints
- Check service restriction policies
- Validate resource location constraints
- Review VM external IP restrictions
- Check service account creation and key creation policies
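A compact evaluator for the constraints listed above, as an added example written for this page (not the skill's or any listed tool's code). Input is a list of effective policies in the v1 shape returned by `gcloud resource-manager org-policies describe CONSTRAINT --project=PROJECT --effective --format=json`; a constraint absent from the list is at its default, which for these constraints means not enforced. The baseline, the records and the severities are this example's assumptions.

```python
"""Evaluate effective organization policy constraints against a required baseline.

Added example for this skill page, not the project's code. BASELINE, sample records and
severities are assumptions.
"""
# constraint -> (policy kind, what "enforced" means for a list constraint)
BASELINE = {
    "constraints/iam.disableServiceAccountKeyCreation": ("boolean", None),
    "constraints/compute.vmExternalIpAccess": ("list", "DENY_ALL"),     # no VM may have an external IP
    "constraints/compute.skipDefaultNetworkCreation": ("boolean", None),
    "constraints/gcp.resourceLocations": ("list", "ALLOW_LIST"),        # explicit allowed locations
}


def is_enforced(policy, kind, mode):
    if kind == "boolean":
        return bool(policy.get("booleanPolicy", {}).get("enforced"))
    list_policy = policy.get("listPolicy", {})
    if mode == "DENY_ALL":
        return list_policy.get("allValues") == "DENY"
    # ALLOW_LIST: an explicit allowedValues list restricts values; allValues ALLOW or nothing does not.
    return bool(list_policy.get("allowedValues")) and list_policy.get("allValues") != "ALLOW"


def evaluate_org_policies(effective_policies):
    by_name = {p["constraint"]: p for p in effective_policies}
    findings = []
    for constraint, (kind, mode) in BASELINE.items():
        policy = by_name.get(constraint)
        if policy is None:
            findings.append({"constraint": constraint, "status": "missing", "severity": "medium",
                             "remediation": "Set the constraint at the organization or folder level"})
        elif not is_enforced(policy, kind, mode):
            findings.append({"constraint": constraint, "status": "not-enforced", "severity": "high",
                             "remediation": "Enforce the constraint; check for project-level overrides"})
    return findings


SAMPLE_POLICIES = [  # constructed, v1 org-policy shape
    {"constraint": "constraints/iam.disableServiceAccountKeyCreation", "booleanPolicy": {"enforced": True}},
    {"constraint": "constraints/compute.vmExternalIpAccess", "listPolicy": {"allValues": "DENY"}},
    {"constraint": "constraints/compute.skipDefaultNetworkCreation", "booleanPolicy": {}},
]

if __name__ == "__main__":
    for f in evaluate_org_policies(SAMPLE_POLICIES):
        print(f["severity"].upper(), f["constraint"], f["status"], "->", f["remediation"])
```

Use the `--effective` view rather than the policies set directly on the project, otherwise a constraint inherited from the folder shows up as "missing" and a project-level override that relaxes an inherited constraint is missed.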
## GCP Services Covered

| Category | Services |
|---|---|
| Identity | IAM, Cloud Identity, Workforce Identity Federation |
| Compute | Compute Engine, GKE, Cloud Run, Cloud Functions |
| Storage | Cloud Storage, Persistent Disk |
| Databases | Cloud SQL, Spanner, BigQuery, Firestore |
| Networking | VPC, Cloud Firewall, Cloud Armor, Cloud CDN |
| Security | Security Command Center, Cloud KMS, BeyondCorp |
| Monitoring | Cloud Logging, Cloud Monitoring, Cloud Audit Logs |
## Integrations

- Security Command Center: GCP-native CSPM
- Forseti Security: open-source GCP security toolkit (the upstream project is no longer actively maintained; prefer Security Command Center for new deployments)
- ScoutSuite: multi-cloud security auditing
- Cloud Asset Inventory: resource visibility
- IAM Recommender: permission right-sizing

## Target Workflows

- Cloud security architecture review
- Compliance monitoring
- GCP project hardening
- Security posture assessment
## Input Schema

```json
{
  "type": "object",
  "properties": {
    "scanType": {
      "type": "string",
      "enum": ["full", "cis", "pci", "hipaa", "iso27001", "custom"],
      "description": "Type of security scan"
    },
    "projects": {
      "type": "array",
      "items": { "type": "string" },
      "description": "GCP project IDs to scan"
    },
    "organization": {
      "type": "string",
      "description": "GCP organization ID for organization-wide scans"
    },
    "services": {
      "type": "array",
      "items": { "type": "string" },
      "description": "Specific services to scan"
    },
    "severityThreshold": {
      "type": "string",
      "enum": ["critical", "high", "medium", "low"],
      "description": "Minimum severity to report"
    },
    "complianceFrameworks": {
      "type": "array",
      "items": {
        "type": "string",
        "enum": ["CIS", "PCI-DSS", "HIPAA", "ISO27001", "SOC2", "NIST"]
      }
    },
    "includeSCC": {
      "type": "boolean",
      "description": "Include Security Command Center findings"
    }
  },
  "required": ["scanType"]
}
```
## Output Schema

```json
{
  "type": "object",
  "properties": {
    "scanId": {
      "type": "string"
    },
    "scanTimestamp": {
      "type": "string",
      "format": "date-time"
    },
    "projectsScanned": {
      "type": "array"
    },
    "organizationId": {
      "type": "string"
    },
    "summary": {
      "type": "object",
      "properties": {
        "totalChecks": { "type": "integer" },
        "passed": { "type": "integer" },
        "failed": { "type": "integer" },
        "warnings": { "type": "integer" }
      }
    },
    "findingsBySeverity": {
      "type": "object",
      "properties": {
        "critical": { "type": "integer" },
        "high": { "type": "integer" },
        "medium": { "type": "integer" },
        "low": { "type": "integer" }
      }
    },
    "findings": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "checkId": { "type": "string" },
          "severity": { "type": "string" },
          "service": { "type": "string" },
          "project": { "type": "string" },
          "resourceName": { "type": "string" },
          "description": { "type": "string" },
          "remediation": { "type": "string" },
          "complianceMapping": { "type": "array" }
        }
      }
    },
    "sccFindings": {
      "type": "array"
    },
    "organizationPolicyStatus": {
      "type": "object"
    },
    "recommendations": {
      "type": "array",
      "items": { "type": "string" }
    }
  }
}
```
## Usage Example

```javascript
skill: {
  name: 'gcp-security-scanner',
  context: {
    scanType: 'cis',
    projects: ['my-project-id'],
    complianceFrameworks: ['CIS', 'SOC2'],
    includeSCC: true,
    severityThreshold: 'medium'
  }
}
```