npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
When to Use
- When protecting Google Cloud applications (App Engine, Cloud Run, GKE, Compute Engine) with identity-based access
- When implementing context-aware access requiring device posture and location verification
- When providing secure access to internal tools without VPN or public IP exposure
- When needing per-request authentication and authorization for web applications and TCP services
- When configuring programmatic access to IAP-protected resources using service accounts
Do not use for non-HTTP applications that cannot be placed behind an HTTPS load balancer, for public-facing applications that need unauthenticated access, or when applications handle their own authentication and IAP would conflict with existing auth flows.
Prerequisites
- Google Cloud project with billing enabled
- IAP API enabled (
gcloud services enable iap.googleapis.com) - Application deployed behind HTTPS Load Balancer, App Engine, or Cloud Run
- Cloud Identity or Google Workspace for user management
- Access Context Manager API enabled for access levels
- OAuth consent screen configured for the project
Workflow
Step 1: Enable IAP on Backend Services
Configure IAP for different GCP compute platforms.
# Enable required APIs
gcloud services enable iap.googleapis.com
gcloud services enable accesscontextmanager.googleapis.com
# Create OAuth consent screen
gcloud iap oauth-brands create \
--application_title="Internal Applications" \
--support_email=security@company.com
# Create OAuth client
gcloud iap oauth-clients create \
projects/PROJECT_ID/brands/BRAND_ID \
--display_name="IAP Web Client"
# === Enable IAP on Compute Engine Backend Service ===
gcloud compute backend-services update my-backend-service \
--iap=enabled,oauth2-client-id=CLIENT_ID,oauth2-client-secret=CLIENT_SECRET \
--global
# === Enable IAP on App Engine ===
gcloud iap web enable \
--resource-type=app-engine \
--oauth2-client-id=CLIENT_ID \
--oauth2-client-secret=CLIENT_SECRET
# === Enable IAP on Cloud Run ===
# First grant IAP service account the Cloud Run Invoker role
gcloud run services add-iam-policy-binding my-service \
--member="serviceAccount:service-PROJECT_NUM@gcp-sa-iap.iam.gserviceaccount.com" \
--role="roles/run.invoker" \
--region=us-central1
# Enable IAP on the Cloud Run backend service
gcloud compute backend-services update my-cloud-run-backend \
--iap=enabled,oauth2-client-id=CLIENT_ID,oauth2-client-secret=CLIENT_SECRET \
--global
# === Enable IAP TCP Forwarding for SSH/RDP ===
# No load balancer needed - uses IAP tunnel
gcloud compute instances add-iam-policy-binding my-vm \
--member="group:developers@company.com" \
--role="roles/iap.tunnelResourceAccessor" \
--zone=us-central1-a
# SSH through IAP tunnel
gcloud compute ssh my-vm --zone=us-central1-a --tunnel-through-iap
# RDP through IAP tunnel
gcloud compute start-iap-tunnel my-windows-vm 3389 \
--local-host-port=localhost:3390 \
--zone=us-central1-aStep 2: Configure IAM Bindings for Access Control
Grant access to specific users and groups with optional access level conditions.
# Grant basic access to a group
gcloud iap web add-iam-policy-binding \
--resource-type=backend-services \
--service=my-backend-service \
--member="group:engineering@company.com" \
--role="roles/iap.httpsResourceAccessor"
# Grant access with access level condition
gcloud iap web add-iam-policy-binding \
--resource-type=backend-services \
--service=finance-app \
--member="group:finance@company.com" \
--role="roles/iap.httpsResourceAccessor" \
--condition='expression=request.auth.access_levels.exists(x, x == "accessPolicies/POLICY_ID/accessLevels/corporate-device"),title=RequireCorporateDevice,description=Requires managed corporate device'
# Grant access only during business hours
gcloud iap web add-iam-policy-binding \
--resource-type=backend-services \
--service=admin-console \
--member="group:admins@company.com" \
--role="roles/iap.httpsResourceAccessor" \
--condition='expression=request.time.getHours("America/New_York") >= 8 && request.time.getHours("America/New_York") <= 18 && request.time.getDayOfWeek("America/New_York") >= 1 && request.time.getDayOfWeek("America/New_York") <= 5,title=BusinessHoursOnly'
# Grant access to a specific URL path
gcloud iap web add-iam-policy-binding \
--resource-type=backend-services \
--service=internal-api \
--member="group:api-consumers@company.com" \
--role="roles/iap.httpsResourceAccessor" \
--condition='expression=request.path.startsWith("/api/v2/"),title=APIv2Access'Step 3: Create Access Levels with Access Context Manager
Define context-based access requirements using device attributes and network conditions.
# Create access level requiring encrypted corporate device
cat > managed-device.yaml << 'EOF'
- devicePolicy:
allowedEncryptionStatuses:
- ENCRYPTED
osConstraints:
- osType: DESKTOP_WINDOWS
minimumVersion: "10.0.19045"
- osType: DESKTOP_MAC
minimumVersion: "14.0"
- osType: DESKTOP_CHROME_OS
requireScreenlock: true
requireAdminApproval: true
allowedDeviceManagementLevels:
- ADVANCED
EOF
gcloud access-context-manager levels create managed-device \
--policy=POLICY_ID \
--title="Managed Device" \
--basic-level-spec=managed-device.yaml
# Create access level for corporate network
cat > corp-network.yaml << 'EOF'
- ipSubnetworks:
- "203.0.113.0/24"
- "198.51.100.0/24"
regions:
- US
- GB
EOF
gcloud access-context-manager levels create corp-network \
--policy=POLICY_ID \
--title="Corporate Network" \
--basic-level-spec=corp-network.yaml
# Create custom access level using CEL for complex logic
cat > high-trust.yaml << 'EOF'
expression: >
device.encryption_status == DeviceEncryptionStatus.ENCRYPTED &&
device.is_admin_approved_device == true &&
(
origin.ip in ["203.0.113.0/24"] ||
device.os_type == OsType.DESKTOP_CHROME_OS
) &&
request.auth.claims.hd == "company.com"
EOF
gcloud access-context-manager levels create high-trust \
--policy=POLICY_ID \
--title="High Trust" \
--custom-level-spec=high-trust.yamlStep 4: Configure Session Settings and Re-authentication
Set session duration and re-authentication policies per application.
# Configure re-authentication for a backend service
# Requires login every 4 hours for sensitive apps
gcloud iap settings set \
--project=PROJECT_ID \
--resource-type=compute \
--service=finance-app \
reauthSettings.method=LOGIN \
reauthSettings.maxAge=14400s \
reauthSettings.policyType=MINIMUM
# Configure session settings for App Engine
gcloud iap settings set \
--project=PROJECT_ID \
--resource-type=app-engine \
reauthSettings.method=SECURE_KEY \
reauthSettings.maxAge=3600s \
reauthSettings.policyType=MINIMUM
# View current IAP settings
gcloud iap settings get \
--project=PROJECT_ID \
--resource-type=compute \
--service=finance-appStep 5: Configure Programmatic Access for Service Accounts
Enable service-to-service communication through IAP-protected endpoints.
#!/usr/bin/env python3
"""Access IAP-protected resource using service account credentials."""
import google.auth
import google.auth.transport.requests
from google.auth import impersonated_credentials
import requests as req
IAP_CLIENT_ID = "YOUR_IAP_OAUTH_CLIENT_ID.apps.googleusercontent.com"
IAP_URL = "https://my-app.company.com/api/data"
def access_iap_resource():
# Get default credentials (works with service account key or workload identity)
credentials, project = google.auth.default()
# Create IAP-authenticated request
authed_session = google.auth.transport.requests.AuthorizedSession(
credentials,
target_audience=IAP_CLIENT_ID
)
# Make request to IAP-protected resource
response = authed_session.get(IAP_URL)
print(f"Status: {response.status_code}")
print(f"Response: {response.text[:500]}")
return response
if __name__ == "__main__":
access_iap_resource()Step 6: Set Up Audit Logging and Monitoring
Configure logging for all IAP access decisions.
# Enable data access audit logs for IAP
gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json
# Add IAP audit config to policy.json:
# {
# "service": "iap.googleapis.com",
# "auditLogConfigs": [
# {"logType": "ADMIN_READ"},
# {"logType": "DATA_READ"},
# {"logType": "DATA_WRITE"}
# ]
# }
gcloud projects set-iam-policy PROJECT_ID policy.json
# Create log-based metric for denied access
gcloud logging metrics create iap-denied-access \
--description="Count of IAP access denials" \
--log-filter='resource.type="gce_backend_service" AND protoPayload.status.code=16'
# Create alerting policy for high denial rates
gcloud alpha monitoring policies create \
--display-name="IAP High Denial Rate" \
--condition-display-name="Denied access > 50 in 5 min" \
--condition-filter='metric.type="logging.googleapis.com/user/iap-denied-access"' \
--condition-threshold-value=50 \
--condition-threshold-duration=300s \
--notification-channels=projects/PROJECT_ID/notificationChannels/CHANNEL_ID
# Query IAP access logs
gcloud logging read '
resource.type="gce_backend_service"
protoPayload.serviceName="iap.googleapis.com"
timestamp >= "2026-02-22T00:00:00Z"
' --project=PROJECT_ID --format='table(timestamp,protoPayload.authenticationInfo.principalEmail,protoPayload.status.code,resource.labels.backend_service_name)' --limit=50Key Concepts
| Term | Definition |
|---|---|
| Identity-Aware Proxy | GCP service that intercepts web requests and TCP connections, authenticating users and evaluating access policies before proxying to backend services |
| Backend Service | GCP load balancer component that IAP protects; can serve Compute Engine instances, GKE pods, Cloud Run services, or App Engine |
| IAP Tunnel | Secure TCP tunnel through IAP allowing SSH, RDP, and other TCP access to VMs without public IPs or VPN |
| OAuth Consent Screen | GCP configuration specifying the application name and support email shown to users during IAP authentication |
| Access Level | Named condition in Access Context Manager evaluated during IAP authorization (device posture, IP, geography) |
| Re-authentication | IAP feature requiring users to prove their identity again after a configurable session duration |
Tools & Systems
- Google Cloud IAP: Identity-aware reverse proxy for GCP applications and TCP services
- Access Context Manager: Defines access levels based on device, network, and geographic attributes
- gcloud CLI: Command-line tool for configuring IAP, access levels, and IAM bindings
- IAP TCP Forwarding: Tunnel-based access to VMs for SSH/RDP without public IPs
- Cloud Audit Logs: Immutable records of all IAP access decisions for compliance
- Endpoint Verification: Chrome extension collecting device attributes for access level evaluation
Common Scenarios
Scenario: Securing 15 Internal GCP Services with IAP
Context: An e-commerce company runs 15 internal services on GKE and Cloud Run (admin dashboards, internal APIs, monitoring tools). Currently, these services are protected only by VPN and firewall rules, creating excessive network-level access.
Approach:
- Deploy all services behind an HTTPS Load Balancer with managed SSL certificates
- Enable IAP on each backend service with per-service OAuth clients
- Create IAM bindings mapping Google Groups to specific services (admin group -> admin dashboard, engineering -> monitoring)
- Define access levels: managed-device (encryption + screen lock), corp-network (office IP ranges)
- Apply managed-device access level to admin dashboard and financial tools
- Configure IAP TCP tunneling for SSH access to GKE nodes (replacing SSH bastion host)
- Set re-authentication to 4 hours for admin tools, 8 hours for monitoring
- Configure Cloud Audit Logs and create alerting for repeated denials
Pitfalls: IAP adds 10-50ms latency per request; test application performance. WebSocket connections through IAP require specific backend service configuration. Service-to-service calls within GKE should bypass IAP using internal service mesh, not external IAP endpoints. Break-glass access should use a separate IAM binding without access level conditions.
Output Format
Google Cloud IAP Configuration Report
==================================================
Project: ecommerce-internal
Report Date: 2026-02-23
IAP-PROTECTED SERVICES:
Backend Services: 12
App Engine: 1
Cloud Run: 2
IAP TCP Tunnels: 4 (SSH access)
Total: 19
ACCESS CONTROL:
IAM Bindings: 34
With Access Levels: 18 (52.9%)
Access Levels: 3 (managed-device, corp-network, high-trust)
SESSION POLICIES:
Admin tools: 4h re-auth (SECURE_KEY)
Sensitive apps: 4h re-auth (LOGIN)
General tools: 8h re-auth (LOGIN)
ACCESS LOGS (last 24h):
Total requests: 23,456
Authenticated: 23,289 (99.3%)
Denied by IAM: 112
Denied by access level: 55
Unique users: 134References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 3
api-reference.md1.6 KB
Google Identity-Aware Proxy (IAP) — API Reference
Libraries
| Library | Install | Purpose |
|---|---|---|
| google-cloud-iap | pip install google-cloud-iap |
IAP admin and settings management |
| google-cloud-resource-manager | pip install google-cloud-resource-manager |
GCP project enumeration |
Key IAP Client Methods
| Method | Description |
|---|---|
IdentityAwareProxyAdminServiceClient() |
Create IAP admin client |
get_iap_settings(name=) |
Get IAP configuration for a resource |
update_iap_settings(iap_settings=, update_mask=) |
Update IAP settings |
get_iam_policy(resource=) |
Get IAP IAM bindings |
set_iam_policy(resource=, policy=) |
Set IAP IAM bindings |
list_tunnel_dest_groups(parent=) |
List TCP forwarding tunnel groups |
IAP IAM Roles
| Role | Description |
|---|---|
roles/iap.httpsResourceAccessor |
Access IAP-protected web resources |
roles/iap.tunnelResourceAccessor |
Access IAP TCP forwarding tunnels |
roles/iap.admin |
Full IAP administration |
gcloud CLI Commands
gcloud iap web enable --resource-type=app-engine
gcloud iap tcp enable --resource-type=compute --dest-group=GROUP
gcloud iap web get-iam-policy --project=PROJECT
gcloud compute ssh INSTANCE --tunnel-through-iapExternal References
standards.md1.7 KB
Google Cloud IAP - Standards & References
NIST SP 800-207: Zero Trust Architecture
- Section 3.1: Policy Engine - IAP evaluates identity and context per request
- Section 3.2: Trust Algorithm - Access Levels compute trust score
- Section 4.2: SDP Gateway Model - IAP acts as application-layer gateway
- URL: https://csrc.nist.gov/publications/detail/sp/800-207/final
CISA Zero Trust Maturity Model v2.0
- Identity Pillar: Per-request identity verification via IAP
- Application Pillar: Application-level access controls
- URL: https://www.cisa.gov/zero-trust-maturity-model
Google Cloud Documentation
- IAP Overview: https://cloud.google.com/iap/docs/concepts-overview
- Enabling IAP for Compute Engine: https://cloud.google.com/iap/docs/enabling-compute-howto
- Enabling IAP for App Engine: https://cloud.google.com/iap/docs/app-engine-quickstart
- Enabling IAP for Cloud Run: https://cloud.google.com/iap/docs/enabling-cloud-run
- IAP TCP Forwarding: https://cloud.google.com/iap/docs/using-tcp-forwarding
- Context-Aware Access: https://cloud.google.com/iap/docs/cloud-iap-context-aware-access-howto
- Managing Access: https://cloud.google.com/iap/docs/managing-access
- Access Context Manager: https://cloud.google.com/access-context-manager/docs
- Programmatic Authentication: https://cloud.google.com/iap/docs/authentication-howto
Google BeyondCorp Papers
- BeyondCorp: A New Approach to Enterprise Security (2014): https://research.google/pubs/pub43231/
- BeyondCorp: The Access Proxy (2017): https://research.google/pubs/pub45728/
FedRAMP
- Google Cloud IAP operates within FedRAMP High boundary
- URL: https://cloud.google.com/security/compliance/fedramp
workflows.md2.4 KB
Google IAP Configuration Workflow
Phase 1: Prerequisites (Day 1)
- Enable IAP API:
gcloud services enable iap.googleapis.com - Enable Access Context Manager API
- Configure OAuth consent screen with organization branding
- Create OAuth client credentials for IAP
- Verify applications are behind HTTPS Load Balancer or Cloud Run/App Engine
Phase 2: IAP Enablement (Day 2-3)
Compute Engine / GKE Backend Services
- Enable IAP on each backend service with OAuth credentials
- Configure health checks to work through IAP
- Verify backend service firewall rules allow only load balancer and IAP ranges
- Block direct access to backend instances (remove external IPs, restrict firewall)
App Engine
- Enable IAP on App Engine with OAuth credentials
- Verify no App Engine firewall rules bypass IAP
- Test authentication flow with pilot users
Cloud Run
- Grant IAP service account Cloud Run Invoker role
- Configure Cloud Run service with
--no-allow-unauthenticated - Enable IAP on the backend service fronting Cloud Run
- Test end-to-end request flow
TCP Forwarding (SSH/RDP)
- Grant IAP Tunnel Resource Accessor role to user groups
- Remove public IP addresses from VMs
- Configure firewall rules to allow only IAP tunnel IP ranges (35.235.240.0/20)
- Test SSH/RDP access through IAP tunnel
Phase 3: Access Control (Day 4-5)
- Create IAM bindings mapping Google Groups to backend services
- Add access level conditions for sensitive applications
- Configure time-based conditions for admin access
- Set up path-based conditions for API access
- Test each binding with authorized and unauthorized users
Phase 4: Access Levels (Day 6-7)
- Create basic access levels for device posture (encryption, OS, screen lock)
- Create IP-based access levels for corporate network
- Create custom access levels with CEL for complex conditions
- Apply access levels as conditions on IAM bindings
- Validate with compliant and non-compliant devices
Phase 5: Session and Re-auth (Day 8)
- Configure session duration per application tier
- Set re-authentication method (LOGIN or SECURE_KEY)
- Test session expiry and re-authentication flow
- Document expected user experience
Phase 6: Audit and Monitoring (Day 9-10)
- Enable data access audit logs for IAP
- Create log-based metrics for access denials
- Set up alerting for anomalous patterns
- Build dashboard for IAP access analytics
- Test break-glass access procedures
Scripts 2
agent.py4.4 KB
#!/usr/bin/env python3
"""Google Identity-Aware Proxy (IAP) configuration agent using google-cloud-iap."""
import json
import sys
import argparse
from datetime import datetime
try:
from google.cloud import iap_v1
except ImportError:
print("Install: pip install google-cloud-iap google-cloud-resource-manager")
sys.exit(1)
def list_iap_tunnels(project_id):
"""List IAP TCP forwarding tunnels."""
client = iap_v1.IdentityAwareProxyAdminServiceClient()
parent = f"projects/{project_id}"
tunnels = []
try:
request = iap_v1.ListTunnelDestGroupsRequest(parent=f"{parent}/iap_tunnel/locations/-")
for group in client.list_tunnel_dest_groups(request=request):
tunnels.append({
"name": group.name,
"cidrs": list(group.cidrs),
"fqdns": list(group.fqdns),
})
except Exception as e:
tunnels.append({"error": str(e)})
return tunnels
def get_iap_settings(project_id, resource_type="web"):
"""Get IAP settings for web resources."""
client = iap_v1.IdentityAwareProxyAdminServiceClient()
resource_name = f"projects/{project_id}/iap_web"
try:
request = iap_v1.GetIapSettingsRequest(name=resource_name)
settings = client.get_iap_settings(request=request)
return {
"name": settings.name,
"access_settings": {
"cors_settings": str(settings.access_settings.cors_settings) if settings.access_settings else "",
},
}
except Exception as e:
return {"error": str(e)}
def audit_iap_iam_policy(project_id):
"""Audit IAM bindings for IAP-secured resources."""
client = iap_v1.IdentityAwareProxyAdminServiceClient()
resource = f"projects/{project_id}/iap_web"
try:
policy = client.get_iam_policy(request={"resource": resource})
bindings = []
for binding in policy.bindings:
bindings.append({
"role": binding.role,
"members": list(binding.members),
"condition": str(binding.condition) if binding.condition else None,
})
return bindings
except Exception as e:
return [{"error": str(e)}]
def check_oauth_consent(project_id):
"""Verify OAuth consent screen configuration."""
return {
"check": "OAuth consent screen",
"project": project_id,
"requirements": [
"Application type: Internal (for organization apps)",
"Support email: Valid group email",
"Authorized domains: Company domains only",
"Scopes: Minimal required (email, profile)",
],
"verification_url": f"https://console.cloud.google.com/apis/credentials/consent?project={project_id}",
}
def run_audit(project_id):
"""Execute IAP configuration audit."""
print(f"\n{'='*60}")
print(f" GOOGLE IAP CONFIGURATION AUDIT")
print(f" Project: {project_id}")
print(f" Generated: {datetime.utcnow().isoformat()} UTC")
print(f"{'='*60}\n")
settings = get_iap_settings(project_id)
print(f"--- IAP SETTINGS ---")
print(f" {json.dumps(settings, indent=2)}")
bindings = audit_iap_iam_policy(project_id)
print(f"\n--- IAM BINDINGS ({len(bindings)}) ---")
for b in bindings:
if "error" not in b:
print(f" {b['role']}: {', '.join(b['members'][:3])}")
tunnels = list_iap_tunnels(project_id)
print(f"\n--- TCP TUNNELS ({len(tunnels)}) ---")
for t in tunnels:
if "error" not in t:
print(f" {t['name']}: CIDRs={t['cidrs']}")
consent = check_oauth_consent(project_id)
print(f"\n--- OAUTH CONSENT ---")
for req in consent["requirements"]:
print(f" - {req}")
return {"settings": settings, "bindings": bindings, "tunnels": tunnels, "consent": consent}
def main():
parser = argparse.ArgumentParser(description="Google IAP Audit Agent")
parser.add_argument("--project", required=True, help="GCP project ID")
parser.add_argument("--audit", action="store_true", help="Run full audit")
parser.add_argument("--output", help="Save report to JSON file")
args = parser.parse_args()
if args.audit:
report = run_audit(args.project)
if args.output:
with open(args.output, "w") as f:
json.dump(report, f, indent=2, default=str)
print(f"\n[+] Report saved to {args.output}")
else:
parser.print_help()
if __name__ == "__main__":
main()
process.py7.7 KB
#!/usr/bin/env python3
"""
Google Cloud IAP - Configuration Audit Tool
Audits IAP-enabled backend services, IAM bindings, access levels,
session settings, and access logs for compliance validation.
Requirements:
pip install google-cloud-compute google-auth requests
"""
import json
import subprocess
import sys
from datetime import datetime, timedelta, timezone
from typing import Any
def run_gcloud(args: list[str]) -> Any:
"""Execute gcloud command and return JSON output."""
cmd = ["gcloud"] + args + ["--format=json"]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
if result.returncode != 0:
return []
try:
return json.loads(result.stdout) if result.stdout.strip() else []
except json.JSONDecodeError:
return []
def audit_iap_backends(project_id: str) -> list[dict]:
"""Audit all backend services for IAP configuration."""
print("\n[1/5] Auditing IAP-enabled backend services...")
backends = run_gcloud(["compute", "backend-services", "list", "--project", project_id])
if not isinstance(backends, list):
return []
results = []
for backend in backends:
name = backend.get("name", "unknown")
iap = backend.get("iap", {})
enabled = iap.get("enabled", False)
info = {"name": name, "iap_enabled": enabled, "bindings": [], "has_conditions": False}
if enabled:
policy = run_gcloud([
"iap", "web", "get-iam-policy",
"--resource-type=backend-services",
"--service", name, "--project", project_id
])
bindings = policy.get("bindings", []) if isinstance(policy, dict) else []
info["bindings"] = bindings
info["bindings_count"] = len(bindings)
info["has_conditions"] = any(b.get("condition") for b in bindings)
print(f" [IAP ON] {name}: {len(bindings)} bindings, conditions: {info['has_conditions']}")
else:
print(f" [IAP OFF] {name}")
results.append(info)
return results
def audit_access_levels(policy_id: str) -> list[dict]:
"""Audit Access Context Manager levels."""
print("\n[2/5] Auditing access levels...")
if not policy_id:
print(" Skipped - no policy ID provided")
return []
levels = run_gcloud(["access-context-manager", "levels", "list", "--policy", policy_id])
if not isinstance(levels, list):
return []
results = []
for level in levels:
name = level.get("name", "").split("/")[-1]
title = level.get("title", "")
basic = level.get("basic", {})
has_device = any(
c.get("devicePolicy") for c in basic.get("conditions", [])
)
has_ip = any(
c.get("ipSubnetworks") for c in basic.get("conditions", [])
)
results.append({"name": name, "title": title, "has_device": has_device, "has_ip": has_ip})
print(f" {title}: device_policy={has_device}, ip_restriction={has_ip}")
return results
def audit_iap_tunnel_access(project_id: str) -> dict:
"""Audit IAP TCP tunnel permissions."""
print("\n[3/5] Auditing IAP tunnel access...")
instances = run_gcloud(["compute", "instances", "list", "--project", project_id])
if not isinstance(instances, list):
return {"total_vms": 0}
stats = {"total_vms": len(instances), "with_external_ip": 0, "tunnel_accessible": 0}
for vm in instances:
name = vm.get("name", "unknown")
interfaces = vm.get("networkInterfaces", [])
has_ext_ip = any(
iface.get("accessConfigs") for iface in interfaces
)
if has_ext_ip:
stats["with_external_ip"] += 1
print(f" Total VMs: {stats['total_vms']}, With external IP: {stats['with_external_ip']}")
if stats["with_external_ip"] > 0:
print(f" [WARN] {stats['with_external_ip']} VMs have external IPs - consider removing for IAP-only access")
return stats
def audit_iap_logs(project_id: str) -> dict:
"""Analyze recent IAP access logs."""
print("\n[4/5] Analyzing IAP access logs (24h)...")
start = (datetime.now(timezone.utc) - timedelta(hours=24)).strftime("%Y-%m-%dT%H:%M:%SZ")
logs = run_gcloud([
"logging", "read",
f'resource.type="gce_backend_service" AND protoPayload.serviceName="iap.googleapis.com" AND timestamp>="{start}"',
"--project", project_id, "--limit=500"
])
if not isinstance(logs, list):
return {"total": 0, "allowed": 0, "denied": 0}
stats = {"total": len(logs), "allowed": 0, "denied": 0, "users": set()}
for entry in logs:
payload = entry.get("protoPayload", {})
status = payload.get("status", {}).get("code", 0)
user = payload.get("authenticationInfo", {}).get("principalEmail", "")
if status == 0:
stats["allowed"] += 1
else:
stats["denied"] += 1
if user:
stats["users"].add(user)
stats["unique_users"] = len(stats["users"])
del stats["users"]
print(f" Requests: {stats['total']}, Allowed: {stats['allowed']}, Denied: {stats['denied']}")
return stats
def generate_report(project_id: str, backends: list, levels: list,
tunnels: dict, logs: dict) -> str:
"""Generate IAP audit report."""
print("\n[5/5] Generating report...")
now = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M UTC")
iap_on = [b for b in backends if b["iap_enabled"]]
iap_off = [b for b in backends if not b["iap_enabled"]]
with_conditions = [b for b in iap_on if b.get("has_conditions")]
report = f"""
Google Cloud IAP Audit Report
{'=' * 55}
Project: {project_id}
Generated: {now}
1. BACKEND SERVICES
Total backend services: {len(backends)}
IAP enabled: {len(iap_on)}
IAP disabled: {len(iap_off)}
With access level conditions: {len(with_conditions)} / {len(iap_on)}
2. ACCESS LEVELS
Total defined: {len(levels)}
With device policy: {sum(1 for l in levels if l['has_device'])}
With IP restrictions: {sum(1 for l in levels if l['has_ip'])}
3. VM ACCESS
Total VMs: {tunnels['total_vms']}
With external IP: {tunnels['with_external_ip']}
4. ACCESS LOGS (24h)
Total requests: {logs['total']}
Allowed: {logs['allowed']}
Denied: {logs['denied']}
Unique users: {logs.get('unique_users', 0)}
5. RECOMMENDATIONS
"""
recs = []
if iap_off:
recs.append(f" - Enable IAP on {len(iap_off)} unprotected backend service(s)")
if len(with_conditions) < len(iap_on):
recs.append(f" - Add access level conditions to {len(iap_on) - len(with_conditions)} IAP service(s)")
if tunnels["with_external_ip"] > 0:
recs.append(f" - Remove external IPs from {tunnels['with_external_ip']} VM(s) for IAP-only access")
if not recs:
recs.append(" - Configuration meets best practices")
report += "\n".join(recs)
return report
def main():
if len(sys.argv) < 2:
print("Usage: python process.py <project-id> [access-policy-id]")
sys.exit(1)
project_id = sys.argv[1]
policy_id = sys.argv[2] if len(sys.argv) > 2 else None
backends = audit_iap_backends(project_id)
levels = audit_access_levels(policy_id)
tunnels = audit_iap_tunnel_access(project_id)
logs = audit_iap_logs(project_id)
report = generate_report(project_id, backends, levels, tunnels, logs)
print(report)
filename = f"iap_audit_{project_id}_{datetime.now().strftime('%Y%m%d')}.txt"
with open(filename, "w") as f:
f.write(report)
print(f"\nReport saved to: {filename}")
if __name__ == "__main__":
main()