npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
Overview
Google BeyondCorp Enterprise implements the zero trust security model by eliminating the concept of a trusted network perimeter. Instead of relying on VPNs and network location, BeyondCorp authenticates and authorizes every request based on user identity, device posture, and contextual attributes. Identity-Aware Proxy (IAP) serves as the enforcement point, intercepting all requests to protected resources and evaluating them against Access Context Manager policies. This skill covers configuring IAP for web applications, defining access levels based on device trust and network attributes, and auditing access policies for compliance.
When to Use
- When deploying or configuring implementing zero trust with beyondcorp capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
Prerequisites
- Google Cloud project with BeyondCorp Enterprise license
- IAP API enabled (iap.googleapis.com)
- Access Context Manager API enabled (accesscontextmanager.googleapis.com)
- GCP resources to protect (Compute Engine, App Engine, or GKE services)
- Endpoint Verification deployed on managed devices
- Python 3.9+ with google-cloud-iap library
Steps
Step 1: Enable IAP on Target Resources
Configure Identity-Aware Proxy on Compute Engine, App Engine, or HTTPS load balancer backends.
Step 2: Define Access Levels
Create Access Context Manager access levels based on IP ranges, device attributes (OS version, encryption, screen lock), and geographic location.
Step 3: Bind Access Policies
Apply access levels as IAP conditions to enforce context-aware access decisions on protected resources.
Step 4: Audit and Monitor
Query IAP audit logs, verify policy enforcement, and identify gaps in zero trust coverage.
Expected Output
JSON report containing IAP-protected resources, access level definitions, policy binding audit results, and zero trust coverage metrics.
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md2.6 KB
API Reference: Implementing Zero Trust with BeyondCorp
gcloud IAP Commands
# Enable IAP on backend service
gcloud iap web enable --resource-type=backend-services \
--service=my-backend --project=my-project
# Get IAP IAM policy
gcloud iap web get-iam-policy --project=my-project
# Grant IAP access with access level condition
gcloud iap web add-iam-policy-binding --project=my-project \
--member="group:team@example.com" \
--role="roles/iap.httpsResourceAccessor" \
--condition="expression=accessPolicies/123/accessLevels/corp_device,title=CorpDevice"
# Enable required APIs
gcloud services enable iap.googleapis.com
gcloud services enable accesscontextmanager.googleapis.com
gcloud services enable beyondcorp.googleapis.comAccess Context Manager Commands
# Create access policy
gcloud access-context-manager policies create --organization=ORG_ID --title="Corp Policy"
# Create access level (device + IP)
gcloud access-context-manager levels create corp_trusted \
--policy=POLICY_ID --title="Corporate Trusted" \
--basic-level-spec=level_spec.yaml
# List access levels
gcloud access-context-manager levels list --policy=POLICY_ID --format=jsonAccess Level Spec (YAML)
conditions:
- ipSubnetworks:
- "10.0.0.0/8"
- "172.16.0.0/12"
devicePolicy:
requireScreenlock: true
osConstraints:
- osType: DESKTOP_WINDOWS
minimumVersion: "10.0.19041"
- osType: DESKTOP_MAC
minimumVersion: "12.0.0"
allowedEncryptionStatuses:
- ENCRYPTED
regions:
- "US"
- "GB"IAP Roles
| Role | Description |
|---|---|
| roles/iap.httpsResourceAccessor | Access IAP-protected resources |
| roles/iap.admin | Full IAP administration |
| roles/iap.settingsAdmin | Modify IAP settings |
| roles/iap.tunnelResourceAccessor | Access via IAP TCP tunneling |
Python SDK
from google.cloud import iap_v1
client = iap_v1.IdentityAwareProxyAdminServiceClient()
# List tunnel destinations
request = iap_v1.ListTunnelDestGroupsRequest(parent=f"projects/{project}/iap_tunnel/locations/-")Audit Log Query (Cloud Logging)
resource.type="gce_backend_service"
logName="projects/PROJECT/logs/cloudaudit.googleapis.com%2Fdata_access"
protoPayload.methodName="AuthorizeUser"
protoPayload.authenticationInfo.principalEmail!=""References
- BeyondCorp Enterprise: https://cloud.google.com/beyondcorp
- IAP Concepts: https://cloud.google.com/iap/docs/concepts-overview
- Access Context Manager: https://cloud.google.com/access-context-manager/docs
Scripts 1
agent.py6.9 KB
#!/usr/bin/env python3
"""BeyondCorp Zero Trust Agent - audits IAP configuration, access levels, and policy bindings."""
import json
import argparse
import logging
import subprocess
from datetime import datetime
logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)
def gcloud_json(args_list):
"""Execute gcloud command and return JSON output."""
cmd = ["gcloud"] + args_list + ["--format=json"]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
return json.loads(result.stdout) if result.returncode == 0 and result.stdout else []
def list_iap_protected_resources(project):
"""List resources protected by Identity-Aware Proxy."""
backends = gcloud_json(["compute", "backend-services", "list", "--project", project])
protected = []
for backend in backends:
iap = backend.get("iap", {})
protected.append({
"name": backend.get("name", ""),
"iap_enabled": iap.get("enabled", False),
"oauth2_client_id": bool(iap.get("oauth2ClientId", "")),
})
return protected
def get_access_levels(policy_name):
"""Retrieve Access Context Manager access levels."""
levels = gcloud_json(["access-context-manager", "levels", "list", "--policy", policy_name])
parsed = []
for level in levels:
basic = level.get("basic", {})
conditions = basic.get("conditions", [])
parsed.append({
"name": level.get("name", "").split("/")[-1],
"title": level.get("title", ""),
"combining_function": basic.get("combiningFunction", "AND"),
"condition_count": len(conditions),
"has_ip_restriction": any(c.get("ipSubnetworks") for c in conditions),
"has_device_policy": any(c.get("devicePolicy") for c in conditions),
"has_region_restriction": any(c.get("regions") for c in conditions),
})
return parsed
def audit_iap_iam_bindings(project):
"""Audit IAM bindings on IAP-protected resources."""
findings = []
cmd = ["gcloud", "iap", "web", "get-iam-policy", "--project", project, "--format=json"]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
if result.returncode != 0:
return [{"issue": "Cannot retrieve IAP IAM policy", "severity": "high"}]
policy = json.loads(result.stdout) if result.stdout else {}
for binding in policy.get("bindings", []):
role = binding.get("role", "")
members = binding.get("members", [])
condition = binding.get("condition")
if role == "roles/iap.httpsResourceAccessor":
if "allUsers" in members or "allAuthenticatedUsers" in members:
findings.append({
"role": role, "issue": "Public access via allUsers/allAuthenticatedUsers",
"severity": "critical",
"recommendation": "Restrict to specific user/group identities",
})
if not condition:
findings.append({
"role": role, "members": members[:5],
"issue": "IAP binding without access level condition",
"severity": "high",
"recommendation": "Add access level condition for context-aware enforcement",
})
return findings
def audit_access_level_strength(access_levels):
"""Audit access levels for security strength."""
findings = []
for level in access_levels:
if not level["has_device_policy"]:
findings.append({
"access_level": level["name"],
"issue": "No device policy requirement",
"severity": "medium",
"recommendation": "Add device trust requirements (encryption, screen lock, OS version)",
})
if not level["has_ip_restriction"] and not level["has_region_restriction"]:
findings.append({
"access_level": level["name"],
"issue": "No network or geographic restriction",
"severity": "medium",
"recommendation": "Consider adding corporate IP range or geo restrictions",
})
if level["condition_count"] == 0:
findings.append({
"access_level": level["name"],
"issue": "Empty access level with no conditions",
"severity": "high",
})
return findings
def check_endpoint_verification(project):
"""Check Endpoint Verification deployment status."""
devices = gcloud_json(["endpoint-verification", "list", "--project", project])
total = len(devices)
compliant = sum(1 for d in devices if d.get("complianceState") == "COMPLIANT")
return {
"total_devices": total,
"compliant": compliant,
"non_compliant": total - compliant,
"compliance_rate": round(compliant / max(total, 1) * 100, 1),
}
def generate_report(protected, access_levels, iam_findings, level_findings, endpoint_status):
iap_enabled = sum(1 for r in protected if r["iap_enabled"])
all_findings = iam_findings + level_findings
return {
"timestamp": datetime.utcnow().isoformat(),
"framework": "BeyondCorp Enterprise / Zero Trust",
"iap_protected_resources": len(protected),
"iap_enabled_count": iap_enabled,
"iap_coverage": round(iap_enabled / max(len(protected), 1) * 100, 1),
"access_levels_defined": len(access_levels),
"access_level_details": access_levels,
"endpoint_verification": endpoint_status,
"iam_findings": iam_findings,
"access_level_findings": level_findings,
"total_findings": len(all_findings),
"critical_findings": sum(1 for f in all_findings if f.get("severity") == "critical"),
}
def main():
parser = argparse.ArgumentParser(description="BeyondCorp Zero Trust Audit Agent")
parser.add_argument("--project", required=True, help="GCP project ID")
parser.add_argument("--access-policy", required=True, help="Access Context Manager policy ID")
parser.add_argument("--output", default="beyondcorp_audit_report.json")
args = parser.parse_args()
protected = list_iap_protected_resources(args.project)
access_levels = get_access_levels(args.access_policy)
iam_findings = audit_iap_iam_bindings(args.project)
level_findings = audit_access_level_strength(access_levels)
endpoint_status = check_endpoint_verification(args.project)
report = generate_report(protected, access_levels, iam_findings, level_findings, endpoint_status)
with open(args.output, "w") as f:
json.dump(report, f, indent=2, default=str)
logger.info("BeyondCorp: %.1f%% IAP coverage, %d access levels, %d findings",
report["iap_coverage"], report["access_levels_defined"], report["total_findings"])
print(json.dumps(report, indent=2, default=str))
if __name__ == "__main__":
main()