zero trust

Implementing Zero Trust with BeyondCorp

Deploy Google BeyondCorp Enterprise zero trust access controls using Identity-Aware Proxy (IAP), context-aware access policies, device trust validation, and Access Context Manager to enforce identity and posture-based access to GCP resources and internal applications.

beyondcorpcontext-aware-accessdevice-trustgoogle-cloudiapidentityzero-trust
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Overview

Google BeyondCorp Enterprise implements the zero trust security model by eliminating the concept of a trusted network perimeter. Instead of relying on VPNs and network location, BeyondCorp authenticates and authorizes every request based on user identity, device posture, and contextual attributes. Identity-Aware Proxy (IAP) serves as the enforcement point, intercepting all requests to protected resources and evaluating them against Access Context Manager policies. This skill covers configuring IAP for web applications, defining access levels based on device trust and network attributes, and auditing access policies for compliance.

When to Use

  • When deploying or configuring implementing zero trust with beyondcorp capabilities in your environment
  • When establishing security controls aligned to compliance requirements
  • When building or improving security architecture for this domain
  • When conducting security assessments that require this implementation

Prerequisites

  • Google Cloud project with BeyondCorp Enterprise license
  • IAP API enabled (iap.googleapis.com)
  • Access Context Manager API enabled (accesscontextmanager.googleapis.com)
  • GCP resources to protect (Compute Engine, App Engine, or GKE services)
  • Endpoint Verification deployed on managed devices
  • Python 3.9+ with google-cloud-iap library

Steps

Step 1: Enable IAP on Target Resources

Configure Identity-Aware Proxy on Compute Engine, App Engine, or HTTPS load balancer backends.

Step 2: Define Access Levels

Create Access Context Manager access levels based on IP ranges, device attributes (OS version, encryption, screen lock), and geographic location.

Step 3: Bind Access Policies

Apply access levels as IAP conditions to enforce context-aware access decisions on protected resources.

Step 4: Audit and Monitor

Query IAP audit logs, verify policy enforcement, and identify gaps in zero trust coverage.

Expected Output

JSON report containing IAP-protected resources, access level definitions, policy binding audit results, and zero trust coverage metrics.

Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md2.6 KB

API Reference: Implementing Zero Trust with BeyondCorp

gcloud IAP Commands

# Enable IAP on backend service
gcloud iap web enable --resource-type=backend-services \
  --service=my-backend --project=my-project
 
# Get IAP IAM policy
gcloud iap web get-iam-policy --project=my-project
 
# Grant IAP access with access level condition
gcloud iap web add-iam-policy-binding --project=my-project \
  --member="group:team@example.com" \
  --role="roles/iap.httpsResourceAccessor" \
  --condition="expression=accessPolicies/123/accessLevels/corp_device,title=CorpDevice"
 
# Enable required APIs
gcloud services enable iap.googleapis.com
gcloud services enable accesscontextmanager.googleapis.com
gcloud services enable beyondcorp.googleapis.com

Access Context Manager Commands

# Create access policy
gcloud access-context-manager policies create --organization=ORG_ID --title="Corp Policy"
 
# Create access level (device + IP)
gcloud access-context-manager levels create corp_trusted \
  --policy=POLICY_ID --title="Corporate Trusted" \
  --basic-level-spec=level_spec.yaml
 
# List access levels
gcloud access-context-manager levels list --policy=POLICY_ID --format=json

Access Level Spec (YAML)

conditions:
  - ipSubnetworks:
      - "10.0.0.0/8"
      - "172.16.0.0/12"
    devicePolicy:
      requireScreenlock: true
      osConstraints:
        - osType: DESKTOP_WINDOWS
          minimumVersion: "10.0.19041"
        - osType: DESKTOP_MAC
          minimumVersion: "12.0.0"
      allowedEncryptionStatuses:
        - ENCRYPTED
    regions:
      - "US"
      - "GB"

IAP Roles

Role Description
roles/iap.httpsResourceAccessor Access IAP-protected resources
roles/iap.admin Full IAP administration
roles/iap.settingsAdmin Modify IAP settings
roles/iap.tunnelResourceAccessor Access via IAP TCP tunneling

Python SDK

from google.cloud import iap_v1
client = iap_v1.IdentityAwareProxyAdminServiceClient()
# List tunnel destinations
request = iap_v1.ListTunnelDestGroupsRequest(parent=f"projects/{project}/iap_tunnel/locations/-")

Audit Log Query (Cloud Logging)

resource.type="gce_backend_service"
logName="projects/PROJECT/logs/cloudaudit.googleapis.com%2Fdata_access"
protoPayload.methodName="AuthorizeUser"
protoPayload.authenticationInfo.principalEmail!=""

References

Scripts 1

agent.py6.9 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""BeyondCorp Zero Trust Agent - audits IAP configuration, access levels, and policy bindings."""

import json
import argparse
import logging
import subprocess
from datetime import datetime

logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)


def gcloud_json(args_list):
    """Execute gcloud command and return JSON output."""
    cmd = ["gcloud"] + args_list + ["--format=json"]
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
    return json.loads(result.stdout) if result.returncode == 0 and result.stdout else []


def list_iap_protected_resources(project):
    """List resources protected by Identity-Aware Proxy."""
    backends = gcloud_json(["compute", "backend-services", "list", "--project", project])
    protected = []
    for backend in backends:
        iap = backend.get("iap", {})
        protected.append({
            "name": backend.get("name", ""),
            "iap_enabled": iap.get("enabled", False),
            "oauth2_client_id": bool(iap.get("oauth2ClientId", "")),
        })
    return protected


def get_access_levels(policy_name):
    """Retrieve Access Context Manager access levels."""
    levels = gcloud_json(["access-context-manager", "levels", "list", "--policy", policy_name])
    parsed = []
    for level in levels:
        basic = level.get("basic", {})
        conditions = basic.get("conditions", [])
        parsed.append({
            "name": level.get("name", "").split("/")[-1],
            "title": level.get("title", ""),
            "combining_function": basic.get("combiningFunction", "AND"),
            "condition_count": len(conditions),
            "has_ip_restriction": any(c.get("ipSubnetworks") for c in conditions),
            "has_device_policy": any(c.get("devicePolicy") for c in conditions),
            "has_region_restriction": any(c.get("regions") for c in conditions),
        })
    return parsed


def audit_iap_iam_bindings(project):
    """Audit IAM bindings on IAP-protected resources."""
    findings = []
    cmd = ["gcloud", "iap", "web", "get-iam-policy", "--project", project, "--format=json"]
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
    if result.returncode != 0:
        return [{"issue": "Cannot retrieve IAP IAM policy", "severity": "high"}]
    policy = json.loads(result.stdout) if result.stdout else {}
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        members = binding.get("members", [])
        condition = binding.get("condition")
        if role == "roles/iap.httpsResourceAccessor":
            if "allUsers" in members or "allAuthenticatedUsers" in members:
                findings.append({
                    "role": role, "issue": "Public access via allUsers/allAuthenticatedUsers",
                    "severity": "critical",
                    "recommendation": "Restrict to specific user/group identities",
                })
            if not condition:
                findings.append({
                    "role": role, "members": members[:5],
                    "issue": "IAP binding without access level condition",
                    "severity": "high",
                    "recommendation": "Add access level condition for context-aware enforcement",
                })
    return findings


def audit_access_level_strength(access_levels):
    """Audit access levels for security strength."""
    findings = []
    for level in access_levels:
        if not level["has_device_policy"]:
            findings.append({
                "access_level": level["name"],
                "issue": "No device policy requirement",
                "severity": "medium",
                "recommendation": "Add device trust requirements (encryption, screen lock, OS version)",
            })
        if not level["has_ip_restriction"] and not level["has_region_restriction"]:
            findings.append({
                "access_level": level["name"],
                "issue": "No network or geographic restriction",
                "severity": "medium",
                "recommendation": "Consider adding corporate IP range or geo restrictions",
            })
        if level["condition_count"] == 0:
            findings.append({
                "access_level": level["name"],
                "issue": "Empty access level with no conditions",
                "severity": "high",
            })
    return findings


def check_endpoint_verification(project):
    """Check Endpoint Verification deployment status."""
    devices = gcloud_json(["endpoint-verification", "list", "--project", project])
    total = len(devices)
    compliant = sum(1 for d in devices if d.get("complianceState") == "COMPLIANT")
    return {
        "total_devices": total,
        "compliant": compliant,
        "non_compliant": total - compliant,
        "compliance_rate": round(compliant / max(total, 1) * 100, 1),
    }


def generate_report(protected, access_levels, iam_findings, level_findings, endpoint_status):
    iap_enabled = sum(1 for r in protected if r["iap_enabled"])
    all_findings = iam_findings + level_findings
    return {
        "timestamp": datetime.utcnow().isoformat(),
        "framework": "BeyondCorp Enterprise / Zero Trust",
        "iap_protected_resources": len(protected),
        "iap_enabled_count": iap_enabled,
        "iap_coverage": round(iap_enabled / max(len(protected), 1) * 100, 1),
        "access_levels_defined": len(access_levels),
        "access_level_details": access_levels,
        "endpoint_verification": endpoint_status,
        "iam_findings": iam_findings,
        "access_level_findings": level_findings,
        "total_findings": len(all_findings),
        "critical_findings": sum(1 for f in all_findings if f.get("severity") == "critical"),
    }


def main():
    parser = argparse.ArgumentParser(description="BeyondCorp Zero Trust Audit Agent")
    parser.add_argument("--project", required=True, help="GCP project ID")
    parser.add_argument("--access-policy", required=True, help="Access Context Manager policy ID")
    parser.add_argument("--output", default="beyondcorp_audit_report.json")
    args = parser.parse_args()

    protected = list_iap_protected_resources(args.project)
    access_levels = get_access_levels(args.access_policy)
    iam_findings = audit_iap_iam_bindings(args.project)
    level_findings = audit_access_level_strength(access_levels)
    endpoint_status = check_endpoint_verification(args.project)
    report = generate_report(protected, access_levels, iam_findings, level_findings, endpoint_status)
    with open(args.output, "w") as f:
        json.dump(report, f, indent=2, default=str)
    logger.info("BeyondCorp: %.1f%% IAP coverage, %d access levels, %d findings",
                report["iap_coverage"], report["access_levels_defined"], report["total_findings"])
    print(json.dumps(report, indent=2, default=str))


if __name__ == "__main__":
    main()
Keep exploring