- Scans Google Cloud DNS across a GCP Organization for domain records vulnerable to takeover
- Amazon Route53 vulnerable domains can be detected by Domain Protect
Scans Google Cloud DNS for:
- Subdomain NS delegations vulnerable to takeover
- CNAME records for missing Google Cloud Storage buckets
- A records for Google Cloud Load Balancer with missing storage bucket backend
- Vulnerable CNAME records for Azure resources
- Vulnerable CNAME records for AWS resources
- CNAME for Amazon CloudFront distributions with missing S3 origin
- CNAME for Amazon S3 website
- scheduled Google Cloud Functions with Slack alerts, across a GCP Organization, deployed using Terraform
- manual scans run from your laptop or Cloud Shell
- Slack channel notification per vulnerability type, listing account names and vulnerable domains
- Storage bucket for Terraform state file
- Terraform 1.0.x
- Service Usage API enabled on Google Cloud project
The Terraform service account requires the following roles at the Project level:
App Engine Creator
Cloud Functions Developer
Cloud Scheduler Admin
Create Service Accounts
Project IAM Admin
Pub/Sub Admin
Secret Manager Admin
Service Account Admin
Service Account User
Service Usage Admin
Storage Admin
- replace the Terraform state Google Cloud Storage bucket fields in the command below as appropriate
- for local testing, duplicate terraform.tfvars.example, rename without the .example suffix
- enter details appropriate to your organization and save
- alternatively enter Terraform variables within your CI/CD pipeline
- check whether App Engine has been created in the infrastructure project
- add Terraform variables
create_app_engineandapp_service_regionif different from default
terraform init -backend-config=bucket=TERRAFORM_STATE_BUCKET -backend-config=prefix="terraform/state/domain-protect-gcp"
terraform workspace new dev
terraform plan
terraform apply
- At the organisation level, IAM, apply the following permissions to the domain-protect service account:
DNS Reader (roles/dns.reader)
Folder Viewer (roles/resourcemanager.folderViewer)
Organization Viewer (roles/resourcemanager.organizationViewer)
- This step is performed manually to avoid giving org wide IAM permisssions to the Terraform service account
- Functions v2 requires an additional permission on two Google managed service accounts
- These are GCP Project level settings
- Role required:
roles/iam.serviceAccountTokenCreator - Google managed service accounts:
service-${PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com
service-${PROJECT_NUMBER}@gcf-admin-robot.iam.gserviceaccount.com
- They may need to be added using the console or
gcloud - In GCP console for the security project select IAM
- tick the box
Include Google provided role grants - select the Google Pub/Sub service account
- if it's not present, that means you need to grant access
- select the Google functions robot service account
- if required, add the Service Account Token Creator role to both service accounts
- this can be done via the GCP console or using gcloud:
export PROJECT_NUMBER="$(gcloud projects describe $(gcloud config get-value project) --format='value(projectNumber)')"
gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
--member="serviceAccount:service-${PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com" \
--role='roles/iam.serviceAccountTokenCreator'
gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
--member="serviceAccount:service-${PROJECT_NUMBER}@gcf-admin-robot.iam.gserviceaccount.com" \
--role='roles/iam.serviceAccountTokenCreator'
- add an extra channel to your slack_channels variable list
- add an extra webhook URL or repeat the same webhook URL to your slack_webhook_urls variable list
- apply Terraform
- infrastructure deployed using GitHub Actions
- use separate deployment repository domain-protect-gcp-deploy
- use OpenID Connect, service account keys not required
- configuration details provided at domain-protect-gcp-deploy
| GITHUB ACTIONS SECRETS | EXAMPLE |
|---|---|
| PROJECT | mygcpprojectid |
| APP_SERVICE_REGION | europe-west2 |
| GCP_WORKLOAD_IDENTITY_PROVIDER | projects/123456789/locations/global/workloadIdentityPools/github-actions/providers/domain-protect-gcp-github |
| GCP_SERVICE_ACCOUNT | my-service-account@my-project.iam.gserviceaccount.com |
| TERRAFORM_STATE_BUCKET | tfstate48903 |
| TERRAFORM_STATE_PREFIX | terraform/state/domain-protect-gcp |
| SLACK_CHANNELS | ["security-alerts"] |
| SLACK_CHANNELS_DEV | ["security-alerts-dev"] |
| SLACK_WEBHOOK_URLS | ["https://hooks.slack.com/services/XXX/XXX/XXX"] |
- Python and Terraform local tests:
black --check --line-length 120 .
prospector --max-line-length 120 --profile tests/prospector/profile.yaml
bandit --ini .config/sast_python_bandit_cli.yml manual-scans terraform-modules
terraform fmt -check -recursive
checkov --config-file .config/sast_terraform_checkov_cli.yml --directory
- this tool cannot guarantee 100% protection against subdomain takeover
- it only scans Google Cloud DNS, and only checks a limited number of takeover types
- for detection of Amazon Route53 vulnerable domains use Domain Protect