Google cloud checklist #4
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| # Google Cloud Run Security | ||
|
|
||
| ## Cloud Run Container Security | ||
|
|
||
| 1. Container Base Image | ||
| - What is the source of your base image? | ||
| - Is the docker image signed one? Do you use Docker Content Trust feature ? | ||
| - Do you have a lean base image? | ||
| 2. How are vulnerabilities found at Non-OS level (Python, npm, ruby gems, etc.)? | ||
| 3. Does your container follow [CIS benchmark](https://github.com/docker/docker-bench-security)? | ||
| 4. Are there any extra packages in containers that can be security vulnerabilities? | ||
| 5. Are containers running as a non-root user? | ||
| 6. How image ensures to avoid privilege escalation and how it deals with Linux capabilities. | ||
|
|
||
|
|
||
| ## Cloud Run Authentication | ||
|
|
||
| 1. Do you have Identity provider access control in place? Is it both for the user and other service? | ||
| 1. Do you have the service account for cloud run service? If so, what permissions are provided? | ||
|
Perhaps this is obvious if one understands Cloud Run better than I do, but how else, besides a Service Account, would one use Cloud Run? And could you link to a resource that would say what the minimal or otherwise reasonable set of permissions it ought to have?
||
| 1. How access tokens are used to authenticate when calling Google Cloud APIs? | ||
|
Fix grammar. And how else than via access tokens would one call the APIs?
||
| 1. How are the secrets manage in Cloud Run? Are secrets managed by the Secret Manager? | ||
|
"managed" Since Google Cloud Secret Manager is just one of many options for secrets, should the question perhaps be "How are secrets managed in Cloud Run, e.g., are they managed via Google Cloud Secret Manager?"
||
| 1. Do you have customer managed encrytion keys? | ||
|
Clarify what service this question relates to.
||
| 1. Is Cloud Run integrated with Binarization autherization? Or is code binarized and then deployed? | ||
|
Spell check and grammar check the document, please. And this question felt like it was on a significantly deeper level, technology-wise, than the others. Please provide a link, because what even is binarization? Is it really an either-or type of question, that it is either integrated with binarization or binarized and then deployed?
||
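Review bot: Item 6 under "Cloud Run Container Security" is worded as a statement rather than a question ("How image ensures to avoid privilege escalation and how it deals with Linux capabilities."), so a respondent cannot tell what answer is expected; consider "How does the image prevent privilege escalation, and which Linux capabilities does the container need?". In item 3, the link labelled "CIS benchmark" points to the docker-bench-security repository, which is a checking script based on the CIS Docker Benchmark rather than the benchmark itself, so either name the tool in the link text or link to the benchmark. The Authentication list also numbers every item "1." while the container list uses 1 to 6; pick one numbering style for the file.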
Please clarify this question. Seems to conflate topics (Identity Provider and Access Control) and it is unclear what the second question means. Perhaps unpack it a bit. How would you like access control etc. to be handled for users and across services?