Overview

Gemini for Google Cloud is an always-on AI collaborator that provides help to users of all skill levels where they need it. In this lab, you will learn how to identify and remediate security misconfigurations in your Google Cloud environment using Security Command Center's Gemini features.

Note: Duet AI was renamed to Gemini, our next-generation model. This lab has been updated to reflect this change. Any references to Duet AI in the user interface or documentation should be treated as equivalent to Gemini while following the lab instructions. Note: As an early-stage technology, Gemini can generate output that seems plausible but is factually incorrect. We recommend that you validate all output from Gemini before you use it. For more information, see Gemini for Google Cloud and responsible AI.

Objectives

In this lab, you will learn how to perform the following tasks:

• Enable Gemini in a Google Cloud project
• Deploy example workloads into an environment in Google Cloud
• Identify security misconfigurations with Gemini
• Remediate security misconfigurations with Gemini

Scenario

As you monitor your infrastructure for ways to improve your security posture, Gemini can help identify infrastructure or configuration changes that will prevent issues in the future.

In this example, consider that you are a security engineer at an ecommerce company where managed Kubernetes clusters are regularly deployed. You need a way to see if there are any misconfigurations, and you want quick instructions to help fix those issues in your cloud environment.

Setup and requirements

For each lab, you get a new Google Cloud project and set of resources for a fixed time at no cost.

1. Sign in to Qwiklabs using an incognito window.

2. Note the lab's access time (for example, 1:15:00), and make sure you can finish within that time.
   There is no pause feature. You can restart if needed, but you have to start at the beginning.

3. When ready, click Start lab.

4. Note your lab credentials (Username and Password). You will use them to sign in to the Google Cloud Console.

5. Click Open Google Console.

6. Click Use another account and copy/paste credentials for this lab into the prompts.
   If you use other credentials, you'll receive errors or incur charges.

7. Accept the terms and skip the recovery resource page.

Task 1. Enable Gemini

You will first enable Gemini in your Google Cloud project and configure the necessary permissions for your Google Cloud Qwiklabs user account.

1. Click on the Cloud Shell icon () in the top-right corner of the Google Cloud console toolbar.

2. To set your project ID and region environment variables, run the following commands:

PROJECT_ID=$(gcloud config get-value project) REGION={{{project_0.default_region|lab region}}} echo "PROJECT_ID=${PROJECT_ID}" echo "REGION=${REGION}"

3. To store the signed-in Google user account in an environment variable, run the following command:

USER=$(gcloud config get-value account 2> /dev/null) echo "USER=${USER}"

4. Click Authorize if prompted.

5. Enable the Cloud AI Companion API for Gemini:

gcloud services enable cloudaicompanion.googleapis.com --project ${PROJECT_ID}

6. To use Gemini, grant the necessary IAM roles to your Google Cloud Qwiklabs user account:

gcloud projects add-iam-policy-binding ${PROJECT_ID} --member user:${USER} --role=roles/cloudaicompanion.user gcloud projects add-iam-policy-binding ${PROJECT_ID} --member user:${USER} --role=roles/serviceusage.serviceUsageViewer

Adding these roles lets the user use Gemini assistance.

Click Check my progress to verify your performed task. Enable Gemini

Task 2. Create a GKE cluster and deploy a web app

You will now be creating a Google Kubernetes Engine (GKE) cluster running a handful of microservices.

1. Run the following command to create a GKE cluster named test:

gcloud container clusters create test --region={{{project_0.default_region|lab region}}} --num-nodes=1

This should take a few minutes. Upon completion, you should see a result similar to the following:

Creating cluster test in {{{project_0.default_region|lab region}}}... Cluster is being health-checked (master is healthy)...done. Created [https://container.googleapis.com/v1/projects/agmsb-gke-lab/zones/us-central1/clusters/test]. To inspect the contents of your cluster, go to: https://console.cloud.google.com/kubernetes/workload_/gcloud/us-central1/test?project=agmsb-gke-lab kubeconfig entry generated for test. NAME: test LOCATION: {{{project_0.default_region|lab region}}} MASTER_VERSION: 1.27.3-gke.100 MASTER_IP: 34.66.224.143 MACHINE_TYPE: e2-medium NODE_VERSION: 1.27.3-gke.100 NUM_NODES: 3 STATUS: RUNNING

2. Now, clone a repository that contains code for a web app:

git clone https://github.com/GoogleCloudPlatform/microservices-demo && cd microservices-demo

3. Use kubectl to deploy a set of microservices to the GKE cluster:

kubectl apply -f ./release/kubernetes-manifests.yaml

4. After a couple minutes, run the following command to get the public IP address to access your web app in a browser:

kubectl get service frontend-external | awk '{print $4}'

5. Copy the IP address from the output of the above command and paste it into a new browser tab.

You should see a web app similar to the following:

Click Check my progress to verify your performed task. Create a GKE cluster and deploy a web app

Task 3. Identify security misconfigurations with Gemini

Now that you have an existing GKE cluster running an ecommerce app, you will identify areas where you can improve your security posture with Gemini.

1. Return to your tab with the Google Cloud console.

2. Refresh the Google Cloud console page.

3. Minimize the Cloud Shell pane.

4. Click on the Gemini icon () in the top-right corner of the Google Cloud console toolbar.

5. Click Start Chatting.

6. Enter the following prompt:

What services in Google Cloud can help me identify areas to improve security for a set of microservices running in a GKE cluster?

Gemini should respond with something similar to the following:

There are a number of services in Google Cloud that can help you identify areas to improve security for a set of microservices running in a GKE cluster. These include:

• Security Command Center can help you identify and prioritize security risks across your Google Cloud environment, including GKE clusters.
• Cloud Asset Inventory can help you track and manage your Google Cloud resources, including GKE clusters.
• Cloud Logging can help you collect and analyze logs from your GKE clusters.
• Cloud Monitoring can help you monitor the performance and health of your GKE clusters.

These are just a few of the many services in Google Cloud that can help you improve the security of your microservices. By using these services, you can help protect your data from unauthorized access, and you can also help improve your security posture over time.

In this scenario, you decide that Security Command Center sounds like the right place to start.

7. Open the Navigation menu and select Security > Risk Overview.

With multiple visualizations discussing vulnerabilities, you want to ask Gemini to help you quickly understand what is classified as a vulnerability in Security Command Center.

8. Enter the following prompt:

How does Security Command Center define a vulnerability?

Gemini's response should be similar to the following:

Security Command Center defines a vulnerability as a flaw or weakness in software programs that an attacker could use to gain access to or otherwise compromise your Google Cloud environment.

Source: https://cloud.google.com/security-command-center/docs/finding-classes

9. Click on the documentation link to better disambiguate between finding classes.

10. After reading about them, close the tab and return to the Google Cloud console.

11. Click Findings from the sidebar of the Google Cloud console.

12. To see the findings for your GKE cluster, find the "Quick Filters" section and select Google container cluster under Resource Type.

You should see a number of Medium severity findings.

13. Click on the Cluster secrets encryption disabled finding.

At the top of this finding panel, you should see a section titled "AI-Generated Summary" with a summary from Gemini, similar to the following:

Security Health Analytics in Security Command Center has identified a MEDIUM severity finding of type CLUSTER_SECRETS_ENCRYPTION_DISABLED in the google.container.Cluster named test...

This finding indicates that the cluster does not have application-layer secrets encryption enabled. This means that sensitive data, such as user-defined secrets and secrets required for the operation of the cluster, such as service account keys, are stored in etcd in plain text. This is a security risk, as an attacker who gains access to etcd could read these secrets.

To fix this finding, you need to enable application-layer secrets encryption for the cluster. You can do this by going to the Google Kubernetes Engine (GKE) console and clicking on the Security tab. Under Application-layer secrets encryption, click on Edit Application-layer Secrets Encryption. Select the Enable Application-layer Secrets Encryption checkbox and choose a database encryption key. Click Save Changes...

This summary from Gemini expanded upon the short description of the finding, providing a more detailed description of the issue with storing secrets in plaintext, along with instructions about one path you can take to remediate this finding.

14. Exit out of this information panel.

15. Next, click on the Over privileged account finding and view the summary provided by Gemini, similar to the following:

Security Health Analytics in Security Command Center has identified a MEDIUM severity finding of type OVER_PRIVILEGED_ACCOUNT in the google.container.Cluster named test...

The finding is caused by the fact that the GKE node uses the Compute Engine default service account, which has broad access by default and may be over privileged for running your Kubernetes Engine cluster.

This finding poses a risk because the Compute Engine default service account has access to all of the resources in the project, including the GKE cluster. If an attacker were to gain access to the service account, they would be able to access all of the resources in the project...

This summary provides specific documentation from Google about how to remediate the finding by creating a least-privilege Service Account to use for your GKE clusters.

16. Exit out of this information panel.

17. Finally, click on the Master authorized networks disabled finding. Gemini should provide a response in the panel, similar to the following:

Security Health Analytics in Security Command Center has identified a MEDIUM severity finding of type MASTER_AUTHORIZED_NETWORKS_DISABLED in the google.container.Cluster named test...

Control plane authorized networks improve security for your container cluster by blocking specified IP addresses from accessing your cluster's control plane.

To fix this finding, go to the Kubernetes cluster and click Edit. The edit button might be disabled if the cluster configuration recently changed. If you aren't able to edit the cluster settings, wait a few minutes and try again. On the Control plane authorized networks drop-down list, select Enabled. Click Add authorized network. Specify the authorized networks you want to use. Click Save....

18. Exit out of this information panel.

Now that you have an understanding of some of your environment's security misconfigurations, you will leverage Gemini's recommendations to remediate them.

Task 4. Remediate a security misconfiguration

Now that you have had the opportunity to review multiple areas to begin improving the security of your GKE cluster, you will remediate the "Master authorized networks disabled" finding using the instructions provided by Gemini's summary in Security Command Center.

1. Open the Navigation menu and select Kubernetes Engine > Clusters.

2. Click the name of the cluster you created earlier ("test").

3. Scroll down to the Networking section.

4. Click on the pencil icon next to Control plane authorized networks.

5. Check the box next to Enable control plane authorized networks.

6. Check the box underneath Allow access through Google Cloud public IP addresses.

7. Click Save changes.

8. Click Clusters in the sidebar.

You will see cluster being updated, shown by a spinning wheel icon in the Status section.

9. While the network policy updates for the control plane take place, open Gemini from the Google Cloud console toolbar.

10. Enter the following prompt:

How do control plane authorized networks work in GKE?

Gemini's response should be similar to the following:

Control plane authorized networks allow you to restrict access to the control plane of your GKE cluster. By default, the control plane is accessible from any address. However, you can add one or more authorized networks to restrict access to only those networks.

To add an authorized network, go to the Google Kubernetes Engine page in the Google Cloud console. Click the name of the cluster you want to modify. Under Networking, in the Control plane authorized networks field, click edit Edit control plane authorized networks...

Applying the updated control plane policy may take a few minutes to take effect.

11. Once you see a green checkmark in the Status column next to your cluster, you have successfully updated your cluster configuration.

Click Check my progress to verify your performed task. Remediate a security misconfiguration

End your lab

When you have completed your lab, click End Lab. Qwiklabs removes the resources you’ve used and cleans the account for you.

You will be given an opportunity to rate the lab experience. Select the applicable number of stars, type a comment, and then click Submit.

The number of stars indicates the following:

• 1 star = Very dissatisfied
• 2 stars = Dissatisfied
• 3 stars = Neutral
• 4 stars = Satisfied
• 5 stars = Very satisfied

You can close the dialog box if you don't want to provide feedback.

For feedback, suggestions, or corrections, please use the Support tab.

Copyright 2024 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.