## Cloud Security Capstone project
### Context
A recent analysis of the cloud infrastructure of Cymbal Fintech company showed that the system was vulnerable and non-compliant with several PCI-DSS access policies. This led to a major breach of the infrastructure, in which a malicious actor was able to exploit vulnerabilities in Cymbal Retail's cloud resources, including an insecurely configured firewall, bucket, and virtual machine (VM).

Through the Security Command Center, we are able to get an overview of the vulnerable aspects of the system.
### Identification
In our case, the risk assessment helped us discover various access-control misconfiguration vulnerabilities affecting three assets of the infrastructure: a Cloud Storage bucket, a Compute Engine virtual machine (VM) instance, and a firewall.

The active vulnerabilities detected on the assets showed one critical vulnerability, the public access set by default on the Cloud Storage bucket, and 3 medium vulnerabilities affecting secure access to the VM instance cc-app-01, as we will see shortly.
By checking the PCI-DSS compliance report, we note the compliance issues on the firewall, the VM and the storage bucket.

### Identification
To fix these compliance issues, we first identify the vulnerable assets and the related misconfigurations. In this case:
- Public IP address (VMs should not be assigned public IP addresses)
- Compute secure boot disabled
- Default service account used
- Full API access (instances should not be configured to use the default service account with full access to all Cloud APIs)
- Malware: bad domain

#### Process:
The Security Command Center (SCC) offers a range of functionalities that enable you not only to scan your infrastructure for vulnerabilities, but also to filter the findings so that you get all the information relevant to the scope of the vulnerable assets and the severity of each vulnerability.
In the **Google Cloud Console**, under **Security > Findings**, you have access to the dashboard shown previously and a whole list of other dashboard features for Risks, Threats, etc.
By applying another filter for active vulnerabilities, we were able to identify the vulnerable VM.

### Containment & Eradication
To contain the incident and make sure that any possible exploitation of the vulnerable VM does not cause damage to the whole infrastructure, we delete the vulnerable VM and recover the old system from its backup on a new machine.


Now we make sure that the access policies in place are secure and compliant with PCI-DSS.
### Recovery
The first step of this phase is to fix the permission policies on the Cloud Storage bucket. To do that, we navigate to **Storage > Buckets** and then to **Permissions** in the tab bar of the Buckets interface.
Once on that dashboard, we restrict public access in the ACL by removing *allUsers*' access to the bucket, and change the access control mode to Uniform, which disables ACLs on the bucket.




Once the permissions are fixed, we fix the firewall policies. First, we create a firewall rule named limit-ports that restricts SSH (TCP port 22) access to only authorized IP addresses from the source network **35.235.240.0/20** to Compute Engine VM instances with the target tag cc.


We then delete some conflicting rules and enable logging on the remaining rules to monitor access events that might be suspicious.

#### Process:
To configure the firewall policies through the Google Cloud console:
1. In the Navigation menu, we select **Network Security > Firewall policies**. The Firewall policies page opens.
2. In the VPC firewall rules section, select the checkboxes for the following VPC firewall rules:
   * default-allow-icmp
   * default-allow-rdp
   * default-allow-ssh
3. Click **Delete**.
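The checks behind the findings listed under Identification and the bucket and firewall fixes above can be reproduced offline. The script below is an added example, not part of the lab or its solution guide: it audits dictionaries shaped like `gcloud ... describe --format=json` output (constructed here; only the 35.235.240.0/20 source range, the `cc` tag and the `limit-ports` name come from the page) and returns the same findings the Security Command Center raised.

```python
import ipaddress
# Added example, not lab code: input shapes imitate `gcloud ... describe --format=json`.
IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")  # source range from the page
FULL_API = "https://www.googleapis.com/auth/cloud-platform"

def _covers_port(spec, port):  # gcloud port spec: "22" or "20-25"
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def audit_bucket(policy, uniform_access):
    # Public access on the bucket (the page's critical finding) and ACL mode.
    pub = [f"bucket: allUsers has {b['role']}" for b in policy.get("bindings", [])
           if "allUsers" in b.get("members", [])]
    return pub + ([] if uniform_access else ["bucket: uniform bucket-level access is off"])

def audit_firewall(rule):
    # SSH exposure, target scoping and logging of one ingress rule.
    findings, name = [], rule["name"]
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return findings
    ssh = any(a.get("IPProtocol") in ("tcp", "all") and
              (not a.get("ports") or any(_covers_port(p, 22) for p in a["ports"]))
              for a in rule.get("allowed", []))
    for src in (rule.get("sourceRanges", []) if ssh else []):
        if not ipaddress.ip_network(src).subnet_of(IAP_RANGE):
            findings.append(f"firewall {name}: SSH reachable from {src}")
    if ssh and not rule.get("targetTags"):
        findings.append(f"firewall {name}: SSH rule has no target tag")
    if not rule.get("logConfig", {}).get("enable"):
        findings.append(f"firewall {name}: logging disabled")
    return findings

def audit_instance(inst):
    # The four VM findings listed under Identification.
    findings, name = [], inst["name"]
    if any(n.get("accessConfigs") for n in inst.get("networkInterfaces", [])):
        findings.append(f"{name}: public IP address assigned")
    if not inst.get("shieldedInstanceConfig", {}).get("enableSecureBoot"):
        findings.append(f"{name}: secure boot disabled")
    for sa in inst.get("serviceAccounts", []):
        if sa["email"].endswith("-compute@developer.gserviceaccount.com"):
            findings.append(f"{name}: default service account used")
        if FULL_API in sa.get("scopes", []):
            findings.append(f"{name}: full access to all Cloud APIs")
    return findings
# Constructed samples: the rule the lab deletes and the limit-ports rule it creates.
DEFAULT_ALLOW_SSH = {"name": "default-allow-ssh", "sourceRanges": ["0.0.0.0/0"],
                     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}
LIMIT_PORTS = {"name": "limit-ports", "sourceRanges": ["35.235.240.0/20"], "targetTags": ["cc"],
               "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "logConfig": {"enable": True}}
```

Running `audit_firewall` over both samples shows three findings for `default-allow-ssh` and none for `limit-ports`, which is exactly why the lab deletes the former and creates the latter.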
### Post-Incident Response
After ensuring that all the misconfigurations were fixed, we return to the PCI-DSS compliance report to check that everything was indeed corrected.


### Conclusion
This project was a very effective way to show how a Cloud Security Analyst uses standards and security frameworks alongside cloud tools like the Security Command Center, Cloud Logging and others to ensure that the cloud is safe for organizations and users.
**References**
G. C. S. Boost, 'The capstone project - Solution guide: Respond and recover from a data breach', Google Cloud Skills Boost. Accessed: Oct. 13, 2025. [Online]. Available: https://www.cloudskillsboost.google/paths/419/course_templates/1305/documents/580238