Implement Google Cloud Organization Restrictions

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
L3 Networker
No ratings

mmclimans_1-1680296188803.png

 

 

Introduction

Security administrators can use Google Cloud IAM to control who can access resources within a Google Cloud organization.  However, companies  may require the ability to restrict access to resources and APIs that reside in different Google Cloud organizations. 


The combination of Palo Alto Networks URL filtering and Google Cloud organization restrictions, enables security teams to restrict employee access to sanctioned Google Cloud organizations.  The capability provides a variety of security benefits including, preventing insider attacks and also stopping data exfiltration. 

 

Use-Cases

There are many use-cases for organization restrictions, for example: 

 

 

How it works

The diagram below shows the required components to enforce organization restrictions.  When a managed device accesses a Google Cloud resource, the URL Filtering profile defined within the security policy, inserts the value for the organization restrictions header, X-Goog-Allowed-Resources

 
mmclimans_4-1680296396713.png

 

  1. Managed device: Any device that adheres to the organizational policies of the company and is connected to, or routed through, a Palo Alto Networks enforcement point with URL Filtering enabled.  For example, the managed device can be a remote user connected with GlobalProtect, a datacenter server protected by a PA-Series NGFW, or cloud resources protected by VM-Series NGFW. 
  2. Palo Alto Networks URL Filtering: A URL Filtering profile is created and attached to the security policy.  The profile inserts the organization restriction as a custom header for any requests originating from the managed device.  This configuration prevents users and devices from accessing any Google Cloud resources that reside in unsanctioned Google Cloud organizations.  
  3. Google Cloud: The organization restrictions feature in Google Cloud inspects all requests for organization restrictions header, and allows or denies the requests based on the organization being accessed.

 

Example Scenario

The network security administrator of Organization A, wants to allow employee access to resources hosted in their Google Cloud organization.  All employee access to cloud resources hosted in all other Google Cloud organizations should be denied. 

 

Configuration

A cloud and network security administrator for Organization A perform the following steps to implement organization restrictions.

 

  1. Retrieve the Google Cloud organization ID for Organization A.
    gcloud organizations list
    (output)
    DISPLAY_NAME: Organization A
    ID: 0123456
    DIRECTORY_CUSTOMER_ID: a1b2c3d4

  1. Create a JSON representation for the value that will be assigned to the organization restriction header, X-Goog-Allowed-Resources, and save it to a file named authorized_orgs.json.  Please see configure organization restrictions for complete information on constructing the value for the header.
    {
       "resources": ["organizations/0123456"],
       "options": "strict"
    }

  1. Encode the header value in base64 format.  Below is an example using  basenc.   The URL Filtering profile will insert the base64 string as the value for the X-Goog-Allowed-Resources header.
    cat authorized_orgs.json | basenc --base64url -w0
    (output)
    fdsasdfInJlc291cmNlasjdfaJnYW5pemF0ay8xMjM0NTY3ODkiXSwKICJvcHRpb25zIjogInN0cmljdCIKfQo​

  1. If there are no upstream devices decrypting HTTPS traffic, configure SSL Forward Proxy
  1. On the Palo Alto Networks device, edit or create a URL Filtering profile.  In the profile, click HTTP Header Insertion → Add to create a new entry.  Configure the entry as follows:
    • Header: X-Goog-Allowed-Resources
    • Value: Add the base64 encoded value from the previous step.
      mmclimans_0-1680297275872.png
  1. Apply the URL Filtering profile to your security policy that inspects the managed device’s internet traffic.
  1. Commit the changes.

Verify Configuration

The organization restrictions are applied for access to the Google Cloud APIs and Google Cloud console. On a managed device that has access to both Organization A and Organization B, perform the following to test the organization restrictions feature. 

 

  1. On the managed device, log into the Google Cloud Console with an account that has access to Organization A and Organization B.

  1. In the Console, click the Organization drop down menu.  

     

    Even though the user account on the managed device has access to Organization A and Organization B, only Organization A appears in the Google Cloud Console.  This is because the URL Filtering profile inserts the organization restriction header to enable Google Cloud to block the user from accessing other organizations.
    mmclimans_1-1680297558320.png

  1. From the same managed device, attempt to reach the logging API of a Google Project (i.e.org-a-project) that belongs to Organization A.

     

    The request should show a successful return of the log entries within the Google Cloud project belonging to Organization A.

    TOKEN=$(gcloud auth print-access-token)
    
    curl -X POST -d '{"projectIds": ["org-a-project"]}' -H 'Content-Type: application/json' -H "Authorization: Bearer ${TOKEN}" "https://logging.googleapis.com/v2/entries:list"
          
    (output)
    {
       [
          <..redacted..>
       ]
       nextPageToken": "EAB<..redacted..>RsAB"
    }

  1. Attempt to reach the logging API of a Google Cloud project (i.e. org-b-project) that does not belong to Organization A.

     

    The request should show a failed return to the Google Cloud project that does not belong to Organization A.  This is because the URL filtering profile inserted the organization restriction header into the request of the managed device.

    curl -X POST -d '{"projectIds": ["org-b-project"]}' -H 'Content-Type: application/json' -H "Authorization: Bearer ${TOKEN}" "https://logging.googleapis.com/v2/entries:list"
    (output)
    {
       "error": {
          "code": 403,
          "message": "Access denied by organization restriction. Please contact your 
                      administrator for additional information.",
          "status": "PERMISSION_DENIED",
          "details": [{
             "@type": "type.googleapis.com/google.rpc.ErrorInfo",
             "reason": "ORG_RESTRICTION_VIOLATION",
             "domain": "googleapis.com",
             "metadata": {
                "consumer": "projects/01234567890",
                "service": "logging.googleapis.com"
             }
          }]
       }
    }     

 

Additional Materials

Rate this article:
  • 6357 Views
  • 0 comments
  • 0 Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎05-03-2023 05:07 PM
Updated by: