A comprehensive Google Cloud Platform (GCP) infrastructure auditing tool
_______ __ ________
/ ____(_) /________ _______ / _/ __ \
/ / / / __/ ___/ / / / ___/ / // / / /
/ /___/ / /_/ / / /_/ (__ ) _/ // /_/ /
\____/_/\__/_/ \__,_|____/ /___/\____/
- π Auto-discovery: Automatically finds all accessible GCP projects
- π Comprehensive auditing: Covers IAM, compute, storage, networking, and more
- π Detailed reporting: Generates JSON reports with timestamped data
- π Organized output: Creates structured audit reports directory
- β Enabled APIs and services
- β IAM policies and bindings
- β Service accounts and configurations
- β Virtual Machine instances
- β Instance metadata and configurations
- β Compute zones and regions
- β Cloud Storage buckets
- β Cloud SQL instances
- β Storage policies and permissions
- β VPC networks and subnetworks
- β Firewall rules and priorities
- β Network routing configurations
- β Google Kubernetes Engine (GKE) clusters
- β Node pools and configurations
- Python 3.7+
- Google Cloud SDK (gcloud)
- GCP project access with appropriate permissions
-
Clone the repository:
git clone <your-repo-url> cd GCP_audit
-
Install dependencies:
pip install -r requirements.txt
-
Authenticate with GCP:
gcloud auth application-default login
Audit all accessible projects:
python gcp_audit_script.pyAudit specific projects:
python gcp_audit_script.py --projects project-1 project-2Use service account credentials:
python gcp_audit_script.py --credentials /path/to/service-account-key.json[19:10:39] π Initializing GCP Auditor...
[19:10:39] π Using Application Default Credentials
[19:10:39] π§ Initializing GCP clients...
[19:10:51] β
All clients initialized successfully
_______ __ ________
/ ____(_) /________ _______ / _/ __ \
/ / / / __/ ___/ / / / ___/ / // / / /
/ /___/ / /_/ / / /_/ (__ ) _/ // /_/ /
\____/_/\__/_/ \__,_|____/ /___/\____/
[19:10:51] π Starting GCP Infrastructure Audit...
[19:10:51] π Will audit 3 projects
[19:10:51] π [1/3] Processing project: production-app
[19:10:51] π Auditing project: production-app
[19:10:51] π Getting enabled APIs for production-app
[19:10:51] β
Found 25 enabled APIs
[19:10:51] π Getting IAM policy for production-app
[19:10:52] β
Found 12 IAM bindings
[19:10:52] π» Getting compute instances for production-app
[19:10:53] β
Found 5 compute instances
The tool requires the following IAM roles:
roles/viewer
roles/iam.securityReviewer
roles/serviceusage.serviceUsageViewerroles/resourcemanager.organizationViewer
roles/resourcemanager.folderViewerReports are saved in the audit_reports/ directory:
audit_reports/
βββ gcp_audit_report_20241227_191051.json
{
"audit_metadata": {
"timestamp": "2024-12-27T19:10:51",
"auditor_version": "1.0.0",
"projects_audited": 3
},
"projects": {
"project-id": {
"project_id": "project-id",
"enabled_apis": [...],
"iam_policy": {...},
"service_accounts": [...],
"compute_instances": [...],
"storage_buckets": [...],
"network_info": {...}
}
}
}- Credential Protection: Never logs or stores credentials
- Safe Defaults: Read-only operations by default
- Error Handling: Graceful handling of permission errors
- Audit Trail: Comprehensive logging of all operations
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account-key.json
export GOOGLE_CLOUD_PROJECT=default-project-idpython gcp_audit_script.py --help
optional arguments:
--credentials PATH Path to service account JSON file
--projects [PROJECT_IDS ...] Specific project IDs to audit
--output FILENAME Output file name (default: timestamped)- Fork the repository
- Create a feature branch
- Make your changes
- Add tests if applicable
- Submit a pull request
This project is licensed under the MIT License - see the LICENSE file for details.
--