A comprehensive Google Cloud Platform (GCP) infrastructure auditing tool
_______ __ ________
/ ____(_) /________ _______ / _/ __ \
/ / / / __/ ___/ / / / ___/ / // / / /
/ /___/ / /_/ / / /_/ (__ ) _/ // /_/ /
\____/_/\__/_/ \__,_|____/ /___/\____/
- 🚀 Auto-discovery: Automatically finds all accessible GCP projects
- 🔍 Comprehensive auditing: Covers IAM, compute, storage, networking, and more
- 📊 Detailed reporting: Generates JSON reports with timestamped data
- 📁 Organized output: Creates structured audit reports directory
- ✅ Enabled APIs and services
- ✅ IAM policies and bindings
- ✅ Service accounts and configurations
- ✅ Virtual Machine instances
- ✅ Instance metadata and configurations
- ✅ Compute zones and regions
- ✅ Cloud Storage buckets
- ✅ Cloud SQL instances
- ✅ Storage policies and permissions
- ✅ VPC networks and subnetworks
- ✅ Firewall rules and priorities
- ✅ Network routing configurations
- ✅ Google Kubernetes Engine (GKE) clusters
- ✅ Node pools and configurations
- Python 3.7+
- Google Cloud SDK (gcloud)
- GCP project access with appropriate permissions
-
Clone the repository:
git clone <your-repo-url> cd GCP_audit
-
Install dependencies:
pip install -r requirements.txt
-
Authenticate with GCP:
gcloud auth application-default login
Audit all accessible projects:
python gcp_audit_script.pyAudit specific projects:
python gcp_audit_script.py --projects project-1 project-2Use service account credentials:
python gcp_audit_script.py --credentials /path/to/service-account-key.json[19:10:39] 🚀 Initializing GCP Auditor...
[19:10:39] 🔐 Using Application Default Credentials
[19:10:39] 🔧 Initializing GCP clients...
[19:10:51] ✅ All clients initialized successfully
_______ __ ________
/ ____(_) /________ _______ / _/ __ \
/ / / / __/ ___/ / / / ___/ / // / / /
/ /___/ / /_/ / / /_/ (__ ) _/ // /_/ /
\____/_/\__/_/ \__,_|____/ /___/\____/
[19:10:51] 🚀 Starting GCP Infrastructure Audit...
[19:10:51] 📋 Will audit 3 projects
[19:10:51] 📊 [1/3] Processing project: production-app
[19:10:51] 🔍 Auditing project: production-app
[19:10:51] 🔌 Getting enabled APIs for production-app
[19:10:51] ✅ Found 25 enabled APIs
[19:10:51] 🔐 Getting IAM policy for production-app
[19:10:52] ✅ Found 12 IAM bindings
[19:10:52] 💻 Getting compute instances for production-app
[19:10:53] ✅ Found 5 compute instances
The tool requires the following IAM roles:
roles/viewer
roles/iam.securityReviewer
roles/serviceusage.serviceUsageViewerroles/resourcemanager.organizationViewer
roles/resourcemanager.folderViewerReports are saved in the audit_reports/ directory:
audit_reports/
└── gcp_audit_report_20241227_191051.json
{
"audit_metadata": {
"timestamp": "2024-12-27T19:10:51",
"auditor_version": "1.0.0",
"projects_audited": 3
},
"projects": {
"project-id": {
"project_id": "project-id",
"enabled_apis": [...],
"iam_policy": {...},
"service_accounts": [...],
"compute_instances": [...],
"storage_buckets": [...],
"network_info": {...}
}
}
}- Credential Protection: Never logs or stores credentials
- Safe Defaults: Read-only operations by default
- Error Handling: Graceful handling of permission errors
- Audit Trail: Comprehensive logging of all operations
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account-key.json
export GOOGLE_CLOUD_PROJECT=default-project-idpython gcp_audit_script.py --help
optional arguments:
--credentials PATH Path to service account JSON file
--projects [PROJECT_IDS ...] Specific project IDs to audit
--output FILENAME Output file name (default: timestamped)- Fork the repository
- Create a feature branch
- Make your changes
- Add tests if applicable
- Submit a pull request
This project is licensed under the MIT License - see the LICENSE file for details.
--