Security is a core feature of the Google Cloud Platform, but there are still steps you should take to identify vulnerabilities and protect your App Engine app.
Use the following features to ensure that your App Engine app is secure. To learn more about the Google Security Model and the available steps that you can take to secure your Cloud Platform projects, see Google Cloud Platform Security.
Identity and access management
You can set access control using Identity and Access Management (IAM) roles at the Cloud Platform project level. Assign a role to a Cloud Platform project member or service account to determine that principal's level of access to your Cloud Platform project and its resources. For details, see Access Control.
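As an added example (not code from this page or from Google), the following script audits a project-level IAM policy for grants that are broader than a least-privilege setup needs. It reads the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints and flags roles granted to public principals, basic roles held by service accounts, and Owner grants; the project name, principals and role assignments in the sample policy are constructed.

```python
"""Audit a project-level IAM policy for grants that are broader than needed.

Added example; not code from the original page or from Google.  Input is the
JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints:
{"bindings": [{"role": "...", "members": ["user:...", ...]}], "etag": "...",
"version": 1}.  The policy below is constructed sample data.
"""
import json

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy (the project and principals are made up).
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "etag": "BwWKmjvelug=",
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:app@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["allUsers"]},
        {"role": "roles/appengine.appViewer", "members": ["group:devs@example.com"]},
        {"role": "roles/cloudsql.client",
         "members": ["serviceAccount:app@my-project.iam.gserviceaccount.com"]},
    ],
})


def audit_policy(policy_json):
    """Return (finding, role, member) tuples for grants worth reviewing.

    Checks, in order of severity:
      public-principal               any role granted to allUsers/allAuthenticatedUsers
      basic-role-on-service-account  owner/editor/viewer held by a service account
      owner-grant                    roles/owner on any other principal
    """
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append(("public-principal", role, member))
            elif role in BASIC_ROLES and member.startswith("serviceAccount:"):
                findings.append(("basic-role-on-service-account", role, member))
            elif role == "roles/owner":
                findings.append(("owner-grant", role, member))
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(*finding)
```

Owner grants are not always wrong (running the Security Scanner requires project ownership, for instance), but they should be few and held by people rather than by the app's service account, which is why the audit lists every one of them for review rather than only the public grants.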
Security Scanner
The Google Cloud Security Scanner discovers vulnerabilities by crawling your App Engine app, following all the links within the scope of your starting URLs, and attempting to exercise as many user inputs and event handlers as possible.
In order to use the security scanner, you must be an owner of the Cloud Platform project. For more information on assigning roles, see Granting Project Access.
You can run security scans from the Google Cloud Platform Console to identify security vulnerabilities in your App Engine app. For details about running the Security Scanner, see the Security Scanner Quickstart.
App Engine firewall
The App Engine firewall enables you to control access to your App Engine app through a set of rules that can either allow or deny requests from the specified ranges of IP addresses.
Create a firewall to:
- Allow only traffic from within a specific network: ensure that only a certain range of IP addresses from specific networks can access your app. For example, create rules that allow only the IP address range of your company's private network during your app's testing phase. You can then create and modify firewall rules to control the scope of access throughout your release process, allowing only certain organizations, either within your company or external, to access your app as it makes its way to public availability.
- Allow only traffic from a specific service: ensure that all traffic to your App Engine app is first proxied through a specific service. For example, if you use a third-party Web Application Firewall (WAF) to proxy requests directed at your app, create firewall rules that deny all requests except those forwarded from the WAF's egress IP ranges; without such rules, clients can reach the app directly and bypass the WAF.
- Block abusive IP addresses: while Google Cloud Platform has many mechanisms in place to prevent various attacks, you can use the App Engine firewall as an additional mechanism to block traffic to your app from IP addresses that show malicious intent.
Use the App Engine firewall as your primary option for shielding your app from denial of service attacks or similar forms of abuse. You can blacklist IP addresses or subnets so that requests from those addresses and subnets are denied before they reach your App Engine app.
For details about creating rules and configuring your firewall, see Controlling App Access with Firewalls.
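The three use cases above all depend on how the firewall orders its rules. As an added example (not code from this page or from Google), the following script models that evaluation so a rule set can be checked before it is deployed: rules are tried in ascending priority order, the first rule whose source range contains the client address decides, and the default rule (priority 2147483647, which allows all traffic until you change it with `gcloud app firewall-rules update default --action=DENY`) catches everything else. The rule sets and client addresses are constructed; the WAF egress range and the abusive host are placeholders.

```python
"""Model App Engine firewall rule evaluation before deploying a rule set.

Added example; not code from the original page or from Google.  It encodes
the rule semantics you rely on when you write rules with
`gcloud app firewall-rules create PRIORITY --action=ALLOW|DENY --source-range=RANGE`:
rules are checked in ascending priority order, the first rule whose source
range contains the client address decides, and the default rule (priority
2147483647, ALLOW until you change it) catches the rest.  All rule sets and
client addresses below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

DEFAULT_PRIORITY = 2147483647


@dataclass(frozen=True)
class Rule:
    priority: int
    action: str          # "ALLOW" or "DENY"
    source_range: str    # single address or CIDR range, IPv4 or IPv6
    description: str = ""

    def network(self):
        return ipaddress.ip_network(self.source_range, strict=False)


def evaluate(rules, client_ip, default_action="ALLOW"):
    """Return (action, priority) of the rule that decides for client_ip."""
    addr = ipaddress.ip_address(client_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        net = rule.network()
        if addr.version == net.version and addr in net:
            return rule.action, rule.priority
    return default_action, DEFAULT_PRIORITY


def lint(rules, default_action="ALLOW"):
    """Flag mistakes that make a rule set behave differently from its intent."""
    problems = []
    ordered = sorted(rules, key=lambda r: r.priority)
    seen = set()
    for rule in ordered:
        if rule.priority in seen:
            problems.append(f"duplicate priority {rule.priority}")
        seen.add(rule.priority)
    # An allowlist only restricts anything if the default rule denies.
    if default_action == "ALLOW" and rules and all(r.action == "ALLOW" for r in rules):
        problems.append("only ALLOW rules with a default of ALLOW: nothing is blocked")
    # A rule whose range sits inside an earlier (lower-number) rule never fires.
    for i, earlier in enumerate(ordered):
        e_net = earlier.network()
        for later in ordered[i + 1:]:
            l_net = later.network()
            if l_net.version == e_net.version and l_net.subnet_of(e_net):
                problems.append(
                    f"rule {later.priority} is shadowed by rule {earlier.priority} "
                    f"({earlier.source_range})")
    return problems


# Scenario 1: only requests proxied through the WAF's egress range get in.
WAF_ONLY = [Rule(100, "ALLOW", "203.0.113.0/24", "WAF egress")]

# Scenario 2: same allowlist, plus one abusive host inside that range cut off
# by a lower-numbered DENY rule.
WAF_WITH_BLOCK = [
    Rule(10, "DENY", "203.0.113.66", "abusive host behind the WAF"),
    Rule(100, "ALLOW", "203.0.113.0/24", "WAF egress"),
]

# Scenario 3: the same two rules with priorities swapped; the DENY never fires.
SHADOWED = [
    Rule(10, "ALLOW", "203.0.113.0/24", "WAF egress"),
    Rule(100, "DENY", "203.0.113.66", "abusive host behind the WAF"),
]


if __name__ == "__main__":
    for ip in ("203.0.113.7", "203.0.113.66", "198.51.100.9"):
        print(ip, evaluate(WAF_WITH_BLOCK, ip, default_action="DENY"))
    print(lint(SHADOWED, default_action="DENY"))
```

The lint step catches the two errors that most often undo a firewall's intent: an allowlist deployed while the default rule still allows everything, and a block rule given a higher priority number than a broader allow rule, so that the block is never reached.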
Denial of service (DoS) protection service
The App Engine denial of service (DoS) protection service enables you to protect your App Engine app from running out of quota when subjected to denial of service attacks or similar forms of abuse. You can blacklist IP addresses or subnets, and requests routed from those addresses or subnets will be dropped before your App Engine app code is called. No resource allocations, billed or otherwise, are consumed for these requests.
The DoS protection service is designed for quantitative abuse prevention, such as limiting the impact of DoS attacks, and blacklisting is best-effort. Requests from blacklisted addresses might therefore still get through to your App Engine app, so you cannot depend on this service for general security or access control.
By default, App Engine serves a generic error page to blacklisted addresses, but you can create and serve a custom response instead. For details, see error handlers in the
The DoS protection service is configured by defining which networks to block in the dos.yaml file. For more information, see the
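As an added example (not code from this page or from Google), the following script builds a dos.yaml blacklist from an abuse list, validating every entry and dropping hosts that are already covered by a listed subnet before writing the file. The dos.yaml shape it emits (`blacklist:` entries with `subnet` and `description`) is the one the DoS protection service reads; the 100-entry cap in MAX_ENTRIES is an assumption to confirm against the dos.yaml reference for your runtime, and the abuse list is constructed.

```python
"""Generate a validated dos.yaml blacklist from an abuse list.

Added example; not code from the original page or from Google.  The dos.yaml
shape it emits is the one the DoS protection service reads:

    blacklist:
    - subnet: 198.51.100.0/24
      description: scanner botnet

Assumptions, to be checked against the dos.yaml reference for your runtime:
MAX_ENTRIES reflects a cap of 100 blacklist entries, and each subnet must
be a single IPv4/IPv6 address or a CIDR range.  The abuse list below is
constructed sample data.
"""
import ipaddress

MAX_ENTRIES = 100  # assumed dos.yaml blacklist limit; verify in the reference

# Constructed sample input: (address or CIDR, description).  It deliberately
# contains a duplicate and a host already covered by a listed subnet.
ABUSE_REPORT = [
    ("198.51.100.23", "credential stuffing, ticket 1041"),
    ("198.51.100.0/24", "scanner botnet"),
    ("198.51.100.23", "credential stuffing, ticket 1042"),
    ("2001:db8::1", "IPv6 abuser"),
]


def normalize(entries):
    """Parse entries, drop ones covered by a broader listed subnet, enforce the cap.

    Raises ValueError on an unparsable subnet or when the result exceeds
    MAX_ENTRIES, so a bad file is rejected here rather than at deploy time.
    """
    parsed = [(ipaddress.ip_network(subnet, strict=False), desc)
              for subnet, desc in entries]
    # Broadest ranges first, so covered hosts are seen after their covering subnet.
    parsed.sort(key=lambda item: (item[0].version, item[0].prefixlen,
                                  item[0].network_address))
    kept = []
    for net, desc in parsed:
        if any(net.version == k.version and net.subnet_of(k) for k, _ in kept):
            continue  # duplicate, or inside a subnet that is already blacklisted
        kept.append((net, desc))
    if len(kept) > MAX_ENTRIES:
        raise ValueError(
            f"{len(kept)} entries exceed the {MAX_ENTRIES}-entry blacklist limit")
    return kept


def render_dos_yaml(entries):
    """Return dos.yaml text; single hosts are written without a prefix length."""
    lines = ["blacklist:"]
    for net, desc in normalize(entries):
        subnet = (str(net.network_address) if net.prefixlen == net.max_prefixlen
                  else str(net))
        lines.append(f"- subnet: {subnet}")
        lines.append(f"  description: {desc}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_dos_yaml(ABUSE_REPORT), end="")
```

Merging covered hosts into their subnet matters because the blacklist is small: a list assembled from per-incident tickets fills the cap with redundant /32 entries long before it runs out of distinct abusers.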