Objectives
No publicly exposed attack surfaces beyond what is explicitly required
All secrets and API keys removed from code, images, and instances
Principle-of-least-privilege enforced across service accounts and IAM
Clear monitoring and alerting in place to detect abuse, cost spikes, or anomalous behavior
Horizontal auto-scaling implemented for Kubernetes workloads to reduce cost and improve resource utilization
Scope of Work
1. Compute & Network Hardening
Audit all GCE instances for:
Public IP exposure
Open ports and unnecessary services
Lock down ingress/egress using:
VPC firewall rules (explicit allow-lists only)
Removal of unused public IPs
Validate SSH access:
Disable password authentication
Ensure key-based access only
Confirm OS Login / IAP where appropriate
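As an added example (not part of this posting), a Python audit helper for the first two items above: it reads the JSON that `gcloud compute instances list --format=json` and `gcloud compute firewall-rules list --format=json` emit and reports instances holding an external IP and enabled ingress rules reachable from any source address. The embedded sample JSON is constructed; the field names follow the Compute Engine API, but verify them against your own gcloud output.

```python
"""Flag public IPs and world-open ingress rules in gcloud JSON output (constructed samples)."""
import ipaddress
import json

# Constructed sample shaped like `gcloud compute instances list --format=json`.
INSTANCES_JSON = """[
 {"name": "web-1", "networkInterfaces": [{"accessConfigs": [{"natIP": "203.0.113.10"}]}]},
 {"name": "worker-1", "networkInterfaces": [{"network": "default"}]}
]"""

# Constructed sample shaped like `gcloud compute firewall-rules list --format=json`.
FIREWALL_JSON = """[
 {"name": "allow-ssh-anywhere", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "allow-https-lb", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
 {"name": "allow-all-internal", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "all"}]}
]"""


def instances_with_public_ip(instances):
    """Names of instances with at least one NIC that has an external (NAT) address."""
    exposed = []
    for inst in instances:
        for nic in inst.get("networkInterfaces", []):
            if any(cfg.get("natIP") for cfg in nic.get("accessConfigs", [])):
                exposed.append(inst["name"])
                break
    return exposed


def world_open_ingress(rules):
    """(rule, protocol, ports) for enabled INGRESS rules whose source range is 0.0.0.0/0 or ::/0."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        ranges = [ipaddress.ip_network(r) for r in rule.get("sourceRanges", [])]
        if not any(net.prefixlen == 0 for net in ranges):  # /0 means "anywhere"
            continue
        for allow in rule.get("allowed", []):
            findings.append((rule["name"], allow["IPProtocol"], tuple(allow.get("ports", ["all"]))))
    return findings


def audit(instances_json=INSTANCES_JSON, firewall_json=FIREWALL_JSON):
    """Run both checks over raw gcloud JSON text and return the findings."""
    return {
        "public_ip_instances": instances_with_public_ip(json.loads(instances_json)),
        "world_open_ingress": world_open_ingress(json.loads(firewall_json)),
    }


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
```

Each finding is an item to justify or remove; the sample flags `web-1` (external IP) and `allow-ssh-anywhere` (tcp/22 from 0.0.0.0/0), while the load-balancer and internal rules pass.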
2. API Key & Secret Management
Identify exposed or improperly stored:
GCP service account keys
API keys (internal and third-party)
Rotate all relevant credentials
Ensure no secrets exist in:
Source code
Container images
Startup scripts
Plaintext environment variables
3. IAM & Service Account Review
Audit service accounts used by:
Compute instances
Kubernetes workloads
APIs and background jobs
Remove:
Over-permissive roles (e.g., Owner, Editor)
Unused or legacy service accounts
Apply least-privilege role bindings and document intent
4. Monitoring, Alerting & Abuse Prevention
Improve Grafana alerts for GCP workloads, including:
Compute (CPU, memory, disk, network)
Kubernetes cluster and pod-level metrics
Set up alerts for:
Unusual CPU/GPU utilization
Daily or weekly cost spikes
Sudden instance or pod creation
Network egress spikes
Cost anomalies
Review and tune:
GCP Security Command Center settings
Budget alerts and anomaly detection
Optional: lightweight preventive guardrails (e.g., policies to restrict crypto-mining–related images or workloads)
5. Kubernetes Scaling & Cost Controls
Review existing Kubernetes configuration and workloads
Implement or refine:
Horizontal Pod Autoscaling (framework set up using Terraform)
Resource requests and limits
Ensure scaling behavior:
Matches real production load
Avoids runaway compute costs
Validate autoscaling with test traffic or simulated load (where feasible)
6. Documentation & Handoff
Deliver a concise security and operations report including:
What was changed
What risks were eliminated
Remaining risks or follow-ups
Provide:
A 1–2 page Security & Ops Maintenance Checklist
Clear guidance on how the team should monitor and respond going forward
Deliverables
Hardened GCP environment with documented changes
Rotated and secured secrets
IAM roles cleaned and minimized
Client IP allow-listing optimized
Grafana dashboards and alerts configured and tested
Kubernetes workloads horizontally scalable and cost-aware
Written handoff documentation (concise, operational)
Required Experience
3+ years working with Google Cloud Platform
Strong experience with:
GCE
IAM
VPC networking & firewall rules
GCP Secret Manager; Kubernetes ConfigMaps and Secrets
Kubernetes (GKE preferred)
Horizontal Pod Autoscaling
Grafana / Prometheus-based monitoring
Prior experience responding to:
Cloud abuse incidents
Compromised or crypto-mining workloads
Ability to execute independently and explain decisions clearly
How to Apply
Please include:
A brief description of a similar GCP security hardening or incident response you’ve done
Experience implementing Grafana monitoring and Kubernetes autoscaling in production
Your proposed approach for the first 72 hours of this engagement
Estimated hours and availability