gcp-waf-security
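A Skill that helps harden Google Cloud: it supports security measures from the design stage, adoption of a zero trust model, vulnerability scanning in CI/CD, and use of services such as VPC Service Controls and Cloud Armor, so that a security posture can be assessed and improved efficiently.
📜 Original English description (for reference)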
Apply the Google Cloud Well-Architected Framework's Security pillar — security by design, zero trust with IAP and BeyondCorp, shift-left scanning in CI/CD, Binary Authorization, VPC Service Controls, Cloud Armor, Sensitive Data Protection, and Security Command Center. Use for security architecture reviews, hardening checklists, and compliance evaluations.
Copy the command below and paste it into a terminal (Mac/Linux) or PowerShell (Windows). Download, extraction, and placement are fully automatic.

Mac/Linux:

```bash
mkdir -p ~/.claude/skills && cd ~/.claude/skills && curl -L -o gcp-waf-security.zip https://jpskill.com/download/14936.zip && unzip -o gcp-waf-security.zip && rm gcp-waf-security.zip
```

Windows (PowerShell):

```powershell
$d = "$env:USERPROFILE\.claude\skills"; ni -Force -ItemType Directory $d | Out-Null; iwr https://jpskill.com/download/14936.zip -OutFile "$d\gcp-waf-security.zip"; Expand-Archive "$d\gcp-waf-security.zip" -DestinationPath $d -Force; ri "$d\gcp-waf-security.zip"
```

When it finishes, restart Claude Code. After that, just talk to it normally (for example, "make a video prompt") and the Skill triggers automatically.
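💾 Manual download (for those who find the command difficult)
- 1. Press the blue button below to download gcp-waf-security.zip
- 2. Double-click the ZIP file to extract it; this creates the gcp-waf-security folder
- 3. Move that folder to C:\Users\YourName\.claude\skills\ (Windows) or ~/.claude/skills/ (Mac)
- 4. Restart Claude Code

⚠️ Download and use at your own risk. This site accepts no responsibility for the content, operation, or safety.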
🎯 What this Skill can do
Read the description below to see what this Skill does for you. It triggers automatically when you ask Claude for something in this area.
📦 How to install (3 steps)
- 1. Press the "Download" button above to get the .skill file
- 2. Change the file extension from .skill to .zip and extract it (macOS can extract it automatically)
- 3. Place the extracted folder in .claude/skills/ under your home folder
  - macOS / Linux: ~/.claude/skills/
  - Windows: %USERPROFILE%\.claude\skills\

Restart Claude Code and you are done. You do not need to say "use this Skill…"; it is invoked automatically for related requests.
- Last updated: 2026-05-18
- Retrieved: 2026-05-18
- Bundled files: 1
GCP Well-Architected Framework — Security
Overview
Security is layered: identity, network, data, supply chain, runtime, and ops. The Google Cloud Well-Architected Framework's Security pillar gives you the principles and the product map. This skill applies it to evaluate workloads and recommend concrete controls — not generic advice.
Instructions
Core Principles
| Principle | What it means |
|---|---|
| Security by design | Threat-model in the design phase, not after launch |
| Zero trust | Authenticate every request; trust nothing by network position |
| Shift-left security | Scan, sign, and verify in CI; not in production |
| Preemptive cyber defense | Threat intelligence, centralized logs, automated response |
| Use AI securely & responsibly | Protect models, data, and use SAIF guidance |
| Use AI for security | Gemini in Security, Google SecOps for automation |
| Compliance & privacy | Assured Workloads, Org Policy, regional residency |
Identity & Access (Zero Trust Foundation)
```bash
# Disable default networks at org level (Org Policy)
gcloud resource-manager org-policies enable-enforce \
  compute.skipDefaultNetworkCreation \
  --organization=ORG_ID

# Restrict service account key creation
gcloud resource-manager org-policies enable-enforce \
  iam.disableServiceAccountKeyCreation --organization=ORG_ID

# Restrict resources to approved regions
gcloud resource-manager org-policies set-policy policy.yaml --organization=ORG_ID
```

```yaml
# policy.yaml — only allow EU regions
constraint: constraints/gcp.resourceLocations
listPolicy:
  allowedValues:
    - in:eu-locations
```

```bash
# Identity-Aware Proxy for internal apps (no VPN needed)
gcloud iap web add-iam-policy-binding \
  --resource-type=backend-services --service=internal-app \
  --member="group:eng-team@example.com" \
  --role="roles/iap.httpsResourceAccessor"
```
Network Security
```bash
# Hierarchical firewall policies — applied at folder/org, can't be overridden by projects
# The policy is addressed by its short name (no positional name), and it only takes
# effect once associated with the org or a folder (firewall-policies associations create).
gcloud compute firewall-policies create \
  --organization=ORG_ID --short-name="org-baseline" \
  --description="global-deny-all"

gcloud compute firewall-policies rules create 1000 \
  --firewall-policy=org-baseline --organization=ORG_ID \
  --action=deny --direction=EGRESS \
  --layer4-configs=tcp,udp \
  --dest-ip-ranges=0.0.0.0/0

# Cloud Armor — DDoS + WAF for HTTPS load balancers
gcloud compute security-policies create web-policy \
  --description="OWASP rules + rate limiting"

gcloud compute security-policies rules create 1000 \
  --security-policy=web-policy \
  --expression="evaluatePreconfiguredExpr('sqli-v33-stable')" \
  --action=deny-403

# Rate-based rules need an exceed action; deny-429 is chosen here as an example value.
gcloud compute security-policies rules create 2000 \
  --security-policy=web-policy \
  --expression="true" \
  --action=rate-based-ban \
  --rate-limit-threshold-count=100 \
  --rate-limit-threshold-interval-sec=60 \
  --ban-duration-sec=600 \
  --conform-action=allow \
  --exceed-action=deny-429 \
  --enforce-on-key=IP

# VPC Service Controls — perimeter around sensitive APIs (BigQuery, GCS, etc.)
gcloud access-context-manager perimeters create prod-perimeter \
  --title="Prod data perimeter" \
  --resources=projects/PROJECT_NUMBER \
  --restricted-services=bigquery.googleapis.com,storage.googleapis.com \
  --policy=POLICY_NUMBER
```
VPC Service Controls is the right answer when you need data-exfiltration protection — it prevents service accounts inside the perimeter from sending data to projects outside it, even with valid credentials.
Shift-Left: Supply Chain Security
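```yaml
# cloudbuild.yaml — scan, sign, then deploy
steps:
  - name: gcr.io/cloud-builders/docker
    args: ['build', '-t', '${_IMAGE}:${SHORT_SHA}', '.']
  # Scan the locally built image (it is not in the registry yet, so no --remote)
  # and keep the scan name for the gate below.
  - name: gcr.io/google.com/cloudsdktool/cloud-sdk
    entrypoint: bash
    args:
      - -c
      - |
        gcloud artifacts docker images scan ${_IMAGE}:${SHORT_SHA} \
          --format='value(response.scan)' > /workspace/scan_id.txt
  # list-vulnerabilities takes the scan name, not the image URI.
  # Shell variables are written $$VAR so Cloud Build does not treat them as substitutions.
  - name: gcr.io/google.com/cloudsdktool/cloud-sdk
    entrypoint: bash
    args:
      - -c
      - |
        VULNS=$(gcloud artifacts docker images list-vulnerabilities \
          "$(cat /workspace/scan_id.txt)" \
          --format='value(vulnerability.effectiveSeverity)' | grep -Fx CRITICAL)
        if [ -n "$$VULNS" ]; then
          echo "Critical vulnerabilities found"; exit 1
        fi
  # Push so the image has a registry digest; attestations bind to a digest, not a tag.
  - name: gcr.io/cloud-builders/docker
    args: ['push', '${_IMAGE}:${SHORT_SHA}']
  # Sign as build-attestor. The policy below also requires security-attestor,
  # whose attestation has to come from a separate signer.
  - name: gcr.io/google.com/cloudsdktool/cloud-sdk
    entrypoint: bash
    args:
      - -c
      - |
        IMAGE_URL=$(gcloud artifacts docker images describe ${_IMAGE}:${SHORT_SHA} \
          --format='value(image_summary.fully_qualified_digest)')
        gcloud beta container binauthz attestations sign-and-create \
          --artifact-url="$$IMAGE_URL" \
          --attestor=projects/PROJECT/attestors/build-attestor \
          --keyversion=projects/PROJECT/locations/global/keyRings/binauthz/cryptoKeys/build-signer/cryptoKeyVersions/1
images: ['${_IMAGE}:${SHORT_SHA}']
```

```yaml
# Binary Authorization policy — only signed, scanned images deploy
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
    - projects/PROJECT/attestors/build-attestor
    - projects/PROJECT/attestors/security-attestor
clusterAdmissionRules:
  us-central1.prod-cluster:
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
    requireAttestationsBy:
      - projects/PROJECT/attestors/build-attestor
      - projects/PROJECT/attestors/security-attestor
```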
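A drift check for the Binary Authorization policy above, as an added example (not part of the skill's own files). It assumes the exported policy has already been loaded into a Python dict; the function names and the `DRIFTED` sample policy are constructed for illustration.

```python
EVAL = "REQUIRE_ATTESTATION"
ENFORCE = "ENFORCED_BLOCK_AND_AUDIT_LOG"


def check_rule(label, rule, required):
    """List the ways one admission rule is weaker than the page's policy."""
    problems = []
    if rule.get("evaluationMode") != EVAL:
        problems.append(f"{label}: evaluationMode={rule.get('evaluationMode')}")
    if rule.get("enforcementMode") != ENFORCE:
        problems.append(f"{label}: enforcementMode={rule.get('enforcementMode')}")
    have = set(rule.get("requireAttestationsBy", []))
    for attestor in sorted(set(required) - have):
        problems.append(f"{label}: missing attestor {attestor}")
    return problems


def lint_policy(policy, required):
    """Check the default rule, every cluster rule, and any exempt patterns."""
    problems = check_rule("default", policy.get("defaultAdmissionRule", {}), required)
    # A cluster-specific rule replaces the default for that cluster.
    for cluster, rule in sorted(policy.get("clusterAdmissionRules", {}).items()):
        problems += check_rule(cluster, rule, required)
    # Images matching an allowlist pattern are admitted without attestation.
    for entry in policy.get("admissionWhitelistPatterns", []):
        problems.append(f"exempt pattern: {entry.get('namePattern')}")
    return problems


REQUIRED = [
    "projects/PROJECT/attestors/build-attestor",
    "projects/PROJECT/attestors/security-attestor",
]
STRICT_RULE = {"evaluationMode": EVAL, "enforcementMode": ENFORCE,
               "requireAttestationsBy": list(REQUIRED)}
# Constructed policy: the default is strict, but the prod cluster rule is in
# dry-run with one attestor, and a wildcard pattern exempts a whole registry.
DRIFTED = {
    "defaultAdmissionRule": STRICT_RULE,
    "clusterAdmissionRules": {"us-central1.prod-cluster": {
        "evaluationMode": EVAL, "enforcementMode": "DRYRUN_AUDIT_LOG_ONLY",
        "requireAttestationsBy": [REQUIRED[0]]}},
    "admissionWhitelistPatterns": [{"namePattern": "gcr.io/constructed-project/*"}],
}
```

Calling `lint_policy(DRIFTED, REQUIRED)` reports the dry-run cluster rule, the missing attestor, and the exempt pattern, while a policy matching the one above returns an empty list.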
Data Protection
```bash
# Customer-managed encryption keys (CMEK) — you own the key, Google holds the ciphertext
gcloud kms keyrings create prod --location=us-central1
gcloud kms keys create db-key --keyring=prod --location=us-central1 --purpose=encryption

# Use CMEK on a Cloud SQL instance
gcloud sql instances create orders \
  --database-version=POSTGRES_15 \
  --tier=db-custom-2-7680 --region=us-central1 \
  --disk-encryption-key=projects/my-project/locations/us-central1/keyRings/prod/cryptoKeys/db-key

# Sensitive Data Protection — find and redact PII in BigQuery
gcloud dlp jobs create \
  --inspect-job-from-file=inspect-pii.json
```

```json
{
  "inspectJob": {
    "storageConfig": {
      "bigQueryOptions": {
        "tableReference": {
          "projectId": "my-project",
          "datasetId": "raw",
          "tableId": "events"
        }
      }
    },
    "inspectConfig": {
      "infoTypes": [
        {"name": "EMAIL_ADDRESS"}, {"name": "CREDIT_CARD_NUMBER"},
        {"name": "US_SOCIAL_SECURITY_NUMBER"}, {"name": "PHONE_NUMBER"}
      ],
      "minLikelihood": "LIKELY"
    },
    "actions": [
      { "saveFindings": { "outputConfig": { "table": {
        "projectId": "my-project", "datasetId": "dlp", "tableId": "findings"
      }}}}
    ]
  }
}
```
Security Command Center & SecOps
```bash
# Enable Security Command Center Premium / Enterprise (org-level)
gcloud scc settings update --organization=ORG_ID --service=security-command-center

# Subscribe a Pub/Sub topic to high-severity findings for automated response
gcloud scc notifications create high-severity-findings \
  --organization=ORG_ID \
  --description="Critical and high findings" \
  --pubsub-topic=projects/my-project/topics/scc-findings \
  --filter='severity="HIGH" OR severity="CRITICAL"'
```
Wire the Pub/Sub topic to a Cloud Function that auto-remediates well-known issues (e.g., disable a public bucket, revoke an over-broad IAM grant) and pages on-call for the rest.
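The routing decision such a function has to make, as an added example (not part of the skill's own files): remediate known categories, page on-call for the rest, and never drop a message it cannot read. The playbook labels, the category-to-playbook table and the sample finding are constructed assumptions; the remediation calls themselves are left out.

```python
import base64
import json

# Assumed routing table: finding category -> playbook label. The category
# strings are sample values in the style of Security Health Analytics; the
# playbook labels are hypothetical names for remediation code you would write.
PLAYBOOKS = {
    "PUBLIC_BUCKET_ACL": "remove_public_bucket_access",
    "PRIMITIVE_ROLES_USED": "revoke_broad_iam_grant",
}
ACTIONABLE = {"HIGH", "CRITICAL"}


def make_event(finding):
    """Wrap a constructed finding the way Pub/Sub delivers it (base64 JSON)."""
    body = json.dumps({"finding": finding}).encode()
    return {"data": base64.b64encode(body).decode()}


def triage(event):
    """Return the decision for one notification: remediate, page or ignore."""
    try:
        finding = json.loads(base64.b64decode(event["data"]))["finding"]
        category = finding["category"]
        severity = finding["severity"]
        resource = finding["resourceName"]
        state = finding.get("state", "ACTIVE")
    except (KeyError, TypeError, ValueError, AttributeError):
        # An unreadable message goes to a human rather than being dropped.
        return {"action": "page", "reason": "unparseable notification"}
    if state != "ACTIVE":
        # The finding is no longer open, so there is nothing to fix.
        return {"action": "ignore", "reason": f"state {state}"}
    if severity not in ACTIONABLE:
        return {"action": "ignore", "reason": f"severity {severity}"}
    if category in PLAYBOOKS:
        return {"action": "remediate", "playbook": PLAYBOOKS[category],
                "resource": resource}
    return {"action": "page", "reason": f"no playbook for {category}",
            "resource": resource}


# Constructed sample: a public bucket finding as it would arrive from the topic.
SAMPLE = make_event({
    "category": "PUBLIC_BUCKET_ACL", "severity": "HIGH", "state": "ACTIVE",
    "resourceName": "//storage.googleapis.com/constructed-example-bucket",
})
```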
Validation Checklist
Security by design
- [ ] Defense-in-depth at network, host, and application layers
- [ ] Threat model exists and is reviewed for major changes
- [ ] Risk assessment uses an industry framework (NIST CSF, CIS)
Zero trust
- [ ] Default networks disabled at org level
- [ ] All apps front-ended by IAP or equivalent (no public admin endpoints)
- [ ] VPC Service Controls perimeters around sensitive data services
- [ ] Service-to-service auth via OIDC tokens; no shared secrets
Shift-left
- [ ] All infra in IaC (Terraform); no console clicks for prod
- [ ] CI/CD includes vulnerability scan + signing
- [ ] Binary Authorization enforces signed-only deployment
- [ ] Dependency updates automated (Renovate / Dependabot)
Preemptive defense
- [ ] Security Command Center Premium/Enterprise enabled at org
- [ ] All audit logs centralized to a SIEM or BigQuery
- [ ] Automated response for known patterns (public buckets, over-broad IAM)
- [ ] Red-team / pen-test exercises run regularly
AI security
- [ ] AI training pipelines protected against data poisoning
- [ ] Differential privacy / data masking on training data where applicable
- [ ] Vertex Explainable AI used for governance
Examples
Example 1 — Hardening review for a Cloud Run service
User has a customer-facing API on Cloud Run. Walk through: front it with a global HTTPS LB + Cloud Armor (OWASP rules + rate limit), require IAP for the admin endpoints, attach a least-privilege service account (no broad Editor), encrypt the Cloud SQL backend with CMEK, route audit logs to BigQuery, and enroll the project under a VPC Service Controls perimeter that blocks egress of customer data to external projects.
Example 2 — Build a deploy-time policy that blocks unscanned images
User wants to enforce that only scanned-and-signed images deploy to GKE prod. Set up Artifact Analysis vulnerability scanning on the registry, add Cloud Build steps that scan + fail on critical, sign with a KMS key on success, and configure Binary Authorization with REQUIRE_ATTESTATION on the prod cluster. Test by attempting to deploy an unsigned image — should be blocked with an audit log entry.
Guidelines
- Default networks off at org level — they're a liability, not a feature
- Disable service account key creation — use Workload Identity / impersonation
- Restrict regions via Org Policy if you have data-residency obligations
- IAP everywhere for internal apps; never expose admin UIs to the public internet
- VPC Service Controls when you genuinely have data-exfil concerns; expect a learning curve
- Cloud Armor on every public-facing load balancer — preconfigured WAF rules cost nothing extra
- Binary Authorization is the only way to actually enforce "signed images only" at runtime
- CMEK when keys must be in your control; default Google-managed encryption is otherwise fine
- Sensitive Data Protection for PII discovery in BigQuery / GCS — automate, don't audit manually
- Security Command Center Premium/Enterprise is non-negotiable at scale; the free tier is too limited
- For AI workloads, follow Google's SAIF (Secure AI Framework) — it's the only published practical guidance