Google’s Unattended Project Reminder feature has moved to public preview. It aims to improve cloud utilization and to address the security problems caused by forgotten cloud projects that should have been shut down long ago.
Unattended Project Reminder, part of Google Cloud’s Active Assist, can reduce security risk by finding old efforts, such as a prototyping project, that no longer need the network access, cloud resources, or enabled APIs they still hold.
Google developed the feature during 2021, starting from a prototype built to clean up its own unattended internal projects.
Google’s internal security team had unattended projects on its radar for some time, according to Google Cloud, so the security team and the team building the feature began searching for unattended projects within the “google.com” organization.
The idea was sound, but detection proved hard: signals such as API, network and user activity did not reliably separate a genuinely abandoned project from one that is intentionally kept at a low level of activity.
The risks of getting this wrong include misidentifying a project as unattended and accidentally deleting a component that a production workload depended on, causing permanent data loss. The benefits include lower cloud bills for resources nobody uses and fewer lingering configuration problems, such as open firewall rules or privileged service account keys, that attackers can exploit to take over cloud resources for cryptocurrency mining or to steal data.
“These security risks tend to grow over time because the latest best practices and patches are usually not applied to unattended projects,” Google said.
To tune the detection, Google then worked with customers on real-world data and found thousands of unattended projects.
Key signals that Unattended Project Reminder uses include API activity (such as service accounts with authentication activity and API calls consumed), networking activity, billing activity, user activity, and cloud services usage (such as active VMs, BigQuery jobs, and storage requests).
“Based on these signals, it can generate recommendations to clean up projects that have low usage activity (where “low usage” is defined using a machine learning model that ranks projects in your organization by level of usage), or recommendations to reclaim projects that have high usage activity but no active project owners,” explain Google Cloud product managers, Dima Melnyk and Bakh Inamov.
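As an added illustration (this is not Google’s code, nor the machine-learning ranking that Active Assist actually uses), the Python sketch below shows how signals of the kind listed above can be combined into a usage rank and turned into the two recommendation types the product managers describe: a clean-up recommendation for low-usage projects and a reclaim recommendation for busy projects with no active owner. Everything in it is assumed for the example: the signal weights, the rank-percentile definition of “low usage”, the `intentionally_quiet` flag (standing in for a human-maintained exemption list, since the article says telling deliberately quiet projects from abandoned ones is the hard part), and the sample projects themselves, which are constructed.

```python
"""Toy unattended-project scorer.

Added example, not Google Cloud / Active Assist code. Weights, the
rank-based "low usage" cutoff, the exemption flag and the sample data
are all assumptions made for this illustration.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProjectSignals:
    project_id: str
    api_calls: int          # API calls consumed in the observation window
    sa_auth_events: int     # service-account authentication events
    network_bytes: int      # network traffic in bytes
    billed_usd: float       # billing activity
    user_logins: int        # human user activity
    active_vms: int         # running Compute Engine instances
    bigquery_jobs: int      # BigQuery jobs executed
    storage_requests: int   # Cloud Storage requests
    active_owners: int      # project owners whose accounts are still active
    intentionally_quiet: bool = False  # assumed exemption: quiet by design (e.g. DR standby)


# Assumed weights. log1p dampens a single bursty signal so one noisy
# counter (say a monitoring probe hammering an API) cannot dominate.
WEIGHTS = {
    "api_calls": 1.0, "sa_auth_events": 1.0, "network_bytes": 0.5,
    "billed_usd": 1.5, "user_logins": 2.0, "active_vms": 1.5,
    "bigquery_jobs": 1.0, "storage_requests": 0.5,
}


def usage_score(p: ProjectSignals) -> float:
    """Weighted, log-scaled sum of the activity signals. Zero activity scores 0."""
    return sum(w * math.log1p(getattr(p, name)) for name, w in WEIGHTS.items())


def recommend(projects: List[ProjectSignals],
              low_usage_fraction: float = 0.25) -> Dict[str, Optional[str]]:
    """Map project_id -> 'CLEANUP', 'RECLAIM' or None.

    'Low usage' is defined relative to the organization: the bottom
    `low_usage_fraction` of projects by usage_score. A project flagged as
    intentionally quiet is never recommended for clean-up, but it can still be
    recommended for reclaim if nobody active owns it.
    """
    if not projects:
        return {}
    ranked = sorted(projects, key=usage_score)
    cutoff = max(1, math.ceil(len(ranked) * low_usage_fraction))
    low_usage = {p.project_id for p in ranked[:cutoff]}

    out: Dict[str, Optional[str]] = {}
    for p in projects:
        if p.project_id in low_usage and not p.intentionally_quiet:
            out[p.project_id] = "CLEANUP"
        elif p.active_owners == 0:
            out[p.project_id] = "RECLAIM"
        else:
            out[p.project_id] = None
    return out


# Constructed sample organization (six projects, invented numbers).
SAMPLE_PROJECTS = [
    ProjectSignals("prod-web", 5_000_000, 20_000, 10**12, 12_000.0, 80, 40, 300, 2_000_000, 3),
    ProjectSignals("data-lake", 800_000, 5_000, 5 * 10**11, 4_000.0, 10, 5, 2_000, 900_000, 0),
    ProjectSignals("internal-tools", 200_000, 1_500, 5 * 10**10, 900.0, 25, 6, 40, 120_000, 1),
    ProjectSignals("dr-standby", 40, 30, 2_000_000, 150.0, 1, 2, 0, 50, 2, intentionally_quiet=True),
    ProjectSignals("proto-2020", 3, 0, 0, 0.40, 0, 0, 0, 12, 1),
    ProjectSignals("hackathon-q3", 0, 0, 0, 0.0, 0, 0, 0, 0, 0),
]


if __name__ == "__main__":
    for pid, rec in recommend(SAMPLE_PROJECTS, low_usage_fraction=0.5).items():
        print(f"{pid:15s} {rec or '-'}")
```

With half the organization treated as low usage, the two dead projects get a clean-up recommendation, the busy but ownerless data lake gets a reclaim recommendation, and the quiet-by-design DR project is left alone despite ranking near the bottom. In a real deployment the exemption list, not the weights, is what keeps an automated clean-up from hitting the failure mode the article warns about.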
Insights and recommendations can be sent automatically via email or chat messages to project owners.
Admins can recover an accidentally deleted project within a 30-day window. Google cautions, however, that some resources, such as Cloud Storage and Pub/Sub resources, are deleted before the 30-day period ends and may not be fully recoverable.
French sporting goods retail giant Decathlon used the feature to delete 775 projects. “And no one complained,” said Adeline Villette, Decathlon’s cloud security officer.
French utility Veolia and US file storage firm Box have each trialed the feature to cut the number of unattended projects they support.