SECURITY_GUIDE.md

🔒 Security Guide: Dataproc MCP Server

This guide covers security best practices, configuration, and hardening for the Dataproc MCP Server.

Overview

The Dataproc MCP Server implements comprehensive security measures including:

• Input validation and sanitization
• Rate limiting and abuse prevention
• Credential management and protection
• Audit logging and monitoring
• Secure defaults and configurations

Security Features

🛡️ Input Validation

All tool inputs are validated using comprehensive Zod schemas that enforce:

• GCP Resource Constraints: Project IDs, regions, zones, and cluster names must follow GCP naming conventions
• Data Type Validation: Ensures correct data types and formats
• Length Limits: Prevents oversized inputs that could cause issues
• Pattern Matching: Uses regex patterns to validate GCP-specific formats
• Injection Prevention: Detects and blocks common injection patterns

Example Validation Rules

// Project ID validation
const projectId = "my-project-123"; // ✅ Valid
const projectId = "My-Project";     // ❌ Invalid (uppercase)
const projectId = "a";              // ❌ Invalid (too short)

// Cluster name validation
const clusterName = "my-cluster";   // ✅ Valid
const clusterName = "My_Cluster";   // ❌ Invalid (underscore)
const clusterName = "cluster-";     // ❌ Invalid (ends with hyphen)

🚦 Rate Limiting

Built-in rate limiting prevents abuse and ensures fair resource usage:

• Default Limits: 100 requests per minute per client
• Configurable Windows: Adjustable time windows and limits
• Per-Tool Limiting: Different limits can be set per tool
• Automatic Cleanup: Expired rate limit entries are automatically cleaned up

Configuration

{
  "rateLimiting": {
    "windowMs": 60000,     // 1 minute window
    "maxRequests": 100,    // Max requests per window
    "enabled": true
  }
}

🔐 Credential Management

For detailed information on credential management, including service account impersonation, key validation, and best practices, refer to the Authentication Implementation Guide.

📊 Audit Logging

All security-relevant events are logged for monitoring and compliance:

Logged Events

• Authentication Events: Login attempts, key validation, impersonation
• Input Validation Failures: Invalid inputs, injection attempts
• Rate Limit Violations: Exceeded request limits
• Tool Executions: All tool calls with sanitized parameters
• Error Conditions: Security-related errors and warnings

Log Format

{
  "timestamp": "2025-05-29T22:30:00.000Z",
  "event": "Input validation failed",
  "details": {
    "tool": "start_dataproc_cluster",
    "error": "Invalid project ID format",
    "clientId": "[REDACTED]"
  },
  "severity": "warn"
}

🔍 Threat Detection

Automatic detection of suspicious patterns:

• SQL Injection: Detects SQL keywords and patterns
• XSS Attempts: Identifies script injection attempts
• Path Traversal: Catches directory traversal attempts
• Template Injection: Detects template expression patterns
• Code Injection: Identifies code execution attempts
• System Commands: Flags dangerous system commands

Security Configuration

Environment Variables

# Security settings
SECURITY_RATE_LIMIT_ENABLED=true
SECURITY_RATE_LIMIT_WINDOW=60000
SECURITY_RATE_LIMIT_MAX=100
SECURITY_AUDIT_LOG_LEVEL=info
SECURITY_CREDENTIAL_VALIDATION=strict

Configuration File

{
  "security": {
    "enableRateLimiting": true,
    "maxRequestsPerMinute": 100,
    "enableInputValidation": true,
    "sanitizeCredentials": true,
    "auditLogLevel": "info",
    "enableThreatDetection": true,
    "secureHeaders": {
      "enabled": true,
      "customHeaders": {}
    }
  }
}

Hardening Checklist

✅ Basic Security

• Service account keys have restrictive permissions (600)
• Using service account impersonation instead of direct keys
• Rate limiting is enabled and configured appropriately
• Input validation is enabled for all tools
• Audit logging is configured and monitored

✅ Advanced Security

• Service account keys are rotated regularly (≤90 days)
• Monitoring and alerting for security events
• Network access is restricted (firewall rules)
• TLS/SSL is used for all communications
• Regular security audits and penetration testing

✅ Production Security

• Dedicated service accounts per environment
• Centralized credential management (Secret Manager)
• Automated security scanning in CI/CD
• Incident response procedures documented
• Security training for operators

Monitoring and Alerting

Key Metrics to Monitor

1. Authentication Failures

   • Failed service account validations
   • Invalid credential attempts
   • Permission denied errors

2. Rate Limiting Events

   • Clients hitting rate limits
   • Unusual traffic patterns
   • Potential abuse attempts

3. Input Validation Failures

   • Malformed requests
   • Injection attempt patterns
   • Suspicious input patterns

4. System Health

   • Error rates by tool
   • Response times
   • Resource utilization

Sample Alerts

# Example Prometheus alerts
groups:
  - name: dataproc-mcp-security
    rules:
      - alert: HighAuthenticationFailures
        expr: rate(dataproc_auth_failures_total[5m]) > 0.1
        for: 2m
        labels:
          severity: warning
        annotations:
          summary: "High authentication failure rate"
          
      - alert: RateLimitViolations
        expr: rate(dataproc_rate_limit_violations_total[5m]) > 0.05
        for: 1m
        labels:
          severity: warning
        annotations:
          summary: "Rate limit violations detected"

Incident Response

Security Incident Types

1. Credential Compromise

   • Immediately rotate affected keys
   • Review audit logs for unauthorized access
   • Update access controls

2. Injection Attacks

   • Block suspicious clients
   • Review and strengthen input validation
   • Analyze attack patterns

3. Rate Limit Abuse

   • Identify and block abusive clients
   • Adjust rate limits if necessary
   • Investigate traffic patterns

Response Procedures

1. Immediate Response

   • Isolate affected systems
   • Preserve evidence (logs, configurations)
   • Notify security team

2. Investigation

   • Analyze audit logs
   • Identify attack vectors
   • Assess impact and scope

3. Recovery

   • Apply security patches
   • Update configurations
   • Restore normal operations

4. Post-Incident

   • Document lessons learned
   • Update security procedures
   • Implement additional controls

Compliance Considerations

Data Protection

• PII Handling: Ensure no personally identifiable information is logged
• Data Encryption: Use encryption for data at rest and in transit
• Access Controls: Implement least privilege access principles

Regulatory Requirements

• SOC 2: Implement appropriate security controls
• GDPR: Ensure data protection and privacy compliance
• HIPAA: Additional controls for healthcare data (if applicable)

Audit Requirements

• Log Retention: Maintain audit logs for required periods
• Access Reviews: Regular review of service account permissions
• Security Assessments: Periodic security evaluations

Security Updates

Keeping Secure

1. Regular Updates

   • Update dependencies regularly
   • Apply security patches promptly
   • Monitor security advisories

2. Vulnerability Scanning

   • Automated dependency scanning
   • Container image scanning
   • Infrastructure scanning

3. Security Testing

   • Regular penetration testing
   • Code security reviews
   • Configuration audits

Support and Resources

Getting Help

• Security Issues: Report to security team immediately
• Configuration Questions: Consult this guide and documentation
• Best Practices: Follow industry security standards

Additional Resources

• Google Cloud Security Best Practices
• OWASP Security Guidelines
• NIST Cybersecurity Framework

---

Remember: Security is an ongoing process, not a one-time setup. Regularly review and update your security configurations as threats evolve.