Serial Ports Connection Should Be Disabled

More Info:

Serial ports connection should not be enabled for VM instances. As serial console does not allow restricting IP Addresses, so then it allows any IP address to connect to instance and should therefore be disabled.

Risk Level

Low

Address

Security

Compliance Standards

CISGCP, CBP, HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of serial ports connection being enabled in GCP using GCP CLI, you can follow the below steps:

Open the Cloud Shell in the GCP Console.
Run the following command to list all the instances in your project:
```
gcloud compute instances list
```
Choose the instance for which you want to disable serial port connection.
Run the following command to disable serial port connection for the chosen instance:
```
gcloud compute instances update [INSTANCE_NAME] --no-enable-serial-port
```
Replace [INSTANCE_NAME] with the name of the instance you want to remediate.
Verify that the serial port connection is disabled for the instance by running the following command:
```
gcloud compute instances describe [INSTANCE_NAME] | grep -i serial
```
This command should not return any output.

By following these steps, you can remediate the misconfiguration of serial ports connection being enabled in GCP using GCP CLI.

Using Python

To remediate the “Serial Ports Connection Should Be Disabled” misconfiguration for GCP using Python, you can use the Cloud Asset Inventory and Cloud Asset API to identify and disable serial ports connections on all Compute Engine instances in your project. Here are the step-by-step instructions:

First, you need to enable the Cloud Asset API for your project. You can do this by going to the Google Cloud Console, selecting your project, and navigating to APIs & Services > Dashboard. Then, click on the ”+ ENABLE APIS AND SERVICES” button, search for “Cloud Asset API”, and click on the “ENABLE” button.
Next, you need to install the Google Cloud SDK and the Python client library for the Cloud Asset API. You can do this by running the following command in your terminal:

pip install google-cloud-sdk google-cloud-asset

Once you have installed the necessary tools, you can use the following Python code to identify and disable serial ports connections on all Compute Engine instances in your project:

from google.cloud import asset_v1

# Create a client object for the Cloud Asset API
client = asset_v1.AssetServiceClient()

# Define the project ID for your GCP project
project_id = 'YOUR_PROJECT_ID'

# Define the query to search for Compute Engine instances with serial ports connections enabled
query = 'resource:"//cloudresourcemanager.googleapis.com/projects/{}/" ' \
        'AND resource_type="compute.googleapis.com/Instance" ' \
        'AND (serialPortConfigs.accessible=true OR serialPortConfigs.enable=true)'.format(project_id)

# Execute the query and get the results
response = client.search_all_resources(scope='projects/{}'.format(project_id), query=query)

# Loop through the results and disable serial ports connections on each Compute Engine instance
for result in response:
    if result.asset.resource_type == 'compute.googleapis.com/Instance':
        instance_name = result.asset.name.split('/')[-1]
        zone = result.asset.resource_data['zone'].split('/')[-1]
        instance_client = compute_v1.InstancesClient()
        instance = instance_client.get(project=project_id, zone=zone, instance=instance_name)
        if instance.serial_port_configs:
            instance.serial_port_configs = []
            instance_client.update(project=project_id, zone=zone, instance=instance_name, body=instance)

Replace “YOUR_PROJECT_ID” with your actual GCP project ID in the code.
Run the code in your terminal or in a Python IDE.

This code will search for Compute Engine instances in your project that have serial ports connections enabled, and disable them by removing all serial port configurations. This will remediate the “Serial Ports Connection Should Be Disabled” misconfiguration for your GCP project.

Additional Reading:

https://cloud.google.com/compute/docs/instances/interacting-with-serial-console

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Serial Ports Connection Should Be Disabled

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: