More Info:

Ensure that Cloud DNS Managed Zones config state is on.

Risk Level

High

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “GCP DNS Managed Zones Should Config State Should Be On” in GCP using the GCP console, follow these steps:
  1. Log in to the GCP console and select the project where the DNS Managed Zones configuration needs to be remediated.
  2. Navigate to the “DNS” page from the left-hand menu.
  3. Select the “Managed Zones” tab from the top menu.
  4. Identify the Managed Zones with the “Config State” set to “Off”.
  5. Click on the name of each Managed Zone with the “Config State” set to “Off”.
  6. Click on the “Edit” button at the top of the Managed Zone page.
  7. Scroll down to the “Advanced” section.
  8. Toggle the “Config State” switch to “On”.
  9. Click on the “Save” button at the bottom of the page.
  10. Repeat steps 5-9 for each Managed Zone with the “Config State” set to “Off”.
By following these steps, you can remediate the misconfiguration “GCP DNS Managed Zones Should Config State Should Be On” in GCP using the GCP console.

Using CLI

To remediate the misconfiguration of GCP DNS Managed Zones Config State being off, you can follow the steps below using the GCP CLI. In Cloud DNS, the on/off state of a managed zone is its DNSSEC configuration state (dnssecConfig.state), which gcloud sets with the --dnssec-state flag:
  1. Open the Cloud Shell in GCP Console.
  2. Run the following command to list all the managed zones in your project together with their state:
    gcloud dns managed-zones list --format="table(name, dnsName, dnssecConfig.state)"
    
  3. Identify the managed zone whose state is “off” (an empty state column also means DNSSEC is not enabled).
  4. Run the following command to update the state of the identified managed zone to “on”:
    gcloud dns managed-zones update [MANAGED_ZONE_NAME] --dnssec-state on
    
    Replace [MANAGED_ZONE_NAME] with the actual name of the managed zone.
  5. Verify that the state of the managed zone has been updated by running the following command:
    gcloud dns managed-zones describe [MANAGED_ZONE_NAME]
    
    This command should return the details of the managed zone, including the updated state value under dnssecConfig.
By following the above steps, you can remediate the misconfiguration of GCP DNS Managed Zones Config State being off.
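
Using Python

To remediate the GCP DNS Managed Zones Config State issue using Python, you can call the Cloud DNS API through the Google API Python client, which exposes the zone's DNSSEC configuration state (dnssecConfig.state). Here are the step-by-step instructions:
  1. Install the google-api-python-client and google-auth Python packages using pip:
    pip install google-api-python-client google-auth
  2. Authenticate with the Google Cloud Platform by setting the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of your service account key file:
    export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service_account_key.json
  3. Import the necessary modules:
    from google.oauth2 import service_account
    from googleapiclient import discovery
  4. Create a Cloud DNS API client using the service account credentials:
    credentials = service_account.Credentials.from_service_account_file(
        '/path/to/service_account_key.json',
        scopes=['https://www.googleapis.com/auth/ndev.clouddns.readwrite'])
    service = discovery.build('dns', 'v1', credentials=credentials)
  5. Retrieve the list of Managed Zones:
    project = 'your-project-id'
    zones = service.managedZones().list(project=project).execute().get('managedZones', [])
  6. For each public zone, check whether the state is set to on. If it’s not, update the zone using the managedZones().patch() method:
    for zone in zones:
        # DNSSEC applies to public zones only; skip private zones.
        if zone.get('visibility', 'public') != 'public':
            continue
        if zone.get('dnssecConfig', {}).get('state') != 'on':
            service.managedZones().patch(
                project=project, managedZone=zone['name'],
                body={'dnssecConfig': {'state': 'on'}}).execute()
  7. Your code should look like this:
    from google.oauth2 import service_account
    from googleapiclient import discovery

    # Load the service account key and build a Cloud DNS v1 API client.
    credentials = service_account.Credentials.from_service_account_file(
        '/path/to/service_account_key.json',
        scopes=['https://www.googleapis.com/auth/ndev.clouddns.readwrite'])
    service = discovery.build('dns', 'v1', credentials=credentials)

    project = 'your-project-id'
    zones = service.managedZones().list(project=project).execute().get('managedZones', [])

    for zone in zones:
        # DNSSEC applies to public zones only; skip private zones.
        if zone.get('visibility', 'public') != 'public':
            continue
        # A missing dnssecConfig means the state was never turned on.
        if zone.get('dnssecConfig', {}).get('state') != 'on':
            service.managedZones().patch(
                project=project, managedZone=zone['name'],
                body={'dnssecConfig': {'state': 'on'}}).execute()
This code will remediate the GCP DNS Managed Zones Config State issue by setting the state to on for all public Managed Zones in your project.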
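
Before changing anything, the zones can be audited offline from an export. The script below is an added example, not part of the original page: it classifies zones from the JSON printed by gcloud dns managed-zones list --format=json and emits the update command for each zone that fails the check. It assumes the “config state” of this rule is the dnssecConfig.state field; the zone names and the sample data are constructed.

```python
import json

# Constructed sample of `gcloud dns managed-zones list --format=json` output.
# Assumption: the rule's "config state" is the zone's dnssecConfig.state field.
SAMPLE_ZONES_JSON = """
[
  {"name": "corp-public", "dnsName": "example.com.", "visibility": "public",
   "dnssecConfig": {"state": "on"}},
  {"name": "legacy-public", "dnsName": "example.org.", "visibility": "public",
   "dnssecConfig": {"state": "off"}},
  {"name": "no-config", "dnsName": "example.net."},
  {"name": "migrating", "dnsName": "example.io.", "visibility": "public",
   "dnssecConfig": {"state": "transfer"}},
  {"name": "internal", "dnsName": "corp.internal.", "visibility": "private"}
]
"""


def audit_zones(zones):
    """Group zone names by DNSSEC state; private zones are reported separately."""
    report = {"on": [], "off": [], "transfer": [], "skipped_private": []}
    for zone in zones:
        # DNSSEC is a public-zone setting, so private zones are out of scope.
        if zone.get("visibility", "public") == "private":
            report["skipped_private"].append(zone["name"])
            continue
        # A zone with no dnssecConfig block has never had the state turned on.
        state = ((zone.get("dnssecConfig") or {}).get("state") or "off").lower()
        bucket = state if state in ("on", "transfer") else "off"
        report[bucket].append(zone["name"])
    return report


def remediation_commands(report):
    """Build the gcloud command for every zone whose state is off."""
    return [f"gcloud dns managed-zones update {name} --dnssec-state on"
            for name in report["off"]]


if __name__ == "__main__":
    report = audit_zones(json.loads(SAMPLE_ZONES_JSON))
    for bucket, names in report.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
    for command in remediation_commands(report):
        print(command)
```

Zones in the transfer state are listed on their own because they are not “on” but are normally mid-migration and need a manual decision rather than an automatic update.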

Additional Reading: