More Info:

Cloud Functions should access resources only in VPC

Risk Level

Medium

Address

Security

Compliance Standards

PCIDSS, SOC2, NISTCSF

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Cloud Functions Should Connect To Resources In VPC only” for GCP using GCP console, follow the below steps:
  1. Open the Google Cloud Console and select the project where the Cloud Function is located.
  2. In the left-hand navigation menu, select “VPC Network” and then select “VPC networks”.
  3. Select the VPC network that you want to use for your Cloud Function.
  4. In the “VPC Network Details” page, select “Add subnet”.
  5. In the “Create subnet” page, enter a name for the subnet and select the region where you want the subnet to be located.
  6. Configure the subnet IP range and select the VPC network that you want to use for your Cloud Function.
  7. Click “Create” to create the subnet.
  8. In the left-hand navigation menu, select “Cloud Functions” and then select the Cloud Function that you want to configure.
  9. In the “Cloud Function Details” page, click on the “Edit” button.
  10. Scroll down to the “VPC connector” section and select the VPC connector that you created in step 6.
  11. Click “Save” to save the changes.
After following these steps, your Cloud Function will be configured to connect to resources in the specified VPC only.

To remediate the misconfiguration of allowing Cloud Functions to connect to resources outside of VPC on GCP, you can follow the below steps using the GCP CLI:
  1. First, create a VPC network and subnet in your GCP project using the following command:
gcloud compute networks create [NETWORK_NAME] --subnet-mode custom
  1. Next, create a subnet within the VPC network using the following command:
gcloud compute networks subnets create [SUBNET_NAME] --network [NETWORK_NAME] --region [REGION] --range [IP_RANGE]
Replace [SUBNET_NAME], [NETWORK_NAME], [REGION], and [IP_RANGE] with appropriate values.
  1. Now, you need to deploy the Cloud Function within the VPC network by specifying the --vpc-connector flag with the gcloud functions deploy command. The --vpc-connector flag specifies the name of the Serverless VPC Access connector to use for the function.
gcloud functions deploy [FUNCTION_NAME] --vpc-connector [CONNECTOR_NAME] --entry-point [ENTRY_POINT] --runtime [RUNTIME] --trigger-http
Replace [FUNCTION_NAME], [CONNECTOR_NAME], [ENTRY_POINT], and [RUNTIME] with appropriate values.
  1. Finally, create a Serverless VPC Access connector using the following command:
gcloud compute networks vpc-access connectors create [CONNECTOR_NAME] --network [NETWORK_NAME] --region [REGION] --range [IP_RANGE]
Replace [CONNECTOR_NAME], [NETWORK_NAME], [REGION], and [IP_RANGE] with appropriate values.By following the above steps, you can remediate the misconfiguration of allowing Cloud Functions to connect to resources outside of VPC on GCP and ensure that all Cloud Functions are only able to connect to resources within the VPC network.
To remediate this misconfiguration in GCP, you can follow the below steps using Python:Step 1: Create a VPC connector
  • First, create a VPC connector in the same region as your Cloud Function.
  • You can create a VPC connector using the google.cloud.functions.v1.VpcConnector client library in Python.
from google.cloud.functions.v1 import VpcConnector
from google.cloud.functions_v1.types import VpcConnector

client = VpcConnector()
parent = "projects/<your-project-id>/locations/<your-region>"
connector = VpcConnector(display_name="<your-connector-name>", uri="<your-connector-uri>")
response = client.create_vpc_connector(parent=parent, connector=connector)
Step 2: Update the Cloud Function to use the VPC connector
  • Next, update the Cloud Function to use the VPC connector you created in step 1.
  • You can update the Cloud Function using the google.cloud.functions.v1.CloudFunctionsServiceClient client library in Python.
from google.cloud.functions.v1 import CloudFunctionsServiceClient
from google.cloud.functions_v1.types import CloudFunction

client = CloudFunctionsServiceClient()
function_name = "<your-function-name>"
function = client.get_cloud_function(name=function_name)
function.vpc_connector = "<your-connector-name>"
response = client.update_cloud_function(update_mask=field_mask, function=function)
Step 3: Test the updated Cloud Function
  • Finally, test the updated Cloud Function to ensure that it can only connect to resources in the VPC.
  • You can test the Cloud Function by invoking it and verifying that it can only access resources in the VPC.
Note: Make sure to replace the placeholders <your-project-id>, <your-region>, <your-connector-name>, <your-connector-uri>, and <your-function-name> with the appropriate values for your GCP environment.

Additional Reading: