Cloud Functions Endpoint Should Not Be Publicly Accessible

More Info:

Ensure that Function endpoint is not open to the internet 0.0.0.0/0

Risk Level

Medium

Address

Security

Compliance Standards

SOC2, ISO27001, HITRUST, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

Using Python

To remediate the issue of Cloud Functions Endpoint being publicly accessible on GCP using Python, you can follow the below steps:

Open the Cloud Functions Console in your GCP project.
Select the function that you want to remediate and click on the “Edit” button.
In the “Edit Function” screen, scroll down to the “Networking” section and click on “Add VPC connector”.
In the “Add VPC connector” screen, select the VPC network that you want to use and click on “Save”.
Once the VPC connector is added, scroll down to the “Ingress Settings” section and select “Allow internal traffic only”.
Click on “Save” to save the changes.

Now, your Cloud Functions Endpoint will not be publicly accessible and can only be accessed internally within the VPC network that you have specified.To automate this process using Python, you can use the GCP Python client library. Here’s an example code snippet:

from google.cloud import functions_v1

# Replace with your project ID
project_id = "your-project-id"

# Replace with the name of the Cloud Function that you want to remediate
function_name = "your-function-name"

# Initialize the Cloud Functions API client
client = functions_v1.CloudFunctionsServiceClient()

# Get the current configuration of the Cloud Function
function = client.get_function(name=f"projects/{project_id}/locations/us-central1/functions/{function_name}")

# Add the VPC connector to the Cloud Function
function.vpc_connector = "projects/{project_id}/locations/us-central1/connectors/{vpc-connector-name}"

# Set the ingress settings to "Allow internal traffic only"
function.ingress_settings = functions_v1.CloudFunction.IngressSettings.ALLOW_INTERNAL_ONLY

# Update the configuration of the Cloud Function
client.update_function(function=function, update_mask={"paths": ["vpc_connector", "ingress_settings"]})

Make sure to replace the project_id, function_name, and vpc-connector-name variables with the appropriate values for your environment.

Additional Reading:

https://cloud.google.com/functions/docs/securing

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Cloud Functions Endpoint Should Not Be Publicly Accessible

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: