More Info:

Ensure that only images from trusted Google Cloud Platform (GCP) projects are allowed as the source for boot disks for new virtual machine instances. To enforce this constraint, enable and configure the “Define Trusted Image Projects” policy at the GCP organization level.

Risk Level

Medium

Address

Operational Maturity, Reliability, Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of restricting the use of images in GCP using GCP console, follow these steps:
  1. Open the GCP console and select the project where the misconfiguration exists.
  2. Click on the “Navigation menu” button (☰) in the top-left corner of the console.
  3. Navigate to the “Compute Engine” section and click on “Images”.
  4. Select the image that needs to be restricted and click on the “Edit” button at the top of the page.
  5. In the “Permissions” section, click on the “Add item” button.
  6. In the “New permission” window, enter the email address of the user or group that should have access to the image.
  7. Select the “Compute Image User” role from the “Select a role” dropdown menu.
  8. Click on the “Save” button to add the new permission.
  9. Repeat steps 5-8 for each user or group that should have access to the image.
  10. Click on the “Save” button at the bottom of the page to save the changes.
By following these steps, you have successfully restricted the use of images in GCP by granting access to only authorized users or groups.

To remediate the misconfiguration of restricting the use of images in GCP, you can follow the below steps using GCP CLI:
  1. Open the Cloud Shell from the GCP console.
  2. Run the following command to list all the images in your project: 
gcloud compute images list
  1. Identify the images that are not required and need to be deleted.
  2. Run the following command to delete the image: 
gcloud compute images delete [IMAGE-NAME] --project=[PROJECT-ID]
Replace [IMAGE-NAME] with the name of the image that you want to delete and [PROJECT-ID] with the ID of your GCP project.
  1. Repeat step 4 for all the images that you want to delete.
  2. Once all the unnecessary images are deleted, you can create a policy to restrict the use of images. Run the following command to create a policy: 
gcloud beta resource-manager org-policies create-enforcer iam.allowedImageTypes --organization [ORGANIZATION-ID] --policy boolean_policy.yaml
Replace [ORGANIZATION-ID] with the ID of your GCP organization.
  1. In the above command, the policy is created using a YAML file named boolean_policy.yaml. Create this file with the following content:
enforce: true
constraint: constraints/compute.allowedImageTypes
Save the file.
  1. Run the following command to update the policy:
gcloud beta resource-manager org-policies set-policy iam.allowedImageTypes --policy boolean_policy.yaml
  1. The policy is now enforced and any user who tries to use an image that is not allowed will receive an error message.
By following the above steps, you can remediate the misconfiguration of restricting the use of images in GCP using GCP CLI.
To remediate the misconfiguration of restricting the use of images in GCP using Python, you can follow the below steps:
  1. Firstly, you need to create a service account in the GCP project with the required permissions to manage the images. You can use the following command to create a service account:
gcloud iam service-accounts create [SA-NAME] --description "[SA-DESCRIPTION]" --display-name "[SA-DISPLAY-NAME]"
  1. After creating the service account, you need to grant it the required permissions to manage the images. You can use the following command to grant the required permissions:
gcloud projects add-iam-policy-binding [PROJECT-ID] --member serviceAccount:[SA-EMAIL] --role roles/compute.imageUser
  1. Next, you need to create a custom IAM role that restricts the use of images. You can use the following Python code to create a custom IAM role:
from google.cloud import iam

client = iam.IAMClient()

# Define the permissions for the custom role
permissions = [
    "compute.images.get",
    "compute.images.list",
    "compute.images.useReadOnly"
]

# Create the custom role
response = client.create_role(
    parent="projects/[PROJECT-ID]",
    role_id="[ROLE-ID]",
    role={
        "title": "[ROLE-TITLE]",
        "description": "[ROLE-DESCRIPTION]",
        "included_permissions": permissions
    }
)
  1. After creating the custom IAM role, you need to assign it to the service account that you created in step 1. You can use the following Python code to assign the custom IAM role to the service account:
from google.cloud import iam

client = iam.IAMClient()

# Assign the custom role to the service account
response = client.set_iam_policy(
    resource="[RESOURCE-ID]",
    policy={
        "bindings": [
            {
                "role": "projects/[PROJECT-ID]/roles/[ROLE-ID]",
                "members": [
                    "serviceAccount:[SA-EMAIL]"
                ]
            }
        ]
    }
)
  1. Finally, you need to verify that the custom IAM role has been assigned to the service account and that the service account has the required permissions to manage the images. You can use the following command to verify the same:
gcloud projects get-iam-policy [PROJECT-ID] --flatten="bindings[].members" --format="table(bindings.role, bindings.members)"
By following the above steps, you can remediate the misconfiguration of restricting the use of images in GCP using Python.