Restricting the Use of Images

More Info:

Ensure that only images from trusted Google Cloud Platform (GCP) projects are allowed as the source for boot disks for new virtual machine instances. To enforce this constraint, enable and configure the “Define Trusted Image Projects” policy at the GCP organization level.

Risk Level

Medium

Address

Operational Maturity, Reliability, Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of restricting the use of images in GCP, you can follow the below steps using GCP CLI:

Open the Cloud Shell from the GCP console.
Run the following command to list all the images in your project:

gcloud compute images list

Identify the images that are not required and need to be deleted.
Run the following command to delete the image:

gcloud compute images delete [IMAGE-NAME] --project=[PROJECT-ID]

Replace [IMAGE-NAME] with the name of the image that you want to delete and [PROJECT-ID] with the ID of your GCP project.

Repeat step 4 for all the images that you want to delete.
Once all the unnecessary images are deleted, you can create a policy to restrict the use of images. Run the following command to create a policy:

gcloud beta resource-manager org-policies create-enforcer iam.allowedImageTypes --organization [ORGANIZATION-ID] --policy boolean_policy.yaml

Replace [ORGANIZATION-ID] with the ID of your GCP organization.

In the above command, the policy is created using a YAML file named boolean_policy.yaml. Create this file with the following content:

enforce: true
constraint: constraints/compute.allowedImageTypes

Save the file.

Run the following command to update the policy:

gcloud beta resource-manager org-policies set-policy iam.allowedImageTypes --policy boolean_policy.yaml

The policy is now enforced and any user who tries to use an image that is not allowed will receive an error message.

By following the above steps, you can remediate the misconfiguration of restricting the use of images in GCP using GCP CLI.

Using Python

To remediate the misconfiguration of restricting the use of images in GCP using Python, you can follow the below steps:

Firstly, you need to create a service account in the GCP project with the required permissions to manage the images. You can use the following command to create a service account:

gcloud iam service-accounts create [SA-NAME] --description "[SA-DESCRIPTION]" --display-name "[SA-DISPLAY-NAME]"

After creating the service account, you need to grant it the required permissions to manage the images. You can use the following command to grant the required permissions:

gcloud projects add-iam-policy-binding [PROJECT-ID] --member serviceAccount:[SA-EMAIL] --role roles/compute.imageUser

Next, you need to create a custom IAM role that restricts the use of images. You can use the following Python code to create a custom IAM role:

from google.cloud import iam

client = iam.IAMClient()

# Define the permissions for the custom role
permissions = [
    "compute.images.get",
    "compute.images.list",
    "compute.images.useReadOnly"
]

# Create the custom role
response = client.create_role(
    parent="projects/[PROJECT-ID]",
    role_id="[ROLE-ID]",
    role={
        "title": "[ROLE-TITLE]",
        "description": "[ROLE-DESCRIPTION]",
        "included_permissions": permissions
    }
)

After creating the custom IAM role, you need to assign it to the service account that you created in step 1. You can use the following Python code to assign the custom IAM role to the service account:

from google.cloud import iam

client = iam.IAMClient()

# Assign the custom role to the service account
response = client.set_iam_policy(
    resource="[RESOURCE-ID]",
    policy={
        "bindings": [
            {
                "role": "projects/[PROJECT-ID]/roles/[ROLE-ID]",
                "members": [
                    "serviceAccount:[SA-EMAIL]"
                ]
            }
        ]
    }
)

Finally, you need to verify that the custom IAM role has been assigned to the service account and that the service account has the required permissions to manage the images. You can use the following command to verify the same:

gcloud projects get-iam-policy [PROJECT-ID] --flatten="bindings[].members" --format="table(bindings.role, bindings.members)"

By following the above steps, you can remediate the misconfiguration of restricting the use of images in GCP using Python.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Restricting the Use of Images

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation