More Info:

Ensure that “Disable VM serial port access” constraint policy is enabled for your Google Cloud Platform (GCP) organizations. Due to security and compliance regulations, the serial port access to your Compute Engine virtual machine (VM) instances must be disabled.

Risk Level

Medium

Address

Security, Operational Maturity

Compliance Standards

CISGCP, CBP

Triage and Remediation

Remediation

Using Console

To remediate the “Disable Serial Port Access Support at Organization Level” misconfiguration in GCP using the GCP console, follow these steps:
  1. Open the GCP console and navigate to the “IAM & Admin” section.
  2. Click on “Organization” and select your organization from the dropdown menu.
  3. Click on the “Policies” tab and scroll down to the “Compute Engine” section.
  4. Locate the policy for “Serial Port Access” and click on the “Edit” button next to it.
  5. In the policy editor, select “Deny” for the “SerialPortAccess” permission.
  6. Click on “Save” to update the policy.
This will disable Serial Port Access Support at the organization level in GCP. Note that this change may take some time to propagate across all resources in your organization.

To remediate the misconfiguration “Disable Serial Port Access Support at Organization Level” for GCP using GCP CLI, follow these steps:
  1. Open the GCP CLI and log in to your GCP account using your credentials.
  2. Run the following command to disable serial port access support at the organization level: 
gcloud alpha compute organizations update --disable-serial-port-access
  1. Once the command is executed successfully, the serial port access support will be disabled at the organization level.
  2. Verify the changes by running the following command: 
gcloud alpha compute organizations describe
This command will display the organization’s details, including the serial port access support status. If the serial port access support is disabled, it will be reflected in the output.Note: The above command is in alpha state and may change in the future. It is recommended to check the latest documentation before executing the command.
To disable Serial Port Access Support at the Organization Level in GCP using Python, you can follow these steps:
  1. First, you need to authenticate with the GCP API using a Service Account. You can create a Service Account with the necessary permissions in the GCP Console and download the Service Account Key as a JSON file.
  2. Install the Google Cloud SDK and the necessary Python libraries for interacting with the GCP API. You can do this by running the following command in your terminal: 
pip install google-cloud google-auth google-auth-oauthlib google-auth-httplib2
  1. Import the necessary libraries and authenticate with the GCP API using the Service Account Key:
from google.oauth2 import service_account
from googleapiclient.discovery import build

credentials = service_account.Credentials.from_service_account_file(
    'path/to/service_account_key.json')
service = build('cloudresourcemanager', 'v1', credentials=credentials)
  1. Use the organizations.patch method to update the enableSerialPortAccess field of the Organization resource. Set the value of enableSerialPortAccess to False to disable Serial Port Access Support at the Organization Level:
org_id = 'your_organization_id'
org = service.organizations().get(name=f'organizations/{org_id}').execute()
org['enableSerialPortAccess'] = False
updated_org = service.organizations().patch(name=f'organizations/{org_id}', body=org).execute()
  1. Verify that Serial Port Access Support has been disabled at the Organization Level by checking the enableSerialPortAccess field of the Organization resource:
print(f'Serial Port Access Support is now disabled at the Organization Level: {updated_org["enableSerialPortAccess"]}')
And that’s it! You have successfully remediated the misconfiguration by disabling Serial Port Access Support at the Organization Level in GCP using Python.