GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Disable Serial Port Access Support at Organization Level
More Info:
Ensure that “Disable VM serial port access” constraint policy is enabled for your Google Cloud Platform (GCP) organizations. Due to security and compliance regulations, the serial port access to your Compute Engine virtual machine (VM) instances must be disabled.
Risk Level
Medium
Address
Security, Operational Maturity
Compliance Standards
CISGCP, CBP
Triage and Remediation
Remediation
To remediate the “Disable Serial Port Access Support at Organization Level” misconfiguration in GCP using the GCP console, follow these steps:
- Open the GCP console and navigate to the “IAM & Admin” section.
- Click on “Organization” and select your organization from the dropdown menu.
- Click on the “Policies” tab and scroll down to the “Compute Engine” section.
- Locate the policy for “Serial Port Access” and click on the “Edit” button next to it.
- In the policy editor, select “Deny” for the “SerialPortAccess” permission.
- Click on “Save” to update the policy.
This will disable Serial Port Access Support at the organization level in GCP. Note that this change may take some time to propagate across all resources in your organization.
To remediate the misconfiguration “Disable Serial Port Access Support at Organization Level” for GCP using GCP CLI, follow these steps:
-
Open the GCP CLI and log in to your GCP account using your credentials.
-
Run the following command to disable serial port access support at the organization level:
gcloud alpha compute organizations update --disable-serial-port-access
-
Once the command is executed successfully, the serial port access support will be disabled at the organization level.
-
Verify the changes by running the following command:
gcloud alpha compute organizations describe
This command will display the organization’s details, including the serial port access support status. If the serial port access support is disabled, it will be reflected in the output.
Note: The above command is in alpha state and may change in the future. It is recommended to check the latest documentation before executing the command.
To disable Serial Port Access Support at the Organization Level in GCP using Python, you can follow these steps:
-
First, you need to authenticate with the GCP API using a Service Account. You can create a Service Account with the necessary permissions in the GCP Console and download the Service Account Key as a JSON file.
-
Install the Google Cloud SDK and the necessary Python libraries for interacting with the GCP API. You can do this by running the following command in your terminal:
pip install google-cloud google-auth google-auth-oauthlib google-auth-httplib2
- Import the necessary libraries and authenticate with the GCP API using the Service Account Key:
from google.oauth2 import service_account
from googleapiclient.discovery import build
credentials = service_account.Credentials.from_service_account_file(
'path/to/service_account_key.json')
service = build('cloudresourcemanager', 'v1', credentials=credentials)
- Use the
organizations.patchmethod to update theenableSerialPortAccessfield of the Organization resource. Set the value ofenableSerialPortAccesstoFalseto disable Serial Port Access Support at the Organization Level:
org_id = 'your_organization_id'
org = service.organizations().get(name=f'organizations/{org_id}').execute()
org['enableSerialPortAccess'] = False
updated_org = service.organizations().patch(name=f'organizations/{org_id}', body=org).execute()
- Verify that Serial Port Access Support has been disabled at the Organization Level by checking the
enableSerialPortAccessfield of the Organization resource:
print(f'Serial Port Access Support is now disabled at the Organization Level: {updated_org["enableSerialPortAccess"]}')
And that’s it! You have successfully remediated the misconfiguration by disabling Serial Port Access Support at the Organization Level in GCP using Python.