Restrict Allowed Google Cloud APIs and Services
More Info:
Ensure that all the Google Cloud APIs and services restricted within your organization are defined using the “Restrict allowed Google Cloud APIs and services” organization policy. This constraint policy helps you achieve regulatory compliance by defining the set of cloud services and APIs that cannot be used within your GCP organization.Risk Level
MediumAddress
Security, Operational MaturityCompliance Standards
CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of “Restrict Allowed Google Cloud APIs and Services” in GCP using the GCP console, please follow the below steps:Step 1: Login to your Google Cloud Platform console.Step 2: Select the project you want to remediate the misconfiguration for.Step 3: Click on the Navigation menu, go to the “IAM & Admin” section, and select “IAM”.Step 4: In the IAM page, select the role for which you want to restrict the allowed APIs and services.Step 5: Click on the “Edit” button next to the selected role.Step 6: Scroll down to the “Permissions” section and click on the “Add Condition” button.Step 7: In the “Add Condition” dialog box, select the “APIs & Services” option from the dropdown menu.Step 8: In the “APIs & Services” section, select the “APIs” tab and select the APIs and services you want to allow.Step 9: Click on the “Save” button to apply the changes.Step 10: Verify that the allowed APIs and services are restricted by checking the IAM page for the role you modified.By following these steps, you can remediate the misconfiguration of “Restrict Allowed Google Cloud APIs and Services” in GCP using the GCP console.
Using CLI
Using CLI
To remediate the “Restrict Allowed Google Cloud APIs and Services” misconfiguration in GCP using GCP CLI, you can follow the below steps:Step 1: Open the Cloud Shell in your GCP Console.Step 2: Run the following command to list all the enabled APIs and services in your project:Step 3: Identify the APIs and services that are not required for your project and note down their service names. For example, if you want to restrict the Cloud SQL Admin API, note down its service name “sqladmin.googleapis.com”.Step 4: Run the following command to disable the unnecessary APIs and services:Replace [SERVICE_NAME] with the service name that you want to disable. For example, to disable the Cloud SQL Admin API, run the following command:Step 5: Verify that the API or service has been disabled by running the following command:This will list all the enabled APIs and services in your project. Make sure that the API or service that you have disabled is not listed.By following the above steps, you can remediate the “Restrict Allowed Google Cloud APIs and Services” misconfiguration in GCP using GCP CLI.
Using Python
Using Python
To restrict allowed Google Cloud APIs and Services in GCP using Python, you can follow the below steps:This Python script will restrict the allowed Google Cloud APIs and Services for the specified project.
- Import the required libraries:
- Set up the credentials using the service account key file:
- Set up the client for the Service Usage API:
- Define the project ID and the list of APIs and Services to be restricted:
- Get the list of enabled services for the project:
- Disable the services that are not in the restricted list:
- Verify that only the restricted services are enabled: