Restrict Shared VPC Subnetworks
More Info: Ensure that the “Restrict Shared VPC Subnetworks” policy is enforced for your GCP organizations.
Risk Level: Medium
Address: Security, Operational Maturity
Compliance Standards: CBP
Triage and Remediation
Remediation
To remediate the “Restrict Shared VPC Subnetworks” misconfiguration in GCP using the GCP console, follow these steps:
- Open the GCP console and go to the VPC network page.
- Select the shared VPC network whose subnetworks you want to restrict.
- In the “Subnetworks” section, click the “Edit” button.
- In the “Subnetworks” dialog box, uncheck the “Allow new subnetworks in this VPC network” option.
- Click the “Save” button to apply the changes.
These steps restrict the creation of new subnetworks in the shared VPC network, which helps prevent unauthorized access and potential security threats.
To remediate the “Restrict Shared VPC Subnetworks” misconfiguration in GCP using the GCP CLI, follow the steps below. The policy behind this check is the organization policy constraint constraints/compute.restrictSharedVpcSubnetworks, a list constraint that limits which Shared VPC subnetworks the projects under an organization, folder or project are allowed to use.
Step 1: Open the Cloud Shell.
Step 2: Run the command below to list the subnetworks of the shared VPC network in the host project:
gcloud compute networks subnets list --project=[HOST_PROJECT_ID] --network=[SHARED_VPC_NAME]
Note: Replace [HOST_PROJECT_ID] and [SHARED_VPC_NAME] with the actual host project ID and shared VPC network name. To see which service projects are attached to the host project, run gcloud compute shared-vpc list-associated-resources [HOST_PROJECT_ID].
Step 3: Create a policy file (for example policy.yaml) that allows only the subnetworks service projects may use, then apply it to the organization:
constraint: constraints/compute.restrictSharedVpcSubnetworks
listPolicy:
  allowedValues:
    - projects/[HOST_PROJECT_ID]/regions/[REGION]/subnetworks/[SUBNETWORK_NAME]
gcloud resource-manager org-policies set-policy policy.yaml --organization=[ORGANIZATION_ID]
Note: Replace [HOST_PROJECT_ID], [REGION], [SUBNETWORK_NAME] and [ORGANIZATION_ID] with the actual values; add one allowedValues entry per subnetwork that should remain usable. The same command accepts --folder=[FOLDER_ID] or --project=[PROJECT_ID] to scope the policy more narrowly.
This policy denies the use of every Shared VPC subnetwork that is not explicitly listed in allowedValues.
Step 4: Run the command below to verify the changes:
gcloud resource-manager org-policies describe constraints/compute.restrictSharedVpcSubnetworks --organization=[ORGANIZATION_ID] --effective
Note: Replace [ORGANIZATION_ID] with the actual organization ID.
This command displays the effective policy for the constraint and confirms that the allowed subnetworks are restricted to the listed values.
By following these steps, you can remediate the “Restrict Shared VPC Subnetworks” misconfiguration in GCP using the GCP CLI.
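Verifying the policy with gcloud only shows the effective policy document; it does not tell you which shared subnetworks a service project can still reach. The following Python script is an added example, not code from the original page or from Google, that evaluates a saved effective-policy JSON (the shape produced by gcloud resource-manager org-policies describe constraints/compute.restrictSharedVpcSubnetworks --organization=[ORGANIZATION_ID] --effective --format=json) against the subnetworks returned by gcloud compute networks subnets list-usable --project=[SERVICE_PROJECT_ID] --format=json, and reports every shared subnetwork the policy does not allow. The project, region and subnetwork names in the embedded sample data are constructed; folder- and organization-level under: values would require a resource-hierarchy lookup and are conservatively treated as non-matching.

```python
"""Offline audit check for constraints/compute.restrictSharedVpcSubnetworks.

Added example, not part of the original page. All sample data below is
constructed; the JSON shapes mirror what the two gcloud commands named in
the lead-in emit with --format=json.
"""
import json
import re

CONSTRAINT = "constraints/compute.restrictSharedVpcSubnetworks"
_SUBNET_RE = re.compile(r"projects/([^/]+)/regions/([^/]+)/subnetworks/([^/]+)$")


def subnet_resource_name(self_link: str) -> str:
    """Normalise a subnetwork self-link or partial path to
    projects/P/regions/R/subnetworks/S, the form used in allowedValues."""
    match = _SUBNET_RE.search(self_link)
    if not match:
        raise ValueError(f"not a subnetwork link: {self_link}")
    return "projects/{}/regions/{}/subnetworks/{}".format(*match.groups())


def policy_is_enforced(policy: dict) -> bool:
    """True when the effective policy actually constrains the allowed set.

    An absent listPolicy or an explicit allValues: ALLOW means no restriction;
    allValues: DENY or a non-empty allowedValues list means the constraint bites.
    """
    if policy.get("constraint") != CONSTRAINT:
        return False
    list_policy = policy.get("listPolicy") or {}
    if list_policy.get("allValues") == "ALLOW":
        return False
    return bool(list_policy.get("allowedValues")) or list_policy.get("allValues") == "DENY"


def value_permits(allowed_value: str, subnet: str) -> bool:
    """Does one allowedValues entry cover the given normalised subnet name?

    Exact subnetwork paths and 'under:projects/<host>' are resolved here;
    'under:folders/...' and 'under:organizations/...' need the resource
    hierarchy, which this offline check does not have, so they never match.
    """
    if allowed_value.startswith("under:projects/"):
        return subnet.startswith(allowed_value[len("under:"):] + "/")
    return allowed_value == subnet


def unrestricted_subnets(policy: dict, usable_subnets: list) -> list:
    """Return the shared subnetworks usable by a service project that the
    policy does not explicitly allow. With no enforcement, that is all of them."""
    names = [subnet_resource_name(s["subnetwork"]) for s in usable_subnets]
    if not policy_is_enforced(policy):
        return names
    allowed = policy["listPolicy"].get("allowedValues", [])
    return [n for n in names if not any(value_permits(a, n) for a in allowed)]


# Constructed effective policy: one subnetwork allowed by exact path, plus every
# subnetwork of the 'host-dev' host project via an under: prefix.
EFFECTIVE_POLICY = json.loads("""{
  "constraint": "constraints/compute.restrictSharedVpcSubnetworks",
  "listPolicy": {
    "allowedValues": [
      "projects/host-prod/regions/us-central1/subnetworks/app-tier",
      "under:projects/host-dev"
    ]
  }
}""")

# Constructed 'subnets list-usable' output as seen from a service project.
USABLE_SUBNETS = [
    {"subnetwork": "https://www.googleapis.com/compute/v1/projects/host-prod/regions/us-central1/subnetworks/app-tier",
     "ipCidrRange": "10.10.0.0/24"},
    {"subnetwork": "https://www.googleapis.com/compute/v1/projects/host-prod/regions/us-central1/subnetworks/db-tier",
     "ipCidrRange": "10.10.1.0/24"},
    {"subnetwork": "https://www.googleapis.com/compute/v1/projects/host-dev/regions/europe-west1/subnetworks/sandbox",
     "ipCidrRange": "10.20.0.0/24"},
]

if __name__ == "__main__":
    print("policy enforced:", policy_is_enforced(EFFECTIVE_POLICY))
    for finding in unrestricted_subnets(EFFECTIVE_POLICY, USABLE_SUBNETS):
        print("not covered by policy:", finding)  # prints only the db-tier subnetwork
```

Run it against real data by replacing the two constructed structures with json.load() of the saved gcloud output; an empty result for every service project, together with policy_is_enforced returning True, is the state the check expects.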
To remediate the “Restrict Shared VPC Subnetworks” misconfiguration in GCP using Python, follow the steps below:
- First, create a service account and download its JSON key for authentication.
- Install the Google Cloud SDK and the google-cloud-compute Python library.
- Use the following Python code to remediate the misconfiguration:
from google.cloud import compute_v1

# Authenticate using the service account key
client = compute_v1.SubnetworksClient.from_service_account_json('path/to/service_account_key.json')

# Set the project ID, the region and the name of the subnetwork to restrict.
# Subnetworks are regional resources, so a real region such as 'us-central1' is required here.
project_id = 'your_project_id'
region = 'your_region'
subnetwork_name = 'your_subnetwork_name'

# Get the subnetwork and show its current setting
subnetwork = client.get(project=project_id, region=region, subnetwork=subnetwork_name)
print('Current private_ip_google_access:', subnetwork.private_ip_google_access)

# Set private IP Google access to "false" through the dedicated API method
request_body = compute_v1.SubnetworksSetPrivateIpGoogleAccessRequest(private_ip_google_access=False)
operation = client.set_private_ip_google_access(
    project=project_id,
    region=region,
    subnetwork=subnetwork_name,
    subnetworks_set_private_ip_google_access_request_resource=request_body,
)
operation.result()  # wait for the regional operation to complete
print('Subnetwork updated:', subnetwork_name)
This code sets the “private_ip_google_access” property of the subnetwork to “false”, which restricts the shared VPC subnetwork.
Note: Replace “path/to/service_account_key.json”, “your_project_id”, “your_region” and “your_subnetwork_name” with the actual values.