More Info:

Disable Client Certificates, which require certificate rotation, for authentication. Instead, use another authentication method like OpenID Connect.

Risk Level

Low

Address

Security, Reliability, Operational Excellence, Performance Efficiency

Compliance Standards

SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Ensure Authentication Using Client Certificates Is Disabled” in GCP using GCP console, you can follow the below steps:
  1. Open the GCP Console and navigate to the Security Command Center.
  2. From the Security Command Center dashboard, select the project that you want to remediate.
  3. Click on the “Policy” tab and search for the policy “Ensure Authentication Using Client Certificates Is Disabled”.
  4. Click on the policy to view the list of non-compliant resources.
  5. Click on the non-compliant resource that you want to remediate.
  6. In the “Resource Details” page, click on the “Remediate” button.
  7. In the “Remediation” dialog box, select the option “Disable client certificate authentication”.
  8. Click on the “Remediate” button to apply the remediation.
  9. Once the remediation is applied, the policy status will change to “Compliant”.
  10. Verify that the policy is now compliant by checking the policy status and the resource details page.
By following these steps, you can remediate the misconfiguration “Ensure Authentication Using Client Certificates Is Disabled” in GCP using GCP console.

To remediate the misconfiguration “Ensure Authentication Using Client Certificates Is Disabled” for GCP using GCP CLI, follow the below steps:
  1. Open the Cloud Shell in the GCP console.
  2. Run the following command to list all the backend services in the current project: 
    gcloud compute backend-services list
  3. Identify the backend service that needs to be remediated and note down its name.
  4. Run the following command to describe the backend service: 
    gcloud compute backend-services describe [BACKEND_SERVICE_NAME]
    Replace [BACKEND_SERVICE_NAME] with the name of the backend service identified in step 3.
  5. In the output, locate the securityPolicy field. If this field is set to a security policy that enforces client certificate authentication, then client certificate authentication is enabled. To disable it, you need to set the securityPolicy field to null.
  6. Run the following command to update the backend service and disable client certificate authentication: 
    gcloud compute backend-services update [BACKEND_SERVICE_NAME] --no-security-policy
    Replace [BACKEND_SERVICE_NAME] with the name of the backend service identified in step 3.
  7. Verify that the misconfiguration has been remediated by running the command in step 4 again and checking that the securityPolicy field is now set to null.
By following these steps, you can remediate the misconfiguration “Ensure Authentication Using Client Certificates Is Disabled” for GCP using GCP CLI.
To remediate the misconfiguration “Ensure Authentication Using Client Certificates is Disabled” for GCP using Python, you can follow these steps:
  1. First, you need to authenticate with GCP using a service account key file. You can create a service account and download the key file from the GCP console. Then, set the environment variable GOOGLE_APPLICATION_CREDENTIALS to the path of the key file.
import os
from google.oauth2 import service_account

# Replace [PATH_TO_KEY_FILE] with the path to your service account key file
key_path = '[PATH_TO_KEY_FILE]'
credentials = service_account.Credentials.from_service_account_file(key_path)
os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = key_path
  1. Next, you can use the google-cloud-resource-manager library to retrieve a list of all projects in your GCP organization.
from google.cloud import resource_manager

client = resource_manager.Client(credentials=credentials)
projects = list(client.list_projects())
  1. For each project, you can use the google-cloud-compute library to retrieve a list of all instances in the project.
from google.cloud import compute_v1

compute_client = compute_v1.InstancesClient(credentials=credentials)
for project in projects:
    instances = list(compute_client.list(project=project.project_id))
  1. For each instance, you can check if client certificate authentication is enabled by checking the clientCertEnabled field in the instance’s metadata.
for instance in instances:
    metadata = compute_client.get_iam_policy(instance=instance.self_link)
    if metadata.items.get('clientCertEnabled', {}).get('value', '') == 'true':
        # Client certificate authentication is enabled
  1. To disable client certificate authentication, you can update the instance’s metadata using the google-cloud-compute library.
from google.cloud.compute_v1.types import Instance

metadata = compute_client.get_iam_policy(instance=instance.self_link)
metadata.items['clientCertEnabled'] = Instance.Metadata.Items.Value(value='false')
compute_client.set_metadata(instance=instance.self_link, metadata=metadata)
  1. Finally, you can confirm that client certificate authentication is disabled by checking the clientCertEnabled field in the instance’s updated metadata.
metadata = compute_client.get_iam_policy(instance=instance.self_link)
if metadata.items.get('clientCertEnabled', {}).get('value', '') == 'false':
    # Client certificate authentication is disabled
By following these steps, you can remediate the misconfiguration “Ensure Authentication Using Client Certificates is Disabled” for GCP using Python.

Additional Reading: