GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Basic Authentication Should Be Disabled
More Info:
Ensure basic authentication is set to disabled on Kubernetes clusters.
Risk Level
High
Address
Security, Reliability
Compliance Standards
CISGKE
Triage and Remediation
Remediation
To remediate the “Basic Authentication Should Be Disabled” misconfiguration in GCP using the GCP console, you can follow these steps:
-
Open the GCP console and select the project that you want to work on.
-
Go to the Cloud Run service that you want to remediate.
-
Click on the “Edit and deploy new revision” button.
-
Scroll down to the “Container” section and click on the “Show advanced settings” link.
-
In the “Container” section, locate the “Environment variables” field.
-
Click on the “Add item” button to add a new environment variable.
-
In the “Name” field, enter “DISABLE_BASIC_AUTH”.
-
In the “Value” field, enter “true”.
-
Click on the “Save” button to save the changes.
-
Redeploy the service to apply the changes.
Once you have completed these steps, Basic Authentication will be disabled for the Cloud Run service in GCP.
To remediate the “Basic Authentication Should Be Disabled” misconfiguration for GCP using GCP CLI, follow these steps:
- Open the Cloud Shell in your GCP console.
- Run the following command to list all the Cloud SQL instances in your project:
gcloud sql instances list
- Choose the instance for which you want to disable basic authentication and run the following command to update the instance:
gcloud sql instances patch INSTANCE_NAME --database-flags=skip_enable_binlog_mysql=on
Replace INSTANCE_NAME with the name of your Cloud SQL instance.
-
After running the above command, you will see the updated instance information. Verify that the
skip_enable_binlog_mysqlflag is set toON. -
Run the following command to verify that basic authentication is disabled:
gcloud sql instances describe INSTANCE_NAME | grep requireSsl
If the output shows requireSsl: true, then basic authentication is disabled.
Note: Disabling basic authentication may affect your application’s functionality, so make sure to test your application after making this change.
To remediate the “Basic Authentication Should Be Disabled” misconfiguration in GCP using Python, you can follow these steps:
- Import the necessary libraries:
from googleapiclient import errors
from google.oauth2 import service_account
from google.cloud import asset_v1
- Set up the credentials to authenticate with the GCP API:
credentials = service_account.Credentials.from_service_account_file('path/to/credentials.json')
- Create a function to check if basic authentication is enabled:
def check_basic_auth(project_id):
client = asset_v1.AssetServiceClient(credentials=credentials)
asset_query = asset_v1.AssetQuery()
asset_query.asset_types = ['google.compute.Instance']
asset_query.query = f'project = "{project_id}" AND securityConfiguration.basicAuthEnabled = true'
response = client.search_all_resources(scope=f'projects/{project_id}', query=asset_query)
return response
- Create a function to disable basic authentication:
def disable_basic_auth(project_id, instance_name, zone):
from googleapiclient.discovery import build
compute = build('compute', 'v1', credentials=credentials)
instance = compute.instances().get(project=project_id, zone=zone, instance=instance_name).execute()
if 'securityConfiguration' not in instance:
instance['securityConfiguration'] = {}
instance['securityConfiguration']['basicAuthEnabled'] = False
request = compute.instances().update(project=project_id, zone=zone, instance=instance_name, body=instance)
response = request.execute()
return response
- Call the check_basic_auth function to check if basic authentication is enabled:
response = check_basic_auth('your-project-id')
if response.total_size > 0:
for result in response:
instance_name = result.resource.name.split('/')[-1]
zone = result.resource.location.split('/')[-1]
disable_basic_auth('your-project-id', instance_name, zone)
This code will check if basic authentication is enabled for any instances in the specified project and disable it if it is enabled. You can run this code periodically to ensure that basic authentication remains disabled.