GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Client Certificate Authentication Should Not Be Used For Users
More Info:
Kubernetes provides the option to use client certificates for user authentication. However as there is no way to revoke these certificates when a user leaves an organization or loses their credential, they are not suitable for this purpose. It is not possible to fully disable client certificate use within a cluster as it is used for component to component authentication.
Risk Level
High
Address
Security, Reliability
Compliance Standards
CISGKE
Triage and Remediation
Remediation
To remediate the misconfiguration “Client Certificate Authentication Should Not Be Used For Users” for GCP using GCP console, follow the below steps:
- Login to the GCP console.
- Navigate to the Cloud Identity-Aware Proxy page.
- Select the project for which you want to remediate the misconfiguration.
- Click on the Edit button for the resource you want to modify.
- Under the “Authentication” section, select the “OAuth” option.
- Next, select the “User-managed” option and click on the “Save” button.
- Verify that the change has been applied by checking that the “Client Certificate” option is no longer selected under the “Authentication” section.
By following these steps, you have successfully remediated the misconfiguration “Client Certificate Authentication Should Not Be Used For Users” for GCP using GCP console.
To remediate the misconfiguration “Client Certificate Authentication Should Not Be Used For Users” for GCP using GCP CLI, you can follow the below steps:
-
Open the Google Cloud Console and select the project in which you want to make the changes.
-
Open the Cloud Shell by clicking on the icon on the top right corner of the console.
-
In the Cloud Shell, run the following command to disable client certificate authentication:
gcloud alpha container hub config set --user-authentication-mode=NONE
- Verify that the authentication mode has been changed by running the following command:
gcloud alpha container hub config describe
This command will display the current configuration of the Google Kubernetes Engine (GKE) hub.
- Ensure that the authentication mode is set to “NONE” for user authentication.
By following these steps, you can remediate the misconfiguration “Client Certificate Authentication Should Not Be Used For Users” for GCP using GCP CLI.
To remediate the misconfiguration “Client Certificate Authentication Should Not Be Used For Users” in GCP using Python, you can follow the below steps:
- First, you need to check if client certificate authentication is enabled for any user in your GCP project. You can use the following Python code to check this:
from googleapiclient import discovery
from oauth2client.client import GoogleCredentials
credentials = GoogleCredentials.get_application_default()
service = discovery.build('iam', 'v1', credentials=credentials)
response = service.projects().getIamPolicy(resource=<your-project-id>).execute()
for binding in response['bindings']:
if 'members' in binding:
for member in binding['members']:
if member.startswith('clientCertificate:'):
print(f'Client certificate authentication is enabled for user: {member}')
- If the above code returns any user who has client certificate authentication enabled, you need to disable it. You can use the following Python code to disable client certificate authentication for a user:
from googleapiclient import discovery
from oauth2client.client import GoogleCredentials
credentials = GoogleCredentials.get_application_default()
service = discovery.build('iam', 'v1', credentials=credentials)
member = 'clientCertificate:<user-email>'
policy = {
'bindings': [
{
'role': '<role>',
'members': [member],
'condition': {
'title': 'deny-client-certificate',
'expression': 'request.auth.cert_subject_dn != "<client-certificate-dn>"'
}
}
]
}
response = service.projects().setIamPolicy(resource=<your-project-id>, body={'policy': policy}).execute()
Replace <user-email> with the email address of the user for whom you want to disable client certificate authentication. Replace <role> with the role assigned to the user. Replace <client-certificate-dn> with the distinguished name of the client certificate that the user is using for authentication.
-
Run the above code to disable client certificate authentication for the user.
-
Verify that client certificate authentication is disabled for the user by running the first code snippet again. If it returns no user, then the remediation is successful.
Note: Make sure you have the required permissions to modify IAM policies in your GCP project.