GCP Threats
Minimize Container Registries To Only Approved Ones
More Info:
Use Binary Authorization to allowlist (whitelist) only approved container registries
Risk Level
Medium
Address
Security, Operational Excellence, Best Practice
Compliance Standards
CISGKE
Triage and Remediation
Remediation
To remediate the misconfiguration “Minimize Container Registries To Only Approved Ones” for GCP using GCP console, please follow the below steps:
- Login to the GCP console (https://console.cloud.google.com/) and select the project that owns the GKE cluster(s).
- Navigate to the Binary Authorization page by clicking on “Navigation menu > Security > Binary Authorization”. Enable the Binary Authorization API if you are prompted to.
- Open the “Policy” tab and click on “Edit Policy”.
- Under the project default rule, select “Disallow all images”. Choose the blocking enforcement mode, or select the dry-run (audit only) mode first if you want to find workloads that would be blocked before enforcing.
- Under “Images exempt from this policy”, add one image path pattern per approved registry, for example gcr.io/[PROJECT_ID]/* for Container Registry or us-docker.pkg.dev/[PROJECT_ID]/[REPOSITORY]/** for Artifact Registry. Do not add public registries such as docker.io.
- Leave the exemption for Google-maintained system images enabled; otherwise GKE system pods will be blocked from starting.
- Click on “Save Policy”.
- Navigate to “Navigation menu > Kubernetes Engine > Clusters”, open each cluster, and under the “Security” section enable “Binary Authorization” so that the project policy is enforced. The policy only applies to clusters that have it enabled.
Repeat the last step for every cluster in the project. Note that granting or removing registry roles such as “Storage Object Viewer” does not address this control: it restricts which registries a cluster may pull images from, not which identities may read a registry.
To remediate the misconfiguration “Minimize Container Registries To Only Approved Ones” in GCP using GCP CLI, you can follow the below steps:
- Open the terminal and authenticate into your GCP account using the following command:
gcloud auth login
- Once you are authenticated, set the project that contains the GKE cluster(s) using the following command:
gcloud config set project [PROJECT_ID]
- Enable the Binary Authorization API (this is a no-op if it is already enabled):
gcloud services enable binaryauthorization.googleapis.com
- Export the current Binary Authorization policy and review it. A project that has never been configured has a default rule of ALWAYS_ALLOW, which is the misconfiguration:
gcloud container binauthz policy export > policy.yaml
- Edit policy.yaml so that the default rule denies everything and only the approved registries are allowlisted. Replace [PROJECT_ID] and the registry paths with the registries your organisation has approved (a trailing * matches the rest of one path element, a trailing ** also matches subdirectories):
admissionWhitelistPatterns:
- namePattern: gcr.io/[PROJECT_ID]/*
- namePattern: us-docker.pkg.dev/[PROJECT_ID]/[REPOSITORY]/**
defaultAdmissionRule:
  evaluationMode: ALWAYS_DENY
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
globalPolicyEvaluationMode: ENABLE
name: projects/[PROJECT_ID]/policy
Keep globalPolicyEvaluationMode set to ENABLE so that Google-maintained GKE system images are still admitted. To find workloads that would be blocked before enforcing, set enforcementMode to DRYRUN_AUDIT_LOG_ONLY first and review the audit logs, then switch to ENFORCED_BLOCK_AND_AUDIT_LOG.
- Import the updated policy:
gcloud container binauthz policy import policy.yaml
- The policy is only enforced on clusters that have Binary Authorization enabled. Enable it on every cluster in the project (use --region instead of --zone for regional clusters):
gcloud container clusters update [CLUSTER_NAME] --zone [ZONE] --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE
- Repeat the above step for every cluster in the project.
- Once the policy is imported and enabled, verify the result using the following commands:
gcloud container binauthz policy export
gcloud container clusters describe [CLUSTER_NAME] --zone [ZONE] --format="value(binaryAuthorization.evaluationMode)"
The policy export should show ALWAYS_DENY as the default rule with only approved registries under admissionWhitelistPatterns, and the cluster describe should print PROJECT_SINGLETON_POLICY_ENFORCE.
By following the above steps, you can remediate the misconfiguration “Minimize Container Registries To Only Approved Ones” in GCP using GCP CLI.
To remediate the misconfiguration “Minimize Container Registries To Only Approved Ones” in GCP using Python, you can follow the below steps:
- First, export the current Binary Authorization policy of the project. The script below shells out to the Google Cloud SDK for this (the equivalent of running gcloud container binauthz policy export), so gcloud must be installed and authenticated.
- Next, create a list of approved container registry path patterns that are allowed in your GCP project, for example gcr.io/[PROJECT_ID]/* or us-docker.pkg.dev/[PROJECT_ID]/[REPOSITORY]/**.
- Then, set the policy's default admission rule to ALWAYS_DENY, replace its allowlist with the approved patterns, keep the exemption for Google-maintained system images enabled, and import the updated policy.
- Here is an example script that automates this:
import json
import subprocess
import tempfile

PROJECT_ID = "my-project"
# Registry path patterns approved to run on the project's GKE clusters
approved_patterns = [f"gcr.io/{PROJECT_ID}/*",
                     f"us-docker.pkg.dev/{PROJECT_ID}/approved-repo/**"]

# Export the current Binary Authorization policy as JSON
policy = json.loads(subprocess.check_output(
    ["gcloud", "container", "binauthz", "policy", "export", "--format=json"], text=True))

# Deny everything by default and allowlist only the approved registries
policy["defaultAdmissionRule"] = {"evaluationMode": "ALWAYS_DENY",
                                  "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"}
policy["admissionWhitelistPatterns"] = [{"namePattern": p} for p in approved_patterns]
policy["globalPolicyEvaluationMode"] = "ENABLE"  # keep GKE system images admitted

# Import the updated policy (JSON is valid YAML, which is what import expects)
with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as f:
    json.dump(policy, f)
subprocess.check_call(["gcloud", "container", "binauthz", "policy", "import", f.name])
- Binary Authorization must also be enabled on each GKE cluster (gcloud container clusters update [CLUSTER_NAME] --zone [ZONE] --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE) for the policy to be enforced. You can run this script periodically to ensure that the policy has not drifted back to admitting images from unapproved registries.
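Before switching the default rule to a blocking enforcement mode, a practitioner wants to know which running workloads the new allowlist would reject. The following is an added example, not code from the original page or from Google: it builds the same policy shape that gcloud container binauthz policy export produces and dry-runs it against the image references a cluster is running. It assumes the name-pattern semantics described in the comments (trailing * within one path element, trailing ** across subdirectories; a pattern with no wildcard is assumed to be compared against the image name with tag or digest removed), models only the gke.gcr.io registry for Google's system-image exemption, and uses a constructed list of images in place of real kubectl output.

```python
"""Dry-run a Binary Authorization allowlist policy against the images a cluster runs.

Pipe real input in with:
  kubectl get pods -A -o jsonpath='{range .items[*]}{range .spec.containers[*]}{.image}{"\n"}{end}{end}' | python3 binauthz_dryrun.py
With no piped input the constructed sample below is used.
"""
import sys

# Constructed sample: what the kubectl command above might print for a small cluster.
SAMPLE_CLUSTER_IMAGES = """\
gcr.io/my-project/api:1.4.2
gcr.io/my-project/api@sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
us-docker.pkg.dev/my-project/approved-repo/team-a/worker:2.0
docker.io/library/nginx:1.25
gcr.io/other-project/sidecar:latest
gcr.io/my-project/nested/tool:1.0
gke.gcr.io/proxy-agent:v0.1
"""


def build_policy(project_id, approved_patterns, enforce=False):
    """Return a policy in the shape of `gcloud container binauthz policy export` that
    denies everything except the approved registry patterns. Start with enforce=False
    (DRYRUN_AUDIT_LOG_ONLY) and switch to enforce=True once audit() reports nothing."""
    return {
        "name": f"projects/{project_id}/policy",
        "admissionWhitelistPatterns": [{"namePattern": p} for p in approved_patterns],
        "defaultAdmissionRule": {
            "evaluationMode": "ALWAYS_DENY",
            "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG" if enforce else "DRYRUN_AUDIT_LOG_ONLY",
        },
        # Keeps Google-maintained GKE system images admitted; DISABLE breaks system pods.
        "globalPolicyEvaluationMode": "ENABLE",
    }


def strip_tag_and_digest(image_ref):
    """gcr.io/p/img:1.0 -> gcr.io/p/img ; gcr.io/p/img@sha256:... -> gcr.io/p/img.
    A ':' only denotes a tag if it comes after the last '/', so registry:port survives."""
    name = image_ref.split("@", 1)[0]
    colon = name.rfind(":")
    if colon > name.rfind("/"):
        name = name[:colon]
    return name


def pattern_matches(name_pattern, image_ref):
    """Trailing '*' matches the rest of a single path element; trailing '**' also
    matches across '/'. A pattern without a wildcard is compared against the image
    name with tag or digest removed (assumption of this example, not a documented rule)."""
    if name_pattern.endswith("**"):
        return image_ref.startswith(name_pattern[:-2])
    if name_pattern.endswith("*"):
        prefix = name_pattern[:-1]
        return image_ref.startswith(prefix) and "/" not in image_ref[len(prefix):]
    return strip_tag_and_digest(image_ref) == name_pattern


def is_admitted(policy, image_ref):
    """Would the project default rule admit this image? Attestor-based rules
    (REQUIRE_ATTESTATION) are not modelled and count as not admitted. Google's global
    policy exempts GKE system images; only gke.gcr.io is modelled here (assumption:
    the real exemption list is broader)."""
    if policy.get("globalPolicyEvaluationMode") == "ENABLE" and image_ref.startswith("gke.gcr.io/"):
        return True
    patterns = policy.get("admissionWhitelistPatterns", [])
    if any(pattern_matches(p["namePattern"], image_ref) for p in patterns):
        return True
    return policy["defaultAdmissionRule"]["evaluationMode"] == "ALWAYS_ALLOW"


def audit(policy, image_lines):
    """Return the sorted, de-duplicated image references the policy would deny."""
    images = {line.strip() for line in image_lines.splitlines() if line.strip()}
    return sorted(img for img in images if not is_admitted(policy, img))


if __name__ == "__main__":
    approved = ["gcr.io/my-project/*", "us-docker.pkg.dev/my-project/approved-repo/**"]
    policy = build_policy("my-project", approved, enforce=False)
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CLUSTER_IMAGES
    for img in audit(policy, source):
        print("would be DENIED:", img)
    print("policy default rule:", policy["defaultAdmissionRule"])
```

On the constructed sample the audit flags the public docker.io image, the image from another project, and gcr.io/my-project/nested/tool:1.0, which shows why a single trailing * does not cover nested repository paths: if nested paths are legitimate, allowlist them with ** instead. Fix or re-home those workloads, re-run the audit, and only then set enforce=True and import the policy.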