Control Plane Endpoint Access Should Be Limited To Authorized Networks

More Info:

Control Plane endpoint access should be limited to authorized networks only

Risk Level

Critical

Address

Security, Reliability, Best Practice

Compliance Standards

HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “Control Plane Endpoint Access Should Be Limited To Authorized Networks” for GCP using GCP CLI, follow these steps:

Open the Cloud Shell in the GCP Console.
Run the following command to list the current authorized networks:

gcloud container clusters describe [CLUSTER_NAME] --zone [ZONE] --format="value(masterAuthorizedNetworksConfig.cidrBlocks)"

Replace [CLUSTER_NAME] and [ZONE] with the name and zone of your cluster.

If the output shows that there are no authorized networks, or if the authorized networks are not correct, run the following command to add authorized networks:

gcloud container clusters update [CLUSTER_NAME] --zone [ZONE] --update-master --master-authorized-networks=[CIDR_BLOCK]

Replace [CLUSTER_NAME], [ZONE], and [CIDR_BLOCK] with your own values. You can specify multiple CIDR blocks separated by commas.

Verify that the authorized networks have been added by running the first command again.
Repeat steps 2-4 for each cluster in your GCP project.

By following these steps, you will restrict access to the control plane endpoint to only the authorized networks, reducing the risk of unauthorized access.

Using Python

To remediate “Control Plane Endpoint Access Should Be Limited To Authorized Networks” for GCP using python, you can follow these steps:

Import necessary libraries:

from googleapiclient import discovery
from google.oauth2 import service_account

Set up authentication using a service account:

credentials = service_account.Credentials.from_service_account_file(
    '/path/to/service_account_key.json')

Initialize the GCP API client:

service = discovery.build('container', 'v1', credentials=credentials)

Get the current cluster configuration:

project_id = 'your-project-id'
zone = 'your-zone'
cluster_id = 'your-cluster-id'

cluster = service.projects().zones().clusters().get(
    projectId=project_id, zone=zone, clusterId=cluster_id).execute()

Update the cluster configuration to limit control plane endpoint access to authorized networks:

authorized_networks_config = {
    'enabled': True,
    'cidrBlocks': ['10.0.0.0/8', '172.16.0.0/12']
}

cluster['masterAuthorizedNetworksConfig'] = authorized_networks_config

response = service.projects().zones().clusters().update(
    projectId=project_id, zone=zone, clusterId=cluster_id, body=cluster).execute()

In this example, we are limiting control plane endpoint access to the IP ranges ‘10.0.0.0/8’ and ‘172.16.0.0/12’. You can modify the cidrBlocks list to include the authorized networks for your specific use case.Note: This code assumes that you have the necessary permissions to modify the cluster configuration.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Control Plane Endpoint Access Should Be Limited To Authorized Networks

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation