GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Control Plane Endpoint Access Should Be Limited To Authorized Networks
More Info:
Control Plane endpoint access should be limited to authorized networks only
Risk Level
Critical
Address
Security, Reliability, Best Practice
Compliance Standards
HITRUST, SOC2, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate the control plane endpoint access misconfiguration in GCP, you can follow these steps:
- Open the Google Cloud Console and navigate to the VPC network page.
- Select the VPC network that you want to configure.
- Click on the “Firewall rules” tab.
- Click on the “Create Firewall Rule” button.
- In the “Name” field, enter a name for the firewall rule.
- In the “Targets” field, select “All instances in the network”.
- In the “Source IP ranges” field, enter the IP address range of the authorized networks that should have access to the control plane endpoint.
- In the “Protocols and ports” section, select “Specified protocols and ports”.
- In the “Specified protocols and ports” field, enter “tcp:443”.
- Click on the “Create” button to create the firewall rule.
This will create a firewall rule that will restrict access to the control plane endpoint to only the authorized networks that you specified.
To remediate the misconfiguration “Control Plane Endpoint Access Should Be Limited To Authorized Networks” for GCP using GCP CLI, follow these steps:
-
Open the Cloud Shell in the GCP Console.
-
Run the following command to list the current authorized networks:
gcloud container clusters describe [CLUSTER_NAME] --zone [ZONE] --format="value(masterAuthorizedNetworksConfig.cidrBlocks)"
Replace [CLUSTER_NAME] and [ZONE] with the name and zone of your cluster.
- If the output shows that there are no authorized networks, or if the authorized networks are not correct, run the following command to add authorized networks:
gcloud container clusters update [CLUSTER_NAME] --zone [ZONE] --update-master --master-authorized-networks=[CIDR_BLOCK]
Replace [CLUSTER_NAME], [ZONE], and [CIDR_BLOCK] with your own values. You can specify multiple CIDR blocks separated by commas.
-
Verify that the authorized networks have been added by running the first command again.
-
Repeat steps 2-4 for each cluster in your GCP project.
By following these steps, you will restrict access to the control plane endpoint to only the authorized networks, reducing the risk of unauthorized access.
To remediate “Control Plane Endpoint Access Should Be Limited To Authorized Networks” for GCP using python, you can follow these steps:
- Import necessary libraries:
from googleapiclient import discovery
from google.oauth2 import service_account
- Set up authentication using a service account:
credentials = service_account.Credentials.from_service_account_file(
'/path/to/service_account_key.json')
- Initialize the GCP API client:
service = discovery.build('container', 'v1', credentials=credentials)
- Get the current cluster configuration:
project_id = 'your-project-id'
zone = 'your-zone'
cluster_id = 'your-cluster-id'
cluster = service.projects().zones().clusters().get(
projectId=project_id, zone=zone, clusterId=cluster_id).execute()
- Update the cluster configuration to limit control plane endpoint access to authorized networks:
authorized_networks_config = {
'enabled': True,
'cidrBlocks': ['10.0.0.0/8', '172.16.0.0/12']
}
cluster['masterAuthorizedNetworksConfig'] = authorized_networks_config
response = service.projects().zones().clusters().update(
projectId=project_id, zone=zone, clusterId=cluster_id, body=cluster).execute()
In this example, we are limiting control plane endpoint access to the IP ranges ‘10.0.0.0/8’ and ‘172.16.0.0/12’. You can modify the cidrBlocks list to include the authorized networks for your specific use case.
Note: This code assumes that you have the necessary permissions to modify the cluster configuration.