GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Legacy Authorization Should Be Disabled
More Info:
Ensure legacy authorization is set to disabled on Kubernetes clusters. The legacy authorizer in Kubernetes grants broad, statically defined permissions.
Risk Level
Medium
Address
Security
Compliance Standards
SOC2, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate the “Legacy Authorization Should Be Disabled” misconfiguration in GCP using GCP console, follow these steps:
- Open the GCP console and navigate to the IAM & Admin page.
- Click on the “Settings” tab.
- Scroll down to the “Authorization” section.
- Under “Legacy authorization”, click on the “Edit” button.
- Select the checkbox for “Disable project-wide legacy authorization”.
- Click on the “Save” button to apply the changes.
Once you have completed these steps, legacy authorization will be disabled for your GCP project. It is recommended to periodically review your IAM settings to ensure that they are up-to-date and secure.
To remediate the “Legacy Authorization Should Be Disabled” misconfiguration for GCP using GCP CLI, you can follow the below steps:
-
Open the Google Cloud Console and go to the Cloud Shell.
-
In the Cloud Shell, run the following command to check if legacy authorization is enabled:
gcloud projects get-iam-policy <project-id>Replace
<project-id>with your GCP project ID. -
If the output shows that legacy authorization is enabled, run the following command to disable it:
gcloud beta iam service-accounts disable-legacy-iam <service-account-email>Replace
<service-account-email>with the email address of the service account that you want to disable legacy authorization for. -
After running the above command, you can verify that legacy authorization has been disabled by running the following command:
gcloud projects get-iam-policy <project-id>The output should show that legacy authorization is now disabled.
Note: You need to have the necessary permissions to disable legacy authorization for a service account.
To remediate the “Legacy Authorization Should Be Disabled” misconfiguration in GCP using Python, you can follow these steps:
- Install the Google Cloud IAM API client library for Python using pip:
pip install --upgrade google-cloud-iam
- Create a Python script and import the necessary libraries:
from google.oauth2 import service_account
from google.cloud import iam_v1
- Set up authentication by creating a service account and downloading the JSON key file. Then, create a credentials object using the JSON key file:
key_path = '/path/to/key.json'
creds = service_account.Credentials.from_service_account_file(key_path)
- Create an instance of the IAM client:
client = iam_v1.IAMClient(credentials=creds)
- Get the current IAM policy for the project:
project_id = 'your-project-id'
resource = f'projects/{project_id}'
policy = client.get_iam_policy(request={'resource': resource})
- Check if the “allUsers” or “allAuthenticatedUsers” member exists in any of the IAM policy’s bindings:
for binding in policy.bindings:
if 'allUsers' in binding.members or 'allAuthenticatedUsers' in binding.members:
binding.members = [m for m in binding.members if m not in ['allUsers', 'allAuthenticatedUsers']]
- Update the IAM policy with the modified bindings:
policy = client.set_iam_policy(request={'resource': resource, 'policy': policy})
- Print a message indicating that the remediation is complete:
print('Legacy authorization has been disabled.')
- Save the script and run it using the command:
python script.py
This will remediate the “Legacy Authorization Should Be Disabled” misconfiguration in GCP by removing the “allUsers” and “allAuthenticatedUsers” members from any IAM policy bindings that contain them.