More Info:

Ensures the private endpoint setting is enabled for kubernetes clusters. Kubernetes private endpoints can be used to route all traffic between the Kubernetes worker and control plane nodes over a private VPC endpoint rather than across the public internet.

Risk Level

High

Address

Security

Compliance Standards

SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Private Endpoints Should Be Enabled” in GCP using GCP console, you can follow the below steps:
  1. Login to the GCP console and select the project where the misconfiguration exists.
  2. Go to the “VPC network” section from the navigation menu.
  3. Click on “Endpoints” from the left-hand side menu.
  4. Select the service for which you want to enable Private Endpoint.
  5. Click on “Create Endpoint”.
  6. Choose the VPC network and subnet in which you want to create the endpoint.
  7. Select the service you want to connect to and provide the required details.
  8. Click on “Create” to create the Private Endpoint.
Once you have created the Private Endpoint, you need to update the DNS settings for the service to use the Private Endpoint. You can follow the below steps to update the DNS settings:
  1. Go to the “Cloud DNS” section from the navigation menu.
  2. Select the DNS zone for which you want to update the DNS settings.
  3. Click on “Add Record Set”.
  4. Provide the required details like name, type, and IP address.
  5. In the IP address field, provide the IP address of the Private Endpoint you created.
  6. Click on “Create” to update the DNS settings.
By following the above steps, you can remediate the misconfiguration “Private Endpoints Should Be Enabled” in GCP using GCP console.

To remediate the misconfiguration “Private Endpoints Should Be Enabled” for GCP using GCP CLI, follow these steps:
  1. Open the Google Cloud Console and navigate to the VPC network page.
  2. Select the VPC network that you want to enable private endpoints for.
  3. Navigate to the Private Service Connection tab.
  4. Click on the Create connection button.
  5. In the Create private service connection dialog box, select the service that you want to connect to.
  6. Choose the VPC network that you want to use for the connection.
  7. Select the subnet that you want to use for the connection.
  8. Click on the Create button to create the private service connection.
  9. Repeat steps 4-8 for each service that you want to connect to.
Alternatively, you can use the gcloud command-line tool to enable private endpoints for a service. Here’s an example command:
gcloud services vpc-peerings connect \
    --network=[NETWORK_NAME] \
    --ranges=[PEERING_RANGES] \
    --service=[SERVICE_NAME] \
    --project=[PROJECT_ID]
Replace [NETWORK_NAME] with the name of your VPC network, [PEERING_RANGES] with the IP ranges for the private service connection, [SERVICE_NAME] with the name of the service that you want to connect to, and [PROJECT_ID] with your GCP project ID.
To remediate the misconfiguration of Private Endpoints not being enabled in GCP using Python, you can follow the below steps:
  1. Import the required libraries:
from google.cloud import compute_v1
from google.oauth2 import service_account
  1. Set up the credentials for authentication:
credentials = service_account.Credentials.from_service_account_file('<path_to_service_account_file>')
  1. Initialize the Compute Engine API client:
compute_client = compute_v1.ComputeClient(credentials=credentials)
  1. Get the list of all the networks in the project:
networks = compute_client.networks().list(project='<project_name>').execute()
  1. For each network, check if Private Google Access is enabled:
for network in networks['items']:
    if network['autoCreateSubnetworks']:
        subnetworks = compute_client.subnetworks().list(project='<project_name>', region=network['region'], network=network['name']).execute()
        for subnetwork in subnetworks['items']:
            if not subnetwork['privateIpGoogleAccess']:
                # Enable Private Google Access for the subnetwork
                compute_client.subnetworks().patch(project='<project_name>', region=network['region'], network=network['name'], subnetwork=subnetwork['name'], body={'privateIpGoogleAccess': True}).execute()
  1. Save the Python script and run it to enable Private Google Access for all the subnetworks in the project.
Note: Replace <path_to_service_account_file> with the path to the service account file, <project_name> with the name of the GCP project.

Additional Reading: