GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Ensure Access Approval Is Enabled
More Info:
Controlling access to your information is one of the foundations of information security. Google Employees do have access to your organizations’ projects for support reasons. With Access Approval, organizations can then be certain that their information is accessed by only approved Google Personnel.
Risk Level
Medium
Address
Security
Compliance Standards
CISGCP, CBP
Triage and Remediation
Remediation
To remediate the “Ensure Access Approval Is Enabled” misconfiguration in GCP using the GCP console, please follow the below steps:
- Log in to the GCP console with your credentials.
- Navigate to the “Access Approval” page by clicking on the hamburger menu in the top left corner and selecting “Security” > “Access Approval”.
- Click on the “Enable Access Approval” button.
- Configure the access approval settings as per your organization’s policies.
- Click on the “Save” button to save the changes.
Once you have completed these steps, access approval will be enabled for your GCP organization, and any requests for access to resources will need to be approved before they are granted.
To remediate the misconfiguration “Ensure Access Approval Is Enabled” in GCP using GCP CLI, follow the below steps:
Step 1: Open the Cloud Shell in your GCP console.
Step 2: Run the following command to check if Access Approval is enabled or not:
gcloud access-approval settings describe
Step 3: If the output of the above command shows that Access Approval is not enabled, then run the following command to enable it:
gcloud access-approval settings update --enforce-on-approval=true
Step 4: After running the above command, Access Approval will be enabled and any requests for access to resources in your GCP project will require approval before they can be granted.
Step 5: Verify that Access Approval is enabled by running the following command:
gcloud access-approval settings describe
Step 6: The output of the above command should show that Access Approval is enabled and enforced.
With these steps, you have successfully remediated the misconfiguration “Ensure Access Approval Is Enabled” in GCP using GCP CLI.
To remediate the misconfiguration “Ensure Access Approval Is Enabled” in GCP using Python, you can follow the below steps:
- Import the necessary libraries:
from google.cloud import accessapproval_v1
from google.oauth2 import service_account
- Create a service account and grant it the necessary permissions to access the Access Approval API.
credentials = service_account.Credentials.from_service_account_file('path/to/service_account.json')
client = accessapproval_v1.AccessApprovalClient(credentials=credentials)
- Get the current Access Approval settings:
response = client.get_access_approval_settings(request={"name": "projects/<project_id>/accessApprovalSettings"})
- Check if Access Approval is enabled or not:
if response.enforcement_mode == accessapproval_v1.EnforcementMode.ENFORCEMENT_MODE_UNSPECIFIED:
response.enforcement_mode = accessapproval_v1.EnforcementMode.ENFORCEMENT_MODE_ENABLED
response = client.update_access_approval_settings(request={"access_approval_settings": response})
- If Access Approval is not enabled, enable it:
response.enforcement_mode = accessapproval_v1.EnforcementMode.ENFORCEMENT_MODE_ENABLED
response = client.update_access_approval_settings(request={"access_approval_settings": response})
- Verify that Access Approval is enabled:
if response.enforcement_mode == accessapproval_v1.EnforcementMode.ENFORCEMENT_MODE_ENABLED:
print("Access Approval is enabled.")
else:
print("Failed to enable Access Approval.")
Note: Replace <project_id> with your actual project ID.
These steps will ensure that Access Approval is enabled in GCP using Python.