Read Replica Instances Should Not Be public

More Info:

Ensure that Read Replica Instances are not publicly accessible to prevent private data from being exposed.

Risk Level

High

Address

Security

Compliance Standards

HITRUST, GDPR, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

Using Python

To remediate the misconfiguration “Read Replica Instances Should Not Be Public” for GCP using Python, you can follow the below steps:

First, you need to identify all the read replica instances that are public. You can use the GCP Python SDK to retrieve the list of all read replica instances and check if they are public or not. You can use the following code snippet to retrieve the list of all read replica instances:

from google.cloud import bigquery

client = bigquery.Client()

# List all read replica instances
query = """
SELECT *
FROM `project_id.region`.INFORMATION_SCHEMA.REPLICA_INFO
WHERE ROLE = 'READ_REPLICA';
"""

query_job = client.query(query)

for row in query_job:
    print(row)

Once you have identified the public read replica instances, you can update their access controls to make them private. You can use the GCP Python SDK to update the instance’s access controls and remove the public IP address. You can use the following code snippet to update the access control of a read replica instance:

from google.cloud import compute_v1

compute_client = compute_v1.InstancesClient()

# Set instance access control to private
access_config = compute_v1.AccessConfig(name="External NAT", type_="ONE_TO_ONE_NAT")
network_interface = compute_v1.NetworkInterface(access_configs=[access_config])
instance = compute_v1.Instance(network_interfaces=[network_interface])

# Update the instance with new access control
project_id = 'my-project'
zone = 'us-central1-a'
instance_name = 'my-instance'

operation = compute_client.update_network_interface(
    project=project_id,
    zone=zone,
    instance=instance_name,
    network_interface=network_interface,
)

# Wait for the operation to complete
operation.result()

Finally, you can verify that the read replica instances are no longer public by checking their access controls. You can use the GCP Python SDK to retrieve the instance’s access controls and verify that it is private. You can use the following code snippet to retrieve the access control of an instance:

from google.cloud import compute_v1

compute_client = compute_v1.InstancesClient()

# Get instance access control
project_id = 'my-project'
zone = 'us-central1-a'
instance_name = 'my-instance'

instance = compute_client.get(project=project_id, zone=zone, instance=instance_name)
access_config = instance.network_interfaces[0].access_configs[0]

if access_config.type_ == "ONE_TO_ONE_NAT":
    print("Instance access control is private")
else:
    print("Instance access control is public")

By following these steps, you can remediate the misconfiguration “Read Replica Instances Should Not Be Public” for GCP using Python.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Read Replica Instances Should Not Be public

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation