GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Read Replica Instances Should Not Be public
More Info:
Ensure that Read Replica Instances are not publicly accessible to prevent private data from being exposed.
Risk Level
High
Address
Security
Compliance Standards
HITRUST, GDPR, SOC2, NISTCSF, PCIDSS
Triage and Remediation
Remediation
Sure, here are the step-by-step instructions to remediate the misconfiguration “Read Replica Instances Should Not Be Public” for GCP using the GCP console:
- Open the GCP Console and navigate to the Cloud SQL Instances page.
- Click on the name of the Cloud SQL instance that has the public read replica.
- In the left-hand menu, click on “Replicas”.
- Identify the public read replica instance and click on its name.
- In the left-hand menu, click on “Connections”.
- Under “Authorized networks”, click on the “Edit” button.
- Remove any IP addresses or ranges that are not authorized to access the replica instance.
- Click “Save” to save the changes.
Once you have completed these steps, the read replica instance will no longer be public and will only be accessible by authorized networks.
To remediate the misconfiguration “Read Replica Instances Should Not Be Public” in GCP using GCP CLI, you can follow the below steps:
-
Open the GCP Cloud Console and authenticate with your credentials.
-
Open the Cloud Shell by clicking on the icon in the top right corner of the console.
-
Run the following command to list all the read replica instances in your project:
gcloud sql instances list -
Identify the read replica instance that is public.
-
Run the following command to update the instance to not be public:
gcloud sql instances patch [INSTANCE_NAME] --no-assign-ipReplace [INSTANCE_NAME] with the name of the instance you identified in step 4.
-
Verify that the instance is no longer public by running the following command:
gcloud sql instances describe [INSTANCE_NAME]Replace [INSTANCE_NAME] with the name of the instance you identified in step 4.
Look for the “ipAddresses” field in the output. If it says “None”, then the instance is not public.
By following these steps, you can remediate the “Read Replica Instances Should Not Be Public” misconfiguration in GCP using GCP CLI.
To remediate the misconfiguration “Read Replica Instances Should Not Be Public” for GCP using Python, you can follow the below steps:
- First, you need to identify all the read replica instances that are public. You can use the GCP Python SDK to retrieve the list of all read replica instances and check if they are public or not. You can use the following code snippet to retrieve the list of all read replica instances:
from google.cloud import bigquery
client = bigquery.Client()
# List all read replica instances
query = """
SELECT *
FROM `project_id.region`.INFORMATION_SCHEMA.REPLICA_INFO
WHERE ROLE = 'READ_REPLICA';
"""
query_job = client.query(query)
for row in query_job:
print(row)
- Once you have identified the public read replica instances, you can update their access controls to make them private. You can use the GCP Python SDK to update the instance’s access controls and remove the public IP address. You can use the following code snippet to update the access control of a read replica instance:
from google.cloud import compute_v1
compute_client = compute_v1.InstancesClient()
# Set instance access control to private
access_config = compute_v1.AccessConfig(name="External NAT", type_="ONE_TO_ONE_NAT")
network_interface = compute_v1.NetworkInterface(access_configs=[access_config])
instance = compute_v1.Instance(network_interfaces=[network_interface])
# Update the instance with new access control
project_id = 'my-project'
zone = 'us-central1-a'
instance_name = 'my-instance'
operation = compute_client.update_network_interface(
project=project_id,
zone=zone,
instance=instance_name,
network_interface=network_interface,
)
# Wait for the operation to complete
operation.result()
- Finally, you can verify that the read replica instances are no longer public by checking their access controls. You can use the GCP Python SDK to retrieve the instance’s access controls and verify that it is private. You can use the following code snippet to retrieve the access control of an instance:
from google.cloud import compute_v1
compute_client = compute_v1.InstancesClient()
# Get instance access control
project_id = 'my-project'
zone = 'us-central1-a'
instance_name = 'my-instance'
instance = compute_client.get(project=project_id, zone=zone, instance=instance_name)
access_config = instance.network_interfaces[0].access_configs[0]
if access_config.type_ == "ONE_TO_ONE_NAT":
print("Instance access control is private")
else:
print("Instance access control is public")
By following these steps, you can remediate the misconfiguration “Read Replica Instances Should Not Be Public” for GCP using Python.