GCP Threats
Default VPC Should Not Be Used
More Info:
Determines whether the default VPC is being used for launching new services or artifacts. The default VPC should not be used, because it places services that may not need to communicate with each other in one shared network. Each application, or network tier, should use its own VPC so that connectivity between them is deliberate and segmented.
Risk Level
High
Address
Security
Compliance Standards
CISGCP, CBP, ISO27001, GDPR, SOC2, NISTCSF
Triage and Remediation
Remediation
To remediate the misconfiguration “Default VPC should not be used” for GCP using the GCP console, follow these steps:
- Log in to the GCP console at https://console.cloud.google.com/
- Select the project that is using the default VPC.
- In the left navigation pane, select “VPC network” and then select “VPC network”.
- Click on the name of the default VPC.
- Click on “Edit” at the top of the screen.
- In the “Edit VPC network” screen, uncheck the “Default” checkbox.
- Click “Save” to apply the changes.
This will remove the default VPC from the project, which is a best practice for security and network segmentation. You can then create custom VPCs with specific configurations to meet your project’s needs.
To remediate the “Default VPC Should Not Be Used” misconfiguration in GCP using GCP CLI, you can follow these steps:
- Identify all the GCP projects that are using the default VPC. You can use the following command to list all the projects:
gcloud projects list
- For each project that is using the default VPC, create a new VPC network. You can use the following command to create a new VPC network:
gcloud compute networks create [NETWORK_NAME] --subnet-mode=auto --bgp-routing-mode=regional
- Once the new VPC network is created, move the existing resources from the default VPC to the new VPC network. For a Compute Engine instance, stop it first and then attach its network interface to the new VPC network with the following command (the original page's `gcloud compute instances move --network` form is not a valid invocation; `instances move` changes zones, not networks):
gcloud compute instances network-interfaces update [INSTANCE_NAME] --zone [ZONE] --network-interface nic0 --network [NETWORK_NAME] --subnetwork [SUBNET_NAME]
- Once all the resources are moved to the new VPC network, delete the default VPC network. Note that the pre-created firewall rules of the default network (for example default-allow-ssh) still reference it and must be deleted first; the API rejects the network deletion while instances or firewall rules still use it. You can use the following command to delete the default VPC network:
gcloud compute networks delete default
- Finally, you should update your organization’s policies to prevent the use of default VPCs in the future.
Note: Before making any changes to your GCP environment, it is recommended to test the changes in a non-production environment to ensure that there are no unintended consequences.
To remediate the “Default VPC Should Not Be Used” misconfiguration in GCP using Python, you can follow the below steps:
- Install the necessary Python package:
pip install google-cloud-compute
- Authenticate to GCP and create a Networks client (the google-cloud-compute library exposes per-resource clients such as NetworksClient rather than a single ComputeClient):
from google.oauth2 import service_account
from google.cloud import compute_v1

credentials = service_account.Credentials.from_service_account_file('<path_to_service_account_key_file>')
networks_client = compute_v1.NetworksClient(credentials=credentials)
- Get the list of all VPCs in the project:
vpcs = list(networks_client.list(project='<project_id>'))
- Check which VPC is the default. The project default VPC is the auto-mode network named "default"; checking only auto_create_subnetworks would also flag any other auto-mode network you created yourself:
for vpc in vpcs:
    if vpc.name == 'default' and vpc.auto_create_subnetworks:
        print(f"{vpc.name} is the default VPC and should be deleted.")
- Delete the default VPC and wait for the operation to finish. The API rejects the delete while instances or firewall rules still reference the network, so remove those first:
operation = networks_client.delete(project='<project_id>', network='<default_vpc_name>')
operation.result()
Note: Replace <path_to_service_account_key_file>, <project_id>, and <default_vpc_name> with the appropriate values for your GCP environment. Also, make sure to test the script in a non-production environment before running it in production.
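Before the delete step in either the CLI or the Python procedure, you need to know which instances and firewall rules still reference the default network. The following is an added example, not code from the original page: it runs offline over constructed records shaped like the Compute REST resources (networks with name, autoCreateSubnetworks and selfLink; instances with networkInterfaces[].network; firewall rules with network) and reports every dependency that blocks deleting the default VPC. The project name and resource names are constructed placeholders.

```python
from typing import Dict, List

DEFAULT_NETWORK_NAME = "default"


def is_default_vpc(network: dict) -> bool:
    """The project default VPC is the auto-mode network named 'default'."""
    return (network.get("name") == DEFAULT_NETWORK_NAME
            and bool(network.get("autoCreateSubnetworks", False)))


def default_vpc_dependencies(networks: List[dict], instances: List[dict],
                             firewalls: List[dict]) -> Dict[str, List[str]]:
    """Return the instances and firewall rules still attached to the default VPC.

    Other resources reference a network by its selfLink URL, so matching is
    done on selfLink rather than on the bare name.
    """
    default_links = {n["selfLink"] for n in networks if is_default_vpc(n)}
    report: Dict[str, List[str]] = {"instances": [], "firewalls": []}
    if not default_links:
        return report
    for inst in instances:
        for nic in inst.get("networkInterfaces", []):
            if nic.get("network") in default_links:
                # zone may be a full URL in API output; keep only the last segment
                zone = inst["zone"].rsplit("/", 1)[-1]
                report["instances"].append(f"{zone}/{inst['name']}")
                break
    for fw in firewalls:
        if fw.get("network") in default_links:
            report["firewalls"].append(fw["name"])
    return report


# Constructed sample data mirroring the REST resource fields (placeholder project).
PROJECT = "example-project"
NET = f"https://www.googleapis.com/compute/v1/projects/{PROJECT}/global/networks/"
SAMPLE_NETWORKS = [
    {"name": "default", "autoCreateSubnetworks": True, "selfLink": NET + "default"},
    {"name": "prod-vpc", "autoCreateSubnetworks": False, "selfLink": NET + "prod-vpc"},
]
SAMPLE_INSTANCES = [
    {"name": "web-1", "zone": "us-central1-a", "networkInterfaces": [{"network": NET + "default"}]},
    {"name": "db-1", "zone": "us-central1-b", "networkInterfaces": [{"network": NET + "prod-vpc"}]},
]
SAMPLE_FIREWALLS = [
    {"name": "default-allow-ssh", "network": NET + "default"},
    {"name": "prod-allow-internal", "network": NET + "prod-vpc"},
]

if __name__ == "__main__":
    print(default_vpc_dependencies(SAMPLE_NETWORKS, SAMPLE_INSTANCES, SAMPLE_FIREWALLS))
```

An empty report means the default network can be deleted; otherwise the listed instances must be re-attached and the listed firewall rules removed first.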