GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
PostgreSQL Port Should Not Be Open
More Info:
Determines if TCP port 5432 for PostgreSQL is open to the public
Risk Level
Medium
Address
Security
Compliance Standards
SOC2, GDPR, HITRUST, NISTCSF, PCIDSS, FedRAMP
Triage and Remediation
Remediation
To remediate the PostgreSQL port being open on GCP using the GCP console, follow these steps:
-
Open the GCP Console and navigate to the GCP project where the PostgreSQL instance is located.
-
In the left-hand menu, click on “SQL” to open the Cloud SQL Instances page.
-
Locate the PostgreSQL instance that has the open port and click on its name to open the instance details page.
-
Click on the “Edit” button at the top of the page to open the Edit instance page.
-
Scroll down to the “Connections” section and locate the “Authorized networks” field.
-
Click on the “Add network” button to add a new network.
-
In the “Network” field, enter the IP address range or CIDR block that you want to authorize to access the instance.
-
Click on the “Save” button to save the changes.
-
Repeat steps 6-8 for any additional networks that need to be authorized.
-
Scroll down to the bottom of the Edit instance page and click on the “Save” button to apply the changes.
By following the above steps, you have successfully remediated the PostgreSQL port being open on GCP using the GCP console.
The following are the step-by-step instructions to remediate the PostgreSQL port open misconfiguration for GCP using GCP CLI:
-
Open the Google Cloud Console and select the project where the PostgreSQL instance is running.
-
Open the Cloud Shell by clicking on the button located on the top right corner of the console.
-
Run the following command to list all the instances in the project:
gcloud compute instances list -
Identify the instance running PostgreSQL and note down its name.
-
Run the following command to SSH into the instance:
gcloud compute ssh [INSTANCE_NAME]Replace [INSTANCE_NAME] with the name of the instance running PostgreSQL.
-
Once you are logged into the instance, open the PostgreSQL configuration file using the following command:
sudo nano /etc/postgresql/[POSTGRESQL_VERSION]/main/postgresql.confReplace [POSTGRESQL_VERSION] with the version of PostgreSQL installed on the instance.
-
Look for the following line in the configuration file:
#listen_addresses = 'localhost'Uncomment the line by removing the ’#’ at the beginning and change the value to ‘localhost’ as shown below:
listen_addresses = 'localhost' -
Save the changes to the configuration file by pressing Ctrl+O and then exit the editor by pressing Ctrl+X.
-
Restart the PostgreSQL service using the following command:
sudo service postgresql restart -
Exit the SSH session by typing ‘exit’ in the terminal.
-
Finally, run the following command to verify that the PostgreSQL port is not open:
nmap -p 5432 localhostThe output should show that the port is closed.
By following these steps, you have successfully remediated the PostgreSQL port open misconfiguration for GCP using GCP CLI.
To remediate the PostgreSQL port open misconfiguration in GCP using Python, you can use the following steps:
-
Import the necessary libraries:
from google.cloud import compute_v1 import google.auth -
Authenticate with Google Cloud:
credentials, project = google.auth.default() compute = compute_v1.InstancesClient(credentials=credentials) -
Define the project ID, zone, and instance name:
project_id = 'your_project_id' zone = 'us-central1-a' instance_name = 'your_instance_name' -
Get the instance details:
instance = compute.get(project=project_id, zone=zone, instance=instance_name) -
Check if the PostgreSQL port is open:
postgresql_open = False for firewall in instance['networkInterfaces'][0]['accessConfigs'][0]['natIP']: if firewall['name'] == 'postgresql': postgresql_open = True break -
If the PostgreSQL port is open, delete the firewall rule:
if postgresql_open: firewall_body = { "name": "postgresql", "network": "global/networks/default", "direction": "INGRESS", "priority": 1000, "sourceRanges": ["0.0.0.0/0"], "allowed": [{ "IPProtocol": "tcp", "ports": ["5432"] }] } compute.firewalls().delete(project=project_id, firewall='postgresql').execute()This will delete the firewall rule named “postgresql” that allows traffic on port 5432.
-
If the PostgreSQL port is not open, no action is required.
else: print("PostgreSQL port is not open.")This will print a message indicating that the PostgreSQL port is not open.
The complete Python code to remediate the PostgreSQL port open misconfiguration in GCP is as follows:
from google.cloud import compute_v1 import google.auth credentials, project = google.auth.default() compute = compute_v1.InstancesClient(credentials=credentials) project_id = 'your_project_id' zone = 'us-central1-a' instance_name = 'your_instance_name' instance = compute.get(project=project_id, zone=zone, instance=instance_name) postgresql_open = False for firewall in instance['networkInterfaces'][0]['accessConfigs'][0]['natIP']: if firewall['name'] == 'postgresql': postgresql_open = True break if postgresql_open: firewall_body = { "name": "postgresql", "network": "global/networks/default", "direction": "INGRESS", "priority": 1000, "sourceRanges": ["0.0.0.0/0"], "allowed": [{ "IPProtocol": "tcp", "ports": ["5432"] }] } compute.firewalls().delete(project=project_id, firewall='postgresql').execute() else: print("PostgreSQL port is not open.")Replace the
your_project_idandyour_instance_nameplaceholders with the appropriate values for your GCP project and instance.