More Info:

Determines if TCP port 5432 for PostgreSQL is open to the public

Risk Level

Medium

Address

Security

Compliance Standards

SOC2, GDPR, HITRUST, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

To remediate the PostgreSQL port being open on GCP using the GCP console, follow these steps:
  1. Open the GCP Console and navigate to the GCP project where the PostgreSQL instance is located.
  2. In the left-hand menu, click on “SQL” to open the Cloud SQL Instances page.
  3. Locate the PostgreSQL instance that has the open port and click on its name to open the instance details page.
  4. Click on the “Edit” button at the top of the page to open the Edit instance page.
  5. Scroll down to the “Connections” section and locate the “Authorized networks” field.
  6. Click on the “Add network” button to add a new network.
  7. In the “Network” field, enter the IP address range or CIDR block that you want to authorize to access the instance.
  8. Click on the “Save” button to save the changes.
  9. Repeat steps 6-8 for any additional networks that need to be authorized.
  10. Scroll down to the bottom of the Edit instance page and click on the “Save” button to apply the changes.
By following the above steps, you have successfully remediated the PostgreSQL port being open on GCP using the GCP console.

The following are the step-by-step instructions to remediate the PostgreSQL port open misconfiguration for GCP using GCP CLI:
  1. Open the Google Cloud Console and select the project where the PostgreSQL instance is running.
  2. Open the Cloud Shell by clicking on the button located on the top right corner of the console.
  3. Run the following command to list all the instances in the project:
    gcloud compute instances list
    
  4. Identify the instance running PostgreSQL and note down its name.
  5. Run the following command to SSH into the instance:
    gcloud compute ssh [INSTANCE_NAME]
    
    Replace [INSTANCE_NAME] with the name of the instance running PostgreSQL.
  6. Once you are logged into the instance, open the PostgreSQL configuration file using the following command:
    sudo nano /etc/postgresql/[POSTGRESQL_VERSION]/main/postgresql.conf
    
    Replace [POSTGRESQL_VERSION] with the version of PostgreSQL installed on the instance.
  7. Look for the following line in the configuration file:
    #listen_addresses = 'localhost'
    
    Uncomment the line by removing the ’#’ at the beginning and change the value to ‘localhost’ as shown below:
    listen_addresses = 'localhost'
    
  8. Save the changes to the configuration file by pressing Ctrl+O and then exit the editor by pressing Ctrl+X.
  9. Restart the PostgreSQL service using the following command:
    sudo service postgresql restart
    
  10. Exit the SSH session by typing ‘exit’ in the terminal.
  11. Finally, run the following command to verify that the PostgreSQL port is not open:
    nmap -p 5432 localhost
    
    The output should show that the port is closed.
By following these steps, you have successfully remediated the PostgreSQL port open misconfiguration for GCP using GCP CLI.
To remediate the PostgreSQL port open misconfiguration in GCP using Python, you can use the following steps:
  1. Import the necessary libraries:
    from google.cloud import compute_v1
    import google.auth
    
  2. Authenticate with Google Cloud:
    credentials, project = google.auth.default()
    compute = compute_v1.InstancesClient(credentials=credentials)
    
  3. Define the project ID, zone, and instance name:
    project_id = 'your_project_id'
    zone = 'us-central1-a'
    instance_name = 'your_instance_name'
    
  4. Get the instance details:
    instance = compute.get(project=project_id, zone=zone, instance=instance_name)
    
  5. Check if the PostgreSQL port is open:
    postgresql_open = False
    for firewall in instance['networkInterfaces'][0]['accessConfigs'][0]['natIP']:
        if firewall['name'] == 'postgresql':
            postgresql_open = True
            break
    
  6. If the PostgreSQL port is open, delete the firewall rule:
    if postgresql_open:
        firewall_body = {
            "name": "postgresql",
            "network": "global/networks/default",
            "direction": "INGRESS",
            "priority": 1000,
            "sourceRanges": ["0.0.0.0/0"],
            "allowed": [{
                "IPProtocol": "tcp",
                "ports": ["5432"]
            }]
        }
        compute.firewalls().delete(project=project_id, firewall='postgresql').execute()
    
    This will delete the firewall rule named “postgresql” that allows traffic on port 5432.
  7. If the PostgreSQL port is not open, no action is required.
    else:
        print("PostgreSQL port is not open.")
    
    This will print a message indicating that the PostgreSQL port is not open. The complete Python code to remediate the PostgreSQL port open misconfiguration in GCP is as follows:
    from google.cloud import compute_v1
    import google.auth
    
    credentials, project = google.auth.default()
    compute = compute_v1.InstancesClient(credentials=credentials)
    
    project_id = 'your_project_id'
    zone = 'us-central1-a'
    instance_name = 'your_instance_name'
    
    instance = compute.get(project=project_id, zone=zone, instance=instance_name)
    
    postgresql_open = False
    for firewall in instance['networkInterfaces'][0]['accessConfigs'][0]['natIP']:
        if firewall['name'] == 'postgresql':
            postgresql_open = True
            break
    
    if postgresql_open:
        firewall_body = {
            "name": "postgresql",
            "network": "global/networks/default",
            "direction": "INGRESS",
            "priority": 1000,
            "sourceRanges": ["0.0.0.0/0"],
            "allowed": [{
                "IPProtocol": "tcp",
                "ports": ["5432"]
            }]
        }
        compute.firewalls().delete(project=project_id, firewall='postgresql').execute()
    else:
        print("PostgreSQL port is not open.")
    
    Replace the your_project_id and your_instance_name placeholders with the appropriate values for your GCP project and instance.

Additional Reading: