More Info:

Ensures Private Google Access is enabled for all Subnets. Private Google Access allows VM instances on a subnet to reach Google APIs and services without an IP address. This creates a more secure network for the internal communication.

Risk Level

Medium

Address

Security

Compliance Standards

GDPR

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Private Access Should Be Enabled For Subnets” in GCP using GCP console, follow these steps:
  1. Login to your GCP console.
  2. Navigate to the VPC network page by clicking on the hamburger menu on the top left corner and selecting “VPC network” under the “NETWORKING” section.
  3. Click on the name of the VPC network that contains the subnet you want to edit.
  4. Click on the “Edit” button at the top of the page.
  5. Scroll down to the “Private Google access” section.
  6. Enable the “Private Google access” toggle switch.
  7. Click on the “Save” button at the bottom of the page.
By performing these steps, you have enabled private access for your subnets in GCP. This ensures that your resources running in the subnets can access Google APIs and services privately without going over the internet.

To remediate the misconfiguration “Private Access Should Be Enabled For Subnets” for GCP using GCP CLI, follow these steps:
  1. Open the Cloud Shell in the GCP Console by clicking on the terminal icon in the top right corner.
  2. Run the following command to list all the subnets in your project: 
gcloud compute networks subnets list
  1. Identify the subnet that needs to be remediated.
  2. Run the following command to enable private access for the identified subnet: 
gcloud compute networks subnets update [SUBNET_NAME] --enable-private-ip-google-access
Replace [SUBNET_NAME] with the name of the subnet that needs to be remediated.
  1. Verify that private access has been enabled for the subnet by running the following command:
gcloud compute networks subnets describe [SUBNET_NAME] | grep privateIpGoogleAccess
The output should show “privateIpGoogleAccess: true”.
  1. Repeat steps 3-5 for any other subnets that need to be remediated.
Once you have completed these steps, private access will be enabled for the specified subnets in your GCP project.
To remediate the misconfiguration “Private Access Should Be Enabled For Subnets” in GCP using Python, you can follow the below steps:
  1. Import the necessary libraries:
from googleapiclient import discovery
from oauth2client.client import GoogleCredentials
  1. Authenticate and create the GCP compute API client:
credentials = GoogleCredentials.get_application_default()
compute = discovery.build('compute', 'v1', credentials=credentials)
  1. Get the list of all subnetworks in the project:
project = 'your-project-id'
zone = 'your-zone'
subnetworks = compute.subnetworks().list(project=project, region=zone).execute()
  1. Iterate through each subnetwork and check if Private Google Access is enabled or not:
for subnetwork in subnetworks['items']:
    subnetwork_name = subnetwork['name']
    subnetwork_selflink = subnetwork['selfLink']
    subnetwork_response = compute.subnetworks().get(project=project, region=zone, subnetwork=subnetwork_name).execute()
    if subnetwork_response['privateIpGoogleAccess'] == False:
        print(f"Private Google Access is not enabled for subnetwork {subnetwork_name}")
  1. If Private Google Access is not enabled, enable it using the following code:
subnetwork_response['privateIpGoogleAccess'] = True
request = compute.subnetworks().patch(project=project, region=zone, subnetwork=subnetwork_name, body=subnetwork_response)
response = request.execute()
print(f"Private Google Access is enabled for subnetwork {subnetwork_name}")
Note: Replace ‘your-project-id’ and ‘your-zone’ with your actual project ID and zone name.This code will loop through all subnetworks in the specified project and zone and enable Private Google Access for each subnetwork that doesn’t have it enabled.

Additional Reading: