Event Information

  • The google.cloud.run.v1.Jobs.DeleteDomainMapping event in GCP for CloudRun indicates that a domain mapping has been deleted for a Cloud Run service.
  • This event is triggered when a user or an automated process removes a custom domain mapping from a Cloud Run service.
  • The event provides information about the specific Cloud Run service and the domain mapping that was deleted, allowing administrators to track changes and maintain an audit trail of domain mapping modifications.

Examples

  1. Unauthorized deletion: if the permission behind google.cloud.run.v1.Jobs.DeleteDomainMapping in GCP for CloudRun is granted too broadly, unauthorized users can delete domain mappings, leading to service disruption and potentially to unauthorized access to sensitive data.

  2. Domain hijacking: an attacker who can call google.cloud.run.v1.Jobs.DeleteDomainMapping in GCP for CloudRun could delete legitimate mappings and replace them with their own, redirecting traffic for the custom domain to unauthorized or malicious endpoints.

  3. Denial of Service (DoS): repeated, unexpected calls to google.cloud.run.v1.Jobs.DeleteDomainMapping in GCP for CloudRun can be used as part of a larger attack to disrupt the availability of the CloudRun service and of other services that depend on it.

Remediation

Using Console

  1. Enable VPC Service Controls:

    • Go to the GCP Console and navigate to the Cloud Run service.
    • Select the specific Cloud Run service you want to remediate.
    • Click on “Edit and Deploy New Revision” to access the service settings.
    • Scroll down to the “Security” section and click on “Enable VPC Service Controls”.
    • Follow the prompts to configure the VPC Service Controls for the Cloud Run service.
    • Save the changes and wait for the configuration to take effect.
  2. Implement Identity and Access Management (IAM) Roles:

    • Go to the GCP Console and navigate to the Cloud Run service.
    • Select the specific Cloud Run service you want to remediate.
    • Click on “Edit and Deploy New Revision” to access the service settings.
    • Scroll down to the “Security” section and click on “Show Info Panel”.
    • Click on “Add Member” to add the appropriate IAM roles for the service.
    • Assign the necessary roles to the relevant users or service accounts.
    • Save the changes and ensure that the IAM roles are properly configured.
  3. Enable Cloud Audit Logging:

    • Go to the GCP Console and navigate to the Cloud Run service.
    • Select the specific Cloud Run service you want to remediate.
    • Click on “Edit and Deploy New Revision” to access the service settings.
    • Scroll down to the “Security” section and click on “Show Info Panel”.
    • Enable the “Cloud Audit Logging” option to capture audit logs for the service.
    • Configure the desired log retention period and log sink destination.
    • Save the changes and verify that the Cloud Audit Logging is enabled and functioning correctly.

Using CLI

  1. Enable VPC Service Controls for Cloud Run:
  • Use the following command to enable VPC Service Controls for Cloud Run:
    # Creates the private services access peering between the VPC network and
    # Google-managed services; a VPC Service Controls perimeter around the project
    # itself is managed with gcloud access-context-manager perimeters.
    gcloud services vpc-peerings connect \
      --service=servicenetworking.googleapis.com \
      --network=projects/[PROJECT_ID]/global/networks/[NETWORK_NAME]

  2. Implement Identity and Access Management (IAM) roles and permissions:
  • Use the following command to grant the necessary IAM roles to the appropriate users or service accounts:
    # [MEMBER] takes the form user:EMAIL, group:EMAIL or serviceAccount:EMAIL;
    # prefer a narrowly scoped [ROLE] over roles/editor or roles/owner.
    gcloud projects add-iam-policy-binding [PROJECT_ID] \
      --member=[MEMBER] \
      --role=[ROLE]

  3. Enable Cloud Audit Logging for Cloud Run:
  • Use the following command to export the Cloud Run audit logs to a Cloud Storage bucket (Admin Activity audit logs, which include DeleteDomainMapping, are always written; the sink exports them):
    gcloud logging sinks create [SINK_NAME] \
      storage.googleapis.com/[BUCKET_NAME] \
      --log-filter='logName:"cloudaudit.googleapis.com" AND protoPayload.serviceName="run.googleapis.com"'
    # The command prints the sink's writer identity; grant it roles/storage.objectCreator on the bucket.


Using Python

To remediate the issues described above for GCP CloudRun using Python, you can follow these steps:

  1. Implement proper authentication and access controls:

    • Use the Google Cloud SDK and authenticate with a service account that has the necessary permissions to access and manage CloudRun resources.
    • Use the google-auth library in Python to authenticate requests to the CloudRun API.
    • Set up fine-grained IAM roles and permissions to restrict access to CloudRun resources based on the principle of least privilege.
  2. Enable logging and monitoring:

    • Use the google-cloud-logging library in Python to enable logging for your CloudRun services.
    • Configure log sinks to export logs to a centralized logging solution such as Cloud Logging (formerly Stackdriver).
    • Set up monitoring and alerting using tools like Cloud Monitoring or Prometheus to proactively detect and respond to any anomalies or issues in your CloudRun services.
  3. Implement secure communication:

    • Use HTTPS for all incoming requests to your CloudRun services by configuring SSL certificates.
    • Implement proper input validation and sanitization to prevent common security vulnerabilities like SQL injection or cross-site scripting (XSS).
    • Use the google-auth library in Python to authenticate and authorize requests from your CloudRun services to other Google Cloud services or external APIs.
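As an added example (not code from the original page), the following Python applies the detection side of these steps to constructed Cloud Audit Log entries: it isolates google.cloud.run.v1.Jobs.DeleteDomainMapping events, flags deletions by principals outside an assumed allow-list (the unauthorized-deletion scenario in the Examples section) and flags bursts of deletions by one principal (the DoS scenario). The entry layout, the allow-list, the burst threshold and the sample records are assumptions; in production the same JSON records would be fetched with the google-cloud-logging client or arrive via the log sink configured above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

METHOD = "google.cloud.run.v1.Jobs.DeleteDomainMapping"
DEPLOYER = "deployer@example-project.iam.gserviceaccount.com"
# Assumed policy values: the only principal expected to remove mappings, and the burst threshold.
ALLOWED_PRINCIPALS = {DEPLOYER}
BURST_COUNT = 3
BURST_WINDOW = timedelta(minutes=10)

def entry(ts, principal, domain, method=METHOD):
    """Build a constructed audit-log-style entry holding only the fields the checks use."""
    return {"timestamp": ts, "protoPayload": {
        "methodName": method, "resourceName": f"namespaces/example-project/domainmappings/{domain}",
        "authenticationInfo": {"principalEmail": principal}}}

# Constructed sample entries; the last one is an unrelated method and must be ignored.
SAMPLE_ENTRIES = [
    entry("2024-05-01T10:00:00Z", DEPLOYER, "www.example.com"),
    entry("2024-05-01T10:05:00Z", "alice@example.com", "api.example.com"),
    entry("2024-05-01T10:06:00Z", "alice@example.com", "www.example.com"),
    entry("2024-05-01T10:08:00Z", "alice@example.com", "shop.example.com"),
    entry("2024-05-01T10:09:00Z", "alice@example.com", "www.example.com", "example.OtherMethod"),
]

def delete_events(entries):
    """Yield (timestamp, principal, resource) for DeleteDomainMapping entries only."""
    for e in entries:
        payload = e.get("protoPayload", {})
        if payload.get("methodName") != METHOD:
            continue
        ts = datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        yield ts, principal, payload.get("resourceName", "<unknown>")

def unauthorized_deletions(entries, allowed=ALLOWED_PRINCIPALS):
    """Deletions by principals outside the allow-list (the unauthorized-deletion scenario)."""
    return [ev for ev in delete_events(entries) if ev[1] not in allowed]

def burst_principals(entries, count=BURST_COUNT, window=BURST_WINDOW):
    """Principals with at least `count` deletions inside any `window` (the DoS scenario)."""
    times_by_principal = defaultdict(list)
    for ts, principal, _ in delete_events(entries):
        times_by_principal[principal].append(ts)
    for times in times_by_principal.values():
        times.sort()
    return {p for p, t in times_by_principal.items()
            if any(t[i + count - 1] - t[i] <= window for i in range(len(t) - count + 1))}
```

Running the checks over the sample data reports three deletions by alice@example.com as unauthorized and flags that principal for a burst, while the deployer's single expected deletion passes both checks.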

Please note that the provided steps are high-level guidelines, and the actual implementation may vary based on your specific requirements and the structure of your Python code.