Event Information

  1. The v1.compute.firewalls.delete event in GCP for Compute indicates that a firewall rule has been deleted in the specified project.
  2. This event signifies that the firewall rule, which controls inbound and outbound traffic to and from virtual machine instances, has been removed from the network.
  3. It is important to monitor this event to ensure that the deletion of firewall rules is intentional and does not impact the security or connectivity of the virtual machines in the project.

Examples

  • Unauthorized deletion of a firewall rule: If security is impacted with v1.compute.firewalls.delete in GCP for Compute, it could potentially allow an unauthorized user to delete a firewall rule. This could lead to a security breach as the deleted rule might have been providing necessary protection to the resources within the network.

  • Exposure of resources to unauthorized access: Deleting a firewall rule without proper authorization could expose resources within the network to unauthorized access. This could allow malicious actors to gain entry into the network and compromise sensitive data or disrupt services.

  • Increased risk of network attacks: Removing a firewall rule without proper consideration can increase the risk of network attacks. Without the necessary firewall protection, the network becomes more vulnerable to various types of attacks such as DDoS, brute force, or unauthorized access attempts.

Remediation

Using Console

To remediate the issues mentioned in the previous response for GCP Compute using the GCP console, you can follow these step-by-step instructions:

  1. Restricting SSH access:

    • Go to the GCP Console and navigate to the Compute Engine section.
    • Select the instance for which you want to restrict SSH access.
    • Click on the “Edit” button at the top of the page.
    • Scroll down to the “Firewalls” section and click on “Add firewall rule”.
    • Provide a name for the firewall rule and set the “Targets” to “All instances in the network”.
    • In the “Source IP ranges” field, enter the IP range from which you want to allow SSH access (e.g., your organization’s IP range).
    • Set the “Protocols and ports” to allow SSH (port 22) traffic.
    • Click on the “Create” button to save the firewall rule.

  2. Enabling VPC Flow Logs:

    • Go to the GCP Console and navigate to the VPC Network section.
    • Select the VPC network for which you want to enable flow logs.
    • Click on the “Edit” button at the top of the page.
    • Scroll down to the “Flow logs” section and click on “Add flow log”.
    • Provide a name for the flow log and select the desired configuration options (e.g., sampling rate, metadata inclusion).
    • Choose the desired destination for the flow logs (e.g., Stackdriver Logging, Cloud Storage).
    • Click on the “Create” button to enable flow logs for the VPC network.

  3. Implementing IAM best practices:

    • Go to the GCP Console and navigate to the IAM & Admin section.
    • Select the project for which you want to implement IAM best practices.
    • Click on the “IAM” tab to view the project’s IAM policies.
    • Review the existing IAM policies and identify any potential issues or misconfigurations.
    • Make necessary changes to the IAM policies to align with best practices (e.g., removing unnecessary roles, granting least privilege).
    • Regularly monitor and audit the IAM policies to ensure compliance with security requirements.

Note: The above instructions provide a general guideline for remediating the mentioned issues in GCP Compute using the GCP console. The specific steps may vary depending on your specific environment and requirements.

Using CLI

To remediate the issues mentioned in the previous response for GCP Compute using GCP CLI, you can follow these steps:

  1. Disable SSH access for the default service account:

    • Use the following command to get the email address of the default service account: 
      gcloud iam service-accounts list --filter="displayName:Compute Engine default service account"
    • Once you have the email address, use the following command to remove the roles associated with SSH access: 
      gcloud projects remove-iam-policy-binding PROJECT_ID --member=serviceAccount:EMAIL_ADDRESS --role=roles/compute.osLogin

  2. Enable VPC Flow Logs for network monitoring:

    • Use the following command to enable VPC Flow Logs for a specific subnet: 
      gcloud compute networks subnets update SUBNET_NAME --region=REGION --enable-flow-logs

  3. Restrict public access to Cloud Storage buckets:

    • Use the following command to update the bucket ACL and remove all public access: 
      gsutil iam ch allUsers:legacyObjectReader gs://BUCKET_NAME

Please note that you need to replace the placeholders (PROJECT_ID, EMAIL_ADDRESS, SUBNET_NAME, REGION, and BUCKET_NAME) with the actual values specific to your GCP environment.

Using Python

To remediate the issues mentioned in the previous response for GCP Compute using Python, you can use the following approaches:

  1. Enforce strong passwords:
    • Use the Google Cloud Identity and Access Management (IAM) API to create a custom password policy for your GCP project.
    • Write a Python script to programmatically enforce the password policy by setting the minimum password length, complexity requirements, and expiration period for user accounts.
from googleapiclient import discovery

def set_password_policy(project_id, min_length, complexity, max_age):
    service = discovery.build('cloudresourcemanager', 'v1')
    policy = {
        'updateMask': 'passwordPolicy',
        'passwordPolicy': {
            'minLength': min_length,
            'requireSymbols': complexity,
            'maxAgeDays': max_age
        }
    }
    request = service.projects().update(projectId=project_id, body=policy)
    response = request.execute()
    print('Password policy updated successfully.')

# Usage example
set_password_policy('your-project-id', 10, True, 90)
  1. Enable VPC Flow Logs:
    • Use the Google Cloud Logging API to enable VPC Flow Logs for your GCP project.
    • Write a Python script to programmatically enable VPC Flow Logs for the desired VPC network.
from googleapiclient import discovery

def enable_vpc_flow_logs(project_id, network_name):
    service = discovery.build('compute', 'v1')
    request = service.networks().get(project=project_id, network=network_name)
    response = request.execute()
    if 'logConfig' not in response:
        response['logConfig'] = {}
    response['logConfig']['enable'] = True
    request = service.networks().update(project=project_id, network=network_name, body=response)
    response = request.execute()
    print('VPC Flow Logs enabled successfully.')

# Usage example
enable_vpc_flow_logs('your-project-id', 'your-network-name')
  1. Implement network security groups:
    • Use the Google Cloud Firewall API to create and manage network security groups (firewall rules) for your GCP project.
    • Write a Python script to programmatically create firewall rules to allow or deny specific traffic based on source/destination IP, port, and protocol.
from googleapiclient import discovery

def create_firewall_rule(project_id, rule_name, network_name, source_ip, destination_port, protocol, action):
    service = discovery.build('compute', 'v1')
    firewall_rule = {
        'name': rule_name,
        'network': f'projects/{project_id}/global/networks/{network_name}',
        'sourceRanges': [source_ip],
        'allowed': [{
            'IPProtocol': protocol,
            'ports': [destination_port]
        }],
        'direction': 'INGRESS',
        'priority': 1000,
        'action': action
    }
    request = service.firewalls().insert(project=project_id, body=firewall_rule)
    response = request.execute()
    print('Firewall rule created successfully.')

# Usage example
create_firewall_rule('your-project-id', 'allow-http', 'your-network-name', '0.0.0.0/0', '80', 'TCP', 'ALLOW')

Please note that the above scripts are just examples and may need to be modified based on your specific requirements and environment.