Event Information

  • The v1.compute.subnetworks.delete event in GCP for Compute indicates that a subnetwork has been deleted in the specified project.
  • This event signifies that the subnetwork and all associated resources, such as instances and firewall rules, have been removed from the project.
  • It is important to note that deleting a subnetwork is an irreversible action and should be done with caution, as it can impact the connectivity and functionality of the instances within the network.

Examples

  • Unauthorized deletion of subnetworks: If security is impacted with v1.compute.subnetworks.delete in GCP for Compute, it could potentially allow unauthorized users or malicious actors to delete subnetworks. This could lead to disruption of network connectivity and potential data loss or service downtime.

  • Resource misconfiguration: If security is impacted with v1.compute.subnetworks.delete in GCP for Compute, it could result in misconfiguration of subnetworks. For example, accidental deletion of a subnetwork that is still in use by running instances or services could lead to network connectivity issues and potential security vulnerabilities.

  • Data exposure: If security is impacted with v1.compute.subnetworks.delete in GCP for Compute, it could potentially expose sensitive data. For instance, if a subnetwork containing instances hosting sensitive data is deleted, it could result in unauthorized access to that data. This could have serious implications for compliance and data privacy requirements.

Remediation

Using Console

To remediate the issues mentioned in the previous response for GCP Compute using the GCP console, you can follow these step-by-step instructions:

  1. Restricting SSH access:

    • Go to the GCP Console and navigate to the Compute Engine section.
    • Select the instance for which you want to restrict SSH access.
    • Click on the “Edit” button at the top of the page.
    • Scroll down to the “Firewalls” section and click on “Add firewall rule”.
    • Provide a name for the firewall rule and set the “Targets” to “All instances in the network”.
    • In the “Source IP ranges” field, enter the IP range from which you want to allow SSH access (e.g., your organization’s IP range).
    • Set the “Protocols and ports” to allow SSH (port 22) traffic.
    • Click on the “Create” button to save the firewall rule.

  2. Enabling VPC Flow Logs:

    • Go to the GCP Console and navigate to the VPC Network section.
    • Select the VPC network for which you want to enable flow logs.
    • Click on the “Edit” button at the top of the page.
    • Scroll down to the “Flow logs” section and click on “Add flow log”.
    • Provide a name for the flow log and select the desired configuration options (e.g., sampling rate, metadata inclusion).
    • Choose the desired destination for the flow logs (e.g., Stackdriver Logging, Cloud Storage).
    • Click on the “Create” button to enable flow logs for the VPC network.

  3. Implementing IAM best practices:

    • Go to the GCP Console and navigate to the IAM & Admin section.
    • Select the project for which you want to implement IAM best practices.
    • Click on the “IAM” tab to view the IAM roles and permissions.
    • Review the existing IAM roles and identify any unnecessary or overly permissive roles.
    • Remove any unnecessary roles and adjust the permissions of existing roles to follow the principle of least privilege.
    • Consider creating custom IAM roles with specific permissions tailored to the needs of different user groups.
    • Regularly review and audit the IAM roles and permissions to ensure they align with the organization’s security requirements.

Using CLI

To remediate the issues mentioned in the previous response for GCP Compute using GCP CLI, you can follow these steps:

  1. Disable public IP for an instance:

    • Use the gcloud compute instances describe command to get the details of the instance.
    • Note down the instance name and zone.
    • Run the gcloud compute instances delete-access-config command to remove the public IP from the instance: 
      gcloud compute instances delete-access-config [INSTANCE_NAME] --zone [ZONE] --access-config-name "External NAT"

  2. Enable OS Login for an instance:

    • Use the gcloud compute instances describe command to get the details of the instance.
    • Note down the instance name and zone.
    • Run the gcloud compute instances add-metadata command to enable OS Login for the instance: 
      gcloud compute instances add-metadata [INSTANCE_NAME] --zone [ZONE] --metadata enable-oslogin=TRUE

  3. Restrict SSH access to specific IP ranges:

    • Use the gcloud compute firewall-rules list command to get the list of firewall rules.
    • Note down the name of the firewall rule that allows SSH access.
    • Run the gcloud compute firewall-rules update command to restrict SSH access to specific IP ranges: 
      gcloud compute firewall-rules update [FIREWALL_RULE_NAME] --source-ranges [IP_RANGE_1],[IP_RANGE_2],... --direction INGRESS

Please replace the placeholders ([INSTANCE_NAME], [ZONE], [FIREWALL_RULE_NAME], [IP_RANGE_1], [IP_RANGE_2], …) with the actual values specific to your environment.

Using Python

To remediate the issues mentioned in the previous response for GCP Compute using Python, you can use the following approaches:

  1. Enforce strong password policies:

    • Use the Google Cloud Identity and Access Management (IAM) API to create a custom password policy for GCP Compute instances.
    • Write a Python script that utilizes the IAM API to enforce password complexity requirements, such as minimum length, special characters, and regular password rotation.

  2. Enable disk encryption:

    • Use the Google Cloud Key Management Service (KMS) API to create and manage encryption keys.
    • Write a Python script that utilizes the KMS API to enable disk encryption for GCP Compute instances. This script can be used to encrypt existing unencrypted disks or to ensure that new disks are automatically encrypted upon creation.

  3. Implement network security groups:

    • Use the Google Cloud Firewall API to create and manage network security groups for GCP Compute instances.

    • Write a Python script that utilizes the Firewall API to define and enforce network access rules, such as allowing only specific IP ranges or protocols to access the instances. This script can be used to create and update firewall rules for Compute instances.