Event Information

  • The v1.compute.subnetworks.expandIpCidrRange event in GCP for Compute indicates that the IP CIDR range of a subnetwork is being expanded.
  • This event typically occurs when there is a need to increase the number of available IP addresses within a subnetwork.
  • The expansion of the IP CIDR range allows for more instances or resources to be deployed within the subnetwork, accommodating the growing needs of the environment.

Examples

  1. Unauthorized access: If the v1.compute.subnetworks.expandIpCidrRange API is misconfigured or misused, it can potentially expand the IP CIDR range of a subnetwork beyond what is intended. This can lead to unauthorized access to resources within the expanded IP range, as the expanded range may include IP addresses that were not originally intended to be part of the subnetwork.

  2. Network segmentation issues: Expanding the IP CIDR range of a subnetwork without proper planning and consideration can result in network segmentation issues. For example, if a subnetwork is expanded to include IP addresses that are already allocated to another subnetwork, it can lead to IP address conflicts and disrupt network connectivity.

  3. Compliance and regulatory concerns: Expanding the IP CIDR range of a subnetwork without proper authorization and documentation can raise compliance and regulatory concerns. Organizations may have specific requirements and restrictions on IP address allocation and network segmentation, and unauthorized expansion of IP ranges can violate these requirements, potentially leading to compliance issues and penalties.

Remediation

Using Console

To remediate the issues mentioned in the previous response for GCP Compute using the GCP console, you can follow these step-by-step instructions:

  1. Enable VPC Flow Logs:

    • Go to the GCP Console and navigate to the VPC network page.
    • Select the VPC network where you want to enable flow logs.
    • Click on “Edit” at the top of the page.
    • Scroll down to the “Flow logs” section and click on “Enable flow logs”.
    • Configure the desired flow log settings, such as the filter, destination, and sampling rate.
    • Click on “Save” to enable flow logs for the selected VPC network.

  2. Enable CloudTrail for GCP:

    • Go to the GCP Console and navigate to the CloudTrail page.
    • Click on “Create a new trail” to create a new CloudTrail configuration.
    • Provide a name for the trail and select the desired GCP project.
    • Choose the services for which you want to enable CloudTrail logging.
    • Configure the storage settings, such as the bucket name and object prefix.
    • Optionally, enable log file validation and data events.
    • Click on “Create” to enable CloudTrail for the selected GCP project.

  3. Enable Security Command Center:

    • Go to the GCP Console and navigate to the Security Command Center page.
    • Click on “Enable Security Command Center” to enable it for the selected GCP project.
    • Wait for the Security Command Center to be enabled.
    • Once enabled, navigate to the Security Command Center dashboard.
    • Review the security findings and recommendations provided by Security Command Center.
    • Take necessary actions to remediate the identified security issues.

Note: The above instructions assume that you have the necessary permissions and access to the GCP Console. Make sure to review the GCP documentation for detailed instructions and any additional steps specific to your environment.

Using CLI

To remediate the issues mentioned in the previous response for GCP Compute using GCP CLI, you can follow these steps:

  1. Disable public IP for an instance:

    • Use the gcloud compute instances describe command to get the details of the instance.
    • Note down the instance name and zone.
    • Run the gcloud compute instances delete-access-config command to remove the public IP from the instance: 
      gcloud compute instances delete-access-config [INSTANCE_NAME] --zone [ZONE] --access-config-name "External NAT"

  2. Enable OS Login for an instance:

    • Use the gcloud compute instances describe command to get the details of the instance.
    • Note down the instance name and zone.
    • Run the gcloud compute instances add-metadata command to enable OS Login for the instance: 
      gcloud compute instances add-metadata [INSTANCE_NAME] --zone [ZONE] --metadata enable-oslogin=TRUE

  3. Restrict SSH access to specific IP ranges:

    • Use the gcloud compute firewall-rules list command to get the list of firewall rules.
    • Note down the name of the firewall rule that allows SSH access.
    • Run the gcloud compute firewall-rules update command to restrict SSH access to specific IP ranges: 
      gcloud compute firewall-rules update [FIREWALL_RULE_NAME] --source-ranges [IP_RANGE_1],[IP_RANGE_2],... --direction INGRESS

Please replace the placeholders ([INSTANCE_NAME], [ZONE], [FIREWALL_RULE_NAME], [IP_RANGE_1], [IP_RANGE_2], …) with the actual values specific to your environment.

Using Python

To remediate the issues mentioned in the previous response for GCP Compute using Python, you can use the following approaches:

  1. Enforce secure OS configurations:

    • Use the google-cloud-sdk library to retrieve the list of GCP Compute instances.
    • Iterate through each instance and check the OS configuration settings.
    • Use the googleapiclient library to update the instance settings and enforce secure configurations.
    • Example Python script: 
      from google.cloud import compute_v1

def enforce_secure_os_config(project_id):
    compute_client = compute_v1.InstancesClient()
    instances = compute_client.list(project=project_id)
    
    for instance in instances:
        # Check OS configuration settings
        if instance.os_config.secure_boot == False:
            # Update instance settings to enforce secure boot
            instance.os_config.secure_boot = True
            compute_client.update(project=project_id, instance=instance)

  2. Implement network security controls:

    • Use the google-cloud-sdk library to retrieve the list of GCP Compute instances.
    • Iterate through each instance and check the network security controls.
    • Use the googleapiclient library to update the instance settings and implement necessary network security controls.
    • Example Python script: 
      from google.cloud import compute_v1

def implement_network_security_controls(project_id):
    compute_client = compute_v1.InstancesClient()
    instances = compute_client.list(project=project_id)
    
    for instance in instances:
        # Check network security controls
        if instance.network_config.firewall_rules == []:
            # Add necessary firewall rules
            firewall_rule = compute_v1.FirewallRule(...)
            compute_client.insert(project=project_id, firewall_rule=firewall_rule)

  3. Enable logging and monitoring:

    • Use the google-cloud-sdk library to retrieve the list of GCP Compute instances.

    • Iterate through each instance and enable logging and monitoring.

    • Use the googleapiclient library to update the instance settings and enable necessary logging and monitoring.

    • Example Python script:

      from google.cloud import compute_v1

def enable_logging_and_monitoring(project_id):
    compute_client = compute_v1.InstancesClient()
    instances = compute_client.list(project=project_id)
    
    for instance in instances:
        # Enable logging and monitoring
        instance.logging_config.enable = True
        instance.monitoring_config.enable = True
        compute_client.update(project=project_id, instance=instance)