More Info:

Ensure that all the Google Cloud APIs and services restricted within your organization are defined using the “Restrict allowed Google Cloud APIs and services” organization policy. This constraint policy helps you achieve regulatory compliance by defining the set of cloud services and APIs that cannot be used within your GCP organization.

Risk Level

Medium

Address

Security, Operational Maturity

Compliance Standards

CBP

Remediation

Using Console

To remediate the misconfiguration of “Restrict Allowed Google Cloud APIs and Services” in GCP using the GCP console, please follow the below steps:

Step 1: Login to your Google Cloud Platform console.

Step 2: Select the project you want to remediate the misconfiguration for.

Step 3: Click on the Navigation menu, go to the “IAM & Admin” section, and select “IAM”.

Step 4: In the IAM page, select the role for which you want to restrict the allowed APIs and services.

Step 5: Click on the “Edit” button next to the selected role.

Step 6: Scroll down to the “Permissions” section and click on the “Add Condition” button.

Step 7: In the “Add Condition” dialog box, select the “APIs & Services” option from the dropdown menu.

Step 8: In the “APIs & Services” section, select the “APIs” tab and select the APIs and services you want to allow.

Step 9: Click on the “Save” button to apply the changes.

Step 10: Verify that the allowed APIs and services are restricted by checking the IAM page for the role you modified.

By following these steps, you can remediate the misconfiguration of “Restrict Allowed Google Cloud APIs and Services” in GCP using the GCP console.

Using CLI

To remediate the “Restrict Allowed Google Cloud APIs and Services” misconfiguration in GCP using GCP CLI, you can follow the below steps:

Step 1: Open the Cloud Shell in your GCP Console.

Step 2: Run the following command to list all the enabled APIs and services in your project:

gcloud services list --enabled

Step 3: Identify the APIs and services that are not required for your project and note down their service names. For example, if you want to restrict the Cloud SQL Admin API, note down its service name “sqladmin.googleapis.com”.

Step 4: Run the following command to disable the unnecessary APIs and services:

gcloud services disable [SERVICE_NAME]

Replace [SERVICE_NAME] with the service name that you want to disable. For example, to disable the Cloud SQL Admin API, run the following command:

gcloud services disable sqladmin.googleapis.com

Step 5: Verify that the API or service has been disabled by running the following command:

gcloud services list --enabled

This will list all the enabled APIs and services in your project. Make sure that the API or service that you have disabled is not listed.

By following the above steps, you can remediate the “Restrict Allowed Google Cloud APIs and Services” misconfiguration in GCP using GCP CLI.

Using Python

To restrict allowed Google Cloud APIs and Services in GCP using Python, you can follow the below steps:

  1. Import the required libraries:
from googleapiclient import discovery
from google.oauth2 import service_account
  1. Set up the credentials using the service account key file:
creds = service_account.Credentials.from_service_account_file('path/to/service_account_key.json')
  1. Set up the client for the Service Usage API:
service = discovery.build('serviceusage', 'v1', credentials=creds)
  1. Define the project ID and the list of APIs and Services to be restricted:
project_id = 'your-project-id'
restricted_services = ['storage-component.googleapis.com', 'bigquery.googleapis.com']
  1. Get the list of enabled services for the project:
enabled_services = service.services().list(parent=f'projects/{project_id}/services').execute()
  1. Disable the services that are not in the restricted list:
for service in enabled_services['services']:
    if service['config']['name'] not in restricted_services:
        service_name = service['config']['name']
        service_version = service['config']['title']
        print(f'Disabling service {service_name} ({service_version})...')
        service.services().disable(name=f'projects/{project_id}/services/{service_name}.{service_version}').execute()
  1. Verify that only the restricted services are enabled:
enabled_services = service.services().list(parent=f'projects/{project_id}/services').execute()
for service in enabled_services['services']:
    if service['config']['name'] not in restricted_services:
        print(f'Error: Service {service["config"]["name"]} is still enabled.')

This Python script will restrict the allowed Google Cloud APIs and Services for the specified project.