Legacy Authorization Should Be Disabled

More Info:

Ensure legacy authorization is set to disabled on Kubernetes clusters. The legacy authorizer in Kubernetes grants broad, statically defined permissions.

Risk Level

Medium

Address

Security

Compliance Standards

SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the “Legacy Authorization Should Be Disabled” misconfiguration for GCP using GCP CLI, you can follow the below steps:

Open the Google Cloud Console and go to the Cloud Shell.
In the Cloud Shell, run the following command to check if legacy authorization is enabled:
```
gcloud projects get-iam-policy <project-id>
```
Replace <project-id> with your GCP project ID.
If the output shows that legacy authorization is enabled, run the following command to disable it:
```
gcloud beta iam service-accounts disable-legacy-iam <service-account-email>
```
Replace <service-account-email> with the email address of the service account that you want to disable legacy authorization for.
After running the above command, you can verify that legacy authorization has been disabled by running the following command:
```
gcloud projects get-iam-policy <project-id>
```
The output should show that legacy authorization is now disabled.

Note: You need to have the necessary permissions to disable legacy authorization for a service account.

Using Python

To remediate the “Legacy Authorization Should Be Disabled” misconfiguration in GCP using Python, you can follow these steps:

Install the Google Cloud IAM API client library for Python using pip:

pip install --upgrade google-cloud-iam

Create a Python script and import the necessary libraries:

from google.oauth2 import service_account
from google.cloud import iam_v1

Set up authentication by creating a service account and downloading the JSON key file. Then, create a credentials object using the JSON key file:

key_path = '/path/to/key.json'
creds = service_account.Credentials.from_service_account_file(key_path)

Create an instance of the IAM client:

client = iam_v1.IAMClient(credentials=creds)

Get the current IAM policy for the project:

project_id = 'your-project-id'
resource = f'projects/{project_id}'
policy = client.get_iam_policy(request={'resource': resource})

Check if the “allUsers” or “allAuthenticatedUsers” member exists in any of the IAM policy’s bindings:

for binding in policy.bindings:
    if 'allUsers' in binding.members or 'allAuthenticatedUsers' in binding.members:
        binding.members = [m for m in binding.members if m not in ['allUsers', 'allAuthenticatedUsers']]

Update the IAM policy with the modified bindings:

policy = client.set_iam_policy(request={'resource': resource, 'policy': policy})

Print a message indicating that the remediation is complete:

print('Legacy authorization has been disabled.')

Save the script and run it using the command:

python script.py

This will remediate the “Legacy Authorization Should Be Disabled” misconfiguration in GCP by removing the “allUsers” and “allAuthenticatedUsers” members from any IAM policy bindings that contain them.

Additional Reading:

https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Legacy Authorization Should Be Disabled

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: