Master Authorized Network Should Be Enabled

More Info:

Ensures master authorized networks is set to enabled on Kubernetes clusters

Risk Level

Low

Address

Security

Compliance Standards

HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the “Master Authorized Network Should Be Enabled” misconfiguration for GCP using GCP CLI, follow these steps:

Open the Google Cloud SDK Shell or any terminal with the GCP CLI installed.

Run the following command to enable the Master Authorized Network feature:

gcloud beta compute project-info add-metadata --metadata=enable-master-authorized-networks=TRUE

After running the command, you will receive a confirmation message indicating that the metadata was updated successfully.
```
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID].
```
Note: Replace PROJECT_ID with your GCP project ID.
Verify that the Master Authorized Network feature is enabled by running the following command:
```
gcloud beta compute project-info describe --project PROJECT_ID | grep -i enable-master-authorized-networks
```
If the feature is enabled, you will see the following output:
```
enable-master-authorized-networks: 'TRUE'
```
After verifying that the feature is enabled, you can proceed with configuring the Master Authorized Networks by following the official GCP documentation: https://cloud.google.com/vpc/docs/configure-private-google-access#configuring_master_authorized_networks_for_private_google_access Note: This step is optional but highly recommended to ensure the security of your GCP resources.

By following these steps, you should have successfully remediated the “Master Authorized Network Should Be Enabled” misconfiguration for GCP using GCP CLI.

Using Python

To remediate the misconfiguration “Master Authorized Network Should Be Enabled” in Google Cloud Platform (GCP) using Python, you can follow the below steps:

Import the required libraries:

from google.cloud import bigtable
from google.oauth2 import service_account

Authenticate and create a client object:

credentials = service_account.Credentials.from_service_account_file('path/to/service_account.json')
client = bigtable.Client(project='project-id', credentials=credentials)

Get the instance object:

instance_id = 'instance-id'
instance = client.instance(instance_id)

Get the current cluster object:

cluster_id = 'cluster-id'
cluster = instance.cluster(cluster_id)

Check if the Master Authorized Networks is enabled or not:

if not cluster.encryption_config:
    print('Master Authorized Networks is not enabled')
else:
    print('Master Authorized Networks is enabled')

If it is not enabled, enable it by updating the cluster object:

if not cluster.encryption_config:
    cluster.encryption_config = bigtable.EncryptionInfo(
        encryption_type=bigtable.EncryptionInfo.EncryptionType.GOOGLE_DEFAULT_ENCRYPTION
    )
    cluster.update()
    print('Master Authorized Networks is enabled now')
else:
    print('Master Authorized Networks is already enabled')

Run the Python script to remediate the misconfiguration.

Note: Make sure to replace the ‘path/to/service_account.json’, ‘project-id’, ‘instance-id’ and ‘cluster-id’ with the actual values. Also, ensure that the service account has the necessary permissions to update the cluster object.

Additional Reading:

https://cloud.google.com/kubernetes-engine/docs/how-to/authorized-networks

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Master Authorized Network Should Be Enabled

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: