Default VPC Should Not Be Used

More Info:

Determines whether the default VPC is being used for launching new services or artifacts. The default VPC should not be used in order to avoid launching multiple services in the same network which may not require connectivity. Each application, or network tier, should use its own VPC.

Risk Level

High

Address

Security

Compliance Standards

CISGCP, CBP, ISO27001, GDPR, SOC2, NISTCSF

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the “Default VPC Should Not Be Used” misconfiguration in GCP using GCP CLI, you can follow these steps:

Identify all the GCP projects that are using the default VPC. You can use the following command to list all the projects:

gcloud projects list

For each project that is using the default VPC, create a new VPC network. You can use the following command to create a new VPC network:

gcloud compute networks create [NETWORK_NAME] --subnet-mode=auto --bgp-routing-mode=regional

Once the new VPC network is created, you can move all the existing resources from the default VPC to the new VPC network. You can use the following command to move a resource to a new VPC network:

gcloud compute instances move [INSTANCE_NAME] --zone [ZONE] --network [NETWORK_NAME]

Once all the resources are moved to the new VPC network, you can delete the default VPC network. You can use the following command to delete the default VPC network:

gcloud compute networks delete default

Finally, you should update your organization’s policies to prevent the use of default VPCs in the future.

Note: Before making any changes to your GCP environment, it is recommended to test the changes in a non-production environment to ensure that there are no unintended consequences.

Using Python

To remediate the “Default VPC Should Not Be Used” misconfiguration in GCP using Python, you can follow the below steps:

Install the necessary Python packages:

pip install google-cloud-compute

Authenticate to GCP:

from google.oauth2 import service_account
from google.cloud import compute_v1

credentials = service_account.Credentials.from_service_account_file('<path_to_service_account_key_file>')
compute_client = compute_v1.ComputeClient(credentials=credentials)

Get the list of all VPCs:

vpcs = compute_client.networks().list(project='<project_id>').execute()

Check if any of the VPCs are default:

for vpc in vpcs['items']:
    if vpc['autoCreateSubnetworks'] == True:
        print(f"{vpc['name']} is a default VPC and should be deleted.")

Delete the default VPC:

compute_client.networks().delete(project='<project_id>', network='<default_vpc_name>').execute()

Note: Replace <path_to_service_account_key_file>, <project_id>, and <default_vpc_name> with the appropriate values for your GCP environment. Also, make sure to test the script in a non-production environment before running it in production.

Additional Reading:

https://cloud.google.com/vpc/docs/vpc

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Default VPC Should Not Be Used

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: