Use Labels for Resource Management

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)

Ensure that user-defined labels are being used to tag, collect, and organize API Gateway APIs within your Google Cloud Platform (GCP) projects. User-defined labels are a lightweight and efficient way to group together related or associated cloud resources.

Security
Reliability
Performance efficiency
Cost optimisation

As your Google Cloud Platform (GCP) projects grow increasingly complex, effective management strategies become essential. User-defined labels can significantly enhance visibility and organization across your Google Cloud resources. By strategically labeling your API Gateway APIs, you can streamline organization, simplify search queries, and optimize resource management. This lightweight yet powerful approach allows you to group related services, such as production, staging, and development environments, for efficient identification and control.


Audit

To determine if your API Gateway APIs are labeled for better resource management, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to API Gateway console available at https://console.cloud.google.com/api-gateway/.

04 On the APIs listing page, click on the name (link) of the API Gateway API that you want to examine, available in the Name column.

05 Select the DETAILS tab to view the configuration information available for the selected API.

06 Check the Labels attribute value to determine if any user-defined labels are defined for the selected API. If the Labels value is None, the selected Google Cloud API Gateway API is not labeled with user-defined labels for resource management.

07 Repeat steps no. 4 - 6 for each API Gateway API available in the selected GCP project.

08 Repeat steps no. 2 – 7 for each GCP project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each GCP project available in your Google Cloud account:

gcloud projects list --format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-project-123123
cc-dev-project-112233

03 Run api-gateway apis list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to list the ID of each API Gateway API created for the selected project:

gcloud api-gateway apis list --project cc-web-project-123123 --format="table(NAME)"

04 The command output should return the fully qualified identifier for each API:

NAME: projects/cc-web-project-123123/locations/global/apis/tm-project5-api
NAME: projects/cc-web-project-123123/locations/global/apis/tm-map-app-api

05 Run api-gateway apis describe command (Windows/macOS/Linux) with the ID of the API Gateway API that you want to examine as the identifier parameter and custom output filters to describe the user-defined resource labels configured for the selected API:

gcloud api-gateway apis describe projects/cc-web-project-123123/locations/global/apis/tm-project5-api --format="json(labels)"

06 The command output should return the requested resource labels:

null

If the api-gateway apis describe command output returns null, as shown in the example above, the selected Google Cloud API Gateway API is not labeled with user-defined labels for resource management.

07 Repeat steps no. 5 and 6 for each API Gateway API that you want to examine, created for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.
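
The CLI audit steps above, combined into one sweep over every project. This is an added example, not part of the original page; the function names and the --run argument are assumptions, and --format="value(...)" is used instead of the table format so that each result is a bare line.

```shell
#!/bin/sh
# Added example: find API Gateway APIs with no user-defined labels.

# is_unlabeled JSON: succeeds when `describe --format="json(labels)"`
# output holds no labels (the page shows `null` for that case).
is_unlabeled() {
    # Drop whitespace so pretty-printed and compact JSON compare equal.
    compact=$(printf '%s' "$1" | tr -d ' \t\r\n')
    case "$compact" in
        ''|null|'{}'|'{"labels":null}'|'{"labels":{}}') return 0 ;;
        *) return 1 ;;
    esac
}

# unlabeled_apis PROJECT_ID: prints the full name of each unlabeled API.
unlabeled_apis() {
    gcloud api-gateway apis list --project "$1" --format="value(name)" |
    while IFS= read -r api; do
        [ -n "$api" ] || continue
        # </dev/null keeps gcloud from consuming the loop's input.
        labels=$(gcloud api-gateway apis describe "$api" \
            --format="json(labels)" </dev/null) || {
            echo "describe failed, skipping: $api" >&2
            continue
        }
        if is_unlabeled "$labels"; then
            printf '%s\n' "$api"
        fi
    done
}

# audit_all_projects: prints every unlabeled API in all visible projects
# and returns 1 if any exist, so the sweep can gate a scheduled job.
audit_all_projects() {
    found=$(
        gcloud projects list --format="value(projectId)" |
        while IFS= read -r project; do
            [ -n "$project" ] || continue
            unlabeled_apis "$project"
        done
    )
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Assumed entry point: run the sweep only when called as `sh audit.sh --run`.
if [ "${1:-}" = "--run" ]; then
    audit_all_projects
fi
```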

Remediation / Resolution

To ensure that all your Google Cloud API Gateway APIs are labeled with user-defined labels for better resource management, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to API Gateway console available at https://console.cloud.google.com/api-gateway/.

04 On the APIs listing page, click on the name (link) of the API Gateway API that you want to configure, available in the Name column.

05 Select the DETAILS tab and choose EDIT to modify the API configuration.

06 On the Edit API configuration page, choose ADD LABEL, and use the Key and Value text fields to define your own user-defined labels for the selected API. You can use labels such as: environment (e.g., prod, test, dev), team (e.g., frontend, backend, secops), billing (e.g., project5, engineering), version (e.g., v1.3, v2.1) or owner (e.g., john-doe, team-lead). Choose SAVE to apply the changes.

07 Repeat steps no. 4 - 6 for each API Gateway API available in the selected GCP project.

08 Repeat steps no. 2 – 7 for each GCP project deployed within your Google Cloud account.

Using GCP CLI

01 Run api-gateway apis update command (Windows/macOS/Linux) with the name of the API Gateway API that you want to configure as the identifier parameter, to set user-defined labels for the selected API. Use the --update-labels command parameter to supply your own labels. If the specified label exists, its value is modified. Otherwise, a new label is created. You can use labels such as: environment (e.g., prod, test, dev), team (e.g., frontend, backend, secops), billing (e.g., project5, engineering), version (e.g., v1.5, v2.1) or owner (e.g., john-doe, team-lead):

gcloud api-gateway apis update projects/cc-web-project-123123/locations/global/apis/tm-project5-api --update-labels=environment=prod,team=engineering

02 The command output should return the update operation status:

Waiting for API [tm-project5-api] to be updated... done.

03 Repeat steps no. 1 and 2 for each API Gateway API that you want to configure, available within the selected GCP project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.

Publication date Jan 16, 2025