Enable critical service APIs

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Very High (not tolerated)

Ensure that critical service APIs are enabled for your GCP projects in order to gain access to essential functionalities and services provided by Google Cloud Platform (GCP), manage your project resources efficiently, enhance the security of your cloud environment, and track your usage and billing. The critical service APIs that you can enable for your GCP projects include but are not limited to Identity and Access Management (IAM) API (iam.googleapis.com), Compute Engine API (compute.googleapis.com), Cloud Storage (storage-component.googleapis.com), Google Cloud Pub/Sub API (pubsub.googleapis.com), Cloud Key Management Service (KMS) API (cloudkms.googleapis.com), and Cloud Logging API (logging.googleapis.com).

Security
Reliability
Cost optimisation
Performance efficiency
Operational excellence

In Google Cloud, most critical service APIs are disabled by default for projects. Enabling service APIs is vital as they provide the foundational functionality for various aspects of your Google Cloud projects. Service APIs enable you to store and retrieve data, manage cloud infrastructure, handle messaging and events, analyze images, and process text. By utilizing these APIs, you can leverage Google Cloud's powerful capabilities and build scalable, intelligent, and feature-rich cloud applications and services.


Audit

To determine if critical service APIs are enabled for your GCP projects, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to the API Library page available at https://console.cloud.google.com/apis/library.

04 Use the Search for API & Services search box and search for the Google Cloud service API that you want to enable.

05 Click on the name of the service API to open the API overview page.

06 On the API overview page, look for the MANAGE button to determine the current status of the API. If the ENABLE button is displayed instead of the MANAGE button, the selected service API is not enabled for your GCP project.

07 Repeat steps no. 2 – 6 for each project deployed in your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Run the projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each GCP project available within your Google Cloud account:

gcloud projects list --format="table(projectId)"

02 The command output should return the requested GCP project identifier(s):

PROJECT_ID
  cc-web-app-project-112233
  cc-bigdata-project-123123

03 Run the services list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom filtering to determine if the specified service API is enabled for the selected project:

gcloud services list --project cc-web-app-project-112233 --enabled --filter=name:iam.googleapis.com

04 The command output should return the name and the title of the requested API:

Listed 0 items.

If the services list command output returns Listed 0 items., as shown in the output example above, the selected service API is not enabled for the selected GCP project.

05 Repeat steps no. 3 and 4 for each project created within your Google Cloud Platform (GCP) account.
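The per-project, per-API check in steps 3 and 4 can be run in one pass over the six APIs named on this page. The script below is an added example, not part of the original Conformity procedure; the function names, the tab-separated report format and the --all-projects switch are assumptions made for illustration. It also separates a failed listing (for example, missing permissions) from a genuinely disabled API, so an error is never read as "Listed 0 items.".

```shell
#!/bin/sh
# Added example (not from the original page): audit the critical APIs it lists.
# Function names and the report format are illustrative assumptions.
CRITICAL_APIS="iam.googleapis.com compute.googleapis.com
storage-component.googleapis.com pubsub.googleapis.com
cloudkms.googleapis.com logging.googleapis.com"

# Read enabled service names on stdin (one per line) and print every
# critical API that is absent from that list.
missing_apis() {
  enabled_list="$(cat)"
  for api in $CRITICAL_APIS; do
    # -x whole-line, -F literal: a longer service name that merely
    # contains the string cannot satisfy the check.
    printf '%s\n' "$enabled_list" | grep -qxF "$api" || printf '%s\n' "$api"
  done
}

# Audit one project. Returns 0 = all enabled, 1 = at least one disabled,
# 2 = the listing itself failed, which must not be treated as
# "nothing enabled".
audit_project() {
  project="$1"
  if ! services="$(gcloud services list --project "$project" --enabled \
        --format='value(config.name)' 2>/dev/null)"; then
    printf '%s\tERROR\tcould not list services\n' "$project"
    return 2
  fi
  gaps="$(printf '%s\n' "$services" | missing_apis)"
  [ -z "$gaps" ] && return 0
  for api in $gaps; do printf '%s\tDISABLED\t%s\n' "$project" "$api"; done
  return 1
}

# Walk every project visible to the active account, only when asked to.
if [ "${1:-}" = "--all-projects" ]; then
  status=0
  for p in $(gcloud projects list --format='value(projectId)'); do
    audit_project "$p" || status=1
  done
  exit "$status"
fi
```

Run it with --all-projects from a shell where gcloud is already authenticated; a non-zero exit status means at least one project has a disabled critical API or could not be listed.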

Remediation / Resolution

To enable critical service APIs for your GCP projects, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to the API Library page available at https://console.cloud.google.com/apis/library.

04 Use the Search for API & Services search box and find the service API that you want to enable.

05 Click on the selected API to access the service API overview page.

06 On the API overview page, choose ENABLE to enable the selected Google Cloud service API for your GCP project.

07 Repeat steps no. 2 – 6 for each GCP project deployed in your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Run the services enable command (Windows/macOS/Linux) using the ID of the GCP project that you want to access as the identifier parameter, to enable the required service API for the selected project:

gcloud services enable iam.googleapis.com --project cc-web-app-project-112233

02 If successful, the command output should return the ID and status of the performed operation:

Operation "operations/acat.p0-123456789012-abcd1234-abcd-1234-abcd-1234abcd1234" finished successfully.

Publication date May 25, 2023