Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Restrict Allowed Google Cloud APIs and Services

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that all the Google Cloud APIs and services restricted within your organization are defined using the "Restrict allowed Google Cloud APIs and services" organization policy. This constraint policy helps you achieve regulatory compliance by defining the set of cloud services and APIs that cannot be used within your GCP organization. The list of denied APIs and services must be configured in the conformity rule settings, on the Trend Cloud One™ – Conformity console.

Security

By default, all Google Cloud APIs and services are allowed. With "Restrict allowed Google Cloud APIs and services" policy you can restricts the set of cloud services (and their APIs) that can be utilized within your organization. The list of restricted services must be defined as the string name of an API and can only include explicitly denied values from the following list: compute.googleapis.com, deploymentmanager.googleapis.com, dns.googleapis.com, doubleclicksearch.googleapis.com, replicapool.googleapis.com, replicapoolupdater.googleapis.com, and resourceviews.googleapis.com. Explicitly denying APIs that are not included in the list above will result in an error. Enforcement of this service constraint is not retroactive, therefore if a cloud service is already enabled inside the organization when this constraint is enforced, it will remain enabled. With "Restrict allowed Google Cloud APIs and services" constraint policy in use, you can manage the access to Google Cloud APIs and services, control costs, and enforce security and compliance requirements for your organizations.

Audit

To determine if Google Cloud API and service restriction is enabled for your GCP organizations, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console with the organizational unit credentials.

02 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to examine.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Organization Policies to access the complete list of the cloud organization policies available for your GCP organization.

05 Click inside the Filter by policy name or ID filter box, select Name and Restrict allowed Google Cloud APIs and services to return only the “Restrict allowed Google Cloud APIs and services” policy.

06 Click on the name of the GCP organization policy returned at the previous step.

07 On the Policy details page, under Effective policy, check the Allowed configuration attribute value. If the Allowed attribute value is set to All, the policy constraints are not enforced in your organization, therefore all Google Cloud APIs and services are allowed within the selected Google Cloud Platform (GCP) organization.

08 Repeat steps no. 2 – 7 for each organization available in in your Google Cloud account.

Using GCP CLI

01 Run organizations list command (Windows/macOS/Linux) using custom query filters to list the ID of each organization available within your Google Cloud account: 

gcloud organizations list
  --format="table(name)"

02 The command output should return the requested organization identifiers (IDs): 

ID
741929605805
123412341234

03 Run resource-manager org-policies describe command (Windows/macOS/Linux) using the ID of the GCP organization that you want to reconfigure as identifier parameter, to describe the enforcement configuration of the “Restrict allowed Google Cloud APIs and services” policy (i.e. "serviceuser.services"), available for the selected GCP organization: 

gcloud alpha resource-manager org-policies describe "serviceuser.services"
  --effective
  --organization=741929605805
  --format="value(listPolicy.allValues)"

04 The command request should return the requested configuration information: 

ALLOW
cc-web-stack-network

If the resource-manager org-policies describe command output returns ALLOW, as shown in the example above, the “Restrict allowed Google Cloud APIs and services” policy constraints are not enforced within your organization, therefore all Google Cloud APIs and services are allowed in the selected Google Cloud Platform (GCP) organization.

05 Repeat step no. 3 and 4 for each organization created within in your Google Cloud account.

Remediation / Resolution

To implement the restriction of Google Cloud APIs and services within your GCP organizations, enable and configure the “Restrict allowed Google Cloud APIs and services” organization policy, by performing the following actions:

Using GCP Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Restrict Allowed Google Cloud APIs and Services conformity rule settings and note the list of Google Cloud APIs and services denied within your GCP organization.

02 Sign in to Google Cloud Management Console with the organizational unit credentials.

03 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to reconfigure.

04 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

05 In the navigation panel, select Organization Policies to access the list with the cloud organization policies available for your organization.

06 Click inside the Filter by policy name or ID filter box, select Name and Restrict allowed Google Cloud APIs and services to return the “Restrict allowed Google Cloud APIs and services” policy.

07 Click on the name of the GCP organization policy returned at the previous step.

08 On the Policy details page, click on the EDIT button from the dashboard top menu to edit the selected policy.

09 On the Edit policy configuration page, perform the following operations:

  1. Under Applies to, select Customize to choose the type of the policy to apply (i.e. customized policy).
  2. To override the inherited policies completely, select Replace under Policy enforcement.
  3. To use explicit values, select Custom from the Policy values dropdown list.
  4. For Policy type, select Allow to specify that the listed values will be the only allowed values, and all other values will be denied.
  5. In the Custom values section, use the configuration controls to define the Google Cloud APIs and services to be denied within the selected organization, identified at step no. 1. Specifying an API that is not included in following list will result in an error: compute.googleapis.com, deploymentmanager.googleapis.com, dns.googleapis.com, doubleclicksearch.googleapis.com, replicapool.googleapis.com, replicapoolupdater.googleapis.com, resourceviews.googleapis.com.
  6. (Optional) To set a recommendation for other users, click SET RECOMMENDATION, enter a string value into the Recommended value text box, and click SET to apply the recommendation. This string value will be displayed in the Google Cloud console to provide guidance to users about this organization policy. This is only a communication tool, and does not affect the policy configuration.
  7. Click SAVE to apply the changes and enforce the “Restrict allowed Google Cloud APIs and services” policy constraints.

10 If required, repeat steps no. 3 – 9 to enable the policy for other organizations available in your Google Cloud account.

Using GCP CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access Restrict Allowed Google Cloud APIs and Services conformity rule settings and note the list of Google Cloud APIs and services denied within your GCP organization.

02 Define the “Restrict allowed Google Cloud APIs and services” organization policy constraints and save the YAML policy document to a file named cc-restrict-apis-services-policy.yaml. Use the list of denied Google Cloud APIs and services identified at step no. 1 to configure the deniedValues list. Specifying an API that is not included in following list will result in an error: compute.googleapis.com, deploymentmanager.googleapis.com, dns.googleapis.com, doubleclicksearch.googleapis.com, replicapool.googleapis.com, replicapoolupdater.googleapis.com, resourceviews.googleapis.com. The following policy configuration example denies the use of Google Cloud DNS API within the specified GCP organization: 

constraint: constraints/serviceuser.services
listPolicy:
  deniedValues:
    "dns.googleapis.com"

03 Run resource-manager org-policies set-policy command (Windows/macOS/Linux) using the ID of the Google Cloud Platform (GCP) organization that you want to reconfigure as identifier parameter, to enforce the “Restrict allowed Google Cloud APIs and services” policy, using the policy configuration defined at the previous step, for the selected organization: 

gcloud beta resource-manager org-policies set-policy cc-restrict-apis-services-policy.yaml
  --organization=741929605805

04 The command request should return the enforced organization policy metadata: 

constraint: constraints/serviceuser.services
etag: abcdabcdabcd
listPolicy:
  deniedValues:
  - dns.googleapis.com
updateTime: '2020-07-17T10:00:00.000Z

05 If required, repeat step no. 3 and 4 to enforce the policy for other organizations created within your Google Cloud account.

References

Publication date May 4, 2021

Related ResourceManager rules