
Restricting the Use of Images

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that only images from trusted Google Cloud Platform (GCP) projects are allowed as the source for boot disks for new virtual machine instances. To enforce this constraint, enable and configure the "Define Trusted Image Projects" policy at the GCP organization level. The allowed list of publisher projects must be configured in the conformity rule settings, on the Trend Cloud One™ – Conformity account console.

Security

By default, the GCP project members can create persistent disks or copy images using any of the public and private images that they can access through their Cloud IAM roles. However, in some situations you might want to restrict access to disk images so that your project members can create boot disks only from images that contain approved software that meets strict security requirements.


Audit

To determine if the virtual machine disk image restriction is enabled within your GCP organizations, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console with the organizational unit credentials.

02 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to examine.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Organization Policies to access the complete list of the cloud organization policies available for your GCP organization.

05 Click inside the Filter by policy name or ID filter box, select Name and Define trusted image projects to return the "Define Trusted Image Projects" policy.

06 Click on the name of the GCP organization policy returned at the previous step.

07 On the Policy details page, under Effective policy, check the Allowed configuration attribute value. If the Allowed attribute value is set to All, the policy constraints are not enforced for the entire organization, therefore the use of virtual machine disk images is not restricted within your Google Cloud organization.

08 Repeat steps no. 2 – 7 for each organization available in your Google Cloud account.

Using GCP CLI

01 Run organizations list command (Windows/macOS/Linux) using custom query filters to list the ID of each organization available within your Google Cloud account:

gcloud organizations list \
    --format="table(name.basename():label=ID)"

02 The command output should return the requested organization identifiers (IDs):

ID
112233441122
123412341234

03 Run resource-manager org-policies describe command (Windows/macOS/Linux) using the ID of the GCP organization that you want to examine as the identifier parameter, to describe the enforcement configuration of the "Define Trusted Image Projects" policy (i.e. the "compute.trustedImageProjects" constraint) for the selected GCP organization:

gcloud alpha resource-manager org-policies describe \
    "compute.trustedImageProjects" \
    --effective \
    --organization=112233441122 \
    --format="value(listPolicy.allValues)"

04 The command request should return the requested configuration information:

ALLOW

If the resource-manager org-policies describe command output returns ALLOW, the "Define Trusted Image Projects" policy constraints are not enforced for the entire organization, therefore the use of virtual machine disk images is not restricted within your Google Cloud Platform (GCP) organization.

05 Repeat step no. 3 and 4 for each organization created within your Google Cloud account.

Remediation / Resolution

By default, virtual machine instances can be created from images in any Google Cloud project that shares images publicly or explicitly with the user. To enforce the creation of instances from images shared within trusted projects only, enable and configure the "Define Trusted Image Projects" organization policy by performing the following actions:

Using GCP Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Restricting the Use of Images conformity rule settings and note the list of Google Cloud projects that share trusted virtual machine disk images within your GCP organization.

02 Sign in to Google Cloud Management Console with the organizational unit credentials.

03 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to reconfigure.

04 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

05 In the navigation panel, select Organization Policies to access the list with the cloud organization policies available for your organization.

06 Click inside the Filter by policy name or ID filter box, select Name and Define trusted image projects to return only the "Define Trusted Image Projects" policy.

07 Click on the name of the GCP organization policy returned at the previous step.

08 On the Policy details page, click on the EDIT button from the dashboard top menu to edit the selected policy.

09 On the Edit policy configuration page, perform the following operations:

  1. Under Applies to, select Customize to choose the type of the policy to apply (i.e. customized policy).
  2. To override the inherited policies completely, select Replace under Policy enforcement.
  3. To use explicit values, select Custom from the Policy values dropdown list.
  4. For Policy type, select Allow to specify that the listed values will be the only allowed values, and all other values will be denied.
  5. In the Custom values section, use the configuration controls to specify the Google Cloud projects that share trusted disk images only, identified at step no. 1. Use the following format to define the allowed/trusted GCP projects: projects/<project-id> where <project-id> is the ID of the trusted Google Cloud project.
  6. (Optional) To set a recommendation for other users, click SET RECOMMENDATION, enter a string value into the Recommended value text box, and click SET to apply the recommendation. This string value will be displayed in the Google Cloud console to provide guidance to users about this organization policy. This is just a communication tool, and does not affect the policy configuration.
  7. Click SAVE to apply the changes and enforce the "Define Trusted Image Projects" policy constraints.

10 If required, repeat steps no. 3 – 9 to enable the necessary policy for other organizations available in your Google Cloud account.

Using GCP CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access Restricting the Use of Images conformity rule settings and note the list of Google Cloud projects that share trusted virtual machine disk images within your GCP organization.

02 Define the "Define Trusted Image Projects" policy constraints and save the YAML policy document to a file named cc-trusted-projects-policy.yaml. Use the list of trusted Google Cloud projects identified at step no. 1 to configure the allowedValues list (one list item per trusted project). The following policy example allows the creation of virtual machine instances from images shared only by the GCP project identified by projects/cc-prod-project, where cc-prod-project is the ID of the Google Cloud project defined as the trusted source for images:

constraint: constraints/compute.trustedImageProjects
listPolicy:
  allowedValues:
  - projects/cc-prod-project

03 Run resource-manager org-policies set-policy command (Windows/macOS/Linux) using the ID of the Google Cloud Platform (GCP) organization that you want to reconfigure as the identifier parameter, to enforce the "Define Trusted Image Projects" policy (i.e. the "compute.trustedImageProjects" constraint), using the policy document defined at the previous step, for the selected organization:

gcloud beta resource-manager org-policies set-policy cc-trusted-projects-policy.yaml \
    --organization=112233441122

04 The command request should return the enforced organization policy metadata:

constraint: constraints/compute.trustedImageProjects
etag: abcdabcdabcd
listPolicy:
  allowedValues:
  - projects/cc-prod-project
updateTime: '2020-09-03T08:00:00.000Z'

05 If required, repeat step no. 3 and 4 to enforce the necessary policy for other organizations created within your Google Cloud account.
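The following POSIX shell helper is an added example and is not code from Trend Micro Conformity or Google; it ties together the CLI audit (step 3 of the Audit section) and the CLI remediation above. It classifies the YAML that "gcloud alpha resource-manager org-policies describe compute.trustedImageProjects --effective" prints for an organization (ALLOW for all values, no allowedValues, or an allowedValues entry outside the trusted list all count as non-compliant) and renders the policy document that "gcloud beta resource-manager org-policies set-policy" expects, with the camelCase allowedValues key and one list item per project. The trusted project IDs (cc-prod-project from this page, cc-golden-images added here), the sample describe outputs and the organization IDs are constructed placeholders; replace them with the projects noted from the Conformity rule settings.

```shell
#!/bin/sh
# Added example (not Conformity's or Google's code): audit and render the
# compute.trustedImageProjects organization policy.
# Project IDs and sample outputs are constructed placeholders.

# Trusted image projects, as noted from the Conformity rule settings.
TRUSTED_PROJECTS="cc-prod-project cc-golden-images"

# render_policy PROJECT_ID... -> YAML policy document for set-policy.
# allowedValues is a repeated field, so each project is a "- projects/<id>" item.
render_policy() {
    printf 'constraint: constraints/compute.trustedImageProjects\n'
    printf 'listPolicy:\n  allowedValues:\n'
    for p in "$@"; do
        printf '  - projects/%s\n' "$p"
    done
}

# evaluate_effective_policy [TRUSTED_LIST] : reads describe --effective output
# on stdin (full YAML, or the bare ALLOW printed by --format="value(listPolicy.allValues)")
# and prints exactly one line starting with COMPLIANT or NON_COMPLIANT.
evaluate_effective_policy() {
    awk -v trusted="${1:-$TRUSTED_PROJECTS}" '
    BEGIN {
        n = split(trusted, t, " ")
        for (i = 1; i <= n; i++) ok["projects/" t[i]] = 1
    }
    # "allValues: ALLOW" (or a bare ALLOW) means every project may supply images.
    /^[ \t]*(allValues:[ \t]*)?ALLOW[ \t]*$/ { allow_all = 1 }
    /^[ \t]*allowedValues:/ { in_allowed = 1; next }
    in_allowed && /^[ \t]*-[ \t]*/ {
        v = $0
        sub(/^[ \t]*-[ \t]*/, "", v)
        sub(/[ \t]+$/, "", v)
        count++
        if (!(v in ok)) bad = (bad == "" ? v : bad " " v)
        next
    }
    in_allowed { in_allowed = 0 }   # any other line closes the list
    END {
        if (allow_all)  { print "NON_COMPLIANT allValues=ALLOW (any project may supply boot images)"; exit }
        if (count == 0) { print "NON_COMPLIANT no allowedValues configured"; exit }
        if (bad != "")  { print "NON_COMPLIANT untrusted image projects: " bad; exit }
        print "COMPLIANT"
    }'
}

# audit_org_live ORG_ID : runs the real gcloud describe for one organization.
# Needs an authenticated gcloud; only used with "--live ORG_ID...".
audit_org_live() {
    gcloud alpha resource-manager org-policies describe \
        compute.trustedImageProjects --effective --organization="$1" \
        | evaluate_effective_policy
}

# Constructed sample outputs of describe --effective.
SAMPLE_UNRESTRICTED='constraint: constraints/compute.trustedImageProjects
listPolicy:
  allValues: ALLOW'

SAMPLE_MIXED='constraint: constraints/compute.trustedImageProjects
etag: abcdabcdabcd
listPolicy:
  allowedValues:
  - projects/cc-prod-project
  - projects/someone-elses-project
updateTime: 2020-09-03T08:00:00.000Z'

demo() {
    printf '%s\n' "$SAMPLE_UNRESTRICTED" | evaluate_effective_policy
    printf '%s\n' "$SAMPLE_MIXED" | evaluate_effective_policy
    # Word splitting of TRUSTED_PROJECTS is intended here.
    render_policy $TRUSTED_PROJECTS | evaluate_effective_policy
    render_policy $TRUSTED_PROJECTS
}

if [ "${1:-}" = "--live" ]; then
    shift
    for org in "$@"; do printf '%s: ' "$org"; audit_org_live "$org"; done
else
    demo
fi
```

Run without arguments to see the three classifications and the rendered document; run with "--live 112233441122 123412341234" (your own organization IDs) to classify real organizations. A policy that passes evaluate_effective_policy can be written with render_policy to cc-trusted-projects-policy.yaml and applied with the set-policy command from step 3.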


Publication date May 10, 2021