Remediation
From Google Cloud CLI
- Create an Access Context Manager policy if one does not already exist:
    gcloud access-context-manager policies create \
      --organization={{organization-id}} \
      --title="VPC Service Controls Policy"
- Create a service perimeter in dry-run mode for the sensitive projects and services (the dry-run subcommand records what the perimeter would block without enforcing it):
    gcloud access-context-manager perimeters dry-run create {{perimeter-name}} \
      --perimeter-title="{{perimeter-title}}" \
      --perimeter-resources=projects/{{project-number}} \
      --perimeter-restricted-services={{service-api}} \
      --policy={{policy-id}} \
      --perimeter-type=regular
- Add the required ingress rules, egress rules, access levels, and perimeter bridges to the dry-run configuration.
- Review dry-run violations in the audit logs and confirm application behavior.
- Enforce the perimeter only after the expected access paths have been validated.
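The following script carries the last three steps through with gcloud. It is an added example, not part of the benchmark text: the ingress and egress rules are constructed for illustration (a CI service account reading objects from an access level, and service accounts reaching a shared BigQuery project), every {{...}} token is a placeholder to replace, and the log filter used to surface dry-run violations is an assumption to check against the VPC Service Controls troubleshooting documentation for your release.

```shell
#!/bin/sh
# Added example for the remediation above; not from the benchmark or from Google.
# GCLOUD can be overridden (GCLOUD=echo) to print the commands instead of running them.
GCLOUD="${GCLOUD:-gcloud}"
POLICY="${POLICY:-{{policy-id}}}"
PERIMETER="${PERIMETER:-{{perimeter-name}}}"
PROJECT_NUMBER="${PROJECT_NUMBER:-{{project-number}}}"
PROJECT_ID="${PROJECT_ID:-{{project-id}}}"

# Step 3: write narrow ingress/egress rules (constructed sample rules).
# Identities, sources, services, methods and resources are all named explicitly;
# no "*" in the identity or service fields, so the perimeter is not quietly opened.
write_rules_yaml() {
  dir="$1"
  cat > "$dir/ingress.yaml" <<EOF
- ingressFrom:
    identities:
    - serviceAccount:ci-deployer@{{build-project-id}}.iam.gserviceaccount.com
    sources:
    - accessLevel: accessPolicies/$POLICY/accessLevels/{{access-level-name}}
  ingressTo:
    operations:
    - serviceName: storage.googleapis.com
      methodSelectors:
      - method: google.storage.objects.get
    resources:
    - projects/$PROJECT_NUMBER
EOF
  cat > "$dir/egress.yaml" <<EOF
- egressFrom:
    identityType: ANY_SERVICE_ACCOUNT
  egressTo:
    operations:
    - serviceName: bigquery.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - projects/{{shared-dataset-project-number}}
EOF
}

# Apply the rules to the perimeter's dry-run configuration only; the enforced
# configuration (if any) is untouched until step 5.
apply_dry_run_rules() {
  dir="$1"
  $GCLOUD access-context-manager perimeters dry-run update "$PERIMETER" \
    --policy="$POLICY" \
    --set-ingress-policies="$dir/ingress.yaml" \
    --set-egress-policies="$dir/egress.yaml"
}

# Step 4: dry-run violations land in the policy audit log flagged dryRun=true.
# Every row returned here is a request the enforced perimeter would have blocked,
# so the list must be empty (or fully explained) before enforcing.
# The filter string is an assumption to verify against current documentation.
list_dry_run_violations() {
  $GCLOUD logging read \
    'log_id("cloudaudit.googleapis.com/policy") AND protoPayload.metadata.dryRun="true"' \
    --project="$PROJECT_ID" --limit=50 \
    --format='table(timestamp, protoPayload.authenticationInfo.principalEmail, protoPayload.methodName)'
}

# Step 5: promote the reviewed dry-run configuration to the enforced one.
enforce_perimeter() {
  $GCLOUD access-context-manager perimeters dry-run enforce "$PERIMETER" --policy="$POLICY"
}

# Usage: sh vpcsc.sh write DIR | apply DIR | violations | enforce
case "${1:-}" in
  write)      write_rules_yaml "$2" ;;
  apply)      apply_dry_run_rules "$2" ;;
  violations) list_dry_run_violations ;;
  enforce)    enforce_perimeter ;;
esac
```

Run `write` and `apply` first, then leave the dry-run in place long enough to cover batch jobs and other infrequent access paths before `violations` comes back clean; only then run `enforce`.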