Risk Level: High
Cloud Entity: GCP Security Group
CloudGuard Rule ID: D9.GCP.NET.07
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

GcpSecurityGroup where name='Global' should not have inboundRules contain [ protocol='TCP' and source = '0.0.0.0/0' ]

REMEDIATION

From Portal 1. Go to VPC network. 2. Go to the Firewall Rules. 3. Select the relevant Firewall Rule and click on Edit. 3. Ensure Port is not equal to 22 and Action is not Allow. 4. Under Source ranges ensure IP Ranges is not equal to 0.0.0.0.

From Command Line Note: If you need to change the name, network, or the action or direction component, you must delete the rule and create a new one instead.

To update exist firewall rules, run:

gcloud compute firewall-rules update FIREWALL_NAME --source-ranges=CIDR_RANGE --rules=[PROTOCOL[:PORT]]

To delete firewall rules, run:

gcloud compute firewall-rules delete [FIREWALL_NAME]

To create new firewall rules, run:

gcloud compute firewall-rules create FIREWALL_NAME [--priority=PRIORITY] [--description=DESCRIPTION] [--target-tags=TAG,...] [--target-service-accounts=IAM_SERVICE_ACCOUNT,_] [--source-ranges=CIDR_RANGE,...] [--source-tags=TAG,...] [--source-service-accounts=IAM_SERVICE_ACCOUNT,_] [--destination-ranges=CIDR_RANGE,...] [--rules=[JHY[:88[-88]],...]] [--disabled | --no-disabled] [--enable-logging | --no-enable-logging]

From TF

resource "google_compute_firewall" "allow-ssh" {
  name = "global"
  allow {
    protocol = "tcp"
  }
  source_ranges = ["0.0.0.0/0"]
}

References 1. https://cloud.google.com/vpc/docs/firewalls#blockedtraffic 2. https://cloud.google.com/vpc/docs/using-firewalls

GCP Security Group

Google Cloud Platform (GCP) firewall rules let you allow or deny traffic to and from your virtual machine (VM) instances based on a configuration you specify. GCP firewall rules are applied at the virtual networking level, so they provide effective protection and traffic control regardless of the operating system your instances use.
The concept of security group is created in Dome9 compliance engine as a more flexible firewall grouping mechanism. Firewall rules can be assigned in one of the following modes: all instances in the network; instances by target tags; instances by target service account. In the compliance engine we grouped these rules by tags.

Compliance Frameworks

CloudGuard GCP All Rules Ruleset
GCP CloudGuard Best Practices
GCP CloudGuard CheckUp
GCP CloudGuard Network Security
GCP GDPR Readiness
GCP HIPAA
GCP ISO 27001:2013
GCP LGPD regulation
GCP MITRE ATT&CK Framework v12.1
GCP NIST 800-53 Rev 4
GCP NIST 800-53 Rev 5
GCP NIST CSF v1.1
GCP PCI-DSS 3.2
GCP PCI-DSS 4.0