Ensure Global Firewall rule does not allow all TCP traffic

Firewall rules that apply to all VM instances in a network (the 'Global' group) should not allow inbound traffic with protocol='TCP' from source='0.0.0.0/0'.

Risk Level: High
Cloud Entity: GCP Security Group
CloudGuard Rule ID: D9.GCP.NET.07
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

GcpSecurityGroup where name='Global' should not have inboundRules contain [ protocol='TCP' and source = '0.0.0.0/0' ]
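The GSL condition above, as an added offline check (not CloudGuard's own code) run over the JSON that `gcloud compute firewall-rules list --format=json` produces. It assumes that the 'Global' group is the set of rules with no target tags and no target service accounts, as described under GCP Security Group below, and that a rule with the 'all' protocol should be treated as covering TCP (a small generalization of the literal protocol='TCP' term). The sample rules are constructed. Note that, as written, the GSL condition has no port term: a global rule that opens only tcp:443 to 0.0.0.0/0 matches just as an all-ports rule does, and the sample includes such a rule to make that visible.

```python
"""Offline evaluation of CloudGuard rule D9.GCP.NET.07:

    GcpSecurityGroup where name='Global' should not have inboundRules
    contain [ protocol='TCP' and source = '0.0.0.0/0' ]

Added example, not CloudGuard code. Input is in the shape produced by
`gcloud compute firewall-rules list --format=json`; the rules below are
constructed for illustration.
"""
import json

ANY_IPV4 = "0.0.0.0/0"

# Constructed sample: one rule per case the check must distinguish.
SAMPLE_RULES_JSON = """
[
  {"name": "allow-all-tcp-from-internet", "network": "default", "direction": "INGRESS",
   "disabled": false, "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp"}]},
  {"name": "allow-ssh-from-corp", "network": "default", "direction": "INGRESS",
   "disabled": false, "sourceRanges": ["203.0.113.0/24"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-https-tagged", "network": "default", "direction": "INGRESS",
   "disabled": false, "sourceRanges": ["0.0.0.0/0"], "targetTags": ["web"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
  {"name": "allow-https-global", "network": "default", "direction": "INGRESS",
   "disabled": false, "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
  {"name": "deny-all-from-internet", "network": "default", "direction": "INGRESS",
   "disabled": false, "sourceRanges": ["0.0.0.0/0"],
   "denied": [{"IPProtocol": "all"}]},
  {"name": "allow-egress-tcp", "network": "default", "direction": "EGRESS",
   "disabled": false, "destinationRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp"}]},
  {"name": "old-open-rule-disabled", "network": "default", "direction": "INGRESS",
   "disabled": true, "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]}
]
"""


def is_global(rule):
    """'Global' in the CloudGuard grouping (assumption): the rule applies to
    every instance in the network, i.e. it names no target tags and no target
    service accounts."""
    return not rule.get("targetTags") and not rule.get("targetServiceAccounts")


def allows_tcp_from_anywhere(rule):
    """True for an enabled INGRESS rule whose allowed list covers TCP
    (explicitly, or via the 'all' protocol) and whose sourceRanges contain
    0.0.0.0/0. Ports are deliberately ignored, matching the GSL condition.
    Source tags and source service accounts are never 0.0.0.0/0, so a rule
    that uses only those cannot match."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return False
    if ANY_IPV4 not in rule.get("sourceRanges", []):
        return False
    return any(entry.get("IPProtocol", "").lower() in ("tcp", "all")
               for entry in rule.get("allowed", []))


def find_violations(rules_json):
    """Return the names of rules violating D9.GCP.NET.07, in input order."""
    rules = json.loads(rules_json)
    return [r["name"] for r in rules if is_global(r) and allows_tcp_from_anywhere(r)]


if __name__ == "__main__":
    for name in find_violations(SAMPLE_RULES_JSON):
        print(f"VIOLATION {name}: allows TCP from {ANY_IPV4} to all instances")
```

Only the two global allow rules with a 0.0.0.0/0 source are reported; the tagged HTTPS rule, the deny rule, the egress rule and the disabled rule are not. Restricting a rule's Targets to tags or service accounts therefore moves it out of the 'Global' group, which is one of the remediation options besides narrowing the source range.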

REMEDIATION

From Portal

  1. Go to VPC network.
  2. Go to Firewall rules.
  3. Select the relevant firewall rule and click Edit.
  4. Ensure the rule does not allow protocol TCP from source 0.0.0.0/0 to all instances in the network: under Source IP ranges replace 0.0.0.0/0 with the specific trusted CIDR ranges that need access, or restrict Targets to specific target tags or service accounts, or change the rule's action to Deny.

From Command Line

Note: If you need to change the name, network, action or direction of a rule, you must delete the rule and create a new one instead.

  1. To update an existing firewall rule in place (for example, to replace a 0.0.0.0/0 source range with trusted CIDRs), run:
```bash
gcloud compute firewall-rules update FIREWALL_NAME --source-ranges=CIDR_RANGE,...
```
  2. To delete a firewall rule, run:
```bash
gcloud compute firewall-rules delete FIREWALL_NAME
```
  3. To create a new firewall rule, run:
```bash
gcloud compute firewall-rules create FIREWALL_NAME [--priority=PRIORITY] [--description=DESCRIPTION] [--target-tags=TAG,...] [--target-service-accounts=IAM_SERVICE_ACCOUNT,...] [--source-ranges=CIDR_RANGE,...] [--source-tags=TAG,...] [--source-service-accounts=IAM_SERVICE_ACCOUNT,...] [--destination-ranges=CIDR_RANGE,...] [--rules=[PROTOCOL[:PORT[-PORT]],...]] [--disabled | --no-disabled] [--enable-logging | --no-enable-logging]
```

From TF

References

  1. https://cloud.google.com/vpc/docs/firewalls#blockedtraffic
  2. https://cloud.google.com/vpc/docs/using-firewalls

GCP Security Group

Google Cloud Platform (GCP) firewall rules let you allow or deny traffic to and from your virtual machine (VM) instances based on a configuration you specify. GCP firewall rules are applied at the virtual networking level, so they provide effective protection and traffic control regardless of the operating system your instances use.
The concept of a security group was created in the Dome9 compliance engine as a more flexible firewall grouping mechanism. A firewall rule can target instances in one of the following ways: all instances in the network; instances selected by target tags; instances selected by target service account. In the compliance engine these rules are grouped by target, so a rule that applies to all instances in the network belongs to the 'Global' group checked by this rule.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CloudGuard Best Practices
  • GCP CloudGuard CheckUp
  • GCP CloudGuard Network Security
  • GCP GDPR Readiness
  • GCP HIPAA
  • GCP ISO 27001:2013
  • GCP LGPD regulation
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 4
  • GCP NIST 800-53 Rev 5
  • GCP NIST CSF v1.1
  • GCP PCI-DSS 3.2
  • GCP PCI-DSS 4.0