Ensure That SSH Access Is Restricted From the Internet
GCP firewall rules are specific to a VPC network. Each rule either allows or denies traffic when its conditions are met. The conditions let you specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances. Firewall rules are defined at the VPC network level and apply only to the network in which they are defined; the rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic: when specifying a source for an ingress rule or a destination for an egress rule by address, you can only use an IPv4 address or an IPv4 block in CIDR notation. Allowing generic (0.0.0.0/0) incoming traffic from the internet to a VPC or VM instance over SSH on port 22 should be avoided.
Risk Level: High
Cloud Entity: GCP Security Group
CloudGuard Rule ID: D9.GCP.NET.12
Covered by Spectral: Yes
Category: Networking & Content Delivery
GSL LOGIC
GcpSecurityGroup should not have inboundRules contain [ destinationPort=22 and source='0.0.0.0/0' ]
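As an added illustration of the GSL condition above (example code written here, not CloudGuard's own evaluator), the following Python applies the same check to a constructed sample shaped like the JSON output of gcloud compute firewall-rules list. It goes slightly beyond the one-line GSL by also matching port ranges that contain 22 and the protocol value "all"; skipping disabled rules is an assumption of this example.

```python
import json

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`;
# only the fields used below are included.
SAMPLE_RULES_JSON = """
[
  {"name": "allow-ssh-anywhere", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-admin-range", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["203.0.113.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-port-range", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["10.0.0.0/8", "0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}]},
  {"name": "allow-all-proto", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
  {"name": "deny-ssh", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "egress-ssh", "direction": "EGRESS", "disabled": false,
   "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}
]
"""

def port_matches(spec: str, port: int) -> bool:
    """True if a gcloud port spec ("22" or "20-25") covers the given port."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def exposes_ssh_to_internet(rule: dict, port: int = 22) -> bool:
    """Mirror the GSL: an ingress allow rule with source 0.0.0.0/0 reaching TCP port 22."""
    # Assumption of this example: disabled rules are not flagged.
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return False
    if "0.0.0.0/0" not in rule.get("sourceRanges", []):
        return False
    for entry in rule.get("allowed", []):          # deny rules have "denied" instead
        proto = entry["IPProtocol"].lower()
        if proto not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports or any(port_matches(p, port) for p in ports):
            return True                            # no "ports" means every port
    return False

def find_violations(rules_json: str) -> list[str]:
    """Names of the rules that violate D9.GCP.NET.12, in input order."""
    return [r["name"] for r in json.loads(rules_json) if exposes_ssh_to_internet(r)]

if __name__ == "__main__":
    for name in find_violations(SAMPLE_RULES_JSON):
        print(f"{name}: allows SSH (tcp/22) from 0.0.0.0/0")
```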
REMEDIATION
From Portal
- Go to VPC Network.
- Go to the Firewall Rules.
- Click the Firewall Rule you want to modify.
- Click Edit.
- Modify Source IP ranges to specific IP.
- Click Save.
From TF
Set the deny block to match TCP port 22 (SSH is carried over TCP; "ssh" is not a valid protocol value for this resource):
resource "google_compute_firewall" "default" {
  ...
  deny {
    protocol = "tcp"   # SSH runs over TCP
    ports    = ["22"]
  }
  source_ranges = ["0.0.0.0/0"]   # block SSH from any source address
  ...
}
From Command Line
Run
gcloud compute firewall-rules update FIREWALL_NAME --rules=PROTOCOL:PORT-PORT
References
- https://cloud.google.com/vpc/docs/firewalls#default_firewall_rules
- https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall
GCP Security Group
Google Cloud Platform (GCP) firewall rules let you allow or deny traffic to and from your virtual machine (VM) instances based on a configuration you specify. GCP firewall rules are applied at the virtual networking level, so they provide effective protection and traffic control regardless of the operating system your instances use.
The concept of a security group is created in the Dome9 compliance engine as a more flexible firewall grouping mechanism. Firewall rules can be assigned in one of the following modes: to all instances in the network, to instances by target tag, or to instances by target service account. In the compliance engine, these rules are grouped by tags.
Compliance Frameworks
- CloudGuard GCP All Rules Ruleset
- GCP CIS Controls V 8
- GCP CIS Foundations v. 1.0.0
- GCP CIS Foundations v. 1.1.0
- GCP CIS Foundations v. 1.2.0
- GCP CIS Foundations v. 1.3.0
- GCP CIS Foundations v. 2.0
- GCP CloudGuard Best Practices
- GCP CloudGuard Network Security
- GCP GDPR Readiness
- GCP HIPAA
- GCP ISO 27001:2013
- GCP LGPD regulation
- GCP MITRE ATT&CK Framework v12.1
- GCP NIST 800-53 Rev 4
- GCP NIST 800-53 Rev 5
- GCP NIST CSF v1.1
- GCP PCI-DSS 3.2
- GCP PCI-DSS 4.0
Updated about 1 year ago