Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses Is 'Allowed'

IAP authenticates user requests to your apps via Google single sign-on. You can then manage these users with permissions to control access. It is recommended to use both IAP permissions and firewall rules to restrict access to apps that hold sensitive information.

Risk Level: High
Cloud Entity: GCP VPC Network
CloudGuard Rule ID: D9.GCP.NET.25
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

Network should have firewallRules contain-all [ sourceRanges length()=2 and sourceRanges with ['35.235.240.0/20'] and sourceRanges with ['130.211.0.0/22'] and TargetServiceAccounts isEmpty() and targetTags isEmpty() and SourceServiceAccounts isEmpty() and allowed contain [ ipProtocol='tcp' and ports contain-all ['80' and '443']]]
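The GSL predicate above, written out as a check that can be run against a project's firewall rules. This is an added example, not CloudGuard's or Google's code; it assumes the JSON shape printed by `gcloud compute firewall-rules list --format=json` (fields name, network, sourceRanges, targetTags, targetServiceAccounts, sourceServiceAccounts, allowed) and it expands port ranges such as "80-443", which goes slightly beyond the literal GSL.

```python
"""Check GCP VPC firewall rules against the GSL logic above. Added example,
not CloudGuard's or Google's code. Input is the JSON printed by
`gcloud compute firewall-rules list --format=json`; port ranges such as
"80-443" are expanded, slightly beyond the literal GSL predicate."""
import json
from collections import defaultdict

GOOGLE_RANGES = {"35.235.240.0/20", "130.211.0.0/22"}  # IAP proxy + health check
REQUIRED_PORTS = {80, 443}

def expand_ports(ports):
    """Turn ["80", "8000-8002"] into {80, 8000, 8001, 8002}."""
    out = set()
    for spec in ports:
        lo, _, hi = spec.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def rule_is_iap_only(rule):
    """Per-rule predicate: exactly the two Google ranges, no target tags or
    service accounts (i.e. all instances), and tcp 80 and 443 allowed."""
    if set(rule.get("sourceRanges", [])) != GOOGLE_RANGES:
        return False
    if any(rule.get(k) for k in ("targetTags", "targetServiceAccounts", "sourceServiceAccounts")):
        return False
    return any(a.get("IPProtocol") == "tcp" and REQUIRED_PORTS <= expand_ports(a.get("ports", []))
               for a in rule.get("allowed", []))

def non_compliant_rules(rules_json):
    """Return {network: [offending rule names]}. GSL `contain-all` means every
    rule must pass, so a network is compliant only when its list is empty;
    networks with no rules at all never show up here."""
    by_net = defaultdict(list)
    for rule in json.loads(rules_json):
        offenders = by_net[rule["network"].rsplit("/", 1)[-1]]  # registers the network
        if not rule_is_iap_only(rule):
            offenders.append(rule["name"])
    return dict(by_net)

SAMPLE = json.dumps([  # constructed sample, not captured from a real project
    {"name": "default-allow-http", "network": "global/networks/default",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "allow-iap-traffic", "network": "global/networks/default",
     "sourceRanges": ["130.211.0.0/22", "35.235.240.0/20"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "allow-iap-traffic", "network": "global/networks/prod",
     "sourceRanges": ["35.235.240.0/20", "130.211.0.0/22"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80-443"]}]},
])
```

On the constructed sample, `non_compliant_rules(SAMPLE)` flags `default-allow-http` on the default network and reports the prod network as compliant.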

REMEDIATION

From Portal

  1. Go to the Cloud Console, VPC network and then Firewall rules https://console.cloud.google.com/networking/firewalls/list.
  2. Select the checkbox next to the following rules:
  • default-allow-http
  • default-allow-https
  • default-allow-internal
  3. Click 'Delete'.
  4. Click 'Create firewall rule' and set the following values:
  • Name - 'allow-iap-traffic'
  • Targets - All instances in the network
  • Source IP ranges - paste each of the values listed below into the box and press Enter after each one:
    i) 35.235.240.0/20 - IAP Proxy Addresses
    ii) 130.211.0.0/22 - Google Health Check
  • Protocols and ports -
    i) Specified protocols and ports: those required for access to and management of your app. For example, most health check connections are covered by the two entries below.
    ii) tcp:80 (Default HTTP Health Check port)
    iii) tcp:443 (Default HTTPS Health Check port)
    Note: if your load balancers use custom ports, list them here as well.
  5. When you're finished updating values, click Create.

From TF

  1. To delete the existing default firewall rules, import them into Terraform by defining the same resources, for example:
resource "google_compute_firewall" "firewall-rule" {
	name        = "default-allow-http"
	network     = "default"
	project     = "PROJECT_ID"
	
	# The configuration only has to exist for the import; the rule is destroyed in the next step
	allow {
		protocol = "tcp"
	}
	
	source_ranges = ["0.0.0.0/0"]
}
  2. After importing, run the commands below in sequence.
terraform import google_compute_firewall.firewall-rule default-allow-http

terraform destroy
    Note: `terraform destroy` without `-target` destroys every resource in the state, so run it in a working directory that manages only the rule being removed, or pass `-target=google_compute_firewall.firewall-rule`.
  3. Using the approach above, delete the following firewall rules:
  • default-allow-http
  • default-allow-https
  • default-allow-internal
  4. Create the new firewall rule for the existing network.
data "google_compute_network" "my-network" {
	name = "NETWORK_NAME"
}

resource "google_compute_firewall" "firewall-rule" {
	name        = "allow-iap-traffic"
	network     = data.google_compute_network.my-network.name
	project     = "PROJECT_ID"
	description = "Allow IAP Traffic"
	
	# Applies to all instances: no target_tags or target_service_accounts
	allow {
		protocol = "tcp"
		ports    = ["80", "443"]
	}
	
	# Google Health Check range and IAP proxy range only
	source_ranges = ["130.211.0.0/22", "35.235.240.0/20"]
}

From Command Line

  1. Delete the firewall rules below:
  • default-allow-http
  • default-allow-https
  • default-allow-internal
gcloud compute firewall-rules delete [FIREWALL-NAME]
  2. Create a new firewall rule using the details below.
  • Name: 'allow-iap-traffic'
  • Targets: All instances in the network
  • Source IP ranges (press Enter after you paste each value in the box):
    i) 130.211.0.0/22
    ii) 35.235.240.0/20
  • Protocols and ports:
    i) Specified protocols and ports
    ii) tcp:80
    iii) tcp:443
    Use the command below as a reference:
gcloud compute firewall-rules create NAME
[--network NETWORK; default="default"]
[--priority PRIORITY;default=1000]
[--direction (ingress|egress|in|out); default="ingress"]
[--action (deny | allow )]
[--target-tags TAG[,TAG,...]]
[--target-service-accounts=IAM_SERVICE_ACCOUNT[,IAM_SERVICE_ACCOUNT,...]]
[--source-ranges CIDR_RANGE[,CIDR_RANGE,...]]
[--source-tags TAG,TAG,]
[--source-service-accounts=IAM_SERVICE_ACCOUNT[,IAM_SERVICE_ACCOUNT,...]]
[--destination-ranges CIDR_RANGE[,CIDR_RANGE,...]]
[--rules (PROTOCOL[:PORT[-PORT]],[PROTOCOL[:PORT[-PORT]],...]] | all )
[--disabled | --no-disabled]
[--enable-logging | --no-enable-logging]
[--logging-metadata LOGGING_METADATA]

For Example:

gcloud compute --project=PROJECT_ID firewall-rules create RULE_NAME --description=allow-iap-traffic --direction=INGRESS --priority=1000 --network=NETWORK_NAME --action=ALLOW --rules=tcp:80,tcp:443 --source-ranges=130.211.0.0/22,35.235.240.0/20

GCP VPC Network

A VPC network, sometimes just called a "network," is a virtual version of a physical network, like a data center network. It provides connectivity for your Compute Engine virtual machine (VM) instances, Kubernetes Engine clusters, App Engine Flex instances, and other resources in your project.

Projects can contain multiple VPC networks. New projects start with a default network that has one subnet in each region (an auto mo

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5
  • GCP PCI-DSS 4.0