Ensure that no VMInstance allows incoming traffic from '0.0.0.0/0' to all protocols and ports.
To implement the principle of least privilege and reduce the possibility of a breach, always make sure that VMInstances are reached by expected traffic only. The network to which a VMInstance belongs should not have any enabled firewall rule with an 'allow' action for incoming traffic from 0.0.0.0/0 to all protocols and ports.
Risk Level: High
Cloud Entity: Virtual Machine Instances
CloudGuard Rule ID: D9.GCP.NET.32
Covered by Spectral: No
Category: Compute
GSL LOGIC
VMInstance where isPublic=true should not have nics contain [ inboundRules contain [ enabled=true and action='ALLOW' and source='0.0.0.0/0' and destinationPort>=0 and destinationPortTo<=65535 and protocol='ALL' ] ]
REMEDIATION
From Portal
- Sign in to the GCP console and navigate to the affected VM instance https://console.cloud.google.com/compute/instances
- In the network interfaces section, click the network the VMInstance belongs to.
- Edit the firewall rules of that network with appropriate IP ranges, ports and protocols.
From Command Line
Find the network to which the VMInstance belongs and update its firewall rules with appropriate IP ranges. Use the gcloud compute firewall-rules update reference link below to edit the firewall rules.
From TF
Find the network to which the VMInstance belongs and update its firewall rules with appropriate IP ranges. Use the Terraform google_compute_firewall resource link below to edit the firewall rules.
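Added example (not part of the CloudGuard page or its tooling): a small checker that applies the GSL condition above to the JSON produced by `gcloud compute firewall-rules list --format=json`, groups the offending rules by network so you can see which VMInstance networks are affected, and prints the narrowing command from the references. The sample rules, network paths and CIDRs below are constructed; `<TRUSTED-CIDR>` is a placeholder you replace with your own allowed range.

```python
import json

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`
# (four rules on two networks; names and CIDRs are made up for this example).
SAMPLE_RULES_JSON = """[
 {"name": "default-allow-all", "network": "global/networks/default", "direction": "INGRESS",
  "disabled": false, "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
 {"name": "allow-ssh-office", "network": "global/networks/default", "direction": "INGRESS",
  "disabled": false, "sourceRanges": ["203.0.113.0/24"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "legacy-open", "network": "global/networks/prod", "direction": "INGRESS",
  "disabled": true, "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
 {"name": "egress-any", "network": "global/networks/prod", "direction": "EGRESS",
  "disabled": false, "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]}
]"""


def is_open_to_world(rule: dict) -> bool:
    """Mirror the GSL condition: enabled, ALLOW, ingress, source 0.0.0.0/0, protocol ALL.
    In GCP an 'all' protocol entry cannot carry a port list, so it covers ports 0-65535."""
    if rule.get("direction", "INGRESS") != "INGRESS":
        return False
    if rule.get("disabled", False):          # enabled=true in the GSL
        return False
    if "allowed" not in rule:                # action='ALLOW' (deny rules carry "denied")
        return False
    if "0.0.0.0/0" not in rule.get("sourceRanges", []):
        return False
    return any(a.get("IPProtocol", "").lower() == "all" for a in rule["allowed"])


def open_rules_by_network(rules_json: str) -> dict:
    """Map each network to the names of its rules that trigger this finding."""
    result = {}
    for rule in json.loads(rules_json):
        if is_open_to_world(rule):
            result.setdefault(rule["network"], []).append(rule["name"])
    return result


def remediation_command(rule_name: str, allowed_cidr: str = "<TRUSTED-CIDR>") -> str:
    """Suggested fix from the references: narrow the source range instead of deleting the rule."""
    return f"gcloud compute firewall-rules update {rule_name} --source-ranges={allowed_cidr}"


if __name__ == "__main__":
    for network, names in open_rules_by_network(SAMPLE_RULES_JSON).items():
        for name in names:
            print(f"{network}: {name} -> {remediation_command(name)}")
```

Only the enabled ingress rule on the default network is reported; the disabled rule and the egress rule are correctly ignored, matching the `enabled=true` and inbound conditions of the GSL.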
References
- https://cloud.google.com/vpc/docs/using-firewalls#updating_firewall_rules
- https://cloud.google.com/sdk/gcloud/reference/compute/firewall-rules/update
- https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall
Virtual Machine Instances
Compute Engine instances can run the public images for Linux and Windows Server that Google provides as well as private custom images that you can create or import from your existing systems. You can also deploy Docker containers, which are automatically launched on instances running the Container-Optimized OS public image.
You can choose the machine properties of your instances, such as the number of virtual CPUs and the amount of memory, by using a set of predefined machine types or by creating your own custom machine types.
Compliance Frameworks
- CloudGuard GCP All Rules Ruleset
- GCP CloudGuard Best Practices
- GCP MITRE ATT&CK Framework v12.1
- GCP NIST 800-53 Rev 5
- GCP PCI-DSS 4.0
Updated about 1 year ago