Ensure that no VMInstance allows incoming traffic from 0.0.0.0/0 to a known TCP port.

To implement the principle of least privilege and reduce the possibility of a breach, always make sure that VMInstances are reached by expected traffic only. The network to which a VMInstance belongs should not have any enabled firewall rule with an 'allow' effect for incoming traffic from 0.0.0.0/0 to the well-known TCP ports. A VPC network's implied rule already denies all ingress, so this exposure is created only by explicit allow rules, and the check below considers only instances that have a public IP address (isPublic=true).

Risk Level: Medium
Cloud Entity: Virtual Machine Instances
CloudGuard Rule ID: D9.GCP.NET.34
Covered by Spectral: No
Category: Compute

GSL LOGIC

VMInstance where isPublic=true should not have nics contain [ inboundRules contain [ enabled=true and action='ALLOW' and source='0.0.0.0/0' and destinationPort in($CloudGuard_Known_TCP_Ports) and protocol='TCP' ] ]

REMEDIATION

From Portal

  1. Sign in to the GCP console and navigate to the affected VM instance: https://console.cloud.google.com/compute/instances
  2. In the Network interfaces section, click the network the VMInstance belongs to.
  3. Edit the firewall rules of that network, replacing 0.0.0.0/0 in the source IP ranges of any ingress allow rule with the expected IP ranges only.

From Command Line
Find the network to which the VMInstance belongs (from its network interfaces), list that network's ingress firewall rules, and update every enabled allow rule whose source ranges include 0.0.0.0/0 so that it permits only the expected IP ranges (gcloud compute firewall-rules update, reference 2). Note that updating the source ranges replaces the whole list, so supply every range that should remain.
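The following is an added example, not CloudGuard's or Google's code. It replays the GSL logic above offline over firewall rules shaped like the JSON that gcloud compute firewall-rules list --format=json returns, and prints the gcloud compute firewall-rules update command that closes each finding. The port set KNOWN_TCP_PORTS is an assumption standing in for $CloudGuard_Known_TCP_Ports, whose contents are not given on this page; the sample rules, project name and network name are constructed.

```python
"""Offline evaluator for CloudGuard rule D9.GCP.NET.34 (added example).

Replays the GSL condition (enabled ingress ALLOW rule, source 0.0.0.0/0,
protocol TCP, destination port in the known-port list) over rules shaped
like `gcloud compute firewall-rules list --format=json` output.
"""

# Assumption: a stand-in for $CloudGuard_Known_TCP_Ports (not given on this page).
KNOWN_TCP_PORTS = {21, 22, 23, 25, 80, 110, 143, 443, 445, 1433, 3306, 3389, 5432, 5900, 6379, 27017}

# Constructed network self-link, in the form the API returns.
NET = "https://www.googleapis.com/compute/v1/projects/demo/global/networks/prod-vpc"

# Constructed sample rules, all on prod-vpc; only the first three should match.
SAMPLE_RULES = [
    {"name": "allow-ssh-anywhere", "network": NET, "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    # a port range that covers known ports (3306, 3389) without listing them explicitly
    {"name": "allow-db-range", "network": NET, "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.0.0.0/8", "0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3300-3400"]}]},
    # no source filter and no port list: GCP defaults the source to 0.0.0.0/0 and allows all tcp ports
    {"name": "allow-all-tcp-no-source", "network": NET, "direction": "INGRESS", "disabled": False,
     "allowed": [{"IPProtocol": "tcp"}]},
    {"name": "allow-ssh-corp", "network": NET, "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["203.0.113.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-dns-udp", "network": NET, "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "udp", "ports": ["53"]}]},
    {"name": "disabled-rdp", "network": NET, "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "deny-telnet", "network": NET, "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "tcp", "ports": ["23"]}]},
    {"name": "egress-any", "network": NET, "direction": "EGRESS", "disabled": False,
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp"}]},
]


def ports_cover_known(ports):
    """True if any entry in `ports` ("22" or "3300-3400") covers a known TCP port.
    A missing "ports" key on an allowed entry means every port of that protocol."""
    if ports is None:
        return True
    for spec in ports:
        lo, _, hi = spec.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if any(lo <= p <= hi for p in KNOWN_TCP_PORTS):
            return True
    return False


def is_world_open_ingress_allow(rule):
    """enabled=true and action='ALLOW' and source='0.0.0.0/0' from the GSL.
    Caveat: an ingress rule with none of sourceRanges, sourceTags or
    sourceServiceAccounts defaults to 0.0.0.0/0 in GCP, so it counts as world-open."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled", False):
        return False
    if "allowed" not in rule:  # a deny rule never creates this finding
        return False
    has_source = any(k in rule for k in ("sourceRanges", "sourceTags", "sourceServiceAccounts"))
    return (not has_source) or "0.0.0.0/0" in rule.get("sourceRanges", [])


def offending_rules(rules, network_name):
    """Rules on `network_name` that allow 0.0.0.0/0 to a known TCP port."""
    findings = []
    for rule in rules:
        if rule["network"].rsplit("/", 1)[-1] != network_name:
            continue
        if not is_world_open_ingress_allow(rule):
            continue
        # protocol "all" has no port list and therefore covers every TCP port too
        tcp_hit = any(a.get("IPProtocol", "").lower() in ("tcp", "all")
                      and ports_cover_known(a.get("ports"))
                      for a in rule["allowed"])
        if tcp_hit:
            findings.append(rule)
    return findings


def remediation_command(rule, expected_sources):
    """The gcloud command that replaces the rule's source ranges wholesale."""
    return ("gcloud compute firewall-rules update {} --source-ranges={}"
            .format(rule["name"], ",".join(expected_sources)))


if __name__ == "__main__":
    # Assumption: the instance's network name was read beforehand with
    #   gcloud compute instances describe NAME --zone ZONE --format='value(networkInterfaces[].network)'
    # and 203.0.113.0/24 is the constructed "expected" source range.
    for rule in offending_rules(SAMPLE_RULES, "prod-vpc"):
        print("FINDING:", rule["name"])
        print("  fix:", remediation_command(rule, ["203.0.113.0/24"]))
```

Two simplifications to keep in mind when reading the output: the GSL maps rules onto an instance's NICs, which also depends on the rule's target tags or target service accounts, while this check treats every rule on the network as applying to the instance; and because --source-ranges replaces the entire list, the expected ranges passed to remediation_command must include every range that should stay, not only the replacement for 0.0.0.0/0.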

From TF
Find the network to which the VMInstance belongs and locate the google_compute_firewall resources that reference it. In every ingress allow rule, replace 0.0.0.0/0 in source_ranges with the expected IP ranges only, then plan and apply the change (reference 3).

References

  1. https://cloud.google.com/vpc/docs/using-firewalls#updating_firewall_rules
  2. https://cloud.google.com/sdk/gcloud/reference/compute/firewall-rules/update
  3. https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall

Virtual Machine Instances

Compute Engine instances can run the public images for Linux and Windows Server that Google provides as well as private custom images that you can create or import from your existing systems. You can also deploy Docker containers, which are automatically launched on instances running the Container-Optimized OS public image.

You can choose the machine properties of your instances, such as the number of virtual CPUs and the amount of memory, by using a set of predefined machine types or by creating your own custom machine types.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CloudGuard Best Practices
  • GCP CloudGuard CheckUp
  • GCP CloudGuard Network Security
  • GCP CloudGuard SOC2 based on AICPA TSC 2017
  • GCP GDPR Readiness
  • GCP ISO 27001:2013
  • GCP LGPD regulation
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 4
  • GCP NIST 800-53 Rev 5
  • GCP NIST CSF v1.1
  • GCP PCI-DSS 3.2
  • GCP PCI-DSS 4.0
  • GCP Security Risk Management