📝 Google Project has a default network 🟢

• Contextual name: 📝 Project has a default network 🟢
• ID: /ce/ca/google/project/project-with-default-network
• Located in: 📁 Google Project

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Similar Policies

• Cloud Conformity
  • Default VPC Network In Use

Logic

• 🧠 prod.logic.yaml 🟢
  • 📕 Google Project
  • 🔌 Google GCE Network - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

To prevent use of default network, a project should not have a default network.

Rationale

The default network has a preconfigured network configuration and automatically generates the following insecure firewall rules:

• default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.
• default-allow-ssh: Allows ingress connections on TCP port 22(SSH) from any source to any instance in the network.
• default-allow-rdp: Allows ingress connections on TCP port 3389(RDP) from any source to any instance in the network.
• default-allow-icmp: Allows ingress ICMP traffic from any source to any instance in the network.

These automatically created firewall rules do not get audit logged by default.

Furthermore, the default network is an auto mode network, which means that its subnets use the same predefined range of IP addresses, and as a result, it's not possible to use Cloud VPN or VPC Network Peering with the default network.

Based on organization security and networking requirements, the organization should create a new network and delete the default network.

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to the VPC networks page by visiting: https://console.cloud.google.com/networking/networks/list.
2. Click the network named default.
3. On the network detail page, click EDIT.
4. Click DELETE VPC NETWORK.
5. If needed, create a new network to replace the default network.

From Google Cloud CLI

For each Google Cloud Platform project,

1. Delete the default network:

        gcloud compute networks delete default

2. If needed, create a new network to replace it:

        gcloud compute networks create NETWORK_NAME

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 CIS GCP v3.0.0 → 💼 3.1 Ensure That the Default Network Does Not Exist in a Project - Level 2 (Automated)			1
💼 Cloudaware Framework → 💼 Secure Access			43