🛡️ Google GCE Network allows unrestricted traffic to all ports🟢

• Contextual name: 🛡️ GCE Network allows unrestricted traffic to all ports🟢
• ID: /ce/ca/google/vpc/network-all-ports-access
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Google GCE Network
  • 🔌 Google GCE Firewall Rule - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

This policy identifies Google GCE Networks that have Firewall Rules allowing unrestricted incoming traffic (0.0.0.0/0) from the internet to all ports within a VPC Network.

In GCP, Firewall Rules are defined at the VPC Network level. Each rule either allows or denies traffic based on its configuration. These configurations specify the type of traffic (e.g., protocols and ports) and the source or destination (e.g., IP addresses, subnets, and instances).

Rationale

Allowing unrestricted access to all ports across a network drastically increases the attack surface of every resource within that environment. Such a configuration can unintentionally expose internal services to reconnaissance, brute-force attempts, and other malicious activity originating from the public internet. To maintain a strong security posture, firewall rules should restrict access to only required ports and trusted IP ranges.

Impact

External connections to the affected VPC(s) from untrusted sources may be blocked. If legitimate business needs require remote access, trusted source IP addresses should be explicitly defined in firewall rules to whitelist access only to the specific ports that are necessary for operation.

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to VPC Network.
2. Go to the Firewall Rules.
3. Click the Firewall Rule to be modified.
4. Click Edit.
5. Modify Source IP ranges to specific IP.
6. Click Save.

From Google Cloud CLI

1. Identify Firewall Rules Allowing Public Access

   gcloud compute networks get-effective-firewalls default \
       --format="table(NAME, DIRECTION, IP_RANGES)" \
       --filter="IP_RANGES:0.0.0.0/0 AND DIRECTION:INGRESS"

2. Restrict the Source Range

   Once you have identified the firewall rules, update each one to restrict access to trusted CIDR ranges:

   gcloud compute firewall-rules update {{firewall-rule-name}} \
       -allow=[{{tcp:80-80}},{{icmp}}] \
       --source-ranges={{cidr-range1}},{{cidr-range2}}

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 Cloudaware Framework → 💼 Public and Anonymous Access			101		no data
💼 PCI DSS v3.2.1 → 💼 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.		10	56		no data
💼 PCI DSS v4.0.1 → 💼 1.3.1 Inbound traffic to the CDE is restricted.			56		no data
💼 PCI DSS v4.0.1 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			56		no data
💼 PCI DSS v4.0 → 💼 1.3.1 Inbound traffic to the CDE is restricted.		7	56		no data
💼 PCI DSS v4.0 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			56		no data