
🛡️ Google GCE Network has no egress deny Firewall Rule🟢

Description

This policy identifies Google GCE Networks that lack at least one egress firewall rule configured to explicitly deny outbound traffic.

Rationale

Implementing a default-deny posture for egress traffic is a fundamental security best practice. By default, every VPC network carries an implied rule (priority 65535) that permits all outbound traffic. Creating a lowest-precedence firewall rule that denies all egress traffic (priority 65534, the highest number you can configure, since GCE evaluates the lowest number first) overrides that implied allow and forces network administrators to deliberately define rules with a lower priority number that allow only the necessary outbound connections. This approach helps prevent data exfiltration, restricts compromised instances from communicating with external servers, and enforces the principle of least privilege for network traffic.

Impact

Enforcing this policy may disrupt legitimate outbound traffic that currently relies on the implied allow-egress rule rather than on explicit allow rules. Connections to the metadata server (169.254.169.254) are always allowed and are not affected, but egress to Google APIs, package repositories, and other external dependencies must be permitted by rules with a lower priority number than the deny rule before it is created, or workloads lose connectivity as soon as the rule takes effect.

Audit

This policy flags a Google GCE Network as INCOMPLIANT if it does not have at least one associated Google GCE Firewall Rule that meets the following criteria:

  • Direction: EGRESS
  • Destination Ranges: 0.0.0.0/0

... see more
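The Audit criteria above can be applied directly to the JSON that `gcloud compute firewall-rules list --format=json` and `gcloud compute networks list --format=json` emit. The following script is an added example, not Cloudaware's own policy logic: it evaluates every network against the visible criteria (direction EGRESS, destination range 0.0.0.0/0), adds two assumptions that are labelled in the code (the rule must carry a `denied` action, and a disabled rule does not count), and also lists which higher-precedence allow rules open holes in a compliant deny rule. The field names follow the Compute API Firewall resource; the rule data is a constructed sample, not captured from a real project.

```python
"""Audit GCE VPC networks for a default-deny egress firewall rule.

Added example (not Cloudaware's policy code). Works on the JSON that
`gcloud compute firewall-rules list --format=json` produces; the sample
below is constructed, not captured from a real project.
"""
import json
from collections import defaultdict

NETWORK_PREFIX = "https://www.googleapis.com/compute/v1/projects/demo/global/networks/"

# Constructed stand-in for `gcloud compute networks list --format="value(name)"`.
NETWORKS = ["prod", "staging", "dev", "sandbox"]

# Constructed stand-in for `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES = [
    {"name": "deny-all-egress", "network": NETWORK_PREFIX + "prod", "direction": "EGRESS",
     "priority": 65534, "destinationRanges": ["0.0.0.0/0"],
     "denied": [{"IPProtocol": "all"}], "disabled": False},
    {"name": "allow-https-egress", "network": NETWORK_PREFIX + "prod", "direction": "EGRESS",
     "priority": 1000, "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}], "disabled": False},
    # Same priority number as the deny: a deny wins a tie, so this allow has no effect.
    {"name": "allow-dns-egress-tied", "network": NETWORK_PREFIX + "prod", "direction": "EGRESS",
     "priority": 65534, "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "udp", "ports": ["53"]}], "disabled": False},
    # Right shape but disabled: GCE does not enforce a disabled rule.
    {"name": "deny-all-egress-off", "network": NETWORK_PREFIX + "staging", "direction": "EGRESS",
     "priority": 65534, "destinationRanges": ["0.0.0.0/0"],
     "denied": [{"IPProtocol": "all"}], "disabled": True},
    # Ingress, not egress: does not satisfy this policy.
    {"name": "deny-all-ingress", "network": NETWORK_PREFIX + "dev", "direction": "INGRESS",
     "priority": 65534, "sourceRanges": ["0.0.0.0/0"],
     "denied": [{"IPProtocol": "all"}], "disabled": False},
    # Egress deny for a single range only, not 0.0.0.0/0.
    {"name": "deny-rfc1918-egress", "network": NETWORK_PREFIX + "dev", "direction": "EGRESS",
     "priority": 900, "destinationRanges": ["10.0.0.0/8"],
     "denied": [{"IPProtocol": "all"}], "disabled": False},
]


def network_name(self_link):
    """Reduce a network self-link to its short name."""
    return self_link.rstrip("/").rsplit("/", 1)[-1]


def is_default_deny_egress(rule):
    """True when a rule satisfies the policy's Audit criteria.

    Visible criteria: direction EGRESS and destination range 0.0.0.0/0.
    Assumptions added in this example: the rule carries a `denied` action
    (the policy's rationale is a deny rule) and is not disabled.
    """
    return (
        rule.get("direction") == "EGRESS"
        and "0.0.0.0/0" in rule.get("destinationRanges", [])
        and bool(rule.get("denied"))
        and not rule.get("disabled", False)
    )


def audit_networks(networks, rules):
    """Map each network name to COMPLIANT or INCOMPLIANT."""
    denies = defaultdict(list)
    for rule in rules:
        if is_default_deny_egress(rule):
            denies[network_name(rule["network"])].append(rule["name"])
    return {n: "COMPLIANT" if denies.get(n) else "INCOMPLIANT" for n in networks}


def overriding_allows(deny_rule_name, rules):
    """Egress allow rules on the same network that take precedence over the deny.

    GCE evaluates the lowest priority number first and a deny wins a tie,
    so only enabled allows with a strictly lower number open a hole.
    """
    deny = next(r for r in rules if r["name"] == deny_rule_name)
    return sorted(
        r["name"] for r in rules
        if r["network"] == deny["network"]
        and r.get("direction") == "EGRESS"
        and r.get("allowed")
        and not r.get("disabled", False)
        and r["priority"] < deny["priority"]
    )


if __name__ == "__main__":
    # In practice: rules = json.load(open("firewall-rules.json"))
    rules = json.loads(json.dumps(SAMPLE_RULES))
    for net, status in audit_networks(NETWORKS, rules).items():
        print(f"{net}: {status}")
    print("allows that override deny-all-egress:", overriding_allows("deny-all-egress", rules))
```

Only `prod` comes out COMPLIANT: `staging` has the right rule but it is disabled, `dev` has only an ingress deny and a partial egress deny, and `sandbox` has no rules at all. The second function is the check to run after remediation, since a compliant deny rule is only as strict as the allow rules placed in front of it.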

Remediation

Create a Default-Deny Egress Firewall Rule

Creating a firewall rule that denies all egress traffic ensures that no outbound connections are allowed unless explicitly permitted by rules with a lower priority number, which GCE evaluates first.

From gcloud CLI
```sh
# Deny all IPv4 egress at priority 65534, the lowest precedence you can configure.
# GCE evaluates the lowest number first; 65535 is reserved for the implied
# allow-egress rule that this deny overrides.
gcloud compute firewall-rules create {{firewall-rule-name}} \
--network={{network-name}} \
--action=DENY \
--direction=EGRESS \
--priority=65534 \
--rules=all \
--destination-ranges=0.0.0.0/0 \
--enable-logging
```

Notes:

  • Priority 65534 is the lowest precedence you can configure (GCE evaluates the lowest number first, and 65535 is reserved for the implied rules), so the rule sits just above the implied allow-egress rule and every rule with a smaller priority number takes precedence over it. An allow rule that shares priority 65534 does not override it, because a deny wins a tie.
  • 0.0.0.0/0 covers IPv4 only. A single firewall rule cannot mix IPv4 and IPv6 ranges, so networks with dual-stack subnets need a second deny rule with --destination-ranges=::/0.
  • --enable-logging is optional but recommended: the firewall logs show which flows the deny drops, which is the quickest way to find legitimate traffic that still needs an allow rule.
  • Create the higher-precedence allow rules (for example, for Google APIs and package repositories) before this deny rule, otherwise existing workloads lose connectivity the moment it is created.


Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 Cloudaware Framework → 💼 Secure Access57no data
💼 PCI DSS v3.2.1 → 💼 7.2 Establish an access control system(s) for systems components that restricts access based on a user's need to know, and is set to “deny all” unless specifically allowed.38no data