Skip to main content

⭐ Repository β†’ πŸ“ Compliance Engine β†’ πŸ“ CloudAware β†’ πŸ“ Google β†’ πŸ“ VPC

πŸ›‘οΈ Google GCE Network has Firewall Rules which allow unrestricted SSH access from the Internet🟒

  • Contextual name: πŸ›‘οΈ GCE Network has Firewall Rules which allow unrestricted SSH access from the Internet🟒
  • ID: /ce/ca/google/vpc/network-ssh-access
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic​

Similar Policies​

Description​

Open File

Description​

GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow the user to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.

Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic. When specifying a source for an ingress rule or a destination for an egress rule by address, only an IPv4 address or IPv4 block in CIDR notation can be used. Generic (0.0.0.0/0) incoming traffic from the internet to VPC or VM instance using SSH on Port 22 can be avoided.

Rationale​

GCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network. Egress and ingress traffic flows are controlled even if the traffic stays within the network (for example, instance-to-instance communication). For an instance to have outgoing Internet access, the network must have a valid Internet gateway route or custom route whose destination IP is specified. This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from the Internet through SSH with the default Port 22. Generic access from the Internet to a specific IP Range needs to be restricted.

... see more

Remediation​

Open File

Remediation​

From Google Cloud Console​

  1. Go to VPC Network.
  2. Go to the Firewall Rules.
  3. Click the Firewall Rule you want to modify.
  4. Click Edit.
  5. Modify Source IP ranges to specific IP.
  6. Click Save.

From Google Cloud CLI​

1.Update the Firewall rule with the new SOURCE_RANGE from the below command:

    gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=[CIDR_RANGE,...]

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό CIS GCP v1.2.0 β†’ πŸ’Ό 3.6 Ensure that SSH access is restricted from the internet - Level 2 (Automated)1no data
πŸ’Ό CIS GCP v1.3.0 β†’ πŸ’Ό 3.6 Ensure That SSH Access Is Restricted From the Internet - Level 2 (Automated)1no data
πŸ’Ό CIS GCP v2.0.0 β†’ πŸ’Ό 3.6 Ensure That SSH Access Is Restricted From the Internet - Level 2 (Automated)1no data
πŸ’Ό CIS GCP v3.0.0 β†’ πŸ’Ό 3.6 Ensure That SSH Access Is Restricted From the Internet - Level 2 (Automated)1no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Secure Access55no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CA-9 Internal System Connections (L)(M)(H)1no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)10848no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CA-9 Internal System Connections (L)(M)(H)1no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)33no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CA-9 Internal System Connections (L)(M)(H)1no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)742no data
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.13.1.1 Network controls1no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed1014no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.CM-1: The network is monitored to detect potential cybersecurity events1841no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-3: Remote access is managed1no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)1022no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-2: Data-in-transit is protected1631no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-5: Protections against data leaks are implemented4766no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-4: Communications and control networks are protected1022no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events118no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained48no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-03: Users, services, and hardware are authenticated32no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties91no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk22no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected117no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected97no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected111no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-01: Networks and environments are protected from unauthorized logical access and usage69no data
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό SC-7 BOUNDARY PROTECTION23510no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CA-9 Internal System Connections122no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7 Boundary Protection29450no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.1 Establish and implement firewall and router configuration standards7139no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.1035no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.7826no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.34no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.3.1 Inbound traffic to the CDE is restricted.35no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.3.2 Outbound traffic from the CDE is restricted.35no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.4.1 NSCs are implemented between trusted and untrusted networks.17no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.2434no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.3.1 Inbound traffic to the CDE is restricted.735no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.3.2 Outbound traffic from the CDE is restricted.35no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.4.1 NSCs are implemented between trusted and untrusted networks.717no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.6-1 Restricts Access1619no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.6-4 Implements Boundary Protection Systems4no data