🛡️ Google GCE Network allows unrestricted SSH traffic🟢

• Contextual name: 🛡️ GCE Network allows unrestricted SSH traffic🟢
• ID: /ce/ca/google/vpc/network-ssh-access
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Google GCE Network
  • 🔌 Google GCE Firewall Rule - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Check for Unrestricted SSH Access

Description

Open File

Description

This policy identifies Google GCE Networks that have Firewall Rules allowing unrestricted incoming traffic (0.0.0.0/0) from the internet to the Secure Shell (SSH) port, TCP/22.

In GCP, Firewall Rules are defined at the VPC Network level. Each rule either allows or denies traffic based on its configuration. These configurations specify the type of traffic (e.g., protocols and ports) and the source or destination (e.g., IP addresses, subnets, and instances).

Rationale

SSH is the primary protocol for remote administration of Linux-based virtual machines. Exposing the SSH port to the entire internet makes it a persistent target for automated attacks. Malicious actors continuously scan for open port 22 to launch brute-force password attacks, credential stuffing, or exploit known vulnerabilities in SSH daemons. A successful attack can lead to complete compromise of the virtual machine. Access should be restricted to trusted IP ranges, such as a corporate VPN or bastion host, or managed through more secure mechanisms like Google Cloud's Identity-Aware Proxy (IAP).

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to VPC Network.
2. Go to the Firewall Rules.
3. Click the Firewall Rule to be modified.
4. Click Edit.
5. Modify Source IP ranges to specific IP ranges.
6. Click Save.

From Google Cloud CLI

1. Identify Firewall Rules Allowing Public Access

   gcloud compute networks get-effective-firewalls default \
       --format="table(NAME, DIRECTION, {{ip-ranges}})" \
       --filter="{{ip-ranges}}:0.0.0.0/0 AND DIRECTION:INGRESS"

2. Restrict the Source Range

   Once you have identified the firewall rules, update each one to restrict access to trusted CIDR ranges:

   gcloud compute firewall-rules update {{firewall-rule-name}} \
       --source-ranges={{cidr-range1}},{{cidr-range2}}

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS GCP v1.2.0 → 💼 3.6 Ensure that SSH access is restricted from the internet - Level 2 (Automated)			1		no data
💼 CIS GCP v1.3.0 → 💼 3.6 Ensure That SSH Access Is Restricted From the Internet - Level 2 (Automated)			1		no data
💼 CIS GCP v2.0.0 → 💼 3.6 Ensure That SSH Access Is Restricted From the Internet - Level 2 (Automated)			1		no data
💼 CIS GCP v3.0.0 → 💼 3.6 Ensure That SSH Access Is Restricted From the Internet - Level 2 (Automated)			1		no data
💼 CIS GCP v4.0.0 → 💼 3.6 Ensure That SSH Access Is Restricted From the Internet - Level 2 (Automated)			1		no data
💼 Cloudaware Framework → 💼 Network Exposure			137		no data
💼 FedRAMP High Security Controls → 💼 CA-9 Internal System Connections (L)(M)(H)			1		no data
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	10	8	88		no data
💼 FedRAMP Low Security Controls → 💼 CA-9 Internal System Connections (L)(M)(H)			1		no data
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)			49		no data
💼 FedRAMP Moderate Security Controls → 💼 CA-9 Internal System Connections (L)(M)(H)			1		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	7		72		no data
💼 ISO/IEC 27001:2013 → 💼 A.13.1.1 Network controls			21		no data
💼 NIST CSF v1.1 → 💼 DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed		10	34		no data
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events		19	63		no data
💼 NIST CSF v1.1 → 💼 PR.AC-3: Remote access is managed			22		no data
💼 NIST CSF v1.1 → 💼 PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)		10	44		no data
💼 NIST CSF v1.1 → 💼 PR.DS-2: Data-in-transit is protected		16	53		no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		54	98		no data
💼 NIST CSF v1.1 → 💼 PR.PT-4: Communications and control networks are protected		10	44		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			185		no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			89		no data
💼 NIST CSF v2.0 → 💼 PR.AA-03: Users, services, and hardware are authenticated			54		no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			144		no data
💼 NIST CSF v2.0 → 💼 PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk			44		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			196		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			167		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			197		no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			129		no data
💼 NIST SP 800-53 Revision 4 → 💼 SC-7 BOUNDARY PROTECTION	23	5	31		no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9 Internal System Connections	1		55		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection	29	8	98		no data
💼 PCI DSS v3.2.1 → 💼 1.1 Establish and implement firewall and router configuration standards	7	1	45		no data
💼 PCI DSS v3.2.1 → 💼 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.		10	67		no data
💼 PCI DSS v3.2.1 → 💼 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.	7	8	44		no data
💼 PCI DSS v4.0.1 → 💼 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.			40		no data
💼 PCI DSS v4.0.1 → 💼 1.3.1 Inbound traffic to the CDE is restricted.			67		no data
💼 PCI DSS v4.0.1 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			67		no data
💼 PCI DSS v4.0.1 → 💼 1.4.1 NSCs are implemented between trusted and untrusted networks.			21		no data
💼 PCI DSS v4.0 → 💼 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.		30	40		no data
💼 PCI DSS v4.0 → 💼 1.3.1 Inbound traffic to the CDE is restricted.		9	67		no data
💼 PCI DSS v4.0 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			67		no data
💼 PCI DSS v4.0 → 💼 1.4.1 NSCs are implemented between trusted and untrusted networks.		9	21		no data
💼 SOC 2 → 💼 CC6.6-1 Restricts Access		16	19		no data
💼 SOC 2 → 💼 CC6.6-4 Implements Boundary Protection Systems			4		no data