Powerpipe Detection Mods →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-gcp-compliance
Overview
12Dashboards
536Benchmarks
201Queries
2Variables
GitHub

Control: 3.7 Ensure that RDP access is restricted from the Internet

Description

GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow the user to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.

Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic. When specifying a source for an ingress rule or a destination for an egress rule by address, only an IPv4 address or IPv4 block in CIDR notation can be used. Generic (0.0.0.0/0) incoming traffic from the internet to VPC or VM instance using RDP on Port 3389 can be avoided.

GCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network. Egress and ingress traffic flows are controlled even if the traffic stays within the network (for example, instance-to-instance communication). For an instance to have outgoing Internet access, the network must have a valid Internet gateway route or custom route whose destination IP is specified. This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from the Internet through RDP with the default Port 3389. Generic access from the Internet to a specific IP Range needs to be restricted.

Remediation

From Console

  1. Login to VPC Network.
  2. Navigate to Firewall from left side panel.
  3. Click the Firewall Rule you want to modify. Click Edit.
  4. Ensure that Port is not equal to 3389 and Action is not set to Allow.
  5. Ensure IP Ranges is not equal to 0.0.0.0/0 under Source filters.
  6. In case port 3389 is open to 0.0.0.0/0, modify Source IP ranges to specific IP.
  7. Click Save.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.cis_v130_3_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.cis_v130_3_7 --share

SQL

This control uses a named query:

with ip_protocol_all as (
  select
    name
  from
    gcp_compute_firewall
  where
    direction = 'INGRESS'
    and action = 'Allow'
    and source_ranges ?& array['0.0.0.0/0']
    and (allowed @> '[{"IPProtocol":"all"}]' or allowed::text like '%!{"IPProtocol": "tcp"}%')
),
ip_protocol_tcp as (
  select
    name
  from
    gcp_compute_firewall,
    jsonb_array_elements(allowed) as p,
    jsonb_array_elements_text(p -> 'ports') as port
  where
    direction = 'INGRESS'
    and action = 'Allow'
    and source_ranges ?& array['0.0.0.0/0']
    and p ->> 'IPProtocol' = 'tcp'
    and (
      port = '3389'
      or (
        port like '%-%'
        and split_part(port, '-', 1) :: integer <= 3389
        and split_part(port, '-', 2) :: integer >= 3389
      )
    )
)
select
  self_link resource,
  case
    when name in (select name from ip_protocol_tcp) then 'alarm'
    when name in (select name from ip_protocol_all) then 'alarm'
    else 'ok'
  end as status,
  case
    when name in (select name from ip_protocol_tcp) or name in (select name from ip_protocol_all)
      then title || ' allows RDP access from internet.'
    else title || ' restricts RDP access from internet.'
  end as reason
  , location as location, project as project
from
  gcp_compute_firewall;

Tags

benchmark = cis
category = Compliance
cis_item_id = 3.7
cis_level = 2
cis_section_id = 3
cis_type = automated
cis_version = v1.3.0
plugin = gcp
service = GCP/Compute