Control: 3.6 Ensure that SSH access is restricted from the internet
GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow the user to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.
Firewall rules are defined at the VPC network level and are specific to the network in which they are defined; the rules themselves cannot be shared among networks. This control considers only IPv4 traffic: the source of an ingress rule (or the destination of an egress rule) is specified by address as an IPv4 address or an IPv4 block in CIDR notation, and the catch-all block 0.0.0.0/0 matches every source on the internet. Generic (0.0.0.0/0) incoming traffic from the internet to a VPC or VM instance using SSH on port 22 can and should be avoided.
GCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network. Egress and ingress traffic flows are controlled even if the traffic stays within the network (for example, instance-to-instance communication). For an instance to have outgoing Internet access, the network must have a valid Internet gateway route or a custom route whose destination IP range is specified; that route only defines the path to the Internet and does not limit what can reach the instance. Ingress is what matters for this control: an allow rule whose source range is the most general one (0.0.0.0/0) exposes SSH on the default port 22 to the whole Internet. Generic access from the Internet to an IP range needs to be restricted to the specific source ranges that legitimately need it.
From Console
- Go to VPC Network.
- Go to Firewall Rules.
- Click the Firewall Rule you want to modify.
- Click Edit.
- Modify Source IP ranges from 0.0.0.0/0 to the specific IP range(s) that need SSH access.
- Click Save.
From Command Line
- Update the firewall rule with the new, narrower source range(s) using the command below (the `--allow` value restates the protocol and port the rule permits, e.g. `tcp:22`; `--source-ranges` replaces the existing source ranges, so list every range that still needs access):

```bash
gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=[CIDR_RANGE,...]
```
Run the control in your terminal:

```bash
powerpipe control run gcp_compliance.control.cis_v200_3_6
```

Snapshot and share results via Turbot Pipes:

```bash
powerpipe login
powerpipe control run gcp_compliance.control.cis_v200_3_6 --share
```
This control uses a named query:
```sql
-- Rules that let 0.0.0.0/0 in on every protocol, or on tcp with no port
-- list (a tcp entry with no "ports" key allows every tcp port, so 22 too).
with ip_protocol_all as (
  select
    name
  from
    gcp_compute_firewall
  where
    direction = 'INGRESS'
    and action = 'Allow'
    -- source_ranges is a jsonb array of strings; ?& checks that the
    -- catch-all block is one of its elements
    and source_ranges ?& array['0.0.0.0/0']
    and (
      allowed @> '[{"IPProtocol":"all"}]'
      -- jsonb renders a port-less tcp entry as exactly {"IPProtocol": "tcp"};
      -- an entry with ports renders as {"ports": [...], "IPProtocol": "tcp"}
      -- and therefore does not match this pattern
      or allowed::text like '%{"IPProtocol": "tcp"}%'
    )
),
-- Rules that let 0.0.0.0/0 in on tcp port 22, either listed explicitly or
-- contained in a port range such as 20-25.
ip_protocol_tcp as (
  select
    name
  from
    gcp_compute_firewall,
    jsonb_array_elements(allowed) as p,
    jsonb_array_elements_text(p -> 'ports') as port
  where
    direction = 'INGRESS'
    and action = 'Allow'
    and source_ranges ?& array['0.0.0.0/0']
    and p ->> 'IPProtocol' = 'tcp'
    and (
      port = '22'
      or (
        port like '%-%'
        and split_part(port, '-', 1)::integer <= 22
        and split_part(port, '-', 2)::integer >= 22
      )
    )
)
select
  self_link as resource,
  case
    when name in (select name from ip_protocol_tcp) then 'alarm'
    when name in (select name from ip_protocol_all) then 'alarm'
    else 'ok'
  end as status,
  case
    when name in (select name from ip_protocol_tcp)
      or name in (select name from ip_protocol_all)
      then title || ' allows SSH access from internet.'
    else title || ' restricts SSH access from internet.'
  end as reason,
  location as location,
  project as project
from
  gcp_compute_firewall;
```
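The same decision logic, applied outside Steampipe to the JSON that `gcloud compute firewall-rules list --format=json` emits, makes the edge cases the query has to handle visible side by side: a port range that contains 22, a tcp entry with no port list, protocol `all`, and the egress, deny and udp rules that must not fire. This is an added example, not code from the Powerpipe mod or from Google; the function names, the rule names and the sample rules are constructed here, and `203.0.113.0/24` (an RFC 5737 documentation range) stands in for a bastion network in the remediated rule. It goes slightly beyond the page in that the port is a parameter, so the same check can be run for any other service port.

```python
"""Audit GCP firewall rules for SSH exposed to the whole IPv4 internet.

Added example (not the Powerpipe mod's or Google's code). It applies the
decision logic of the cis_v200_3_6 query to rules in the JSON shape that
`gcloud compute firewall-rules list --format=json` produces.
"""

import ipaddress
import json
import sys

SSH_PORT = 22


def is_catch_all_v4(cidr: str) -> bool:
    """True for 0.0.0.0/0 (any prefix-length-0 IPv4 block), the only source
    range the control treats as "the internet". Unparseable strings are
    treated as not catch-all rather than raising."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return net.version == 4 and net.prefixlen == 0


def port_spec_covers(spec: str, port: int) -> bool:
    """GCP renders ports as strings: a single port "22" or a range "20-25"."""
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low) <= port <= int(high)
    return int(spec) == port


def rule_exposes_port(rule: dict, port: int = SSH_PORT) -> bool:
    """Same test as the query: INGRESS direction, an allow rule, 0.0.0.0/0 among
    the source ranges, and an allowed entry that covers the port. As in the
    query, "disabled" and target tags are not consulted, so a disabled open
    rule is still reported (it is one click away from being live)."""
    if rule.get("direction", "INGRESS") != "INGRESS":
        return False
    allowed = rule.get("allowed")          # deny rules carry "denied" instead
    if not allowed:
        return False
    if not any(is_catch_all_v4(r) for r in rule.get("sourceRanges", [])):
        return False
    for entry in allowed:
        proto = entry.get("IPProtocol", "").lower()
        if proto == "all":
            return True
        if proto != "tcp":
            continue                        # e.g. udp/22 is not SSH
        ports = entry.get("ports")
        if not ports:                       # tcp with no port list = every tcp port
            return True
        if any(port_spec_covers(p, port) for p in ports):
            return True
    return False


def audit(rules: list, port: int = SSH_PORT) -> dict:
    """Map rule name -> 'alarm' / 'ok', mirroring the control's status column."""
    return {r["name"]: "alarm" if rule_exposes_port(r, port) else "ok" for r in rules}


# Constructed sample rules in gcloud's JSON shape (not real project data).
SAMPLE_RULES = [
    {"name": "default-allow-ssh", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-ssh-from-bastion", "direction": "INGRESS",   # the remediated form
     "sourceRanges": ["203.0.113.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-everything", "direction": "INGRESS",
     "sourceRanges": ["10.0.0.0/8", "0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "allow-tcp-20-30", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["20-30"]}]},
    {"name": "allow-tcp-any-port", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp"}]},
    {"name": "allow-udp-22", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "udp", "ports": ["22"]}]},
    {"name": "allow-https", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "egress-ssh", "direction": "EGRESS",
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "deny-ssh", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]


if __name__ == "__main__":
    # Pass a file saved from `gcloud compute firewall-rules list --format=json`
    # to audit real rules; with no argument the constructed sample is used.
    rules = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_RULES
    for name, status in audit(rules).items():
        print(f"{status:5}  {name}")
```

Running it on the sample flags `default-allow-ssh`, `allow-everything`, `allow-tcp-20-30` and `allow-tcp-any-port`, and passes the bastion-restricted rule, the udp rule, the https rule, the egress rule and the deny rule. To turn the first of those into the second with the page's gcloud command, the placeholders become `gcloud compute firewall-rules update default-allow-ssh --allow=tcp:22 --source-ranges=203.0.113.0/24`. Note that both the query and this script look for the literal catch-all block; a rule that reaches the same effect with a pair such as `0.0.0.0/1` and `128.0.0.0/1` would not be flagged, so review wide source ranges by hand as well.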