turbot/steampipe-mod-gcp-compliance

Control: Ensure Firewall Rules for instances behind Identity Aware Proxy (IAP) only allow the traffic from Google Cloud Loadbalancer (GCLB) Health Check and Proxy Addresses

Description

Access to VMs should be restricted by firewall rules that permit only IAP traffic, that is, only connections proxied by IAP. To ensure that load balancing works correctly, health checks should also be allowed.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.compute_firewall_allow_connections_proxied_by_iap

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.compute_firewall_allow_connections_proxied_by_iap --share

SQL

This control uses a named query:

select
  self_link as resource,
  case
    when allowed @> '[{"IPProtocol":"tcp","ports":["80"]}]'
      and source_ranges ?& array['130.211.0.0/22', '35.191.0.0/16'] then 'ok'
    else 'alarm'
  end as status,
  case
    when allowed @> '[{"IPProtocol":"tcp","ports":["80"]}]'
      and source_ranges ?& array['130.211.0.0/22', '35.191.0.0/16']
      then title || ' only allows traffic proxied by IAP.'
    else title || ' not configured to only allow connections proxied by IAP.'
  end as reason,
  location as location,
  project as project
from
  gcp_compute_firewall;
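As an added example that is not part of the mod, the same predicate re-implemented in Python so it can be run offline against rule JSON in the shape of `gcloud compute firewall-rules list --format=json` (the `allowed`/`sourceRanges` field names and the four sample rules are constructed assumptions). It also makes two edges of the SQL operators visible: `@>` matches a rule that allows tcp/80 alongside other ports but not a port range or an all-ports rule, and `?&` only checks that the two ranges are present, so extra source ranges do not by themselves raise an alarm.

```python
import json

# Values taken from the page's SQL predicate.
REQUIRED_ALLOWED = [{"IPProtocol": "tcp", "ports": ["80"]}]
REQUIRED_SOURCE_RANGES = {"130.211.0.0/22", "35.191.0.0/16"}


def jsonb_contains(left, right):
    """Mirror PostgreSQL jsonb '@>': object keys must exist with contained values;
    each array element on the right must be contained in some element on the left,
    so ["80"] is contained in ["80", "443"] but not in ["80-443"] or a missing key."""
    if isinstance(right, dict):
        return isinstance(left, dict) and all(
            k in left and jsonb_contains(left[k], v) for k, v in right.items())
    if isinstance(right, list):
        return isinstance(left, list) and all(
            any(jsonb_contains(item, r) for item in left) for r in right)
    return left == right


def evaluate_rule(rule):
    """Same predicate as the named query: tcp/80 allowed AND both ranges present.
    The '?&' half only checks presence, so an extra 0.0.0.0/0 range is not an alarm."""
    ok = (jsonb_contains(rule.get("allowed", []), REQUIRED_ALLOWED)
          and REQUIRED_SOURCE_RANGES <= set(rule.get("sourceRanges", [])))
    name = rule.get("name", "<unnamed>")
    if ok:
        return "ok", f"{name} only allows traffic proxied by IAP."
    return "alarm", f"{name} not configured to only allow connections proxied by IAP."


def run_control(rules):
    """Map rule name -> status for a list of firewall rule dicts."""
    return {r["name"]: evaluate_rule(r)[0] for r in rules}


# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES = json.loads("""[
 {"name": "iap-web",   "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}],
  "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"]},
 {"name": "web-plus",  "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}],
  "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16", "0.0.0.0/0"]},
 {"name": "all-tcp",   "allowed": [{"IPProtocol": "tcp"}],
  "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"]},
 {"name": "range-80s", "allowed": [{"IPProtocol": "tcp", "ports": ["80-443"]}],
  "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"]}
]""")
```

`run_control(SAMPLE_RULES)` reports `iap-web` and `web-plus` as ok and `all-tcp` and `range-80s` as alarm, matching what the named query would return for the same rows.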

Tags