Benchmark: PR.IR-01
Description
Networks and environments are protected from unauthorized logical access and usage.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-gcp-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select PR.IR-01.
Run this benchmark in your terminal:
powerpipe benchmark run gcp_compliance.benchmark.nist_csf_v2_pr_ir_01
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run gcp_compliance.benchmark.nist_csf_v2_pr_ir_01 --share
Controls
- Cloudfunction functions VPC connector should be enabled
- Ensure Firewall Rules for instances behind Identity Aware Proxy (IAP) only allow the traffic from Google Cloud Loadbalancer (GCLB) Health Check and Proxy Addresses
- Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses is 'Allowed'
- Ensure no open default firewall rules allow ingress from 0.0.0.0/0 to any port
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to DNS port 53
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to FTP port 21
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to HTTP port 80
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to Microsoft DS port 445
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to MongoDB port 27017
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to MySQL DB port 3306
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to NetBIOS SSN port 139
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to Oracle DB port 1521
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to POP3 port 110
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port 10250
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port 10255
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to PostgreSQL port 5432
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to SMTP port 25
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 137 to 139
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 27017 to 27019
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 61620 or 6162
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 636
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 6379
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 7000 or 7001
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 7199
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 8888
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 9042
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 9090
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 9160
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 9200 or 9300
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to TCP or UDP port 11211
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to TCP or UDP port 11214 to 11215
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to TCP or UDP port 2483 to 24845
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to TCP or UDP port 389
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to Telnet port 23
- Ensure compute firewall rules have logging enabled
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to any port without any specific target
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to any port
- Compute Networks should have auto create subnetwork enabled
- Ensure that the default network does not exist in a project
- Ensure legacy networks do not exist for a project
- Ensure that Cloud DNS logging is enabled for all VPC networks
- Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters
- Ensure VPC Flow Logs are enabled for every subnet in VPC Network
- Ensure Private Google Access is enabled for all subnetworks in VPC
- GKE clusters network policy should be enabled
- GKE clusters should not use default network
- GKE clusters private nodes should be configured
- Ensure Private Google Access is enabled for all subnetworks in kubernetes cluster
- Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes
- Ensure that the log metric filter and alerts exist for VPC network changes
- Ensure that the log metric filter and alerts exist for VPC network route changes
- Check for open firewall rules allowing RDP from the internet
- Check for open firewall rules allowing SSH from the internet
- Check for open firewall rules allowing TCP/UDP from the internet
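Most of the controls above share one pattern: an enabled INGRESS rule whose source ranges include 0.0.0.0/0 and whose allowed entries reach a watched port. The following is an added example, not part of the steampipe-mod-gcp-compliance mod, that applies that check offline to firewall rules in the Compute Engine resource shape; the sample rules and the port table are constructed for illustration and cover only a few of the listed ports.

```python
import ipaddress

# Constructed sample rules in the Compute Engine firewall resource shape (what
# `gcloud compute firewall-rules list --format=json` returns); made-up data.
SAMPLE_RULES = [
    {"name": "allow-ssh-anywhere", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-cassandra-range", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.0.0.0/8", "0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["7000-7199"]}]},
    {"name": "allow-all-disabled", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "allow-internal-dns", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.128.0.0/9"], "allowed": [{"IPProtocol": "udp", "ports": ["53"]}]},
]

# Watched (protocol, low, high) port spans taken from the control titles above.
WATCHED = {"DNS 53": ("udp", 53, 53), "SSH 22": ("tcp", 22, 22),
           "TCP 7000-7001": ("tcp", 7000, 7001), "TCP 7199": ("tcp", 7199, 7199)}

def _port_span(spec):
    # "22" -> (22, 22); "7000-7199" -> (7000, 7199)
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def _overlaps(entry, proto, lo, hi):
    # An "allowed" entry matches when its protocol is `proto` (or "all") and
    # one of its port spans intersects [lo, hi]; no port list means every port.
    if entry.get("IPProtocol", "").lower() not in ("all", proto):
        return False
    ports = entry.get("ports")
    return not ports or any(a <= hi and b >= lo for a, b in map(_port_span, ports))

def is_open_ingress(rule):
    # Enabled INGRESS rule (GCP's default direction) with a /0 source range.
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return False
    return any(ipaddress.ip_network(r, strict=False).prefixlen == 0
               for r in rule.get("sourceRanges", []))

def findings(rules, watched=WATCHED):
    # Map each open rule's name to the watched spans it exposes to the internet.
    out = {}
    for rule in rules:
        if is_open_ingress(rule):
            hits = [label for label, (proto, lo, hi) in watched.items()
                    if any(_overlaps(e, proto, lo, hi) for e in rule.get("allowed", []))]
            if hits:
                out[rule["name"]] = hits
    return out
```

Extending WATCHED with the other ports named in the list (or with a span such as 1 to 65535 for the "any port" controls) gives a local pre-check before the benchmark run.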