Benchmark: 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic
Description
Customers are responsible for implementing GCP firewall rules that limit inbound and outbound traffic to only business-justified and necessary traffic. Customers must define explicit GCP firewall rules and deny all other traffic. Customers are responsible for verifying inbound and outbound traffic for their CDE, which includes GCP Compute Engine (GCE), Cloud Storage (GCS), and VPCs. Customers are responsible for denying any traffic that is not explicitly required for the GCP product to function.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-gcp-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.
Run this benchmark in your terminal:
powerpipe benchmark run gcp_compliance.benchmark.pci_dss_v321_requirement_1_2_1
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run gcp_compliance.benchmark.pci_dss_v321_requirement_1_2_1 --share
Controls
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to DNS port 53
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to FTP port 21
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to HTTP port 80
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to Microsoft DS port 445
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to MySQL DB port 3306
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to Oracle DB port 1521
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to POP3 port 110
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to PostgreSQL port 5432
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to SMTP port 25
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 137 to 139
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 27017 to 27019
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 61620 or 6162
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 636
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 6379
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 7000 or 7001
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 7199
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 8888
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 9042
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 9090
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 9160
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to port TCP 9200 or 9300
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to TCP or UDP port 11211
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to TCP or UDP port 11214 to 11215
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to TCP or UDP port 2483 to 24845
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to TCP or UDP port 389
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to Telnet port 23
- Ensure no open firewall rules allow ingress from 0.0.0.0/0 to any port
- Ensure that Compute instances do not have public IP addresses
- Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters
- Check for open firewall rules allowing SSH from the internet
- Check for open firewall rules allowing TCP/UDP from the internet
- Ensure Instance IP assignment is set to private
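As an added example (not a query from the steampipe-mod-gcp-compliance mod, whose controls are SQL against Steampipe tables), the Python below shows the evaluation logic behind the "open to 0.0.0.0/0 on port X" controls above and the description's "deny all other traffic" requirement. It reads firewall-rule records shaped like the GCP Compute API output of gcloud compute firewall-rules list --format=json, treats IPProtocol all or a missing ports list as every port, honours disabled rules, handles overlapping port ranges such as 137-139, and also checks for an explicit egress deny-all rule, which GCP's implied rules do not provide (the implied rules allow all egress and deny all ingress). The WATCHED_PORTS subset, the sample rules and the cde-vpc network name are constructed for this example.

```python
"""Evaluate GCP VPC firewall rules against "restrict to necessary, deny the rest".

Added example, not a query from steampipe-mod-gcp-compliance. Input records
mimic the shape of `gcloud compute firewall-rules list --format=json`.
"""

INTERNET = "0.0.0.0/0"

# Subset of the ports named in the benchmark's control list (assumed mapping
# of service name to protocol and port ranges, for illustration only).
WATCHED_PORTS = {
    "ssh": ("tcp", [(22, 22)]),
    "telnet": ("tcp", [(23, 23)]),
    "smb": ("tcp", [(445, 445)]),
    "netbios": ("tcp", [(137, 139)]),
    "mysql": ("tcp", [(3306, 3306)]),
    "postgres": ("tcp", [(5432, 5432)]),
    "mongodb": ("tcp", [(27017, 27019)]),
    "memcached": ("tcp|udp", [(11211, 11211)]),
}


def parse_port_spec(spec):
    """'22' -> (22, 22); '137-139' -> (137, 139)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def allowed_ranges(rule):
    """Yield (protocol, lo, hi) for every port range the rule allows.
    IPProtocol 'all' or a missing 'ports' list means every port."""
    for entry in rule.get("allowed", []):
        proto = entry["IPProtocol"].lower()
        if proto == "all" or "ports" not in entry:
            yield proto, 1, 65535
        else:
            for spec in entry["ports"]:
                lo, hi = parse_port_spec(spec)
                yield proto, lo, hi


def is_open_to_internet(rule):
    """Enabled ingress allow rule whose source ranges include 0.0.0.0/0."""
    return (
        rule.get("direction", "INGRESS") == "INGRESS"
        and not rule.get("disabled", False)
        and INTERNET in rule.get("sourceRanges", [])
        and "allowed" in rule
    )


def exposes_port(rule, proto, lo, hi):
    """True if an internet-open rule overlaps [lo, hi] on proto ('tcp', 'udp' or 'tcp|udp')."""
    if not is_open_to_internet(rule):
        return False
    wanted = set(proto.split("|"))
    for p, rlo, rhi in allowed_ranges(rule):
        if (p == "all" or p in wanted) and rlo <= hi and lo <= rhi:
            return True
    return False


def find_violations(rules):
    """Map each watched service to the sorted rule names that expose it from 0.0.0.0/0."""
    out = {}
    for service, (proto, ranges) in WATCHED_PORTS.items():
        hits = sorted({r["name"] for r in rules for lo, hi in ranges
                       if exposes_port(r, proto, lo, hi)})
        if hits:
            out[service] = hits
    return out


def has_explicit_egress_deny(rules, network):
    """GCP's implied rules allow all egress, so "deny all other traffic" needs an
    explicit, enabled EGRESS rule denying all protocols to 0.0.0.0/0 on the network."""
    for r in rules:
        if (r.get("network") == network and r.get("direction") == "EGRESS"
                and not r.get("disabled", False)
                and INTERNET in r.get("destinationRanges", [])
                and any(d["IPProtocol"].lower() == "all" for d in r.get("denied", []))):
            return True
    return False


# Constructed sample records in GCP API shape (not real project data).
SAMPLE_RULES = [
    {"name": "allow-ssh-from-anywhere", "network": "cde-vpc", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-db-from-app", "network": "cde-vpc", "direction": "INGRESS",
     "sourceRanges": ["10.10.0.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
    {"name": "allow-all-legacy", "network": "cde-vpc", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "allow-netbios-range", "network": "cde-vpc", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0", "10.0.0.0/8"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["135-140"]}]},
    {"name": "deny-all-egress", "network": "cde-vpc", "direction": "EGRESS", "priority": 65534,
     "destinationRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    print(find_violations(SAMPLE_RULES))
    print("explicit egress deny:", has_explicit_egress_deny(SAMPLE_RULES, "cde-vpc"))
```

On the sample data the disabled allow-all rule and the rule scoped to 10.10.0.0/24 are not reported, while the 135-140 range is flagged because it overlaps the control's 137 to 139. Rules that select sources by tag or service account instead of sourceRanges are deliberately not flagged here; extending the check to them is where a real control would go next.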