Benchmark: 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment
Description
Customers are responsible for implementing firewall rules and limiting ingress traffic to defined ports and protocols necessary for GCE instances within their DMZ.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-gcp-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.
Run this benchmark in your terminal:
powerpipe benchmark run gcp_compliance.benchmark.pci_dss_v321_requirement_1_3
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run gcp_compliance.benchmark.pci_dss_v321_requirement_1_3 --share
Benchmarks
- 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ
- 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet
- 1.3.7 Do not disclose private IP addresses and routing information to unauthorized parties
Controls
- GKE clusters network policy should be enabled
- Ensure Private Google Access is enabled for all subnetworks in kubernetes cluster
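The two controls above are evaluated as SQL against the Steampipe GCP plugin tables. The queries below are added here as an illustration of that check logic and are not the mod's own source; they assume the column names `network_policy` (jsonb) on `gcp_kubernetes_cluster` and `private_ip_google_access` (boolean) on `gcp_compute_subnetwork`, and they evaluate every subnetwork in the project rather than only those attached to a GKE cluster.

```sql
-- Added illustrative queries (not the mod's own control source).
-- Assumed columns: gcp_kubernetes_cluster.network_policy (jsonb),
-- gcp_compute_subnetwork.private_ip_google_access (boolean).

-- Control: GKE clusters network policy should be enabled.
-- A cluster without a network policy allows unrestricted pod-to-pod traffic,
-- which weakens segmentation inside the cardholder data environment.
select
  name as resource,
  case
    when network_policy ->> 'enabled' = 'true' then 'ok'
    else 'alarm'
  end as status,
  case
    when network_policy ->> 'enabled' = 'true'
      then name || ' has network policy enabled.'
    else name || ' has network policy disabled.'
  end as reason,
  project,
  location
from
  gcp_kubernetes_cluster;

-- Control: Private Google Access should be enabled on subnetworks.
-- With it disabled, instances without external IPs cannot reach Google APIs
-- privately, which pushes operators toward assigning public addresses.
select
  name as resource,
  case
    when private_ip_google_access then 'ok'
    else 'alarm'
  end as status,
  case
    when private_ip_google_access
      then name || ' has Private Google Access enabled.'
    else name || ' has Private Google Access disabled.'
  end as reason,
  project,
  region
from
  gcp_compute_subnetwork;
```

Run either query with `steampipe query` after `steampipe service start`; rows with status `alarm` are the resources the benchmark would report.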