Benchmark: Public Network Access
This benchmark answers the following questions:
- Are any cloud functions publicly accessible?
- Are any Cloud Run services publicly accessible (not using VPC access with internal-only ingress)?
- Are any Cloud SQL instances configured with public IP addresses enabled?
- Are any GKE clusters using public nodes (not using private nodes with legacy endpoints disabled)?
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-gcp-perimeter
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select Public Network Access.
Run this benchmark in your terminal:
powerpipe benchmark run gcp_perimeter.benchmark.public_network_access
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run gcp_perimeter.benchmark.public_network_access --share
Controls
- Cloud Run services should not be publicly accessible
- Cloud SQL instances should not be publicly accessible
- Cloud Functions should not be publicly accessible
- GKE cluster master authorized networks should not allow access from 0.0.0.0/0
- GKE cluster nodes should not be publicly accessible
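As an added illustration of what a control in this benchmark evaluates (this is example code written for this page, not a query from the gcp_perimeter mod itself), the following Steampipe query checks Cloud SQL instances for an enabled public IPv4 address and for an authorized network of 0.0.0.0/0. It assumes the Steampipe GCP plugin table gcp_sql_database_instance with the columns name, project and a jsonb ip_configuration column carrying the API's ipv4Enabled and authorizedNetworks fields; the status/reason output shape mirrors the convention Powerpipe controls use.

```sql
-- Added example, not part of the gcp_perimeter mod.
-- Assumed table: gcp_sql_database_instance (Steampipe GCP plugin).
-- Assumed columns: name, project, ip_configuration (jsonb).
with open_to_world as (
  -- Instances that list 0.0.0.0/0 as an authorized network.
  select
    name,
    project
  from
    gcp_sql_database_instance,
    jsonb_array_elements(
      coalesce(ip_configuration -> 'authorizedNetworks', '[]'::jsonb)
    ) as n
  where
    n ->> 'value' = '0.0.0.0/0'
  group by
    name,
    project
)
select
  i.name as resource,
  case
    -- Public IP plus a world-open authorized network is the worst case.
    when coalesce((i.ip_configuration ->> 'ipv4Enabled')::bool, false)
      and o.name is not null then 'alarm'
    -- Public IP enabled, but restricted to named authorized networks.
    when coalesce((i.ip_configuration ->> 'ipv4Enabled')::bool, false) then 'alarm'
    else 'ok'
  end as status,
  case
    when coalesce((i.ip_configuration ->> 'ipv4Enabled')::bool, false)
      and o.name is not null
      then i.name || ' has a public IPv4 address and authorizes 0.0.0.0/0.'
    when coalesce((i.ip_configuration ->> 'ipv4Enabled')::bool, false)
      then i.name || ' has a public IPv4 address enabled.'
    else i.name || ' has no public IPv4 address.'
  end as reason,
  i.project
from
  gcp_sql_database_instance as i
  left join open_to_world as o
    on o.name = i.name and o.project = i.project;
```

Run it against a Steampipe service with the GCP plugin configured (for example via the Steampipe query shell); rows with status 'alarm' correspond to the "Cloud SQL instances should not be publicly accessible" control failing, and the reason column distinguishes a merely public instance from one that also authorizes the whole internet.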