Check if the Google compute firewall allows unrestricted RDP access

ID

gcp_rdp_access_is_not_restricted

Severity

low

Vendor

GCP

Resource

AIM

Tags

reachable

Description

Allowed ports should not contain RDP port 3389

To fix it, you must configure the ip_allocation_policy.use_ip_aliases property to true.

Learn more about this topic at Create a VPC-native cluster.

Examples

---
- name: rdp_in_port
  google.cloud.gcp_compute_firewall:
    name: test_object
    source_ranges:
      - "0.0.0.0/0"
    allowed:
      - ip_protocol: tcp
        ports:
          - "22"
          - "80"
          - "3389"
    target_tags:
      - test-ssh-server
      - staging-ssh-server
    source_tags:
      - test-ssh-clients
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present

Mitigation / Fix

---
- name: create a firewall
  google.cloud.gcp_compute_firewall:
    name: test_object
    allowed:
      - ip_protocol: tcp
        ports:
          - "80"
    target_tags:
      - test-ssh-server
      - staging-ssh-server
    source_tags:
      - test-ssh-clients
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
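The check described above, written out as an added example (not code from the original page or from any scanner): it walks parsed Ansible tasks, finds google.cloud.gcp_compute_firewall modules whose allowed entries cover port 3389 (including port ranges and rules that list no ports at all), and reports whether the rule is also open to 0.0.0.0/0. The sample tasks are constructed inline from the two playbooks above plus one hypothetical range-based rule.

```python
"""Flag Ansible gcp_compute_firewall tasks that allow RDP (port 3389)."""

RDP_PORT = 3389
UNRESTRICTED_CIDRS = {"0.0.0.0/0", "::/0"}

def port_spec_matches(spec, port):
    """GCP port specs are a single port ("3389") or a range ("3000-4000")."""
    spec = str(spec)
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port

def allows_port(allowed, port):
    """True if any allowed entry reaches `port` over tcp, udp or all protocols."""
    for rule in allowed or []:
        proto = str(rule.get("ip_protocol", "")).lower()
        if proto not in ("tcp", "udp", "all"):
            continue
        ports = rule.get("ports")
        if not ports:  # no ports listed means every port of that protocol
            return True
        if any(port_spec_matches(p, port) for p in ports):
            return True
    return False

def check_task(task):
    """Return a finding dict for an offending task, else None."""
    fw = task.get("google.cloud.gcp_compute_firewall")
    if fw is None or not allows_port(fw.get("allowed"), RDP_PORT):
        return None
    ranges = fw.get("source_ranges") or []
    return {"name": task.get("name"),
            "unrestricted": any(r in UNRESTRICTED_CIDRS for r in ranges)}

def check_playbook(tasks):
    return [f for f in (check_task(t) for t in tasks) if f]

# Constructed sample: the page's two tasks plus a hypothetical range rule.
SAMPLE_TASKS = [
    {"name": "rdp_in_port", "google.cloud.gcp_compute_firewall": {
        "source_ranges": ["0.0.0.0/0"],
        "allowed": [{"ip_protocol": "tcp", "ports": ["22", "80", "3389"]}]}},
    {"name": "rdp_via_range", "google.cloud.gcp_compute_firewall": {
        "source_tags": ["test-ssh-clients"],
        "allowed": [{"ip_protocol": "tcp", "ports": ["3000-4000"]}]}},
    {"name": "create a firewall", "google.cloud.gcp_compute_firewall": {
        "allowed": [{"ip_protocol": "tcp", "ports": ["80"]}]}},
]

if __name__ == "__main__":
    for finding in check_playbook(SAMPLE_TASKS):
        print(finding)
```

Running it reports rdp_in_port (unrestricted) and rdp_via_range, while the mitigated task produces no finding.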