Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block)
ID | gcp_ssh_access_is_not_restricted
Severity | low
Vendor | GCP
Resource | AIM
Tags | reachable
Description
Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block), in keeping with the principle of least privilege.
To fix it, do not allow port 22 in a rule whose source_ranges property uses the unrestricted range (0.0.0.0/0); restrict the source ranges to the networks that actually need SSH access.
Learn more about this topic at Create a VPC-native cluster.
Examples
---
- name: ssh_unrestricted
  google.cloud.gcp_compute_firewall:
    name: test_object
    allowed:
      - ip_protocol: tcp
        ports:
          - '22'
    target_tags:
      - test-ssh-server
      - staging-ssh-server
    source_tags:
      - test-ssh-clients
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    source_ranges:
      - "0.0.0.0/0"   # unrestricted: every host on the Internet can reach tcp/22
Mitigation / Fix
---
- name: ssh_restricted
  google.cloud.gcp_compute_firewall:
    name: test_object
    denied:           # tcp/22 is denied instead of allowed, so SSH is not opened to the Internet
      - ip_protocol: tcp
        ports:
          - '22'
    target_tags:
      - test-ssh-server
      - staging-ssh-server
    source_tags:
      - test-ssh-clients
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
    source_ranges:
      - 0.0.0.0
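The check this rule performs can be reproduced outside the scanner. The following Python is an added example, not the scanner's own query implementation: it applies the rule to Ansible tasks that have already been parsed into dictionaries (the shape yaml.safe_load produces for a task list) and flags any google.cloud.gcp_compute_firewall task that has an allowed tcp entry covering port 22 together with an unrestricted source range. It goes slightly beyond the page's examples by treating port ranges such as 20-30, an absent ports list (all ports), the all protocol, and ::/0 as covering SSH; the direction parameter is the module's real INGRESS/EGRESS setting, and the sample tasks are constructed here, with the first two mirroring the page's examples.

```python
import ipaddress

# Module names under which the GCP firewall task may appear (FQCN and short form).
FIREWALL_MODULES = ("google.cloud.gcp_compute_firewall", "gcp_compute_firewall")
SSH_PORT = 22


def _port_spec_covers(ports, port):
    """True if a GCP 'ports' list (strings like '22' or '20-30') covers `port`.
    An absent or empty list means every port of that protocol."""
    if not ports:
        return True
    for spec in ports:
        spec = str(spec)
        if "-" in spec:
            lo, hi = (int(p) for p in spec.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(spec) == port:
            return True
    return False


def _range_is_unrestricted(cidr):
    """True if a source range is the whole Internet (0.0.0.0/0 or ::/0).
    A bare address such as 0.0.0.0 is a single host, not an unrestricted range."""
    try:
        net = ipaddress.ip_network(str(cidr), strict=False)
    except ValueError:
        return False
    return net.prefixlen == 0


def task_allows_public_ssh(task):
    """Apply the rule to one parsed Ansible task (a dict as yaml.safe_load returns it)."""
    module = next((m for m in FIREWALL_MODULES if m in task), None)
    if module is None:
        return False
    params = task[module] or {}
    # source_ranges only apply to ingress rules; the module defaults to INGRESS.
    if str(params.get("direction", "INGRESS")).upper() != "INGRESS":
        return False
    if not any(_range_is_unrestricted(r) for r in params.get("source_ranges") or []):
        return False
    # Only 'allowed' entries open the port; 'denied' entries never trigger the rule.
    for rule in params.get("allowed") or []:
        proto = str(rule.get("ip_protocol", "")).lower()
        if proto in ("tcp", "all") and _port_spec_covers(rule.get("ports"), SSH_PORT):
            return True
    return False


def find_violations(tasks):
    """Return the names of all tasks in a task list that violate the rule."""
    return [t.get("name", "<unnamed>") for t in tasks if task_allows_public_ssh(t)]


def _fw_task(name, **params):
    # Helper to build a constructed task dict in the same shape as the page's YAML.
    return {"name": name, "google.cloud.gcp_compute_firewall": {"name": "test_object", **params}}


# Constructed sample tasks: the first two mirror the page's examples.
SAMPLE_TASKS = [
    _fw_task("ssh_unrestricted",
             allowed=[{"ip_protocol": "tcp", "ports": ["22"]}],
             source_ranges=["0.0.0.0/0"]),
    _fw_task("ssh_restricted",
             denied=[{"ip_protocol": "tcp", "ports": ["22"]}],
             source_ranges=["0.0.0.0"]),
    _fw_task("ssh_from_corp",                       # allowed, but only from a private range
             allowed=[{"ip_protocol": "tcp", "ports": ["22"]}],
             source_ranges=["10.0.0.0/8"]),
    _fw_task("all_tcp_public",                      # no ports list: every tcp port, incl. 22
             allowed=[{"ip_protocol": "tcp"}],
             source_ranges=["0.0.0.0/0"]),
    _fw_task("port_range_public",                   # 20-30 covers 22
             allowed=[{"ip_protocol": "tcp", "ports": ["20-30"]}],
             source_ranges=["::/0"]),
]

if __name__ == "__main__":
    for name in find_violations(SAMPLE_TASKS):
        print(f"gcp_ssh_access_is_not_restricted: task '{name}' allows SSH from the Internet")
```

To run it against a real playbook, load the file with yaml.safe_load and pass the resulting task list to find_violations; tasks nested under roles or blocks need to be flattened first, which this example does not do.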