GCP Threats
All Ports Should Not Be Open To Public
More Info:
Checks whether any VPC firewall rule allows ingress traffic on all protocols and ports from any source (a source range of 0.0.0.0/0 or ::/0). Such a rule exposes every listening service on the instances it targets to the whole internet, so access should be limited to the specific ports that are required and, where possible, to known source ranges.
Risk Level: Critical
Address: Security
Compliance Standards: SOC2, NIST, PCIDSS, GDPR
Triage and Remediation
Remediation
To remediate the misconfiguration of having all ports open to the public in GCP, follow these steps in the GCP console:
- Open the Google Cloud Platform (GCP) Console and select the project where the misconfiguration exists.
- In the left-hand menu, click on “VPC network” and then on “Firewall”. Firewall rules are VPC resources rather than settings of a single VM instance, so they are not edited from the “VM instances” page.
- Find the ingress rule whose source IP range is 0.0.0.0/0 (or ::/0) and whose “Protocols and ports” column shows all protocols and ports. Note that the “default-allow-ssh” rule of the default network already allows only tcp:22, so it is not the rule to look for; the culprit is usually a custom rule or one created with “Allow all” selected.
- Click on the rule’s name and then on “Edit”.
- In the “Protocols and ports” section, select “Specified protocols and ports”, enable TCP and enter only the ports that are required, for example 22 for SSH or 80,443 for a web server.
- Where the service does not need to be reachable from everywhere, also replace the 0.0.0.0/0 source range with the CIDR ranges that actually need access.
- Click on “Save” to save the changes.
This remediates the misconfiguration by limiting the rule to the listed ports instead of all ports. If nothing on the rule’s targets needs to be reachable from the internet, delete the rule instead of editing it.
To remediate the misconfiguration “All Ports Should Not Be Open To Public” in GCP using the gcloud CLI, follow these steps:
- Select the project to work in:
gcloud config set project [PROJECT_ID]
- Firewall rules belong to the VPC network, not to a single VM instance, so list the firewall rules rather than the instances. The default output already shows the allowed protocols and ports of each rule:
gcloud compute firewall-rules list
To narrow the list to ingress rules that are open to the whole internet, filter on the source range:
gcloud compute firewall-rules list --filter="direction=INGRESS AND sourceRanges:0.0.0.0/0" --format="table(name,network.basename(),priority,sourceRanges.list(),allowed[].map().firewall_rule().list():label=ALLOW,disabled)"
- Describe a candidate rule and confirm that its allowed entries cover all ports, that is, an IPProtocol of “all”, or tcp/udp listed without any ports:
gcloud compute firewall-rules describe [FIREWALL_RULE_NAME]
- Update the rule so that it allows only the required ports. The “--allow” flag replaces the rule’s whole allowed list:
gcloud compute firewall-rules update [FIREWALL_RULE_NAME] --allow [PORTS_TO_ALLOW]
Replace [FIREWALL_RULE_NAME] with the name of the rule you want to update and [PORTS_TO_ALLOW] with the protocols and ports to keep. For example, to allow access only to ports 80 and 443:
gcloud compute firewall-rules update [FIREWALL_RULE_NAME] --allow tcp:80,tcp:443
Where the service does not need to be reachable from everywhere, also narrow the source range at the same time, for example:
gcloud compute firewall-rules update [FIREWALL_RULE_NAME] --allow tcp:22 --source-ranges [ALLOWED_CIDR]
If nothing on the rule’s targets needs to be reachable from the internet, delete the rule instead:
gcloud compute firewall-rules delete [FIREWALL_RULE_NAME]
- Verify the change by describing the rule again and checking that only the intended ports and source ranges remain:
gcloud compute firewall-rules describe [FIREWALL_RULE_NAME] --format="value(sourceRanges,allowed)"
By following these steps, you can remediate the misconfiguration “All Ports Should Not Be Open To Public” in GCP using the gcloud CLI.
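As an added example (not code from the original page), the check described under “More Info” and the CLI remediation above modelled in Python: given the JSON that “gcloud compute firewall-rules list --format=json” prints, it flags rules that are open on all ports to 0.0.0.0/0 or ::/0 and builds the “gcloud compute firewall-rules update” command that narrows them. It goes a little beyond the single case on the page: a protocol listed without ports and a 0-65535 range are also treated as “all ports”, and disabled rules and egress rules are skipped. The rule names, networks and source ranges below are constructed sample data, not a real project.

```python
import ipaddress
import json

# Constructed sample, shaped like the output of
# `gcloud compute firewall-rules list --format=json`. Hypothetical names and networks.
SAMPLE_RULES_JSON = """
[
  {"name": "default-allow-ssh", "network": "default", "direction": "INGRESS",
   "priority": 65534, "disabled": false, "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-everything", "network": "default", "direction": "INGRESS",
   "priority": 1000, "disabled": false, "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "all"}]},
  {"name": "tcp-no-ports", "network": "prod-vpc", "direction": "INGRESS",
   "priority": 1000, "disabled": false, "sourceRanges": ["10.0.0.0/8", "::/0"],
   "allowed": [{"IPProtocol": "tcp"}]},
  {"name": "full-range", "network": "prod-vpc", "direction": "INGRESS",
   "priority": 1000, "disabled": false, "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "udp", "ports": ["0-65535"]}]},
  {"name": "disabled-open", "network": "prod-vpc", "direction": "INGRESS",
   "priority": 1000, "disabled": true, "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "all"}]},
  {"name": "egress-all", "network": "prod-vpc", "direction": "EGRESS",
   "priority": 1000, "disabled": false, "destinationRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "all"}]}
]
"""


def is_public_source(cidr: str) -> bool:
    """True for the unrestricted source ranges 0.0.0.0/0 and ::/0 (prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def entry_covers_all_ports(entry: dict) -> bool:
    """One `allowed` entry covers every port when its protocol is `all`, when a
    port-bearing protocol is listed with no `ports` key (GCP then means all ports
    of that protocol), or when a listed range spans the whole port space."""
    proto = entry.get("IPProtocol", "").lower()
    if proto == "all":
        return True
    if proto not in ("tcp", "udp", "sctp"):
        return False  # icmp, esp, ah, ipip ... have no ports to narrow
    ports = entry.get("ports")
    if not ports:
        return True
    for spec in ports:
        low, _, high = spec.partition("-")
        if high and int(low) <= 1 and int(high) == 65535:
            return True
    return False


def is_all_ports_open_to_public(rule: dict) -> bool:
    """The page's check: an enabled INGRESS allow rule whose source ranges include
    0.0.0.0/0 or ::/0 and whose allowed entries cover all ports."""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return False
    if not any(is_public_source(r) for r in rule.get("sourceRanges", [])):
        return False
    return any(entry_covers_all_ports(e) for e in rule.get("allowed", []))


def find_open_rules(rules_json: str) -> list[str]:
    """Names of the rules in a gcloud JSON export that fail the check, sorted."""
    rules = json.loads(rules_json)
    return sorted(r["name"] for r in rules if is_all_ports_open_to_public(r))


def remediation_command(rule_name: str, allow: list[str], source_ranges: list[str]) -> str:
    """Build the gcloud update from the CLI steps, narrowing ports and source ranges.
    `--allow` replaces the rule's whole allowed list, so pass everything to keep."""
    return (
        f"gcloud compute firewall-rules update {rule_name} "
        f"--allow {','.join(allow)} --source-ranges {','.join(source_ranges)}"
    )


if __name__ == "__main__":
    for name in find_open_rules(SAMPLE_RULES_JSON):
        # 203.0.113.0/24 stands in for the real admin range (constructed value).
        print(remediation_command(name, ["tcp:22"], ["203.0.113.0/24"]))
```

Run against a real export with “gcloud compute firewall-rules list --format=json > rules.json” and pass the file contents to find_open_rules; review each generated command before running it, since the correct ports and source ranges depend on the workload behind the rule.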
To remediate the misconfiguration “All Ports Should Not Be Open To Public” in GCP using Python, you can follow the below steps:
- Identify the firewall rules that are open to the public on all ports. Firewall rules are VPC resources, so list them with the google-cloud-compute library’s FirewallsClient (not the InstancesClient) and keep the enabled ingress rules whose source ranges include 0.0.0.0/0 or ::/0 and whose allowed entries cover all ports.
- Patch each such rule so that its allowed list contains only the required protocols and ports (and, where possible, narrow its source ranges). Patching the rule in place keeps its name, network, priority and targets, so there is no need to create a replacement rule and delete the old one.
Here is sample Python code to remediate the misconfiguration “All Ports Should Not Be Open To Public” in GCP (it needs the google-cloud-compute package, installed with pip install google-cloud-compute):
from google.cloud import compute_v1

PROJECT = 'your-project-id'
PUBLIC_RANGES = {'0.0.0.0/0', '::/0'}
# Replace with the ports the workload behind the rule actually needs.
REQUIRED_PORTS = ['80', '443']

# Firewall rules are VPC resources, not per-instance settings, so use FirewallsClient.
client = compute_v1.FirewallsClient()

for firewall in client.list(project=PROJECT):
    # Only enabled ingress rules reachable from the whole internet are in scope.
    if firewall.disabled or firewall.direction != 'INGRESS':
        continue
    if not PUBLIC_RANGES.intersection(firewall.source_ranges):
        continue
    # An entry covers all ports when the protocol is "all", or when tcp/udp is
    # listed without any ports (GCP then allows every port of that protocol).
    open_to_all = any(
        a.I_p_protocol == 'all' or (a.I_p_protocol in ('tcp', 'udp') and not a.ports)
        for a in firewall.allowed
    )
    if not open_to_all:
        continue

    print(f'Restricting {firewall.name} to tcp:{",".join(REQUIRED_PORTS)}')
    # Patch only the allowed list; the rule keeps its name, network, priority and targets.
    patch = compute_v1.Firewall(
        allowed=[compute_v1.Allowed(I_p_protocol='tcp', ports=REQUIRED_PORTS)]
    )
    operation = client.patch(project=PROJECT, firewall=firewall.name, firewall_resource=patch)
    operation.result()  # wait for the global operation to finish; raises on failure
Note: This code is just a sample and may need to be modified based on your specific requirements.