SSH Access Is Not Restricted
- Query id: c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0
- Query name: SSH Access Is Not Restricted
- Platform: Terraform
- Severity: Medium
- Category: Networking and Firewall
- URL: Github
Description¶
Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "google_compute_firewall" "positive1" {
name = "test-firewall"
network = google_compute_network.default.name
direction = "INGRESS"
source_ranges = ["0.0.0.0/0"]
allow {
protocol = "icmp"
}
allow {
protocol = "tcp"
ports = ["22", "80", "3389", "8080", "1000-2000"]
}
source_tags = ["web"]
}
resource "google_compute_firewall" "positive2" {
name = "test-firewall"
network = google_compute_network.default.name
source_ranges = ["0.0.0.0/0"]
allow {
protocol = "icmp"
}
allow {
protocol = "tcp"
ports = ["80", "8080", "1000-2000","21-3390"]
}
source_tags = ["web"]
}
resource "google_compute_firewall" "positive3" {
name = "test-firewall"
network = google_compute_network.default.name
source_ranges = ["0.0.0.0/0"]
allow {
protocol = "icmp"
}
allow {
protocol = "all"
}
source_tags = ["web"]
}