RDP Access Is Not Restricted

  • Query id: 678fd659-96f2-454a-a2a0-c2571f83a4a3
  • Query name: RDP Access Is Not Restricted
  • Platform: Terraform
  • Severity: High
  • Category: Networking and Firewall
  • URL: Github


Checks whether a Google compute firewall allows unrestricted RDP access. Allowed ports should not include the RDP port, 3389.

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "google_compute_firewall" "positive1" {
  name    = "test-firewall"
  network = google_compute_network.default.name
  direction = "INGRESS"

  allow {
    protocol = "icmp"
  }

  allow {
    protocol = "tcp"
    # Port 3389 (RDP) is listed explicitly
    ports    = ["80", "8080", "1000-2000","3389"]
  }

  source_tags = ["web"]
  source_ranges = [""]
}

resource "google_compute_firewall" "positive2" {
  name    = "test-firewall"
  network = google_compute_network.default.name

  allow {
    protocol = "udp"
    # The range 21-3390 includes port 3389
    ports    = ["80", "8080", "1000-2000","21-3390"]
  }

  source_tags = ["web"]
  source_ranges = ["::/0"]
}

resource "google_compute_firewall" "positive3" {
  name    = "test-firewall"
  network = google_compute_network.default.name

  allow {
    # No ports list: the rule applies to every port, including 3389
    protocol = "all"
  }

  source_tags = ["web"]
  source_ranges = ["::/0"]
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "google_compute_firewall" "negative1" {
  name    = "test-firewall"
  network = google_compute_network.default.name

  allow {
    protocol = "icmp"
  }

  allow {
    protocol = "tcp"
    # 3389 is not listed and no range includes it
    ports    = ["80", "8080", "1000-2000"]
  }

  source_tags = ["web"]
}
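
Added example (not part of the original page and not the query's own code): a Python sketch of the check described above, showing why a port range such as "21-3390" or a rule with no ports list must be flagged even though the string "3389" never appears. The function names, the dict layout of a rule, the set of "any source" CIDRs and the protocols considered are assumptions made for illustration.

```python
RDP_PORT = 3389
UNRESTRICTED = {"0.0.0.0/0", "::/0"}  # assumption: CIDRs that mean "any source"
PROTOCOLS = {"tcp", "udp", "all"}     # assumption: mirrors the page's positive samples

def port_spec_covers(spec, port=RDP_PORT):
    """True if a port spec such as "3389" or "21-3390" includes `port`."""
    low, sep, high = spec.strip().partition("-")
    try:
        lo = int(low)
        hi = int(high) if sep else lo
    except ValueError:
        return False  # malformed spec: treat as not matching
    return lo <= port <= hi

def allow_block_covers_rdp(allow):
    """An allow block reaches RDP if its protocol is relevant and a port matches."""
    if allow.get("protocol", "").lower() not in PROTOCOLS:
        return False
    ports = allow.get("ports")
    if not ports:  # no ports list: the rule applies to every port
        return True
    return any(port_spec_covers(p) for p in ports)

def rdp_unrestricted(rule):
    """Flag ingress rules open to any source whose allow blocks reach 3389."""
    if rule.get("direction", "INGRESS").upper() != "INGRESS":
        return False
    if not UNRESTRICTED & set(rule.get("source_ranges", [])):
        return False
    return any(allow_block_covers_rdp(a) for a in rule.get("allow", []))

def scan(rules):
    """Return the sorted names of the rules that expose RDP."""
    return sorted(name for name, rule in rules.items() if rdp_unrestricted(rule))

# Constructed sample rules, modelled on the samples on this page.
SAMPLES = {
    "explicit_port": {"direction": "INGRESS", "source_ranges": ["0.0.0.0/0"],
                      "allow": [{"protocol": "icmp"},
                                {"protocol": "tcp", "ports": ["80", "3389"]}]},
    "port_range": {"source_ranges": ["::/0"],
                   "allow": [{"protocol": "udp", "ports": ["80", "21-3390"]}]},
    "all_protocols": {"source_ranges": ["::/0"], "allow": [{"protocol": "all"}]},
    "no_rdp": {"source_ranges": ["0.0.0.0/0"],
               "allow": [{"protocol": "tcp", "ports": ["80", "1000-2000"]}]},
    "restricted_source": {"source_ranges": ["10.0.0.0/8"],
                          "allow": [{"protocol": "tcp", "ports": ["3389"]}]},
}

if __name__ == "__main__":
    print(scan(SAMPLES))
```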