Google Compute Network Using Firewall Rule that Allows All Ports
- Query id: 3602d273-3290-47b2-80fa-720162b1a8af
- Query name: Google Compute Network Using Firewall Rule that Allows All Ports
- Platform: Ansible
- Severity: Medium
- Category: Networking and Firewall
- CWE: 732
- URL: Github
Description¶
Google Compute Network should not use a firewall rule that allows all ports
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
- name: create a firewall2
google.cloud.gcp_compute_firewall:
name: test_object
allowed:
- ip_protocol: tcp
ports:
- '0-65535'
target_tags:
- test-ssh-server
- staging-ssh-server
source_tags:
- test-ssh-clients
project: test_project
auth_kind: serviceaccount
service_account_file: "/tmp/auth.pem"
state: present
network: "{{ my_network2 }}"
- name: create a network2
google.cloud.gcp_compute_network:
name: test_object
auto_create_subnetworks: 'true'
project: test_project
auth_kind: serviceaccount
service_account_file: "/tmp/auth.pem"
state: present
register: my_network2
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
- name: create a firewall
google.cloud.gcp_compute_firewall:
name: test_object
allowed:
- ip_protocol: tcp
ports:
- '22'
target_tags:
- test-ssh-server
- staging-ssh-server
source_tags:
- test-ssh-clients
project: test_project
auth_kind: serviceaccount
service_account_file: "/tmp/auth.pem"
state: present
network: "{{ my_network }}"
- name: create a network
google.cloud.gcp_compute_network:
name: test_object
auto_create_subnetworks: 'true'
project: test_project
auth_kind: serviceaccount
service_account_file: "/tmp/auth.pem"
state: present
register: my_network