Ensure GCP Firewall rule does not allow all traffic on RDP port 3389

Error: GCP Firewall rule allows all traffic on RDP port 3389

Bridgecrew Policy ID: BC_GCP_NETWORKING_2
Checkov Check ID: CKV_GCP_3
Severity: CRITICAL

GCP Firewall rule allows all traffic on RDP port 3389

Description

Firewall rules setup fine grained allow/deny traffic policies to and from a virtual machine (VM). Enabled rules are always enforced, and help protecting instances from unwanted traffic. Firewall rules are defined at the network level, and only apply to the network where they are created.

Every VPC functions as a distributed firewall. While firewall rules are defined at the network level, connections are allowed or denied on a per-instance basis. A default network is pre-populated with firewall rules that allow incoming traffic to instances. The default-allow-rdp rule permits ingress connections on TCP port 3389 from any source to any instance in the network.

We recommend you restrict or remove the default-allow-rdp rule when you no longer need it.

Fix - Runtime

Procedure

  1. List your firewall rules. You can view a list of all rules or just those in a particular network.
  2. Click the rule "default-allow-rdp" to delete.
  3. Click Delete.
  4. Click Delete again to confirm.

CLI Command

gcloud compute firewall-rules delete default-allow-rdp

Fix - Buildtime

Terraform

  • Resource: google_compute_firewall
  • Argument: deny. The deny block supports:
    protocol (Required) The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, sctp, ipip), or the IP protocol number.
    ports (Optional) An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
resource "google_compute_firewall" "default" {
  name    = "test-firewall"
  network = google_compute_network.default.name

  allow {
    protocol = "icmp"
  }

  deny {
    protocol = "tcp"
    ports    = ["3389"]
  }