Ensure GCP compute firewall ingress does not allow unrestricted access to all ports

Error: GCP Firewall with Inbound rule overly permissive to All Traffic
Bridgecrew Policy ID: BC_GCP_NETWORKING_20
Checkov Check ID: CKV2_GCP_12
Severity: HIGH

GCP Firewall with Inbound rule overly permissive to All Traffic

Description

This policy identifies GCP firewall rules that allow inbound traffic on all protocols from the public internet (source range 0.0.0.0/0). Such a rule may allow a bad actor to brute-force their way into the system and potentially gain access to the entire network.

Fix - Runtime

Fix - Buildtime

Terraform

# pass
# Passes because the rule is a "deny", not an "allow": it blocks all
# protocols from 0.0.0.0/0 instead of exposing them.
resource "google_compute_firewall" "compute-firewall-ok-1" {
  name    = "compute-firewall-ok-1"
  network = google_compute_network.example.name

  deny {
    protocol = "all"
  }
  source_ranges = ["0.0.0.0/0"]
  disabled      = false
}
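The condition this policy looks for, written out as an added example rather than Checkov's own implementation: a small check that takes `google_compute_firewall` resources as plain dicts (the shape a Terraform parser would hand back) and flags an enabled INGRESS rule that allows protocol `all` from a public source range. The sample configurations, the treatment of `direction`, `disabled` and `::/0`, and the result labels are assumptions of this example.

```python
from typing import Any

# Source ranges that mean "the public internet" (assumption: IPv6 any is included).
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def _as_list(value: Any) -> list:
    """HCL blocks may parse as a single dict or a list of dicts; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_overly_permissive(fw: dict) -> bool:
    """True when an enabled INGRESS rule allows all protocols from a public range."""
    if fw.get("disabled", False):
        return False                                   # rule is not in effect
    if str(fw.get("direction", "INGRESS")).upper() != "INGRESS":
        return False                                   # egress rules are out of scope
    if not PUBLIC_CIDRS & set(fw.get("source_ranges", [])):
        return False                                   # not exposed to the internet
    # Only "allow" blocks open traffic; a "deny all" rule (the page's pass case) is fine.
    return any(str(r.get("protocol", "")).lower() == "all"
               for r in _as_list(fw.get("allow")))


def check(resources: dict) -> dict:
    """Map resource name -> PASSED/FAILED, mirroring a policy scan result."""
    return {name: ("FAILED" if is_overly_permissive(cfg) else "PASSED")
            for name, cfg in resources.items()}


# Constructed sample resources (not from any real environment).
SAMPLE = {
    "compute-firewall-ok-1": {"deny": [{"protocol": "all"}],
                              "source_ranges": ["0.0.0.0/0"], "disabled": False},
    "compute-firewall-open": {"allow": [{"protocol": "all"}],
                              "source_ranges": ["0.0.0.0/0"]},
    "compute-firewall-https": {"allow": [{"protocol": "tcp", "ports": ["443"]}],
                               "source_ranges": ["0.0.0.0/0"]},
    "compute-firewall-internal": {"allow": {"protocol": "all"},
                                  "source_ranges": ["10.0.0.0/8"]},
    "compute-firewall-egress": {"direction": "EGRESS", "allow": [{"protocol": "all"}],
                                "source_ranges": ["0.0.0.0/0"]},
}

if __name__ == "__main__":
    for name, status in check(SAMPLE).items():
        print(f"{status:6} {name}")
```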