|
| 1 | +export default { |
| 2 | + id: 'gcp-cis-1.3.0-3.10', |
| 3 | + title: |
| 4 | + 'Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are \'Allowed\'', |
| 5 | + description: `IAP authenticates the user requests to your apps via a Google single sign in. You can then |
| 6 | + manage these users with permissions to control access. It is recommended to use both IAP |
| 7 | + permissions and firewalls to restrict this access to your apps with sensitive information.`, |
| 8 | + |
| 9 | + audit: `**From Console:** |
| 10 | +
|
| 11 | + 1. For each of your apps that have IAP enabled go to the Cloud Console VPC network > Firewall rules. |
| 12 | + 2. Verify that the only rules correspond to the following values: |
| 13 | + o *Targets:* All instances in the network |
| 14 | + o *Source IP ranges IAP Proxy Addresses* |
| 15 | + ▪ 35.235.240.0/20 Google Health Check |
| 16 | + o 130.211.0.0/22 Google Health Check |
| 17 | + o 35.191.0.0/16 |
| 18 | + o Protocols and ports: |
| 19 | + ▪ Specified protocols and ports required for access and management of your app. For example most health check connection protocols would be covered by; |
| 20 | + ▪ tcp:80 (Default HTTP Health Check port) |
| 21 | + o tcp:443--(Default HTTPS Health Check port) |
| 22 | + |
| 23 | + Note: if you have custom ports used by your load balancers, you will need to list them here`, |
| 24 | + rationale: `IAP ensure that access to VMs is controlled by authenticating incoming requests. Access to |
| 25 | + your apps and the VMs should be restricted by firewall rules that allow only the proxy IAP |
| 26 | + IP addresses contained in the 35.235.240.0/20 subnet. Otherwise, unauthenticated |
| 27 | + requests can be made to your apps. To ensure that load balancing works correctly health |
| 28 | + checks should also be allowed.`, |
| 29 | + remediation: `**From Console:** |
| 30 | +
|
| 31 | + 1. Go to the Cloud Console VPC network > Firewall rules. |
| 32 | + 2. Select the checkbox next to the following rules: |
| 33 | + o default-allow-http |
| 34 | + o default-allow-https |
| 35 | + o default-allow-internal |
| 36 | + 3. Click *Delete.* |
| 37 | + 4. Click *Create firewall rule* and set the following values: |
| 38 | + o *Name:* allow-iap-traffic |
| 39 | + o *Targets:* All instances in the network |
| 40 | + • Source IP ranges (press Enter after you paste each value in the box, copy the value below the bold text including the dash): |
| 41 | + *IAP Proxy Addresses* |
| 42 | + - 35.235.240.0/20 |
| 43 | + *Google Health Check* |
| 44 | + o 130.211.0.0/22 Google Health Check |
| 45 | + o Protocols and ports: |
| 46 | + ▪ Specified protocols and ports required for access and management of your app. For example most health check connection protocols would be covered by; |
| 47 | + ▪ tcp:80 (Default HTTP Health Check port) |
| 48 | + o tcp:443--(Default HTTPS Health Check port) |
| 49 | + *Note: if you have custom ports used by your load balancers, you will need to list them here* |
| 50 | + 5. When you're finished updating values, click Create. |
| 51 | + |
| 52 | + *Default Value:* |
| 53 | +
|
| 54 | + By default all traffic is allowed.`, |
| 55 | + references: [ |
| 56 | + 'https://cloud.google.com/iap/docs/concepts-overview', |
| 57 | + 'https://cloud.google.com/iap/docs/concepts-overview', |
| 58 | + 'https://cloud.google.com/iap/docs/load-balancer-howto', |
| 59 | + 'https://cloud.google.com/load-balancing/docs/health-checks', |
| 60 | + 'https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts', |
| 61 | + ], |
| 62 | + severity: 'medium', |
| 63 | +} |
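Review bot: the audit block mislabels the IAP range and is out of step with the remediation block. In `audit`, the bullet `▪ 35.235.240.0/20 Google Health Check` sits under the *Source IP ranges IAP Proxy Addresses* heading with a health-check label, while `rationale` and the `remediation` bullet `- 35.235.240.0/20` under *IAP Proxy Addresses* both treat 35.235.240.0/20 as the IAP proxy range and 130.211.0.0/22 plus 35.191.0.0/16 as the health-check ranges; the audit bullet should drop the "Google Health Check" suffix so the three ranges read consistently. The `remediation` list also omits `35.191.0.0/16`, which `audit` requires, so an operator who follows the remediation verbatim still fails the audit; add an `o 35.191.0.0/16 Google Health Check` entry after the `o 130.211.0.0/22 Google Health Check` line. Smaller points: `references` lists `https://cloud.google.com/iap/docs/concepts-overview` twice, so one entry should be removed; `IAP ensure that access to VMs` in `rationale` should read `IAP ensures`; and the nested bullets mix `o`, `▪`, `•` and `-` markers and carry a stray double dash in `tcp:443--(Default HTTPS Health Check port)` in both `audit` and `remediation`, which will render oddly in the report output.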