Control: 3.6 Ensure that SSH access is restricted from the internet
GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow the user to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.
Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic. When specifying a source for an ingress rule or a destination for an egress rule by address, only an IPv4 address or IPv4 block in CIDR notation can be used. Generic (0.0.0.0/0) incoming traffic from the internet to VPC or VM instance using SSH on Port 22 can be avoided.
GCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network. Egress and ingress traffic flows are controlled even if the traffic stays within the network (for example, instance-to-instance communication). For an instance to have outgoing Internet access, the network must have a valid Internet gateway route or custom route whose destination IP is specified. This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from the Internet through SSH with the default Port 22. Generic access from the Internet to a specific IP Range needs to be restricted.
- Login to VPC Network.
- Navigate to Firewall from left side panel.
- Click the
Firewall Ruleyou want to modify. Click Edit.
- Ensure that Port is not equal to
22and Action is not set to
- Ensure IP Ranges is not equal to
0.0.0.0/0under Source filters.
- In case port
22is open to
Source IP rangesto specific IP.
- Click Save.
steampipe check gcp_compliance.control.cis_v120_3_6
This control uses a named query:compute_firewall_rule_ssh_access_restricted