gcp_apikeys_keygcp_app_engine_applicationgcp_artifact_registry_repositorygcp_audit_policygcp_bigquery_datasetgcp_bigquery_jobgcp_bigquery_tablegcp_bigtable_instancegcp_billing_accountgcp_billing_budgetgcp_cloud_assetgcp_cloud_identity_groupgcp_cloud_identity_group_membershipgcp_cloud_run_servicegcp_cloudfunctions_functiongcp_compute_addressgcp_compute_autoscalergcp_compute_backend_bucketgcp_compute_backend_servicegcp_compute_diskgcp_compute_disk_metric_read_opsgcp_compute_disk_metric_read_ops_dailygcp_compute_disk_metric_read_ops_hourlygcp_compute_disk_metric_write_opsgcp_compute_disk_metric_write_ops_dailygcp_compute_disk_metric_write_ops_hourlygcp_compute_firewallgcp_compute_forwarding_rulegcp_compute_global_addressgcp_compute_global_forwarding_rulegcp_compute_ha_vpn_gatewaygcp_compute_imagegcp_compute_instancegcp_compute_instance_groupgcp_compute_instance_metric_cpu_utilizationgcp_compute_instance_metric_cpu_utilization_dailygcp_compute_instance_metric_cpu_utilization_hourlygcp_compute_instance_templategcp_compute_machine_imagegcp_compute_machine_typegcp_compute_networkgcp_compute_node_groupgcp_compute_node_templategcp_compute_project_metadatagcp_compute_regiongcp_compute_resource_policygcp_compute_routegcp_compute_routergcp_compute_snapshotgcp_compute_ssl_policygcp_compute_subnetworkgcp_compute_target_https_proxygcp_compute_target_poolgcp_compute_target_ssl_proxygcp_compute_target_vpn_gatewaygcp_compute_url_mapgcp_compute_vpn_tunnelgcp_compute_zonegcp_dataproc_clustergcp_dns_managed_zonegcp_dns_policygcp_dns_record_setgcp_iam_policygcp_iam_rolegcp_kms_keygcp_kms_key_ringgcp_kms_key_versiongcp_kubernetes_clustergcp_kubernetes_node_poolgcp_logging_bucketgcp_logging_exclusiongcp_logging_log_entrygcp_logging_metricgcp_logging_sinkgcp_monitoring_alert_policygcp_monitoring_groupgcp_monitoring_notification_channelgcp_organizationgcp_projectgcp_project_organization_policygcp_project_servicegcp_pubsub_snapshotgcp_pubsub_subscriptiongcp_pubsub_topicgcp_redis_instancegcp_service_accountgcp_service_account_keygcp_sql_backupgcp_sql_databasegcp_sql_database_instancegcp_sql_database_instance_metric_connectionsgcp_sql_database_instance_metric_connections_dailygcp_sql_database_instance_metric_connections_hourlygcp_sql_database_instance_metric_cpu_utilizationgcp_sql_database_instance_metric_cpu_utilization_dailygcp_sql_database_instance_metric_cpu_utilization_hourlygcp_storage_bucketgcp_storage_objectgcp_tag_bindinggcp_vertex_ai_endpointgcp_vertex_ai_model
Table: gcp_compute_firewall - Query Google Cloud Compute Engine Firewalls using SQL
Google Cloud Compute Engine Firewalls are a networking security feature that allows you to control the traffic to your virtual machine instances. They provide a flexible and robust tool for securing your instances by defining what traffic is allowed to and from your instances. Firewalls are implemented at the network level and apply to all traffic that crosses the perimeter of the network.
Table Usage Guide
The gcp_compute_firewall table can be used to gain insights into firewall rules within Google Cloud Compute Engine. As a network security administrator or a DevOps engineer, you can explore details about each firewall rule, including allowed and denied configurations, network associations, and priority. Utilize it to identify firewall rules that may be overly permissive or misconfigured, enhancing your network security posture.
Examples
Firewall rules basic info
Explore which firewall rules are in place for your Google Cloud Platform (GCP) compute instances. This allows you to understand the direction of traffic flow and assess the overall security configuration.
select name, id, description, directionfrom gcp_compute_firewall;select name, id, description, directionfrom gcp_compute_firewall;List of rules which are applied to TCP protocol
Explore which firewall rules are applied specifically to the TCP protocol in your Google Cloud Platform. This will help in assessing network security and identifying potential vulnerabilities.
select name, id, p ->> 'IPProtocol' as ip_protocol, p ->> 'ports' as portsfrom gcp_compute_firewall, jsonb_array_elements(allowed) as pwhere p ->> 'IPProtocol' = 'tcp';select f.name, f.id, json_extract(p.value, '$.IPProtocol') as ip_protocol, json_extract(p.value, '$.ports') as portsfrom gcp_compute_firewall as f, json_each(allowed) as pwhere json_extract(p.value, '$.IPProtocol') = 'tcp';List of disabled rules
Determine the areas in which firewall rules are disabled to strengthen your security posture in Google Cloud Platform. This can assist in identifying potential vulnerabilities and maintaining robust network security.
select name, id, description, disabledfrom gcp_compute_firewallwhere disabled;select name, id, description, disabledfrom gcp_compute_firewallwhere disabled = 1;List of Egress rules
Explore which firewall rules in your Google Cloud Platform are set to allow outbound traffic. This can help understand your network's security posture and identify potential vulnerabilities.
select name, id, direction, allowed, deniedfrom gcp_compute_firewallwhere direction = 'EGRESS';select name, id, direction, allowed, deniedfrom gcp_compute_firewallwhere direction = 'EGRESS';Query examples
- compute_firewalls_for_compute_instance
- compute_firewalls_for_compute_instance_group
- compute_firewalls_for_compute_network
- compute_firewalls_for_kubernetes_cluster
- compute_instance_firewall_detail
- network_firewall_rules_count
- source_compute_firewalls_for_iam_service_account
- target_compute_firewalls_for_iam_service_account
Control examples
- 3.10 Ensure Firewall Rules for instances behind Identity Aware Proxy (IAP) only allow the traffic from Google Cloud Loadbalancer (GCLB) Health Check and Proxy Addresses
- 3.10 Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed'
- 3.10 Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed'
- 3.6 Ensure that SSH access is restricted from the internet
- 3.6 Ensure that SSH access is restricted from the internet
- 3.6 Ensure that SSH access is restricted from the internet
- 3.7 Ensure that RDP access is restricted from the Internet
- 3.7 Ensure that RDP access is restricted from the Internet
- 3.7 Ensure that RDP access is restricted from the Internet
- Check for open firewall rules allowing RDP from the internet
- Check for open firewall rules allowing SSH from the internet
- Check for open firewall rules allowing TCP/UDP from the internet
- Ensure Firewall Rules for instances behind Identity Aware Proxy (IAP) only allow the traffic from Google Cloud Loadbalancer (GCLB) Health Check and Proxy Addresses
- Ensure no open default firewall rules allow ingress from 0.0.00/0 to any port
- Ensure no open firewall rules allow ingress from 0.0.00/0 to any port
- Ensure no open firewall rules allow ingress from 0.0.00/0 to any port without any specific target
- Ensure no open firewall rules allow ingress from 0.0.00/0 to DNS port 53
- Ensure no open firewall rules allow ingress from 0.0.00/0 to FTP port 21
- Ensure no open firewall rules allow ingress from 0.0.00/0 to HTTP port 80
- Ensure no open firewall rules allow ingress from 0.0.00/0 to Microsoft DS port 445
- Ensure no open firewall rules allow ingress from 0.0.00/0 to MongoDB port 27017
- Ensure no open firewall rules allow ingress from 0.0.00/0 to MySQL DB port 3306
- Ensure no open firewall rules allow ingress from 0.0.00/0 to NetBIOS SSN port 139
- Ensure no open firewall rules allow ingress from 0.0.00/0 to Oracle DB port 1521
- Ensure no open firewall rules allow ingress from 0.0.00/0 to POP3 port 110
- Ensure no open firewall rules allow ingress from 0.0.00/0 to port 10250
- Ensure no open firewall rules allow ingress from 0.0.00/0 to port 10255
- Ensure no open firewall rules allow ingress from 0.0.00/0 to PostgreSQL port 5432
- Ensure no open firewall rules allow ingress from 0.0.00/0 to SMTP port 25
- Ensure no open firewall rules allow ingress from 0.0.00/0 to Telnet port 23
- GKE clusters should not allow incoming traffic from all sources across the internet
- Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed'
Schema for gcp_compute_firewall
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. | |
| action | text | Describes the type action specified by the rule. | |
| akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
| allowed | jsonb | The list of ALLOW rules specified by this firewall. | |
| creation_timestamp | timestamp with time zone | The creation timestamp of the resource. | |
| denied | jsonb | The list of DENY rules specified by this firewall. | |
| description | text | A user-specified, human-readable description of the firewall. | |
| destination_ranges | jsonb | A list of CIDR ranges. The firewall rule applies only to traffic that has destination IP address in these ranges. | |
| direction | text | !=, = | Direction of traffic to which this firewall applies. |
| disabled | boolean | !=, = | Indicates whether the firewall rule is disabled, or not. |
| id | bigint | The unique identifier for the resource. | |
| kind | text | Specifies the type of the resource. | |
| location | text | The GCP multi-region, region, or zone in which the resource is located. | |
| log_config_enable | boolean | Specifies whether to enable logging for a particular firewall rule, or not. | |
| log_config_metadata | text | Specifies whether to include or exclude metadata for firewall logs. | |
| name | text | = | A friendly name that identifies the resource. |
| network | text | The URL of the network resource for this firewall rule. | |
| priority | bigint | Specifies the priority for this rule. Relative priorities determine which rule takes effect if multiple rules apply. Lower values indicate higher priority. | |
| project | text | The GCP Project in which the resource is located. | |
| self_link | text | The server-defined URL for the resource. | |
| source_ranges | jsonb | A list of CIDR ranges. The firewall rule applies only to traffic originating from an instance with a service account in this list. | |
| source_service_accounts | jsonb | A list of service account. The firewall rule applies only to traffic that has a source IP address in these ranges. | |
| source_tags | jsonb | A list of tags. The firewall rule applies only to traffic with source IPs that match the primary network interfaces of VM instances that have the tag and are in the same VPC network. | |
| target_service_accounts | jsonb | A list of service accounts indicating sets of instances located in the network that may make network connections as specified in Allowed | |
| target_tags | jsonb | A list of tags that controls which instances the firewall rule applies to. | |
| title | text | Title of the resource. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcpYou can pass the configuration to the command with the --config argument:
steampipe_export_gcp --config '<your_config>' gcp_compute_firewall