Insecure Configuration

Why is this important?

Google Cloud Deployment Manager is Google Cloud Platform's (GCP) native infrastructure-as-code service: resources are declared in YAML configurations (optionally generated from Jinja or Python templates) and created, updated and deleted together as a deployment. Official examples often follow security best practices by default, but not always. A template is usually written without knowledge of the environment it will be deployed into, so it cannot account for the larger picture, and some sample configurations are simply not written with security in mind.

Security Misconfiguration

SSH Access Is Not Restricted

Check whether a Google Cloud firewall rule allows SSH access (TCP port 22) from the Internet, that is, from 0.0.0.0/0 or another public CIDR block.

Option A: Make sure the default SSH port is not open

The properties of a compute.v1.firewall resource should not contain an ingress rule that combines:

  • an unrestricted source: sourceRanges containing 0.0.0.0/0 (or ::/0), or no sourceRanges, sourceTags or sourceServiceAccounts at all, since the Compute API then defaults sourceRanges to 0.0.0.0/0
  • with an allowed entry whose IPProtocol is tcp (or all) and whose ports list contains 22 or a range that includes it (for example 21-3390), or that omits ports entirely, which means every port of that protocol

Detailed Instructions

  1. Locate one of the following vulnerable patterns (SSH is TCP, so the protocol must be tcp; the Compute API does not accept a ports list for icmp):

    Vulnerable pattern (port 22 listed explicitly):

    resources:
    - name: firewall
      type: compute.v1.firewall
      properties:
        name: my-firewall
        sourceRanges:
        - "0.0.0.0/0"
        allowed:
        - IPProtocol: tcp
          ports:
          - "80"
          - "8080"
          - "1000-2000"
          - "22"

    Vulnerable pattern (port 22 hidden inside a range):

    resources:
    - name: firewall
      type: compute.v1.firewall
      properties:
        name: my-firewall
        sourceRanges:
        - "0.0.0.0/0"
        allowed:
        - IPProtocol: tcp
          ports:
          - "80"
          - "8080"
          - "1000-2000"
          - "21-3390"
  2. Remove port 22, and any range that covers it, from the rule. If SSH is genuinely needed, grant it in a separate rule whose sourceRanges is limited to trusted addresses (for example a bastion or Identity-Aware Proxy range) rather than 0.0.0.0/0:

    Replacement pattern:

    resources:
    - name: firewall
      type: compute.v1.firewall
      properties:
        name: my-firewall
        allowed:
        - IPProtocol: tcp
          ports:
          - "80"
          - "8080"
          - "1000-2000"
  3. Test it: after deploying, confirm with gcloud compute firewall-rules list that no rule in the network still allows tcp:22 from 0.0.0.0/0

  4. Ship it 🚢 and relax 🌴
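Checking templates by hand does not scale, and the rule above has edge cases that are easy to miss when eyeballing YAML: a range that silently includes 22, a rule with no source selector at all (which the Compute API treats as 0.0.0.0/0), a tcp entry with no ports list (every port), and the IPv6 wildcard ::/0. The Python script below is an added example written for this page; it is not Deployment Manager code or an official Google tool. It walks a parsed Deployment Manager configuration and reports compute.v1.firewall resources that expose TCP/22 to the Internet, covering the page's two patterns and the extra cases just listed. All sample configurations, the firewall_config helper and the resource names are constructed for the example; in practice the config dict would come from yaml.safe_load (PyYAML) rather than being embedded. The hardened sample restricts SSH to 35.235.240.0/20, the TCP-forwarding range Google documents for Identity-Aware Proxy, as one way to keep SSH reachable without opening it to the world.

```python
"""Flag Deployment Manager firewall rules that expose SSH (TCP/22) to the Internet.

Added example, not Deployment Manager code or an official Google tool. In practice
the config would come from yaml.safe_load (PyYAML); here the configs are embedded
as already-parsed dictionaries (constructed samples) so this runs offline with no
third-party dependency.
"""

PUBLIC_SOURCES = {"0.0.0.0/0", "::/0"}
SSH_PORT = 22


def covers_port(port_spec, port):
    """True if a ports[] entry, a single port "22" or a range "21-3390", includes port."""
    spec = str(port_spec).strip()
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def source_is_public(props):
    """An ingress rule is open to the Internet if sourceRanges includes 0.0.0.0/0
    or ::/0, or if no source selector is given at all: when sourceRanges,
    sourceTags and sourceServiceAccounts are all absent, the Compute API defaults
    sourceRanges to 0.0.0.0/0."""
    ranges = props.get("sourceRanges")
    if ranges:
        return any(str(r).strip() in PUBLIC_SOURCES for r in ranges)
    return not (props.get("sourceTags") or props.get("sourceServiceAccounts"))


def allows_ssh(allowed):
    """True if any allowed[] entry permits TCP/22: protocol tcp (or 6) or all,
    with either no ports[] (meaning every port) or an entry covering 22."""
    for entry in allowed or []:
        proto = str(entry.get("IPProtocol", "")).lower()
        if proto not in ("tcp", "6", "all"):
            continue
        ports = entry.get("ports")
        if not ports or any(covers_port(p, SSH_PORT) for p in ports):
            return True
    return False


def find_exposed_ssh(config):
    """Names of compute.v1.firewall resources in a parsed DM config that expose SSH."""
    findings = []
    for res in config.get("resources", []):
        if res.get("type") != "compute.v1.firewall":
            continue
        props = res.get("properties", {})
        # Egress and disabled rules cannot admit inbound SSH, so skip them.
        if props.get("disabled") or props.get("direction", "INGRESS").upper() != "INGRESS":
            continue
        if source_is_public(props) and allows_ssh(props.get("allowed")):
            findings.append(props.get("name", res.get("name")))
    return findings


def firewall_config(name, allowed, **extra):
    """Build a one-resource DM config dict (constructed sample helper, hypothetical)."""
    props = {"name": name, "allowed": allowed}
    props.update(extra)
    return {"resources": [{"name": name, "type": "compute.v1.firewall", "properties": props}]}


# Constructed samples, not taken from any real deployment.
SAMPLES = {
    # The page's second pattern: a range that silently includes 22.
    "range-covers-22": firewall_config(
        "range-covers-22", [{"IPProtocol": "tcp", "ports": ["80", "21-3390"]}],
        sourceRanges=["0.0.0.0/0"]),
    # No source selector at all: the API defaults to 0.0.0.0/0.
    "default-source": firewall_config(
        "default-source", [{"IPProtocol": "tcp", "ports": ["22"]}]),
    # tcp with no ports list means every TCP port, including 22.
    "all-tcp": firewall_config(
        "all-tcp", [{"IPProtocol": "tcp"}], sourceRanges=["::/0"]),
    # Hardened: SSH only from Google's documented IAP TCP-forwarding range.
    "iap-ssh": firewall_config(
        "iap-ssh", [{"IPProtocol": "tcp", "ports": ["22"]}],
        sourceRanges=["35.235.240.0/20"]),
    # Source restricted by network tag, so the sourceRanges default does not apply.
    "tagged-ssh": firewall_config(
        "tagged-ssh", [{"IPProtocol": "tcp", "ports": ["22"]}],
        sourceTags=["bastion"]),
    # Port 22 removed entirely, as in the page's replacement pattern.
    "web-only": firewall_config(
        "web-only", [{"IPProtocol": "tcp", "ports": ["80", "8080", "1000-2000"]}],
        sourceRanges=["0.0.0.0/0"]),
}


if __name__ == "__main__":
    for label, cfg in SAMPLES.items():
        verdict = "EXPOSED" if find_exposed_ssh(cfg) else "ok"
        print(f"{label:16} {verdict}")
```

Run as a script it prints one verdict per sample; the first three are reported as exposed, the last three pass. The check is deliberately conservative about the source side: a rule with neither sourceRanges nor any tag or service-account selector is treated as 0.0.0.0/0, because that is what the API will do when the deployment is created.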

References

More information: