Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var CheckDiskEncryptionCustomerKey = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0034", Provider: providers.GoogleProvider, Service: "compute", ShortCode: "disk-encryption-customer-key", Summary: "Disks should be encrypted with customer managed encryption keys", Impact: "Using unmanaged keys does not allow for proper key management.", Resolution: "Use managed keys to encrypt disks.", Explanation: `Using unmanaged keys makes rotation and general management difficult.`, Links: []string{}, Terraform: &scan.EngineMetadata{ GoodExamples: terraformDiskEncryptionCustomerKeyGoodExamples, BadExamples: terraformDiskEncryptionCustomerKeyBadExamples, Links: terraformDiskEncryptionCustomerKeyLinks, RemediationMarkdown: terraformDiskEncryptionCustomerKeyRemediationMarkdown, }, Severity: severity.Low, }, func(s *state.State) (results scan.Results) { for _, disk := range s.Google.Compute.Disks { if disk.Metadata.IsUnmanaged() { continue } if disk.Encryption.KMSKeyLink.IsEmpty() { results.Add( "Disk is not encrypted with a customer managed key.", disk.Encryption.KMSKeyLink, ) } else { results.AddPassed(&disk) } } return }, )
View Source
var CheckDiskEncryptionRequired = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0037", Provider: providers.GoogleProvider, Service: "compute", ShortCode: "disk-encryption-no-plaintext-key", Summary: "The encryption key used to encrypt a compute disk has been specified in plaintext.", Impact: "The encryption key should be considered compromised as it is not stored securely.", Resolution: "Reference a managed key rather than include the key in raw format.", Explanation: `Sensitive values such as raw encryption keys should not be included in your Terraform code, and should be stored securely by a secrets manager.`, Links: []string{ "https://cloud.google.com/compute/docs/disks/customer-supplied-encryption", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformDiskEncryptionNoPlaintextKeyGoodExamples, BadExamples: terraformDiskEncryptionNoPlaintextKeyBadExamples, Links: terraformDiskEncryptionNoPlaintextKeyLinks, RemediationMarkdown: terraformDiskEncryptionNoPlaintextKeyRemediationMarkdown, }, Severity: severity.Critical, }, func(s *state.State) (results scan.Results) { for _, instance := range s.Google.Compute.Instances { for _, disk := range append(instance.BootDisks, instance.AttachedDisks...) { if disk.Encryption.RawKey.Len() > 0 { results.Add( "Instance disk has encryption key provided in plaintext.", disk.Encryption.RawKey, ) } else { results.AddPassed(&disk) } } } for _, disk := range s.Google.Compute.Disks { if disk.Encryption.RawKey.Len() > 0 { results.Add( "Disk encryption key is supplied in plaintext.", disk.Encryption.RawKey, ) } else { results.AddPassed(&disk) } } return }, )
View Source
var CheckEnableShieldedVMIntegrityMonitoring = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0045", Provider: providers.GoogleProvider, Service: "compute", ShortCode: "enable-shielded-vm-im", Summary: "Instances should have Shielded VM integrity monitoring enabled", Impact: "No visibility of VM instance boot state.", Resolution: "Enable Shielded VM Integrity Monitoring", Explanation: `Integrity monitoring helps you understand and make decisions about the state of your VM instances.`, Links: []string{ "https://cloud.google.com/security/shielded-cloud/shielded-vm#integrity-monitoring", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformEnableShieldedVmImGoodExamples, BadExamples: terraformEnableShieldedVmImBadExamples, Links: terraformEnableShieldedVmImLinks, RemediationMarkdown: terraformEnableShieldedVmImRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results scan.Results) { for _, instance := range s.Google.Compute.Instances { if instance.Metadata.IsUnmanaged() { continue } if instance.ShieldedVM.IntegrityMonitoringEnabled.IsFalse() { results.Add( "Instance does not have shielded VM integrity monitoring enabled.", instance.ShieldedVM.IntegrityMonitoringEnabled, ) } else { results.AddPassed(&instance) } } return }, )
View Source
var CheckEnableShieldedVMSecureBoot = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0067", Provider: providers.GoogleProvider, Service: "compute", ShortCode: "enable-shielded-vm-sb", Summary: "Instances should have Shielded VM secure boot enabled", Impact: "Unable to verify digital signature of boot components, and unable to stop the boot process if verificaiton fails.", Resolution: "Enable Shielded VM secure boot", Explanation: `Secure boot helps ensure that the system only runs authentic software.`, Links: []string{ "https://cloud.google.com/security/shielded-cloud/shielded-vm#secure-boot", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformEnableShieldedVmSbGoodExamples, BadExamples: terraformEnableShieldedVmSbBadExamples, Links: terraformEnableShieldedVmSbLinks, RemediationMarkdown: terraformEnableShieldedVmSbRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results scan.Results) { for _, instance := range s.Google.Compute.Instances { if instance.Metadata.IsUnmanaged() { continue } if instance.ShieldedVM.SecureBootEnabled.IsFalse() { results.Add( "Instance does not have shielded VM secure boot enabled.", instance.ShieldedVM.SecureBootEnabled, ) } else { results.AddPassed(&instance) } } return }, )
View Source
var CheckEnableShieldedVMVTPM = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0041", Provider: providers.GoogleProvider, Service: "compute", ShortCode: "enable-shielded-vm-vtpm", Summary: "Instances should have Shielded VM VTPM enabled", Impact: "Unable to prevent unwanted system state modification", Resolution: "Enable Shielded VM VTPM", Explanation: `The virtual TPM provides numerous security measures to your VM.`, Links: []string{ "https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformEnableShieldedVmVtpmGoodExamples, BadExamples: terraformEnableShieldedVmVtpmBadExamples, Links: terraformEnableShieldedVmVtpmLinks, RemediationMarkdown: terraformEnableShieldedVmVtpmRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results scan.Results) { for _, instance := range s.Google.Compute.Instances { if instance.Metadata.IsUnmanaged() { continue } if instance.ShieldedVM.VTPMEnabled.IsFalse() { results.Add( "Instance does not have VTPM for shielded VMs enabled.", instance.ShieldedVM.VTPMEnabled, ) } else { results.AddPassed(&instance) } } return }, )
View Source
var CheckEnableVPCFlowLogs = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0029", Provider: providers.GoogleProvider, Service: "compute", ShortCode: "enable-vpc-flow-logs", Summary: "VPC flow logs should be enabled for all subnetworks", Impact: "Limited auditing capability and awareness", Resolution: "Enable VPC flow logs", Explanation: `VPC flow logs record information about all traffic, which is a vital tool in reviewing anomalous traffic.`, Links: []string{}, Terraform: &scan.EngineMetadata{ GoodExamples: terraformEnableVpcFlowLogsGoodExamples, BadExamples: terraformEnableVpcFlowLogsBadExamples, Links: terraformEnableVpcFlowLogsLinks, RemediationMarkdown: terraformEnableVpcFlowLogsRemediationMarkdown, }, Severity: severity.Low, }, func(s *state.State) (results scan.Results) { for _, network := range s.Google.Compute.Networks { for _, subnetwork := range network.Subnetworks { if subnetwork.EnableFlowLogs.IsFalse() { results.Add( "Subnetwork does not have VPC flow logs enabled.", subnetwork.EnableFlowLogs, ) } else { results.AddPassed(&subnetwork) } } } return }, )
View Source
var CheckInstancesDoNotHavePublicIPs = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0031", Provider: providers.GoogleProvider, Service: service, ShortCode: "no-public-ip", Summary: "Instances should not have public IP addresses", Impact: "Direct exposure of an instance to the public internet", Resolution: "Remove public IP", Explanation: `Instances should not be publicly exposed to the internet`, Terraform: &scan.EngineMetadata{ GoodExamples: terraformNoPublicIpGoodExamples, BadExamples: terraformNoPublicIpBadExamples, Links: terraformNoPublicIpLinks, RemediationMarkdown: terraformNoPublicIpRemediationMarkdown, }, Severity: severity.High, Links: []string{ "https://cloud.google.com/compute/docs/ip-addresses#externaladdresses", }, }, func(s *state.State) (results scan.Results) { for _, instance := range s.Google.Compute.Instances { for _, networkInterface := range instance.NetworkInterfaces { if networkInterface.HasPublicIP.IsTrue() { results.Add( "Instance has a public IP allocated.", networkInterface.HasPublicIP, ) } else { results.AddPassed(&networkInterface) } } } return results }, )
View Source
var CheckNoDefaultServiceAccount = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0044", Provider: providers.GoogleProvider, Service: "compute", ShortCode: "no-default-service-account", Summary: "Instances should not use the default service account", Impact: "Instance has full access to the project", Resolution: "Remove use of default service account", Explanation: `The default service account has full project access. Instances should instead be assigned the minimal access they need.`, Links: []string{}, Terraform: &scan.EngineMetadata{ GoodExamples: terraformNoDefaultServiceAccountGoodExamples, BadExamples: terraformNoDefaultServiceAccountBadExamples, Links: terraformNoDefaultServiceAccountLinks, RemediationMarkdown: terraformNoDefaultServiceAccountRemediationMarkdown, }, Severity: severity.Critical, }, func(s *state.State) (results scan.Results) { for _, instance := range s.Google.Compute.Instances { if instance.Metadata.IsUnmanaged() { continue } if instance.ServiceAccount.IsDefault.IsTrue() { results.Add( "Instance uses the default service account.", instance.ServiceAccount.Email, ) } else { results.AddPassed(&instance) } } return }, )
View Source
var CheckNoIpForwarding = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0043", Provider: providers.GoogleProvider, Service: "compute", ShortCode: "no-ip-forwarding", Summary: "Instances should not have IP forwarding enabled", Impact: "Instance can send/receive packets without the explicit instance address", Resolution: "Disable IP forwarding", Explanation: `Disabling IP forwarding ensures the instance can only receive packets addressed to the instance and can only send packets with a source address of the instance.`, Links: []string{}, Terraform: &scan.EngineMetadata{ GoodExamples: terraformNoIpForwardingGoodExamples, BadExamples: terraformNoIpForwardingBadExamples, Links: terraformNoIpForwardingLinks, RemediationMarkdown: terraformNoIpForwardingRemediationMarkdown, }, Severity: severity.High, }, func(s *state.State) (results scan.Results) { for _, instance := range s.Google.Compute.Instances { if instance.Metadata.IsUnmanaged() { continue } if instance.CanIPForward.IsTrue() { results.Add( "Instance has IP forwarding allowed.", instance.CanIPForward, ) } else { results.AddPassed(&instance) } } return }, )
View Source
var CheckNoOsloginOverride = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0036", Provider: providers.GoogleProvider, Service: "compute", ShortCode: "no-oslogin-override", Summary: "Instances should not override the project setting for OS Login", Impact: "Access via SSH key cannot be revoked automatically when an IAM user is removed.", Resolution: "Enable OS Login at project level and remove instance-level overrides", Explanation: `OS Login automatically revokes the relevant SSH keys when an IAM user has their access revoked.`, Links: []string{}, Terraform: &scan.EngineMetadata{ GoodExamples: terraformNoOsloginOverrideGoodExamples, BadExamples: terraformNoOsloginOverrideBadExamples, Links: terraformNoOsloginOverrideLinks, RemediationMarkdown: terraformNoOsloginOverrideRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results scan.Results) { for _, instance := range s.Google.Compute.Instances { if instance.Metadata.IsUnmanaged() { continue } if instance.OSLoginEnabled.IsFalse() { results.Add( "Instance has OS Login disabled.", instance.OSLoginEnabled, ) } else { results.AddPassed(&instance) } } return }, )
View Source
var CheckNoProjectWideSshKeys = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0030", Provider: providers.GoogleProvider, Service: "compute", ShortCode: "no-project-wide-ssh-keys", Summary: "Disable project-wide SSH keys for all instances", Impact: "Compromise of a single key pair compromises all instances", Resolution: "Disable project-wide SSH keys", Explanation: `Use of project-wide SSH keys means that a compromise of any one of these key pairs can result in all instances being compromised. It is recommended to use instance-level keys.`, Links: []string{}, Terraform: &scan.EngineMetadata{ GoodExamples: terraformNoProjectWideSshKeysGoodExamples, BadExamples: terraformNoProjectWideSshKeysBadExamples, Links: terraformNoProjectWideSshKeysLinks, RemediationMarkdown: terraformNoProjectWideSshKeysRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results scan.Results) { for _, instance := range s.Google.Compute.Instances { if instance.Metadata.IsUnmanaged() { continue } if instance.EnableProjectSSHKeyBlocking.IsFalse() { results.Add( "Instance allows use of project-level SSH keys.", instance.EnableProjectSSHKeyBlocking, ) } else { results.AddPassed(&instance) } } return }, )
View Source
var CheckNoPublicEgress = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0035", Provider: providers.GoogleProvider, Service: "compute", ShortCode: "no-public-egress", Summary: "An outbound firewall rule allows traffic to /0.", Impact: "The port is exposed for egress to the internet", Resolution: "Set a more restrictive cidr range", Explanation: `Network security rules should not use very broad subnets. Where possible, segments should be broken into smaller subnets and avoid using the <code>/0</code> subnet.`, Links: []string{ "https://cloud.google.com/vpc/docs/using-firewalls", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformNoPublicEgressGoodExamples, BadExamples: terraformNoPublicEgressBadExamples, Links: terraformNoPublicEgressLinks, RemediationMarkdown: terraformNoPublicEgressRemediationMarkdown, }, Severity: severity.Critical, }, func(s *state.State) (results scan.Results) { for _, network := range s.Google.Compute.Networks { if network.Firewall == nil { continue } for _, rule := range network.Firewall.EgressRules { if !rule.IsAllow.IsTrue() { continue } if rule.Enforced.IsFalse() { continue } for _, destination := range rule.DestinationRanges { if cidr.IsPublic(destination.Value()) && cidr.CountAddresses(destination.Value()) > 1 { results.Add( "Firewall rule allows egress traffic to multiple addresses on the public internet.", destination, ) } else { results.AddPassed(destination) } } } } return }, )
View Source
var CheckNoPublicIngress = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0027", Provider: providers.GoogleProvider, Service: "compute", ShortCode: "no-public-ingress", Summary: "An inbound firewall rule allows traffic from /0.", Impact: "The port is exposed for ingress from the internet", Resolution: "Set a more restrictive cidr range", Explanation: `Network security rules should not use very broad subnets. Where possible, segments should be broken into smaller subnets and avoid using the <code>/0</code> subnet.`, Links: []string{ "https://cloud.google.com/vpc/docs/using-firewalls", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformNoPublicIngressGoodExamples, BadExamples: terraformNoPublicIngressBadExamples, Links: terraformNoPublicIngressLinks, RemediationMarkdown: terraformNoPublicIngressRemediationMarkdown, }, Severity: severity.Critical, }, func(s *state.State) (results scan.Results) { for _, network := range s.Google.Compute.Networks { if network.Firewall == nil { continue } if len(network.Firewall.SourceTags) > 0 && len(network.Firewall.TargetTags) > 0 { continue } for _, rule := range network.Firewall.IngressRules { if !rule.IsAllow.IsTrue() { continue } if rule.Enforced.IsFalse() { continue } for _, source := range rule.SourceRanges { if cidr.IsPublic(source.Value()) && cidr.CountAddresses(source.Value()) > 1 { results.Add( "Firewall rule allows ingress traffic from multiple addresses on the public internet.", source, ) } else { results.AddPassed(source) } } } } return }, )
View Source
var CheckNoSerialPort = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0032", Provider: providers.GoogleProvider, Service: "compute", ShortCode: "no-serial-port", Summary: "Disable serial port connectivity for all instances", Impact: "Unrestricted network access to the serial console of the instance", Resolution: "Disable serial port access", Explanation: `When serial port access is enabled, the access is not governed by network security rules meaning the port can be exposed publicly.`, Links: []string{}, Terraform: &scan.EngineMetadata{ GoodExamples: terraformNoSerialPortGoodExamples, BadExamples: terraformNoSerialPortBadExamples, Links: terraformNoSerialPortLinks, RemediationMarkdown: terraformNoSerialPortRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results scan.Results) { for _, instance := range s.Google.Compute.Instances { if instance.Metadata.IsUnmanaged() { continue } if instance.EnableSerialPort.IsTrue() { results.Add( "Instance has serial port enabled.", instance.EnableSerialPort, ) } else { results.AddPassed(&instance) } } return }, )
View Source
var CheckProjectLevelOslogin = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0042", Provider: providers.GoogleProvider, Service: "compute", ShortCode: "project-level-oslogin", Summary: "OS Login should be enabled at project level", Impact: "Access via SSH key cannot be revoked automatically when an IAM user is removed.", Resolution: "Enable OS Login at project level", Explanation: `OS Login automatically revokes the relevant SSH keys when an IAM user has their access revoked.`, Links: []string{}, Terraform: &scan.EngineMetadata{ GoodExamples: terraformProjectLevelOsloginGoodExamples, BadExamples: terraformProjectLevelOsloginBadExamples, Links: terraformProjectLevelOsloginLinks, RemediationMarkdown: terraformProjectLevelOsloginRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results scan.Results) { if s.Google.Compute.ProjectMetadata.Metadata.IsManaged() { if s.Google.Compute.ProjectMetadata.EnableOSLogin.IsFalse() { results.Add( "OS Login is disabled at project level.", s.Google.Compute.ProjectMetadata.EnableOSLogin, ) } else { results.AddPassed(&s.Google.Compute.ProjectMetadata) } } return }, )
View Source
var CheckUseSecureTlsPolicy = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0039", Provider: providers.GoogleProvider, Service: "compute", ShortCode: "use-secure-tls-policy", Summary: "SSL policies should enforce secure versions of TLS", Impact: "Data in transit is not sufficiently secured", Resolution: "Enforce a minimum TLS version of 1.2", Explanation: `TLS versions prior to 1.2 are outdated and insecure. You should use 1.2 as aminimum version.`, Links: []string{}, Terraform: &scan.EngineMetadata{ GoodExamples: terraformUseSecureTlsPolicyGoodExamples, BadExamples: terraformUseSecureTlsPolicyBadExamples, Links: terraformUseSecureTlsPolicyLinks, RemediationMarkdown: terraformUseSecureTlsPolicyRemediationMarkdown, }, Severity: severity.Critical, }, func(s *state.State) (results scan.Results) { for _, policy := range s.Google.Compute.SSLPolicies { if policy.Metadata.IsUnmanaged() { continue } if policy.MinimumTLSVersion.NotEqualTo("TLS_1_2") { results.Add( "TLS policy does not specify a minimum of TLS 1.2", policy.MinimumTLSVersion, ) } else { results.AddPassed(&policy) } } return }, )
View Source
var CheckVmDiskEncryptionCustomerKey = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0033", Provider: providers.GoogleProvider, Service: "compute", ShortCode: "vm-disk-encryption-customer-key", Summary: "VM disks should be encrypted with Customer Supplied Encryption Keys", Impact: "Using unmanaged keys does not allow for proper management", Resolution: "Use managed keys ", Explanation: `Using unmanaged keys makes rotation and general management difficult.`, Links: []string{}, Terraform: &scan.EngineMetadata{ GoodExamples: terraformVmDiskEncryptionCustomerKeyGoodExamples, BadExamples: terraformVmDiskEncryptionCustomerKeyBadExamples, Links: terraformVmDiskEncryptionCustomerKeyLinks, RemediationMarkdown: terraformVmDiskEncryptionCustomerKeyRemediationMarkdown, }, Severity: severity.Low, }, func(s *state.State) (results scan.Results) { for _, instance := range s.Google.Compute.Instances { for _, disk := range append(instance.BootDisks, instance.AttachedDisks...) { if disk.Encryption.KMSKeyLink.IsEmpty() { results.Add( "Instance disk encryption does not use a customer managed key.", disk.Encryption.KMSKeyLink, ) } else { results.AddPassed(&disk) } } } return }, )
Functions ¶
This section is empty.
Types ¶
This section is empty.
Source Files
¶
- disk_encryption_customer_key.go
- disk_encryption_customer_key.tf.go
- disk_encryption_no_plaintext_key.go
- disk_encryption_no_plaintext_key.tf.go
- enable_shielded_vm_im.go
- enable_shielded_vm_im.tf.go
- enable_shielded_vm_sb.go
- enable_shielded_vm_sb.tf.go
- enable_shielded_vm_vtpm.go
- enable_shielded_vm_vtpm.tf.go
- enable_vpc_flow_logs.go
- enable_vpc_flow_logs.tf.go
- no_default_service_account.go
- no_default_service_account.tf.go
- no_ip_forwarding.go
- no_ip_forwarding.tf.go
- no_oslogin_override.go
- no_oslogin_override.tf.go
- no_project_wide_ssh_keys.go
- no_project_wide_ssh_keys.tf.go
- no_public_egress.go
- no_public_egress.tf.go
- no_public_ingress.go
- no_public_ingress.tf.go
- no_public_ip.go
- no_public_ip.tf.go
- no_serial_port.go
- no_serial_port.tf.go
- project_level_oslogin.go
- project_level_oslogin.tf.go
- service.go
- use_secure_tls_policy.go
- use_secure_tls_policy.tf.go
- vm_disk_encryption_customer_key.go
- vm_disk_encryption_customer_key.tf.go
Click to show internal directories.
Click to hide internal directories.