Cloud NAT Not Enabled for Private Subnets
ID: gcloud-nat-private-subnet-disabled
Severity: medium
Author: princechaddha
Tags: cloud,devops,gcp,gcloud,google-cloud-nat,gcp-cloud-config
Description
Section titled “Description”Ensure that Cloud NAT is enabled for all private VPC subnets that require outbound access. Cloud NAT enables your VMs and container pods to establish outbound connections to the Internet or other Virtual Private Cloud (VPC) networks. It utilizes a Cloud NAT gateway to manage these connections efficiently.
YAML Source
Section titled “YAML Source”id: gcloud-nat-private-subnet-disabled
info: name: Cloud NAT Not Enabled for Private Subnets author: princechaddha severity: medium description: | Ensure that Cloud NAT is enabled for all private VPC subnets that require outbound access. Cloud NAT enables your VMs and container pods to establish outbound connections to the Internet or other Virtual Private Cloud (VPC) networks. It utilizes a Cloud NAT gateway to manage these connections efficiently. impact: | If Cloud NAT is not enabled, private subnets may not have outbound access, leading to connectivity issues and potential misconfigurations for workloads requiring internet or inter-network communication. remediation: | Configure Cloud NAT for all private subnets that require outbound access. Use Compute Engine routers to define NAT configuration and associate them with your VPC subnets. reference: - https://cloud.google.com/nat/docs/overview tags: cloud,devops,gcp,gcloud,google-cloud-nat,gcp-cloud-config
flow: | code(1) for(let projectId of iterate(template.projectIds)){ set("projectId", projectId) code(2) for(let networkName of iterate(template.networks)){ set("networkName", networkName) code(3) for(let subnetDetail of iterate(template.subnets)){ set("subnetDetail", subnetDetail) code(4) } code(5) for(let natGateway of iterate(template.natGateways)){ set("natGateway", natGateway) javascript(1) } } }
self-contained: true
code: - engine: - sh - bash source: | gcloud projects list --format="json(projectId)"
extractors: - type: json name: projectIds internal: true json: - '.[].projectId'
- engine: - sh - bash source: | gcloud compute networks list --project $projectId --format="json(name)"
extractors: - type: json name: networks internal: true json: - '.[].name'
- engine: - sh - bash source: | gcloud compute networks subnets list --network=$networkName --project=$projectId --format="json(selfLink,privateIpGoogleAccess)"
extractors: - type: json name: subnets internal: true json: - '.[] | {selfLink, privateIpGoogleAccess}'
- engine: - sh - bash source: | gcloud compute routers list --project=$projectId --filter="network:($networkName)" --format="json(name,region)"
extractors: - type: json name: routers internal: true json: - '.[] | {name, region}'
- engine: - sh - bash source: | gcloud compute routers nats list --router=$router.name --region=$router.region --format="json(name,subnetworks)"
extractors: - type: json name: natGateways internal: true json: - '.[] | {name, subnetworks}'
javascript: - code: | let subnet = template.subnetDetail; let natGateways = template.natGateways; let privateIpGoogleAccess = subnet.privateIpGoogleAccess;
if (privateIpGoogleAccess === "true") { let natEnabled = natGateways.some(gw => gw.subnetworks.includes(subnet.selfLink)); if (!natEnabled) { Export(`Cloud NAT is not enabled for private subnet: ${subnet.selfLink} in project: ${template.projectId}`); } }
extractors: - type: dsl dsl: - response# digest: 490a00463044022010d2a3557469225826eba4a0c8fba27724c5a25126213da6293371db9dd971e90220316e982fbec97caa7003b86431b4cd4226fe0c54be0893ff5fd2dd06cf541b4b:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/gcp/nat/gcloud-nat-private-subnet-disabled.yaml"