VM IP Forwarding Not Restricted
ID: gcloud-org-ip-forwarding
Severity: medium
Author: princechaddha
Tags: cloud,devops,gcp,gcloud,resourcemanager,security,networking,ip-forwarding,gcp-cloud-config
Description
Section titled “Description”Ensure that the virtual machine (VM) instances allowed to use IP forwarding, that belong to your project, folder, or organization, are defined using the “Restrict VM IP Forwarding” policy. This constraint policy helps you improve security and achieve regulatory compliance by explicitly defining the resource name of the VM instances allowed to use IP forwarding.
YAML Source
Section titled “YAML Source”id: gcloud-org-ip-forwarding
info: name: VM IP Forwarding Not Restricted author: princechaddha severity: medium description: | Ensure that the virtual machine (VM) instances allowed to use IP forwarding, that belong to your project, folder, or organization, are defined using the "Restrict VM IP Forwarding" policy. This constraint policy helps you improve security and achieve regulatory compliance by explicitly defining the resource name of the VM instances allowed to use IP forwarding. impact: | By default, any virtual machine instance can enable IP forwarding in any VPC network. When IP forwarding is enabled on a VM's network interface, it allows the VM to act as a router and receive traffic addressed to other destinations, which could be exploited for malicious purposes. remediation: | Configure the "Restrict VM IP Forwarding" policy at the organization level to explicitly specify which VM instances can use IP forwarding. Use the format projects/<project-id>/zones/<instance-zone>/instances/<instance-name> or under: prefix for broader scopes. reference: - https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ResourceManager/enable-ip-forwarding-restriction-policy.html - https://cloud.google.com/vpc/docs/using-instance-ip-forwarding tags: cloud,devops,gcp,gcloud,resourcemanager,security,networking,ip-forwarding,gcp-cloud-config
flow: | code(1) for(let orgId of iterate(template.orgIds)){ set("orgId", orgId) code(2) }
self-contained: true
code: - engine: - sh - bash source: | gcloud organizations list --format="json(name)"
extractors: - type: json name: orgIds internal: true json: - '.[].name'
- engine: - sh - bash source: | gcloud alpha resource-manager org-policies describe compute.vmCanIpForward --organization=$orgId --effective --format="json(listPolicy.allValues)"
matchers: - type: word words: - "ALLOW"
extractors: - type: dsl dsl: - '"Organization " + orgId + " has not restricted VM IP forwarding, allowing any instance to act as a router"'# digest: 4b0a00483046022100a9c706069b51d6a531502e5a5c4a175fde39028e88cbbc0cbcbaed5904eafaa3022100ff33716ed3446d15482a57c2a5d1e4089dc0cb9f82b6711c2325192a5bf90717:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/gcp/resourcemanager/gcloud-org-ip-forwarding.yaml"