VPN Peer IP Addresses Not Restricted
ID: gcloud-org-vpn-peer-ips
Severity: medium
Author: princechaddha
Tags: cloud,devops,gcp,gcloud,resourcemanager,security,networking,vpn,gcp-cloud-config
Description
Section titled “Description”Ensure that only trusted IPv4 addresses can be configured as VPN peer IPs within your Google Cloud organization. By enforcing the “Restrict VPN Peer IPs” constraint policy, you can control the IP addresses that can be configured as VPN peer IPs within your Google Cloud organization in order to meet security and compliance requirements.
YAML Source
Section titled “YAML Source”id: gcloud-org-vpn-peer-ips
info: name: VPN Peer IP Addresses Not Restricted author: princechaddha severity: medium description: | Ensure that only trusted IPv4 addresses can be configured as VPN peer IPs within your Google Cloud organization. By enforcing the "Restrict VPN Peer IPs" constraint policy, you can control the IP addresses that can be configured as VPN peer IPs within your Google Cloud organization in order to meet security and compliance requirements. impact: | By default, any IP address can be a VPN peer IP for a Virtual Private Cloud (VPC) network. Without restrictions, this could allow unauthorized or malicious networks to establish VPN connections with your VPC. remediation: | Configure the "Restrict VPN Peer IPs" policy at the organization level to explicitly specify which IPv4 addresses can be configured as VPN peer IPs. Use space-separated IP addresses in the policy configuration. reference: - https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ResourceManager/restrict-vpn-peer-ips.html - https://cloud.google.com/vpc/docs/using-vpn tags: cloud,devops,gcp,gcloud,resourcemanager,security,networking,vpn,gcp-cloud-config
flow: | code(1) for(let orgId of iterate(template.orgIds)){ set("orgId", orgId) code(2) }
self-contained: true
code: - engine: - sh - bash source: | gcloud organizations list --format="json(name)"
extractors: - type: json name: orgIds internal: true json: - '.[].name'
- engine: - sh - bash source: | gcloud alpha resource-manager org-policies describe compute.restrictVpnPeerIPs --organization=$orgId --effective --format="json(listPolicy.allValues)"
matchers: - type: word words: - "ALLOW"
extractors: - type: dsl dsl: - '"Organization " + orgId + " has not restricted VPN peer IP addresses, allowing any IP to be configured as a VPN peer"'# digest: 4a0a004730450220760c65072a3b56239cad505050dab2d14e235acfd25afad31ee03cfbe7be2747022100ceb3ce394ae0c2de1dc76a84edaa0a8ec9d6a304606712cdd0e6507bb66b9dfa:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/gcp/resourcemanager/gcloud-org-vpn-peer-ips.yaml"