Private Service Connect Endpoints Not Configured
ID: gcloud-vpc-private-service-connect
Severity: medium
Author: princechaddha
Tags: cloud,devops,gcp,gcloud,vpc,networking,security,psc,gcp-cloud-config
Description
Section titled “Description”Ensure that Private Service Connect (PSC) endpoints are configured for your Virtual Private Cloud (VPC) networks. Private Service Connect creates a secure, private tunnel between your VPC network and Google’s services (or your own services in another VPC) so traffic never touches the public internet. This enhances security and avoids complexities of managing public connections.
YAML Source
Section titled “YAML Source”id: gcloud-vpc-private-service-connect
info: name: Private Service Connect Endpoints Not Configured author: princechaddha severity: medium description: | Ensure that Private Service Connect (PSC) endpoints are configured for your Virtual Private Cloud (VPC) networks. Private Service Connect creates a secure, private tunnel between your VPC network and Google's services (or your own services in another VPC) so traffic never touches the public internet. This enhances security and avoids complexities of managing public connections. impact: | Without Private Service Connect endpoints, traffic between your VPC and Google services may traverse the public internet, potentially exposing your services to security risks and performance issues. remediation: | Configure Private Service Connect endpoints for your VPC networks using either the Google Cloud Console or gcloud CLI. Use the 'gcloud compute forwarding-rules create' command with appropriate parameters to set up PSC endpoints. reference: - https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/VPC/vpc-with-private-service-connect-endpoints.html - https://cloud.google.com/vpc/docs/private-service-connect tags: cloud,devops,gcp,gcloud,vpc,networking,security,psc,gcp-cloud-config
flow: | code(1) for(let projectId of iterate(template.projectIds)){ set("projectId", projectId) code(2) }
self-contained: true
code: - engine: - sh - bash source: | gcloud projects list --format="json(projectId)"
extractors: - type: json name: projectIds internal: true json: - '.[].projectId'
- engine: - sh - bash source: | gcloud compute forwarding-rules list --project=$projectId --filter="target~serviceAttachments" --format="json(name)"
matchers: - type: word words: - "[]"
extractors: - type: dsl dsl: - '"Project " + projectId + " has no Private Service Connect endpoints configured"'# digest: 490a004630440220193adfbc3ad89cd8cdf6ae8283d4f8c14948fae1710ed79e1612788016f8e6d802200aa8ebf5f629f456af0fe3212421be9d01ab0da62c12d0b6cd9ef0f21c895b6c:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/gcp/vpc/gcloud-vpc-private-service-connect.yaml"