Details
Access to VMs should be restricted by firewall rules that allow only IAP traffic, that is, only connections proxied by IAP. To ensure that load balancing works correctly, health checks should also be allowed.
Rationale:
IAP ensures that access to VMs is controlled by authenticating incoming requests. However, if the VM is still reachable from IP addresses other than IAP's, it may still be possible to send unauthenticated requests to the instance. Care must be taken to ensure that load balancer health checks are not blocked, as this would stop the load balancer from correctly determining the health of the VM and balancing load correctly.
Impact:
If firewall rules are not configured correctly, legitimate business services could be negatively impacted.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
From the Console:
1. Go to the Cloud Console VPC network > Firewall rules.
2. Select the checkbox next to the following rules:
   - default-allow-http
   - default-allow-https
   - default-allow-internal
3. Click Delete.
4. Click Create firewall rule and set the following values:
   - Name: allow-iap-traffic
   - Targets: All instances in the network
   - Source IP ranges (press Enter after you paste each value in the box):
     130.211.0.0/22
     35.191.0.0/16
   - Protocols and ports: Specified protocols and ports, tcp:80
5. When you're finished updating values, click Create.
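Because this check is not performed automatically, the following added Python script (not part of the benchmark or of Nessus) audits the JSON produced by `gcloud compute firewall-rules list --format=json` for the state the steps above should leave behind: the three default rules gone, tcp:80 reachable only from the two listed ranges, and both ranges actually allowed. The rule set embedded below is a constructed sample.

```python
"""Audit GCP VPC firewall rules against the IAP-only access control above.
Input shape: `gcloud compute firewall-rules list --format=json` (constructed sample below)."""
import json

# Values taken from the Solution section of this control.
REQUIRED_RANGES = {"130.211.0.0/22", "35.191.0.0/16"}
DEFAULT_RULES_TO_DELETE = {"default-allow-http", "default-allow-https", "default-allow-internal"}

# Constructed sample: one leftover default rule plus the recommended rule.
SAMPLE_RULES_JSON = """[
 {"name": "default-allow-http", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
 {"name": "allow-iap-traffic", "direction": "INGRESS",
  "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]}
]"""

def rule_opens_port(rule, port=80):
    """True if an enabled INGRESS rule allows TCP to `port` (port ranges and 'all' included)."""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return False
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol", "").lower() not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports:
            return True  # no port list means every port of that protocol
        for spec in ports:  # "80" or "8000-8100"
            lo, _, hi = spec.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
    return False

def audit(rules_json, port=80):
    """Return (rule_name, finding) pairs; an empty list means the control is satisfied."""
    rules = json.loads(rules_json)
    findings, covered = [], set()
    for rule in rules:
        if rule["name"] in DEFAULT_RULES_TO_DELETE:
            findings.append((rule["name"], "default rule still present"))
        if not rule_opens_port(rule, port):
            continue
        ranges = set(rule.get("sourceRanges", []))
        covered |= ranges & REQUIRED_RANGES  # health-check/IAP ranges this rule admits
        for extra in sorted(ranges - REQUIRED_RANGES):
            findings.append((rule["name"], f"tcp:{port} reachable from {extra}"))
    for missing in sorted(REQUIRED_RANGES - covered):
        findings.append(("allow-iap-traffic", f"no rule allows tcp:{port} from {missing}"))
    return findings
```

Run `audit(SAMPLE_RULES_JSON)` to see the leftover default rule flagged twice; an empty list for your own export means the default rules are gone and tcp:80 is admitted only from the two ranges.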
Default Value:
By default all traffic is allowed.
Supportive Information
The following resource is also helpful.
This control applies to the following type of system: GCP.