Kingdom: Environment

This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms.

GCP Terraform Misconfiguration: Google Project Network Access Control

Abstract
A Terraform configuration allows the auto-creation of a project-wide network with weak access control.
Explanation
By default, a new Google Cloud project starts with a project-wide network. The default network is pre-populated with firewall rules that permit unrestricted communication among Compute Engine instances in the same project and expose security sensitive ports of all instances to the public. The affected ports include TCP 22 (SSH) and TCP 3389 (RDP). Any insufficiently protected instance is susceptible to unauthorized access.

Example 1: The following example Terraform configuration enables the auto-creation of a project-wide network by setting auto_create_network to true.

resource "google_project" "project-demo" {
...
  auto_create_network = true
...
}
References
[1] HashiCorp google_project
[2] Google Cloud VPC network overview
[3] Google Cloud Pre-populated rules in the default network
[4] Google Cloud Organization policy constraints
[5] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 3.2
[6] Standards Mapping - Common Weakness Enumeration CWE ID 732
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [16] CWE ID 732
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [22] CWE ID 732
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[10] Standards Mapping - FIPS200 AC
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.2 Access Control Architectural Requirements (L2 L3)
[16] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[17] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 1.4.2
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[24] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_google_project_network_access_control