Reino: Environment
Esta sección incluye todo lo que está fuera del código fuente pero aun así es importante para la seguridad del producto que se está creando. Dado que todas las cuestiones incluidas en esta sección no están directamente relacionadas con el código fuente, las hemos separado de las demás secciones.
GCP Terraform Misconfiguration: Insufficient GKE Cluster Monitoring
Abstract
Un script de Terraform inhabilita el servicio de monitoreo de un clúster de Google Kubernetes Engine.
Explanation
De manera predeterminada, un clúster de Google Kubernetes Engine (GKE) envía métricas desde pods al servicio de monitoreo de Stackdriver Kubernetes Engine. El script de Terraform configura un clúster de GKE y deshabilita explícitamente el servicio de monitoreo. La ausencia de métricas socava la detección adecuada y la pronta respuesta a los eventos de seguridad.
Ejemplo 1: El siguiente ejemplo muestra una configuración de Terraform que deshabilita el servicio de monitoreo de un clúster de GKE al establecer
Ejemplo 1: El siguiente ejemplo muestra una configuración de Terraform que deshabilita el servicio de monitoreo de un clúster de GKE al establecer
monitoring_service en none.
resource "google_container_cluster" "cluster-demo" {
name = "name-demo"
location = "us-central1-a"
monitoring_service = "none"
...
}
References
[1] HashiCorp google_container_cluster
[2] Google Cloud Configuring Cloud Operations for GKE
[3] Standards Mapping - CIS Google Kubernetes Engine Benchmark Recommendation 5.7.1
[4] Standards Mapping - Common Weakness Enumeration CWE ID 778
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[6] Standards Mapping - FIPS200 CM
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[13] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000830 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000830 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000830 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_insufficient_gke_cluster_monitoring