Reino: Environment

Esta sección incluye todo lo que está fuera del código fuente pero aun así es importante para la seguridad del producto que se está creando. Dado que todas las cuestiones incluidas en esta sección no están directamente relacionadas con el código fuente, las hemos separado de las demás secciones.

GCP Terraform Misconfiguration: Insufficient VPC Flow Logging

Abstract

Una configuración de Terraform crea una subred de máquina virtual sin especificar opciones para el registro de flujo de nube privada virtual.

Explanation

La configuración de Terraform establece una subred de máquina virtual sin especificar opciones de registro. Estos registros contienen datos valiosos para el monitoreo de la red, análisis forense, análisis de seguridad en tiempo real y optimización de gastos.

References

[1] Google Cloud VPC Flow Logs overview

[2] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 3.8

[3] Standards Mapping - Common Weakness Enumeration CWE ID 778

[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172

[5] Standards Mapping - FIPS200 CM

[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)

[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation

[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)

[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring

[12] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking

[19] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000830 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000830 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000830 CAT II

desc.structural.hcl.gcp_terraform_misconfiguration_insufficient_vpc_flow_logging