界: Environment

このセクションには、ソースコード以外のものでも、作成中の製品のセキュリティにとって重要なものがすべて含まれています。この分野が対象とする問題は、ソースコードに直接関係しないため、この分野の他の部分と分けました。

633 見つかった項目

脆弱性

GCP Terraform Misconfiguration: GKE Cluster HTTP Basic Authentication

Abstract

Terraform 構成は、GKE クラスターでの HTTP 基本認証を有効にします。

Explanation

クラスターの中央管理エンティティである Kubernetes API サーバーは、HTTP 基本認証を受け入れてユーザーを認証します。HTTP 基本認証は非推奨であり、ブルートフォース攻撃の影響を受けやすく、誤って設定された環境では攻撃者にユーザー資格情報を漏らす可能性があります。

例 1: 次の例は、master_auth ブロックの username と password を空でない値に設定することにより、GKE クラスターで HTTP 基本認証を有効にする Terraform 構成を示しています。


resource "google_container_cluster" "container_cluster_demo" {
...
  master_auth {
    username = "foo"
    password = "bar"
  }
...
}

References

[1] HashiCorp google_container_cluster

[2] Google Cloud Leave legacy client authentication methods disabled

[3] Standards Mapping - CIS Google Kubernetes Engine Benchmark Recommendation 5.8.1

[4] Standards Mapping - Common Weakness Enumeration CWE ID 287

[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287

[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287

[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287

[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958

[10] Standards Mapping - FIPS200 IA

[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1), IA-5 Authenticator Management (P1)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication, IA-5 Authenticator Management

[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.2.3 Authentication Architectural Requirements (L2 L3), 2.2.5 General Authenticator Requirements (L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.3.1 Sensitive Private Data (L1 L2 L3), 8.1.6 General Data Protection (L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.2 Server Communications Security Requirements (L2 L3), 14.4.5 HTTP Security Headers Requirements (L1 L2 L3)

[16] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication

[17] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[22] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[23] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[24] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001650 CAT II

desc.structural.hcl.gcp_terraform_misconfiguration_gke_cluster_http_basic_authentication

GCP Terraform Misconfiguration: GKE Cluster Legacy Authorization

Abstract

Terraform 構成は、GKE クラスターでの従来の ABAC 認証を有効にします。

Explanation

デフォルトでは、属性ベースのアクセス制御 (ABAC) は、GKE バージョン 1.8 以降を実行する新しいクラスターでは無効になっています。ABAC は、ロールベースのアクセス制御 (RBAC) またはアイデンティティ/アクセス管理 (IAM) で提供される機能のほか、特定のユーザーまたはグループにリソースへのアクセスを静的に許可できます。これにより、承認管理が複雑になり、アクセス制御の集中管理がしにくくなります。

例 1: 次の例は、enable_legacy_abac を true に設定して GKE クラスターの ABAC 承認を有効にする Terraform 構成を示しています。


resource "google_container_cluster" "container_cluster_demo" {
...
  enable_legacy_abac = true
...
}

References

[1] HashiCorp google_container_cluster

[2] Google Cloud Setting the default node image type

[3] Google Cloud Configure role-based access control

[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark Recommendation 5.8.4

[5] Standards Mapping - Common Weakness Enumeration CWE ID 637

[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165

[7] Standards Mapping - FIPS200 AC

[8] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)

[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement

[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.4 Access Control Architectural Requirements (L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)

[13] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[14] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8, Requirement 7.2

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.1

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.1

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

desc.structural.hcl.gcp_terraform_misconfiguration_gke_cluster_legacy_authorization

GCP Terraform Misconfiguration: GKE Cluster Node Auto-Repair Disabled

Abstract

Terraform 構成は、GKE ノードプールのノード自動修復を無効にします。

Explanation

各クラウドサービスセキュリティ機能は、既知の脅威を防止または軽減するように設計されています。意図的にまたは誤って無効にされた場合、保護は提供されません。

デフォルトでは、GKE ノードが一定期間にわたって異常なステータスを繰り返し報告すると、GKE はそのノードの修復プロセスを開始します。ノードの自動修復を無効にすると、ミッションクリティカルなワークロードが実行される可能性のある異常なノードが適切なタイミングで自動交換されません。

例 1: 次の Terraform 構成では、management ブロックの auto_repair を false に設定して、ノードプールのノード自動修復を無効にします。


resource "google_container_node_pool" "node-pool-demo" {
...
  management {
    auto_repair = false
    ...
  }
...
}

References

[1] HashiCorp google_container_node_pool

[2] Google Cloud Auto-repairing nodes

[3] Standards Mapping - CIS Google Kubernetes Engine Benchmark Recommendation 5.5.2

[4] Standards Mapping - FIPS200 CM

[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)

[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation

[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[8] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities

[9] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.3.3

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.3.3

[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management

[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management

[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services

desc.structural.hcl.gcp_terraform_misconfiguration_gke_cluster_node_auto_repair_disabled

GCP Terraform Misconfiguration: GKE Cluster Publicly Accessible

Abstract

Terraform 構成は、パブリックインターネット経由で GKE クラスターへのアクセスを可能にします。

Explanation

不要なネットワークトラフィックのブロックに失敗すると、クラウドサービスの攻撃対象領域が拡大します。一般に公開されているサービスは、悪意のあるエンティティによるほぼ継続的なスキャンとプロービングの対象になります。

プライベート GKE ノードには外部 IP アドレスがありません。これらのノードで実行されるポッドは、クラスターの境界を超えて通信できません。パブリックエンドポイントを無効にすると、GKE クラスターの管理が内部のプライベート IP アドレスに制限されて、GKE クラスターが保護されます。プライベートエンドポイントとプライベートノードを強制しないと、クラスターがパブリックに公開されます。

例 1: 次の Terraform 構成では、enable_private_nodes および enable_private_endpoint が false に設定されているため、任意の IP アドレスがクラスターノードとコントロールプレーンにアクセスできます。


resource "google_container_cluster" "cluster-demo" {
...
  private_cluster_config {
    enable_private_endpoint = false
    enable_private_nodes = false
  }
...
}

References

[1] HashiCorp google_container_cluster

[2] Google Cloud Access to cluster endpoints

[3] Standards Mapping - CIS Google Kubernetes Engine Benchmark Recommendation 5.6.5

[4] Standards Mapping - Common Weakness Enumeration CWE ID 749

[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165

[6] Standards Mapping - FIPS200 AC

[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), SC-3 Security Function Isolation (P1)

[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, SC-3 Security Function Isolation

[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)

[12] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[13] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.2

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

desc.structural.hcl.gcp_terraform_misconfiguration_gke_cluster_publicly_accessible

GCP Terraform Misconfiguration: GKE Container-Optimized OS Not In Use

Abstract

Terraform 構成は、Container-Optimized OS を実行しない GKE ノードをセットアップします。

Explanation

デフォルトでは、GKE ノードは Container-Optimized OS (COS) を使用して実行されます。COS は、Google Compute Engine インスタンスで GKE ノードを実行するように最適化されたオペレーティングシステムイメージです。デフォルトをオプトアウトすると、セキュリティと効率が向上するというメリットがなくなります。

例 1: 次の Terraform 構成の例では、node_config ブロックで image_type が COS 以外のイメージに設定されているため、COS を実行しない GKE ノードのプールをセットアップしています。


resource "google_container_node_pool" "node_pool_demo" {
  ...
  node_config {
    image_type = "UBUNTU"
    ...
  }
  ...
}

References

[1] HashiCorp google_container_node_pool

[2] Google Cloud Setting the default node image type

[3] Google Cloud Container-Optimized OS Overview

[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark Recommendation 5.5.1

[5] Standards Mapping - FIPS200 CM

[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)

[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation

[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[10] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities

[11] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.3.3

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.3.3

[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management

[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services

desc.structural.hcl.gcp_terraform_misconfiguration_gke_container_optimized_os_not_in_use

GCP Terraform Misconfiguration: GKE Node Auto-Upgrade Disabled

Abstract

Terraform 構成は、Kubernetes ノードの自動アップグレードを無効にします。

Explanation

デフォルトでは、GKE は Kubernetes ノードを安定した新しいバージョンに自動的にアップグレードします。既知のソフトウェアの脆弱性にタイムリーにパッチを適用する自動アップグレードは無効になっています。

例 1: 次の Terraform 構成の例では、management ブロックの auto_upgrade を false に設定することで、Kubernetes ノードの自動アップグレードを無効にしています。


resource "google_container_node_pool" "node_pool_demo" {
...
  management {
    auto_upgrade = false
    ...
  }
...
}

References

[1] HashiCorp google_container_node_pool

[2] Google Cloud Auto-upgrading nodes

[3] Standards Mapping - CIS Google Kubernetes Engine Benchmark Recommendation 5.5.3

[4] Standards Mapping - FIPS200 CM

[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation

[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[9] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities

[10] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.3.3

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.3.3

[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management

[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management

[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services

desc.structural.hcl.gcp_terraform_misconfiguration_gke_node_auto_upgrade_disabled

GCP Terraform Misconfiguration: Google Project Network Access Control

Abstract

Terraform 構成は、アクセス制御が弱い、プロジェクト全体のネットワークの自動生成を許可します。

Explanation

新しい Google Cloud プロジェクトは、デフォルトで、プロジェクト全体のネットワークを開始します。デフォルトネットワークには、同一プロジェクト内の Compute Engine インスタンス間で行われる制限なしの通信を許可し、セキュリティが重要な全インスタンスのポートを公開するファイアウォールルールが事前に設定されます。影響を受けるポートには、TCP 22 (SSH) と TCP 3389 (RDP) が含まれます。十分に保護されていないインスタンスは、不正アクセスに対して脆弱になります。

例 1: 次の Terraform 構成の例では、auto_create_network を true に設定することで、プロジェクト全体のネットワークの自動生成を有効にしています。


resource "google_project" "project-demo" {
...
  auto_create_network = true
...
}

References

[1] HashiCorp google_project

[2] Google Cloud VPC network overview

[3] Google Cloud Pre-populated rules in the default network

[4] Google Cloud Organization policy constraints

[5] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 3.2

[6] Standards Mapping - Common Weakness Enumeration CWE ID 732

[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [16] CWE ID 732

[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [22] CWE ID 732

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165

[10] Standards Mapping - FIPS200 AC

[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege

[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.2 Access Control Architectural Requirements (L2 L3)

[16] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[17] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 1.4.2

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[22] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[23] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[24] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

desc.structural.hcl.gcp_terraform_misconfiguration_google_project_network_access_control

GCP Terraform Misconfiguration: Improper Compute Engine Access Control

Abstract

Terraform 構成は、ほとんどの Google Cloud API へのフルアクセスをサービスアカウントに許可します。

Explanation

Terraform 構成は、サービスアカウントのアクセススコープを cloud-platform に設定します。これにより、ほとんどの Google Cloud API へのアクセスが許可されます。その結果、侵害された Compute Engine インスタンスがアクセスできる攻撃対象領域が大幅に拡大し、最小特権の原則に違反することになります。

例 1: 次の例は、サービスアカウントのアクセススコープ (scopes) を cloud-platform に設定する Terraform 構成を示しています。


resource "google_compute_instance" "compute-instance-demo" {
    name         = "name-demo"
    machine_type = "e2-micro"
    ...
    service_account {
        email  = "foobar.service.account@example.com"
        scopes = ["cloud-platform"]
    }
}

References

[1] Dylan Ayrey & Allison Donovan Compromise any GCP Org Via Cloud API Lateral Movement and Privilege Escalation

[2] Google Cloud Best practices for securing service accounts

[3] HashiCorp google_compute_instance

[4] Google Cloud Service accounts

[5] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.2

[6] Standards Mapping - Common Weakness Enumeration CWE ID 250

[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [15] CWE ID 269

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000381, CCI-002233, CCI-002235

[9] Standards Mapping - FIPS200 AC

[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-7 Least Functionality (P1)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-7 Least Functionality

[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.4 General Access Control Design (L1 L2 L3)

[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[16] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

desc.structural.hcl.gcp_terraform_misconfiguration_improper_compute_engine_access_control

GCP Terraform Misconfiguration: Insecure App Engine Domain Transport

Abstract

Terraform 構成は、HTTPS をサポートしない App Engine アプリケーションのドメインをセットアップします。

Explanation

デフォルトでは、App Engine アプリケーションのドメインは、暗号化されていない接続やセキュリティ保護されていない接続を受け入れます。このような接続では、データが不正アクセス、盗難、改ざんの危険にさらされます。

例 1: 次の例は、example.com という名前のドメインについて、ssl_settings ブロックを含まない Terraform 構成を示しています。その結果、App Engine アプリケーションのカスタムドメインは HTTPS をサポートしていません。


resource "google_app_engine_domain_mapping" "domain_mapping" {
  domain_name = "example.com"
}

References

[1] HashiCorp google_app_engine_domain_mapping

[2] Google Cloud Securing Custom Domains with SSL

[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.10

[4] Standards Mapping - Common Weakness Enumeration CWE ID 311

[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123

[6] Standards Mapping - FIPS200 SC

[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)

[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity

[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[12] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[13] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications

[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

desc.structural.hcl.gcp_terraform_misconfiguration_insecure_app_engine_domain_transport

GCP Terraform Misconfiguration: Insecure App Engine Transport

Abstract

Terraform 構成は、すべての接続に SSL を強制することなく App Engine をセットアップします。

Explanation

デフォルトでは、App Engine アプリケーションは、暗号化されていない接続やセキュリティ保護されていない接続を受け入れます。このような接続では、データが不正アクセス、盗難、改ざんの危険にさらされます。

References

[1] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.10

[2] Standards Mapping - Common Weakness Enumeration CWE ID 311

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123

[4] Standards Mapping - FIPS200 SC

[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity

[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[10] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[11] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4

[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications

[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

desc.structural.hcl.gcp_terraform_misconfiguration_insecure_app_engine_transport

GCP Terraform Misconfiguration: Insecure Cloud Function HTTP Trigger Transport

Abstract

Terraform 構成は、安全でない HTTP リクエストによる Cloud Function のトリガーを許可します。

Explanation

デフォルトでは、HTTP のトリガーにより、Cloud Function は HTTPS リクエストへの応答に対して実行することのみが可能になります。安全でない HTTP リクエストを許可すると、データが不正アクセス、盗難、改ざんの危険にさらされます。

例 1: 次の例は、https_trigger_security_level を SECURE_OPTIONAL に設定することで、HTTPS エンドポイントの強制に失敗する HTTP トリガーを定義する Terraform 構成を示しています。


resource "google_cloudfunctions_function" "demo_function" {
...
  trigger_http = true
  https_trigger_security_level = "SECURE_OPTIONAL"
...
}

References

[1] HashiCorp google_cloudfunctions_function

[2] Google Cloud HTTP triggers

[3] Standards Mapping - Common Weakness Enumeration CWE ID 311

[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123

[5] Standards Mapping - FIPS200 SC

[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)

[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity

[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[11] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[12] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4

[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications

[19] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

desc.structural.hcl.gcp_terraform_misconfiguration_insecure_cloud_function_http_trigger_transport

GCP Terraform Misconfiguration: Insecure Cloud SQL Transport

Abstract

Terraform 構成は、すべての接続に SSL を強制することなくデータベースインスタンスを設定します。

Explanation

デフォルトでは、Cloud SQL インスタンスは、暗号化されていない接続やセキュリティ保護されていない接続を受け入れます。このような接続では、データが不正アクセス、盗難、改ざんの危険にさらされます。

例 1: 次の例は、require_ssl を false に設定することで、すべての接続への SSL の強制をデータベースインスタンスに要求しない Terraform 構成を示しています。


resource "google_sql_database_instance" "database_instance_demo" {
  ...
  settings {
    ip_configuration {
      require_ssl = false
      ...
    }
    ...
  }
}

References

[1] HashiCorp google_sql_database_instance

[2] Google Cloud Enforce SSL/TLS encryption

[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 6.4

[4] Standards Mapping - Common Weakness Enumeration CWE ID 311

[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123

[6] Standards Mapping - FIPS200 SC

[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)

[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity

[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[12] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[13] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4

desc.structural.hcl.gcp_terraform_misconfiguration_insecure_cloud_sql_transport

GCP Terraform Misconfiguration: Insecure Edge Cache Service Transport

Abstract

Terraform 構成は、HTTP または HTTPS を使用した、クライアントによる Edge Cache サービスへの接続を許可します。

Explanation

デフォルトでは、Edge Cache サービスは、暗号化されていない接続やセキュリティ保護されていない接続を受け入れます。このような接続では、データが不正アクセス、盗難、改ざんの危険にさらされます。

例 1: 次の例は、require_tls を false に設定することで、通信での TLS の使用をクライアントに要求しない Edge Cache サービスを定義する Terraform 構成を示しています。


resource "google_network_services_edge_cache_service" "srv_demo" {
...
  require_tls = false
...
}

References

[1] HashiCorp google_network_services_edge_cache_service

[2] Google Cloud Redirect all requests to HTTPS