Vulnerabilities
Abstract
This Terraform configuration creates a Compute Engine instance that runs as the default service account.
Explanation
When a Compute Engine instance is created without specifying a user-managed service account, Google Cloud attaches the project's default Compute Engine service account to it. The default service account's permissions are often broader than what the instance needs in order to do its job, which violates the principle of least privilege.

Example 1: The following Terraform configuration creates a Compute Engine instance without specifying a user-managed service account; the service_account block is missing.

resource "google_compute_instance" "instance-demo" {
  name         = "name-demo"
  machine_type = "e2-micro"
  boot_disk {
    ...
  }
  network_interface {
    ...
  }
}
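The corrected form, as an added example that is not part of the original entry: a dedicated service account that holds only the roles the workload needs, attached to the instance with the cloud-platform scope so that IAM roles, not legacy OAuth scopes, bound what the instance can do. The project ID, zone, image and the two roles are assumptions chosen for illustration.

```hcl
# Added example, not from the original entry. Project ID, zone, image and the
# two roles are assumptions; pick the narrowest roles your workload really needs.

resource "google_service_account" "web" {
  account_id   = "web-instance-sa"
  display_name = "Service account for the web Compute Engine instance"
}

# Grant only what the instance needs. The default Compute Engine service
# account, by contrast, receives the project Editor role unless the
# iam.automaticIamGrantsForDefaultServiceAccounts org policy turns that off.
resource "google_project_iam_member" "web_roles" {
  for_each = toset([
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
  ])

  project = "my-project-id"
  role    = each.value
  member  = "serviceAccount:${google_service_account.web.email}"
}

resource "google_compute_instance" "instance-demo" {
  name         = "name-demo"
  machine_type = "e2-micro"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = "default"
  }

  # Explicit service_account block: the instance runs as the dedicated account.
  # The cloud-platform scope delegates authorization entirely to IAM; narrower
  # OAuth scopes are a legacy mechanism and no substitute for narrow roles.
  service_account {
    email  = google_service_account.web.email
    scopes = ["cloud-platform"]
  }
}
```

Because the instance now depends on the service account resource, Terraform creates the account before the VM and refuses to destroy the account while the VM still references it; the IAM bindings are kept per-role so that adding or dropping one role is a one-line change in review.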
References
[1] Dylan Ayrey & Allison Donovan Compromise any GCP Org Via Cloud API Lateral Movement and Privilege Escalation
[2] Google Cloud Best practices for securing service accounts
[3] HashiCorp google_compute_instance
[4] Google Cloud Service accounts
[5] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.1
[6] Standards Mapping - Common Weakness Enumeration CWE ID 250
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [15] CWE ID 269
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000017, CCI-000381, CCI-002233, CCI-002235
[9] Standards Mapping - FIPS200 AC
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-2 Account Management (P1), AC-6 Least Privilege (P1), CM-7 Least Functionality (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-2 Account Management, AC-6 Least Privilege, CM-7 Least Functionality
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.4 General Access Control Design (L1 L2 L3)
[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000330 CAT II, APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000330 CAT II, APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_compute_engine_default_service_account
Abstract
This Terraform configuration sets up a Compute Engine instance with IP forwarding enabled.
Explanation
λΆˆν•„μš”ν•œ λ„€νŠΈμ›Œν¬ νŠΈλž˜ν”½μ„ μ°¨λ‹¨ν•˜μ§€ μ•ŠμœΌλ©΄ ν΄λΌμš°λ“œ μ„œλΉ„μŠ€μ˜ 곡격 ν‘œλ©΄μ΄ ν™•μž₯λ©λ‹ˆλ‹€.

Compute Engine μΈμŠ€ν„΄μŠ€μ—μ„œλŠ” IP 전달이 기본적으둜 λΉ„ν™œμ„±ν™”λ©λ‹ˆλ‹€. IP 전달을 ν™œμ„±ν™”ν•˜λ©΄ μ†ŒμŠ€ λ˜λŠ” λŒ€μƒ IPκ°€ μΌμΉ˜ν•˜μ§€ μ•ŠλŠ” νŒ¨ν‚·μ„ 전솑 및 μˆ˜μ‹ ν•  수 μžˆμŠ΅λ‹ˆλ‹€. κ·ΈλŸ¬λ―€λ‘œ κ³΅κ²©μžκ°€ Compute Engine μΈμŠ€ν„΄μŠ€λ₯Ό 톡해 νŒ¨ν‚·μ„ λΌμš°νŒ…ν•˜μ—¬ λ„€νŠΈμ›Œν¬ μ•‘μ„ΈμŠ€ μ œμ–΄λ₯Ό μš°νšŒν•˜λŠ” λ°©μ‹μœΌλ‘œ IP 전달을 μ•…μš©ν•  수 μžˆμŠ΅λ‹ˆλ‹€.

Example 1: The following Terraform configuration enables IP forwarding by setting can_ip_forward to true.

resource "google_compute_instance" "compute_instance_demo" {
  ...
  can_ip_forward = true
  ...
}
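As an added example, not code from the original entry: an ordinary workload with forwarding explicitly off, next to the one legitimate case, a VM that is meant to route (a NAT gateway for a private subnet), where forwarding stays on but a firewall rule admits traffic to it only from the subnet it serves. Network name, subnet range, zone and image are assumptions.

```hcl
# Added example, not from the original entry. Network name, subnet range,
# zone and image are assumptions.

# Ordinary workload: leave IP forwarding at its default (false). Writing it
# out keeps the intent visible to reviewers and to IaC scanners.
resource "google_compute_instance" "app" {
  name           = "app-demo"
  machine_type   = "e2-micro"
  zone           = "us-central1-a"
  can_ip_forward = false

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = "default"
  }
}

# Only a VM that genuinely routes traffic should forward. Keep that on a
# dedicated instance, tag it, and let the firewall admit traffic to it from
# the subnet it serves and nothing else.
resource "google_compute_instance" "nat" {
  name           = "nat-gateway"
  machine_type   = "e2-small"
  zone           = "us-central1-a"
  can_ip_forward = true
  tags           = ["nat-gateway"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = "default"
    access_config {} # external IP: the NAT egress path
  }
}

resource "google_compute_firewall" "nat_ingress" {
  name      = "allow-forwarding-from-private-subnet"
  network   = "default"
  direction = "INGRESS"

  # Assumed private subnet range. Packets from any other source never reach
  # the instance, so it cannot be used as a relay from outside that subnet.
  source_ranges = ["10.10.0.0/24"]
  target_tags   = ["nat-gateway"]

  allow {
    protocol = "all"
  }
}
```

The route that points the private subnet's default route at the NAT instance (google_compute_route with next_hop_instance) is deliberately left out; it is unrelated to the finding. The point is that can_ip_forward = true should be rare, attached to a resource whose name says why, and paired with a rule that bounds who can send packets through it.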
References
[1] HashiCorp google_compute_instance
[2] Google Cloud Enabling IP forwarding for instances
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.6
[4] Standards Mapping - Common Weakness Enumeration CWE ID 441
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), CA-3 System Interconnections (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, CA-3 Information Exchange
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.1 General Access Control Design (L1 L2 L3)
[12] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_compute_engine_ip_forwarding_enabled
Abstract
This Terraform configuration does not enable Confidential VM.
Explanation
기본적으둜 Compute Engine μΈμŠ€ν„΄μŠ€λŠ” Confidential VM이 μ•„λ‹™λ‹ˆλ‹€. Confidential VM은 ν•˜λ“œμ›¨μ–΄ 기반 μ•”ν˜Έν™”λ₯Ό μ‚¬μš©ν•˜μ—¬ μ‚¬μš© 쀑인 데이터λ₯Ό λ³΄ν˜Έν•˜κ³  원격 증λͺ…을 μ§€μ›ν•©λ‹ˆλ‹€. 내보내기가 λΆˆκ°€λŠ₯ν•œ VM μΈμŠ€ν„΄μŠ€λ³„ μ „μš© ν‚€λ₯Ό μ‚¬μš©ν•˜λŠ” 경우 VM λ©”λͺ¨λ¦¬κ°€ μ•”ν˜Έν™”λœ μƒνƒœλ‘œ μœ μ§€λ©λ‹ˆλ‹€. κ·ΈλŸ¬λ―€λ‘œ κΆŒν•œ μˆ˜μ€€μ΄ 더 높은 ν•˜μ΄νΌλ°”μ΄μ €λ₯Ό ν†΅ν•œ ν΄λΌμš°λ“œ κ³΅κΈ‰μžμ˜ μ•‘μ„ΈμŠ€λ₯Ό μ°¨λ‹¨ν•˜μ—¬ VM의 κΈ°λ°€μ„±κ³Ό 무결성을 λ³΄ν˜Έν•  수 μžˆμŠ΅λ‹ˆλ‹€.

Example 1: The following Terraform configuration disables Confidential VM by setting enable_confidential_compute to false.

resource "google_compute_instance" "default" {
  ...
  confidential_instance_config {
    enable_confidential_compute = false
  }
  ...
}
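The corrected configuration, as an added example that is not from the original entry: Confidential Computing on, with the two settings it drags along (a supported machine family and no live migration), plus a project-level organization policy that denies non-confidential instances so the setting cannot be quietly omitted elsewhere. Zone, image and project ID are assumptions; the image must be one that supports Confidential VM.

```hcl
# Added example, not from the original entry. Zone, image and project ID are
# assumptions; the image must be a Confidential VM-capable one.

resource "google_compute_instance" "default" {
  name = "confidential-demo"
  zone = "us-central1-a"

  # AMD SEV Confidential VMs need a supported machine family such as N2D.
  machine_type = "n2d-standard-2"

  boot_disk {
    initialize_params {
      image = "ubuntu-os-cloud/ubuntu-2204-lts"
    }
  }

  network_interface {
    network = "default"
  }

  confidential_instance_config {
    enable_confidential_compute = true
  }

  # Memory is encrypted with a key bound to the physical host, so the VM
  # cannot be live-migrated; host maintenance must stop it instead.
  scheduling {
    on_host_maintenance = "TERMINATE"
  }
}

# Enforce the requirement for the whole project instead of relying on every
# module author remembering the block: deny non-confidential Compute Engine.
resource "google_project_organization_policy" "require_confidential" {
  project    = "my-project-id"
  constraint = "compute.restrictNonConfidentialComputing"

  list_policy {
    deny {
      values = ["compute.googleapis.com"]
    }
  }
}
```

Two caveats worth checking before applying: the machine type, zone and image all have to be on the Confidential VM support list for the chosen technology, and workloads that relied on live migration for zero-downtime maintenance now need to tolerate a stop/start.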
References
[1] HashiCorp google_compute_instance
[2] Google Cloud Confidential VM
[3] Confidential Computing Consortium A Technical Analysis of Confidential Computing
[4] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.11
[5] Standards Mapping - Common Weakness Enumeration CWE ID 311
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[7] Standards Mapping - FIPS200 SC
[8] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[13] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[14] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_compute_engine_missing_confidential_computing_features
Abstract
The Compute Engine instance does not use a customer-supplied encryption key to protect its disk encryption key.
Explanation
기본적으둜 Google Cloud Compute Engine은 λ―Έμ‚¬μš© 데이터λ₯Ό λͺ¨λ‘ μ•”ν˜Έν™”ν•©λ‹ˆλ‹€. CSEK(고객 제곡 μ•”ν˜Έν™” ν‚€)κ°€ μ§€μ •λ˜μ–΄ 있으면 CSEKκ°€ 데이터 μ•”ν˜Έν™” ν‚€λ₯Ό μ•”ν˜Έν™”ν•©λ‹ˆλ‹€. Google은 Compute Engine μΈμŠ€ν„΄μŠ€μ— CSEKλ₯Ό μ €μž₯ν•˜μ§€ μ•ŠμœΌλ©° λ”°λΌμ„œ μ˜¬λ°”λ₯Έ CSEKλ₯Ό μ œκ³΅ν•˜μ§€ μ•ŠμœΌλ©΄ 보호된 데이터에 μ•‘μ„ΈμŠ€ν•  수 μ—†μŠ΅λ‹ˆλ‹€.

Example 1: The following Terraform configuration defines a persistent disk for a Compute Engine instance. The disk_encryption_key block is missing, so no CSEK protects the data encryption key.

resource "google_compute_disk" "compute-disk-demo" {
  name = "test-disk"
  type = "pd-ssd"
}
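An added example, not from the original entry, showing the disk with a CSEK and the instance that attaches it, which has to present the same key again. The key is a base64-encoded 256-bit value passed in as a sensitive variable; the zone, image and disk size are assumptions.

```hcl
# Added example, not from the original entry. Zone, image and size are
# assumptions; the CSEK is a base64-encoded 256-bit key supplied at apply
# time (for example from a secrets manager), never committed to the repo.

variable "data_disk_csek" {
  description = "Base64-encoded 256-bit customer-supplied encryption key"
  type        = string
  sensitive   = true
}

resource "google_compute_disk" "compute-disk-demo" {
  name = "test-disk"
  type = "pd-ssd"
  zone = "us-central1-a"
  size = 50

  # The CSEK wraps the disk's data encryption key. Google retains only a
  # SHA-256 of the CSEK (the computed `sha256` attribute) for verification.
  disk_encryption_key {
    raw_key = var.data_disk_csek
  }
}

resource "google_compute_instance" "csek_demo" {
  name         = "csek-demo"
  machine_type = "e2-micro"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
    # The boot disk can be CSEK-protected as well. The same variable is
    # reused here for brevity; a separate key per disk limits what one
    # leaked key unlocks.
    disk_encryption_key_raw = var.data_disk_csek
  }

  # Attaching a CSEK disk requires the key again; without the correct key
  # the attach fails and the data stays unreadable, which is the guarantee
  # the finding is about.
  attached_disk {
    source                  = google_compute_disk.compute-disk-demo.id
    disk_encryption_key_raw = var.data_disk_csek
  }

  network_interface {
    network = "default"
  }
}
```

The trade-off a practitioner must accept: Google cannot recover the disk if the key is lost, so key custody (escrow, rotation by re-keying the disk) is now your problem. Also note that raw_key is written to Terraform state; treat the state backend as holding key material, or use the provider's RSA-wrapped form of the key (rsa_encrypted_key) so that only a value wrapped with Google's public certificate is ever stored.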
References
[1] HashiCorp google_compute_disk
[2] Google Cloud Persistent disk encryption
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.7
[4] Standards Mapping - Common Weakness Enumeration CWE ID 311
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[6] Standards Mapping - FIPS200 MP
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[12] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[13] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_compute_engine_missing_customer_managed_encryption_key
Abstract
This Terraform configuration sets up a Compute Engine instance without blocking project-wide SSH logins.
Explanation
기본적으둜 ν”„λ‘œμ νŠΈ 메타데이터에 μ €μž₯된 SSH ν‚€λ₯Ό μ‚¬μš©ν•˜μ—¬ ν”„λ‘œμ νŠΈμ˜ λͺ¨λ“  Compute Engine μΈμŠ€ν„΄μŠ€μ— μ•‘μ„ΈμŠ€ν•  수 μžˆμŠ΅λ‹ˆλ‹€. 이둜 인해 μ†μƒλœ SSH 킀에 μ•‘μ„ΈμŠ€ν•  수 μžˆλŠ” 곡격 ν‘œλ©΄μ΄ 크게 ν™•μž₯되고 μ΅œμ†Œ κΆŒν•œ 원칙에 μœ„λ°˜λ©λ‹ˆλ‹€.

Example 1: The following Terraform configuration allows project-wide SSH login by setting block-project-ssh-keys to false in the metadata argument.

resource "google_compute_instance" "compute_instance_demo" {
  ...
  metadata = {
    block-project-ssh-keys = false
    ...
  }
  ...
}
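The corrected form, as an added example that is not from the original entry: project-wide keys blocked on the instance, and OS Login enabled so that who may SSH in becomes an IAM decision that can be audited and revoked centrally rather than a key file copied between laptops. Project ID, zone, image and the group name are assumptions.

```hcl
# Added example, not from the original entry. Project ID, zone, image and the
# group name are assumptions.

resource "google_compute_instance" "compute_instance_demo" {
  name         = "ssh-demo"
  machine_type = "e2-micro"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = "default"
  }

  # Metadata values are strings. Blocking project-wide keys means a key added
  # to project metadata no longer grants login here. With OS Login enabled,
  # metadata ssh-keys are ignored altogether and access is governed by IAM;
  # the 2FA flag additionally requires a second factor on login.
  metadata = {
    block-project-ssh-keys = "true"
    enable-oslogin         = "TRUE"
    enable-oslogin-2fa     = "TRUE"
  }
}

# Who may log in, expressed as a revocable IAM grant to a group rather than
# a key baked into metadata. roles/compute.osAdminLogin would add sudo.
resource "google_project_iam_member" "ops_oslogin" {
  project = "my-project-id"
  role    = "roles/compute.osLogin"
  member  = "group:ops-team@example.com"
}
```

If OS Login cannot be used, keep block-project-ssh-keys = "true" and put per-instance keys in the instance's own ssh-keys metadata; the blast radius of a leaked key is then one VM, not the project.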
References
[1] HashiCorp google_compute_instance
[2] Google Cloud Restrict SSH keys from VMs
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.3
[4] Standards Mapping - Common Weakness Enumeration CWE ID 250
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [15] CWE ID 269
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000381, CCI-002233, CCI-002235
[7] Standards Mapping - FIPS200 AC
[8] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-7 Least Functionality (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-7 Least Functionality
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.4 General Access Control Design (L1 L2 L3)
[13] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_compute_engine_project_wide_ssh
Abstract
This Terraform configuration sets up a Compute Engine instance with interactive serial console access enabled.
Explanation
λΆˆν•„μš”ν•œ λ„€νŠΈμ›Œν¬ νŠΈλž˜ν”½μ„ μ°¨λ‹¨ν•˜μ§€ μ•ŠμœΌλ©΄ ν΄λΌμš°λ“œ μ„œλΉ„μŠ€μ˜ 곡격 ν‘œλ©΄μ΄ ν™•μž₯λ©λ‹ˆλ‹€. 곡개 μƒν˜Έ μž‘μš©μ΄ κ°€λŠ₯ν•œ μ„œλΉ„μŠ€λŠ” μ•…μ˜μ μΈ μ—”ν„°ν‹°μ˜ 거의 지속적인 검색 및 쑰사에 λ…ΈμΆœλ©λ‹ˆλ‹€.

기본적으둜 Compute Engine μΈμŠ€ν„΄μŠ€μ˜ 직렬 ν¬νŠΈμ—μ„œλŠ” μ½˜μ†”μ— μ•‘μ„ΈμŠ€ν•  수 μ—†μŠ΅λ‹ˆλ‹€. 직렬 μ½˜μ†” μ•‘μ„ΈμŠ€λ₯Ό ν™œμ„±ν™”ν•˜λ©΄ κ³΅κ²©μžκ°€ λͺ¨λ“  IP μ£Όμ†Œμ—μ„œ Compute Engine μΈμŠ€ν„΄μŠ€μ— μ—°κ²°ν•  수 μžˆμŠ΅λ‹ˆλ‹€. 직렬 ν¬νŠΈμ—μ„œλŠ” IP 기반 μ•‘μ„ΈμŠ€ μ œν•œμ΄ μ§€μ›λ˜μ§€ μ•ŠκΈ° λ•Œλ¬Έμž…λ‹ˆλ‹€.

Example 1: The following Terraform configuration allows interactive serial console access by setting serial-port-enable to true in the metadata argument.

resource "google_compute_instance" "compute_instance_demo" {
  ...
  metadata = {
    serial-port-enable = true
    ...
  }
  ...
}
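An added example, not from the original entry: the interactive console disabled on the instance while read-only serial output logging stays on, and an organization policy that disables interactive serial access for the whole project so that nobody with instance metadata rights can re-enable it. Project ID, zone and image are assumptions.

```hcl
# Added example, not from the original entry. Project ID, zone and image are
# assumptions.

resource "google_compute_instance" "compute_instance_demo" {
  name         = "serial-demo"
  machine_type = "e2-micro"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = "default"
  }

  metadata = {
    # Interactive serial console off. Serial *output* logging is a separate
    # key and worth keeping on: it is read-only, lands in Cloud Logging, and
    # is what you want for boot-failure diagnosis and forensics.
    serial-port-enable         = "false"
    serial-port-logging-enable = "true"
  }
}

# An instance-level setting can be flipped by anyone holding
# compute.instances.setMetadata. The org policy constraint disables
# interactive serial console access for every VM in the project regardless
# of instance or project metadata.
resource "google_project_organization_policy" "no_serial_console" {
  project    = "my-project-id"
  constraint = "compute.disableSerialPortAccess"

  boolean_policy {
    enforced = true
  }
}
```

When an operator does need the console for a bricked VM, enable it on that one instance for the duration of the session and remove it again; the org policy would have to be lifted temporarily for that, which is a deliberate, logged action rather than a forgotten default.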
References
[1] HashiCorp google_compute_instance
[2] Google Cloud Disabling interactive serial console access
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.5
[4] Standards Mapping - Common Weakness Enumeration CWE ID 749
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), CA-3 System Interconnections (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, CA-3 Information Exchange
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.1 General Access Control Design (L1 L2 L3)
[12] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_compute_engine_serial_console_enabled
Abstract
This Terraform configuration sets up a Compute Engine instance without enabling all of the recommended Shielded VM options.
Explanation
λͺ¨λ“  ν΄λΌμš°λ“œ μ„œλΉ„μŠ€ λ³΄μ•ˆ κΈ°λŠ₯은 κ³ μœ ν•œ λ°©μ‹μœΌλ‘œ μ•Œλ €μ§„ μœ„ν˜‘μ„ λ°©μ§€ν•˜κ±°λ‚˜ μ™„ν™”ν•©λ‹ˆλ‹€. μ˜λ„μ μœΌλ‘œ λ˜λŠ” μ‹€μˆ˜λ‘œ λΉ„ν™œμ„±ν™”λœ κΈ°λŠ₯은 보호 κΈ°λŠ₯을 μ œκ³΅ν•˜μ§€ μ•ŠμŠ΅λ‹ˆλ‹€.

Shield VM μ˜΅μ…˜μ„ λΉ„ν™œμ„±ν™”ν•˜λ©΄ κ³΅κ²©μžκ°€ Compute Engine μΈμŠ€ν„΄μŠ€μ˜ 게슀트 운영 체제λ₯Ό λŒ€μƒμœΌλ‘œ κ΅¬ν˜„λœ λ³΄μ•ˆ μ œν•œμ„ μš°νšŒν•  수 μžˆμŠ΅λ‹ˆλ‹€. ꢌμž₯ Shield VM μ˜΅μ…˜ 및 ν•΄λ‹Ή Terraform ꡬ성 μ‹λ³„μžλŠ” λ‹€μŒκ³Ό κ°™μŠ΅λ‹ˆλ‹€.

- 무결성 λͺ¨λ‹ˆν„°λ§(enable_integrity_monitoring)
- λ³΄μ•ˆ λΆ€νŒ…(enable_secure_boot)
- 가상 μ‹ λ’°ν•  수 μžˆλŠ” ν”Œλž«νΌ λͺ¨λ“ˆ(enable_vtpm)

Example 1: The following Terraform configuration sets enable_integrity_monitoring to false in the shielded_instance_config block, so only some of the recommended Shielded VM options are enabled.

resource "google_compute_instance" "compute_instance_demo" {
  ...
  shielded_instance_config {
    enable_integrity_monitoring = false
    enable_secure_boot          = true
    enable_vtpm                 = true
  }
  ...
}
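The corrected form, as an added example that is not from the original entry: all three options enabled, a project-level policy requiring Shielded VM for new instances, and a log-based metric over the integrity events so that a failed boot measurement actually reaches someone. Project ID, zone, image and the metric name are assumptions; the log filter uses the field names Google documents for Shielded VM integrity events.

```hcl
# Added example, not from the original entry. Project ID, zone, image and the
# metric name are assumptions.

resource "google_compute_instance" "compute_instance_demo" {
  name         = "shielded-demo"
  machine_type = "e2-micro"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      # Must be a Shielded VM-capable image (UEFI firmware, signed
      # bootloader); current public Debian, Ubuntu, COS and Windows
      # images qualify.
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = "default"
  }

  # Secure Boot rejects unsigned kernels and modules; the vTPM gives
  # measured boot and a place to seal keys; integrity monitoring compares
  # each boot's measurements with the baseline and logs the verdict.
  shielded_instance_config {
    enable_secure_boot          = true
    enable_vtpm                 = true
    enable_integrity_monitoring = true
  }
}

# Require Shielded VM for every new instance in the project.
resource "google_project_organization_policy" "require_shielded_vm" {
  project    = "my-project-id"
  constraint = "compute.requireShieldedVm"

  boolean_policy {
    enforced = true
  }
}

# Integrity monitoring only helps if the result is watched: count boots whose
# early- or late-boot measurements failed policy evaluation, so an alerting
# policy can fire on this metric.
resource "google_logging_metric" "shielded_integrity_failures" {
  name   = "shielded-vm-integrity-failures"
  filter = <<-EOT
    resource.type="gce_instance"
    logName:"compute.googleapis.com/shielded_vm_integrity"
    (jsonPayload.earlyBootReportEvent.policyEvaluationPassed="false" OR
     jsonPayload.lateBootReportEvent.policyEvaluationPassed="false")
  EOT

  metric_descriptor {
    metric_kind = "DELTA"
    value_type  = "INT64"
  }
}
```

Expect a policy failure the first time you change the kernel or bootloader on purpose; the baseline is learned at first boot and must be updated (gcloud compute instances update --shielded-learn-integrity-policy) after legitimate changes, otherwise the alert trains people to ignore it.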
References
[1] HashiCorp google_compute_instance
[2] Google Cloud Modifying Shielded VM options on a VM instance
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.8
[4] Standards Mapping - Common Weakness Enumeration CWE ID 320, CWE ID 693, CWE ID 922
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000803, CCI-001749, CCI-002235
[6] Standards Mapping - FIPS200 CM
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-5 Access Restrictions for Change (P1), CM-6 Configuration Settings (P1), IA-7 Cryptographic Module Authentication (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-6 Configuration Settings, CM-14 Signed Components, IA-7 Cryptographic Module Authentication
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.6.2 Cryptographic Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3)
[12] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities
[13] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2, Requirement 6.5.3
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.3.3
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 6.3.3
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography, Control Objective 10.2 - Threat and Vulnerability Management
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective 10.2 - Threat and Vulnerability Management
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective 10.2 - Threat and Vulnerability Management
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-001430 CAT II, APSC-DV-001860 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-001430 CAT II, APSC-DV-001860 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-001430 CAT II, APSC-DV-001860 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-001430 CAT II, APSC-DV-001860 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-001430 CAT II, APSC-DV-001860 CAT I
desc.structural.hcl.gcp_terraform_misconfiguration_compute_engine_shielded_vm_option_disabled
Abstract
This Terraform configuration does not redirect Edge Cache traffic from HTTP to HTTPS.
Explanation
기본적으둜 Edge Cache μ„œλΉ„μŠ€λŠ” μ•”ν˜Έν™”λ˜μ§€ μ•Šμ€ μ—°κ²°κ³Ό λ³΄μ•ˆλ˜μ§€ μ•Šμ€ 연결을 ν—ˆμš©ν•©λ‹ˆλ‹€. μ΄λŸ¬ν•œ μ—°κ²°λ‘œ 인해 데이터가 무단 μ•‘μ„ΈμŠ€, λ„λ‚œ 및 λ³€μ‘° μœ„ν—˜μ— λ…ΈμΆœλ©λ‹ˆλ‹€.

Example 1: The following Terraform configuration defines an Edge Cache service. It sets https_redirect to false, which lets clients keep communicating over HTTP.

resource "google_network_services_edge_cache_service" "srv_demo" {
  ...
  routing {
    ...
    path_matcher {
      ...
      route_rule {
        ...
        url_redirect {
          https_redirect = false
        }
      }
    }
  }
}
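An added example, not from the original entry, showing the two controls together: require_tls at the service level, which answers every port-80 request with a 301 to the HTTPS URL, and https_redirect = true on the redirect rule itself so that redirects the service issues never send a client back to plain HTTP. Host name, origin bucket, path names and the certificate reference are assumptions.

```hcl
# Added example, not from the original entry. Host name, origin bucket, paths
# and the certificate reference are assumptions.

variable "edge_certificate_id" {
  description = "Certificate Manager certificate (projects/.../locations/global/certificates/...)"
  type        = string
}

resource "google_network_services_edge_cache_origin" "assets" {
  name           = "assets-origin"
  origin_address = "gs://assets-bucket-demo"
}

resource "google_network_services_edge_cache_service" "srv_demo" {
  name                  = "srv-demo"
  edge_ssl_certificates = [var.edge_certificate_id]

  # Service-wide guarantee: a client connecting over port 80 receives an
  # HTTP 301 to the same URL over HTTPS. Requires at least one certificate.
  require_tls = true

  routing {
    host_rule {
      hosts        = ["cdn.example.com"]
      path_matcher = "default"
    }

    path_matcher {
      name = "default"

      # Redirects the service issues must also land on HTTPS. With
      # https_redirect = false the Location header keeps the client's
      # original scheme, so a plain-HTTP client is kept on plain HTTP.
      route_rule {
        priority    = 1
        description = "Move legacy paths and upgrade the scheme"
        match_rule {
          prefix_match = "/legacy/"
        }
        url_redirect {
          prefix_redirect        = "/v2/"
          https_redirect         = true
          redirect_response_code = "MOVED_PERMANENTLY_DEFAULT"
        }
      }

      route_rule {
        priority = 2
        match_rule {
          prefix_match = "/"
        }
        origin = google_network_services_edge_cache_origin.assets.name

        # Ask browsers to stop attempting HTTP at all for this host.
        header_action {
          response_header_to_add {
            header_name  = "Strict-Transport-Security"
            header_value = "max-age=31536000; includeSubDomains"
          }
        }
      }
    }
  }
}
```

A 301 is itself sent in the clear on the first request, which is why the HSTS header matters: after one successful HTTPS response the browser never issues the plaintext request again.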
References
[1] HashiCorp google_network_services_edge_cache_service
[2] Google Cloud Redirect all requests to HTTPS
[3] Standards Mapping - Common Weakness Enumeration CWE ID 311
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[5] Standards Mapping - FIPS200 SC
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[11] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[12] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[19] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_edge_cache_service_missing_http_to_https_redirect
Abstract
This Terraform configuration does not specify a customer-managed encryption key for data at rest.
Explanation
λ―Έμ‚¬μš© λ°μ΄ν„°μ—λŠ” CMEK(고객 κ΄€λ¦¬ν˜• μ•”ν˜Έν™” ν‚€)κ°€ ν™œμ„±ν™”λ˜μ§€ μ•ŠμŠ΅λ‹ˆλ‹€.

기본적으둜 Google CloudλŠ” μž„μ˜λ‘œ μƒμ„±λœ DEK(데이터 μ•”ν˜Έν™” ν‚€)λ₯Ό μ‚¬μš©ν•˜μ—¬ λ―Έμ‚¬μš© 데이터λ₯Ό μ•”ν˜Έν™”ν•©λ‹ˆλ‹€. CMEK κΈ°λŠ₯을 μ‚¬μš©ν•˜λŠ” 쑰직은 μ›ν•˜λŠ” μ•”ν˜Έν™” ν‚€λ₯Ό μ‚¬μš©ν•˜μ—¬ DEKλ₯Ό μ•”ν˜Έν™”ν•  수 μžˆμŠ΅λ‹ˆλ‹€. λ”°λΌμ„œ μ•”ν˜Έν™” ν”„λ‘œμ„ΈμŠ€λ₯Ό λ”μš± 효율적으둜 μ œμ–΄ν•˜κ³  λ‘œκΉ…ν•  수 μžˆμŠ΅λ‹ˆλ‹€.

μ΄λŸ¬ν•œ 이유둜 인해 CMEKλŠ” λ‹€μŒμ„ λΉ„λ‘―ν•œ μ—¬λŸ¬ μš”κ΅¬ 사항을 μΆ©μ‘±ν•˜λŠ” μ†”λ£¨μ…˜μ— ν¬ν•¨λ˜λŠ” κ²½μš°κ°€ λ§ŽμŠ΅λ‹ˆλ‹€.
- λ―Όκ°ν•œ 데이터 μ•‘μ„ΈμŠ€ κ΄€λ ¨ 감사 둜그
- 데이터 보쑴
- ν‚€ ꡐ체, λΉ„ν™œμ„±ν™” λ˜λŠ” μ‚­μ œ
- λ³€μ‘° 방지 ν•˜λ“œμ›¨μ–΄ λ³΄μ•ˆ λͺ¨λ“ˆ
References
[1] Google Cloud Customer-managed encryption keys (CMEK)
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.hcl.iac.gcp_bad_practices_missing_customer_managed_encryption_key.base
Abstract
This Terraform configuration does not define authorized networks to restrict access to the GKE control plane.
Explanation
The GKE control plane makes global decisions for the cluster, and its API endpoints are for the most part publicly accessible. Adding authorized networks as an allow list provides network-level protection for control plane access, in front of authentication and RBAC.

Example 1: The following example Terraform configuration sets up a public cluster without defining authorized networks in a master_authorized_networks_config block. As a result, the GKE control plane API endpoint is publicly accessible.

  resource "google_container_cluster" "cluster_demo" {
    name = "name-demo"
  }
References
[1] HashiCorp google_container_cluster
[2] Google Cloud Add authorized networks for control plane access
[3] Standards Mapping - CIS Google Kubernetes Engine Benchmark Recommendation 5.6.3
[4] Standards Mapping - Common Weakness Enumeration CWE ID 749
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-001082, CCI-001084, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1), SC-2 Application Partitioning (P1), SC-3 Security Function Isolation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-8 Identification and Authentication (Non-Organizational Users), SC-2 Separation of System and User Functionality, SC-3 Security Function Isolation
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.1 General Access Control Design (L1 L2 L3), 14.5.1 Validate HTTP Request Header Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002150 CAT II, APSC-DV-002360 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002150 CAT II, APSC-DV-002360 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002150 CAT II, APSC-DV-002360 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002150 CAT II, APSC-DV-002360 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002150 CAT II, APSC-DV-002360 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_gke_cluster_administrative_interface_access_control
Abstract
This Terraform configuration enables certificate-based authentication on a GKE cluster.
Explanation
By default, client certificate authentication is disabled on new clusters running GKE version 1.12 or later. With certificate-based authentication, a user presents a certificate that the Kubernetes API server verifies against the configured certificate authority. However, Kubernetes has no mechanism for revoking such a certificate, so when a user leaves or the credential is lost there is no way to invalidate it. Certificate-based authentication is therefore unsuitable for end users.

Example 1: The following example Terraform configuration enables GKE client certificate-based authentication by setting issue_client_certificate to true inside the client_certificate_config of the master_auth block.

  resource "google_container_cluster" "container_cluster_demo" {
    ...
    master_auth {
      client_certificate_config {
        issue_client_certificate = true
        ...
      }
      ...
    }
    ...
  }
References
[1] HashiCorp google_container_cluster
[2] Google Cloud Leave legacy client authentication methods disabled
[3] Standards Mapping - Common Weakness Enumeration CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1), IA-5 Authenticator Management (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication, IA-5 Authenticator Management
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.2.3 Authentication Architectural Requirements (L2 L3)
[15] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[16] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001650 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_gke_cluster_certificate_based_authentication
Abstract
This Terraform configuration enables HTTP basic authentication on a GKE cluster.
Explanation
The Kubernetes API server, the cluster's central management entity, accepts HTTP basic authentication to authenticate users. HTTP basic authentication is deprecated (GKE disables it by default from version 1.12, and Kubernetes removed it entirely in 1.19), is vulnerable to brute-force attacks, and in a misconfigured environment exposes user credentials to an attacker.

Example 1: The following example shows a Terraform configuration that enables HTTP basic authentication on a GKE cluster by setting username and password to non-empty values in the master_auth block.

  resource "google_container_cluster" "container_cluster_demo" {
    ...
    master_auth {
      username = "foo"
      password = "bar"
    }
    ...
  }
References
[1] HashiCorp google_container_cluster
[2] Google Cloud Leave legacy client authentication methods disabled
[3] Standards Mapping - CIS Google Kubernetes Engine Benchmark Recommendation 5.8.1
[4] Standards Mapping - Common Weakness Enumeration CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[10] Standards Mapping - FIPS200 IA
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1), IA-5 Authenticator Management (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication, IA-5 Authenticator Management
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.2.3 Authentication Architectural Requirements (L2 L3), 2.2.5 General Authenticator Requirements (L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.3.1 Sensitive Private Data (L1 L2 L3), 8.1.6 General Data Protection (L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.2 Server Communications Security Requirements (L2 L3), 14.4.5 HTTP Security Headers Requirements (L1 L2 L3)
[16] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[17] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[24] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001650 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_gke_cluster_http_basic_authentication
Abstract
This Terraform configuration enables legacy ABAC authorization on a GKE cluster.
Explanation
By default, ABAC (attribute-based access control) is disabled on new clusters running GKE version 1.8 or later. ABAC allows access to resources to be granted statically to specific users or groups, outside of what RBAC (role-based access control) or Identity and Access Management (IAM) provides. This complicates permission management and weakens centralized access control.

Example 1: The following example shows a Terraform configuration that enables legacy ABAC authorization on a GKE cluster by setting enable_legacy_abac to true.

  resource "google_container_cluster" "container_cluster_demo" {
    ...
    enable_legacy_abac = true
    ...
  }
References
[1] HashiCorp google_container_cluster
[2] Google Cloud Setting the default node image type
[3] Google Cloud Configure role-based access control
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark Recommendation 5.8.4
[5] Standards Mapping - Common Weakness Enumeration CWE ID 637
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[7] Standards Mapping - FIPS200 AC
[8] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.4 Access Control Architectural Requirements (L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[13] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8, Requirement 7.2
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.1
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_gke_cluster_legacy_authorization
Abstract
The Terraform configuration disables node auto-repair for a GKE node pool.
Explanation
Every cloud service security feature prevents or mitigates a known threat. A feature that is disabled, whether intentionally or by oversight, provides no protection.

By default, when a GKE node repeatedly reports an unhealthy status over a given period, GKE initiates a repair process for that node. With node auto-repair disabled, unhealthy nodes, which may be running business-critical workloads, are not replaced automatically and promptly.

Example 1: The following Terraform configuration disables node auto-repair for the node pool by setting auto_repair to false in the management block.

  resource "google_container_node_pool" "node-pool-demo" {
    ...
    management {
      auto_repair = false
      ...
    }
    ...
  }
References
[1] HashiCorp google_container_node_pool
[2] Google Cloud Auto-repairing nodes
[3] Standards Mapping - CIS Google Kubernetes Engine Benchmark Recommendation 5.5.2
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[8] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities
[9] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.3.3
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.3.3
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services
desc.structural.hcl.gcp_terraform_misconfiguration_gke_cluster_node_auto_repair_disabled
Abstract
The Terraform configuration specifies a GKE cluster that is accessible over the public internet.
Explanation
Failing to block unnecessary network traffic expands the attack surface of a cloud service. Services that are publicly reachable are exposed to near-constant scanning and probing by malicious actors.

Private GKE nodes have no external IP addresses, and Pods running on them have no direct path to the public internet (outbound access requires Cloud NAT or a proxy). Disabling the public endpoint protects the cluster by limiting management access to internal private IP addresses. Without a private endpoint and private nodes, the cluster is reachable from anywhere on the internet.

Example 1: The following Terraform configuration allows the cluster nodes and the control plane to be reached from any public IP address, because enable_private_nodes and enable_private_endpoint are set to false.

  resource "google_container_cluster" "cluster-demo" {
    ...
    private_cluster_config {
      enable_private_endpoint = false
      enable_private_nodes = false
    }
    ...
  }
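The hardened counterpart of the cluster examples above, added here as an editor's illustration and not code from the original descriptions: a single google_container_cluster that closes the findings from the authorized-networks, client-certificate, HTTP basic authentication, legacy ABAC, and public-endpoint entries at once. The VPC, subnet, secondary ranges, and CIDR values are assumed placeholders.

```hcl
# Added example (not from the original descriptions): a GKE cluster with the
# control-plane hardening the preceding findings ask for. All names and
# CIDRs are placeholders.

# Private clusters must be VPC-native, so the subnet carries the Pod and
# Service secondary ranges.
resource "google_compute_network" "vpc" {
  name                    = "hardened-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "nodes" {
  name                     = "hardened-nodes"
  region                   = "us-central1"
  network                  = google_compute_network.vpc.id
  ip_cidr_range            = "10.10.1.0/24"
  private_ip_google_access = true # nodes reach Google APIs without public IPs

  secondary_ip_range {
    range_name    = "pods"
    ip_cidr_range = "10.20.0.0/16"
  }
  secondary_ip_range {
    range_name    = "services"
    ip_cidr_range = "10.30.0.0/20"
  }
}

resource "google_container_cluster" "hardened" {
  name     = "hardened-demo"
  location = "us-central1"

  network    = google_compute_network.vpc.id
  subnetwork = google_compute_subnetwork.nodes.id

  ip_allocation_policy {
    cluster_secondary_range_name  = "pods"
    services_secondary_range_name = "services"
  }

  # Nodes get internal IPs only, and the control plane's public endpoint is off.
  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = true
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }

  # Only these ranges may reach the control plane. With the public endpoint
  # disabled they must be internal (RFC 1918) addresses, e.g. a bastion subnet.
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "10.10.0.0/24"
      display_name = "bastion-subnet"
    }
  }

  # Legacy client-certificate issuance stays off. HTTP basic authentication
  # is absent simply because no username/password appear in master_auth
  # (provider 4.x and later no longer accept them at all).
  master_auth {
    client_certificate_config {
      issue_client_certificate = false
    }
  }

  # Authorization is RBAC and IAM only.
  enable_legacy_abac = false

  # A release channel keeps the control plane patched automatically.
  release_channel {
    channel = "REGULAR"
  }

  remove_default_node_pool = true
  initial_node_count       = 1
}
```

After apply, the settings can be confirmed with gcloud container clusters describe hardened-demo --region us-central1 --format 'yaml(privateClusterConfig,masterAuthorizedNetworksConfig,legacyAbac)'. Note that with enable_private_endpoint = true, Terraform itself must run from inside an authorized range (or through a bastion) to manage the cluster afterwards.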
References
[1] HashiCorp google_container_cluster
[2] Google Cloud Access to cluster endpoints
[3] Standards Mapping - CIS Google Kubernetes Engine Benchmark Recommendation 5.6.5
[4] Standards Mapping - Common Weakness Enumeration CWE ID 749
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), SC-3 Security Function Isolation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, SC-3 Security Function Isolation
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[12] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.2
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_gke_cluster_publicly_accessible
Abstract
This Terraform configuration sets up GKE nodes that do not run Container-Optimized OS.
Explanation
By default, GKE nodes run Container-Optimized OS (COS), an operating system image optimized for running GKE nodes on Google Compute Engine instances. Opting out of the default forfeits its security and efficiency benefits, among them a minimal, read-only root filesystem, verified boot, and automatic updates.

Example 1: The following example Terraform configuration sets up a GKE node pool that does not run COS, because image_type in the node_config block is set to an image other than COS.

  resource "google_container_node_pool" "node_pool_demo" {
    ...
    node_config {
      image_type = "UBUNTU"
      ...
    }
    ...
  }
References
[1] HashiCorp google_container_node_pool
[2] Google Cloud Setting the default node image type
[3] Google Cloud Container-Optimized OS Overview
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark Recommendation 5.5.1
[5] Standards Mapping - FIPS200 CM
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities
[11] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.3.3
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.3.3
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services
desc.structural.hcl.gcp_terraform_misconfiguration_gke_container_optimized_os_not_in_use
Abstract
This Terraform configuration disables automatic upgrades of Kubernetes nodes.
Explanation
By default, GKE automatically upgrades Kubernetes nodes to the latest stable version. This configuration disables auto-upgrade, the mechanism that applies timely patches for known software vulnerabilities.

Example 1: The following example Terraform configuration disables automatic upgrades of Kubernetes nodes by setting auto_upgrade to false in the management block.

  resource "google_container_node_pool" "node_pool_demo" {
    ...
    management {
      auto_upgrade = false
      ...
    }
    ...
  }
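The node pool that closes the three node-level findings above (auto-repair disabled, Container-Optimized OS not in use, auto-upgrade disabled), added here as an editor's illustration and not code from the original descriptions. The cluster reference, service account, and machine type are assumed placeholders.

```hcl
# Added example (not from the original descriptions): a node pool with
# auto-repair and auto-upgrade on and a Container-Optimized OS image.
# google_container_cluster.hardened is assumed to be defined elsewhere.

# Dedicated node identity instead of the Compute Engine default service
# account; it still needs roles such as logging.logWriter and
# monitoring.metricWriter granted separately.
resource "google_service_account" "nodes" {
  account_id   = "gke-nodes-demo"
  display_name = "GKE node identity"
}

resource "google_container_node_pool" "hardened" {
  name       = "hardened-pool"
  cluster    = google_container_cluster.hardened.id
  node_count = 1

  # Both flags on: GKE replaces nodes that fail health checks and rolls them
  # to the control plane's version. Clusters on a release channel do not let
  # you turn these off.
  management {
    auto_repair  = true
    auto_upgrade = true
  }

  # Surge upgrades bound the disruption auto-upgrade can cause: one extra
  # node is created before an old one drains, and none become unavailable.
  upgrade_settings {
    max_surge       = 1
    max_unavailable = 0
  }

  node_config {
    # COS with containerd: the default image family and the hardened choice.
    image_type   = "COS_CONTAINERD"
    machine_type = "e2-standard-2"

    service_account = google_service_account.nodes.email
    # The standard GKE node scope set rather than cloud-platform.
    oauth_scopes = [
      "https://www.googleapis.com/auth/devstorage.read_only",
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
    ]

    # Block the legacy (v1beta1) metadata endpoints from workloads.
    metadata = {
      disable-legacy-endpoints = "true"
    }

    # Shielded nodes: verified boot and integrity monitoring for the COS image.
    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = true
    }
  }
}
```

If the cluster uses a release channel, a plan that sets auto_repair or auto_upgrade to false is rejected by the API, which makes the channel a useful backstop against a later regression of this setting.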
References
[1] HashiCorp google_container_node_pool
[2] Google Cloud Auto-upgrading nodes
[3] Standards Mapping - CIS Google Kubernetes Engine Benchmark Recommendation 5.5.3
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities
[10] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.3.3
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.3.3
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services
desc.structural.hcl.gcp_terraform_misconfiguration_gke_node_auto_upgrade_disabled
Abstract
This Terraform configuration allows automatic creation of a project-wide network with weak access controls.
Explanation
By default, a new Google Cloud project starts with a project-wide "default" network. That network comes pre-populated with firewall rules that allow unrestricted communication between Compute Engine instances in the same project and expose security-sensitive ports on every instance to the public internet. Affected ports include TCP 22 (SSH) and TCP 3389 (RDP). Instances that are not adequately protected are vulnerable to unauthorized access.

Example 1: The following example Terraform configuration enables automatic creation of the project-wide network by setting auto_create_network to true. Because the argument defaults to true, omitting it has the same effect.

  resource "google_project" "project-demo" {
    ...
    auto_create_network = true
    ...
  }
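The corrected form, added here as an editor's illustration and not code from the original description: a project created without the default network, a custom-mode VPC in its place with an SSH/RDP rule scoped to Identity-Aware Proxy instead of 0.0.0.0/0, and the organization policy constraint (reference [4]) that stops the default network from being created in any new project. Organization, billing, and project identifiers are assumed placeholders.

```hcl
# Added example (not from the original description). IDs are placeholders.

variable "org_id"          { type = string }
variable "billing_account" { type = string }

resource "google_project" "demo" {
  name            = "demo-project"
  project_id      = "demo-project-123456"
  org_id          = var.org_id
  billing_account = var.billing_account

  # The provider enables the Compute Engine API and deletes the "default"
  # network (with its default-allow-ssh / default-allow-rdp rules) right
  # after creation. The network exists briefly, which is why the org policy
  # below is the stronger control.
  auto_create_network = false
}

# Replacement network: custom mode, so every subnet and firewall rule is
# declared deliberately rather than inherited from the default template.
resource "google_compute_network" "vpc" {
  name                    = "demo-vpc"
  project                 = google_project.demo.project_id
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "app" {
  name                     = "app"
  project                  = google_project.demo.project_id
  region                   = "us-central1"
  network                  = google_compute_network.vpc.id
  ip_cidr_range            = "10.50.0.0/24"
  private_ip_google_access = true
}

# Admin ports are reachable only from the IAP TCP-forwarding range, and only
# on instances that carry the tag, instead of from 0.0.0.0/0 on every instance.
resource "google_compute_firewall" "iap_admin" {
  name    = "allow-iap-admin"
  project = google_project.demo.project_id
  network = google_compute_network.vpc.id

  direction     = "INGRESS"
  source_ranges = ["35.235.240.0/20"]
  target_tags   = ["admin-access"]

  allow {
    protocol = "tcp"
    ports    = ["22", "3389"]
  }
}

# Organization-wide: never create the default network in new projects.
resource "google_organization_policy" "skip_default_network" {
  org_id     = var.org_id
  constraint = "compute.skipDefaultNetworkCreation"

  boolean_policy {
    enforced = true
  }
}
```

Deleting the default network requires the identity running Terraform to hold compute.networks.delete on the new project; if the apply fails at that step, the project is left with the default network and its permissive rules in place, so treat that failure as a finding rather than a transient error.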
References
[1] HashiCorp google_project
[2] Google Cloud VPC network overview
[3] Google Cloud Pre-populated rules in the default network
[4] Google Cloud Organization policy constraints
[5] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 3.2
[6] Standards Mapping - Common Weakness Enumeration CWE ID 732
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [16] CWE ID 732
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [22] CWE ID 732
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[10] Standards Mapping - FIPS200 AC
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.2 Access Control Architectural Requirements (L2 L3)
[16] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[17] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 1.4.2
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[24] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_google_project_network_access_control
Abstract
This Terraform configuration grants a service account full access to most Google Cloud APIs.
Explanation
This Terraform configuration sets the service account's access scope to cloud-platform, which allows access to most Google Cloud APIs. This greatly expands the attack surface available to anyone who compromises the Compute Engine instance and violates the principle of least privilege. Scopes only bound what a token obtained from the instance metadata server may request; the IAM roles granted to the service account still determine what it can actually do, so both must be kept minimal.

Example 1: The following example shows a Terraform configuration that sets the service account's access scopes (scopes) to cloud-platform.

  resource "google_compute_instance" "compute-instance-demo" {
    name = "name-demo"
    machine_type = "e2-micro"
    ...
    service_account {
      email = "foobar.service.account@example.com"
      scopes = ["cloud-platform"]
    }
  }
References
[1] Dylan Ayrey & Allison Donovan Compromise any GCP Org Via Cloud API Lateral Movement and Privilege Escalation
[2] Google Cloud Best practices for securing service accounts
[3] HashiCorp google_compute_instance
[4] Google Cloud Service accounts
[5] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.2
[6] Standards Mapping - Common Weakness Enumeration CWE ID 250
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [15] CWE ID 269
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000381, CCI-002233, CCI-002235
[9] Standards Mapping - FIPS200 AC
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-7 Least Functionality (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-7 Least Functionality
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.4 General Access Control Design (L1 L2 L3)
[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_improper_compute_engine_access_control
Abstract
A Terraform configuration sets up a domain for an App Engine application without configuring HTTPS support.
Explanation
기본적으둜 App Engine μ‘μš© ν”„λ‘œκ·Έλž¨μš© 도메인은 μ•”ν˜Έν™”λ˜μ§€ μ•Šμ€ μ—°κ²°κ³Ό λ³΄μ•ˆλ˜μ§€ μ•Šμ€ 연결을 ν—ˆμš©ν•©λ‹ˆλ‹€. μ΄λŸ¬ν•œ μ—°κ²°λ‘œ 인해 데이터가 무단 μ•‘μ„ΈμŠ€, λ„λ‚œ 및 λ³€μ‘° μœ„ν—˜μ— λ…ΈμΆœλ©λ‹ˆλ‹€.

Example 1: The following example shows a Terraform configuration that does not include an ssl_settings block for the example.com domain. As a result, the custom domain for the App Engine application does not support HTTPS.

resource "google_app_engine_domain_mapping" "domain_mapping" {
  domain_name = "example.com"
}
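As an added example (not part of this page or of the scanner's own rule logic), a small Python lint pass that flags both misconfigurations described above: a google_compute_instance service account scoped to cloud-platform, and a google_app_engine_domain_mapping without an ssl_settings block. The Terraform it scans is a constructed sample; its compliant mapping uses the provider's ssl_settings block with ssl_management_type = "AUTOMATIC", and the brace-counting extractor is a deliberately simple stand-in for a real HCL parser.

```python
import re
# Constructed sample Terraform (assumed input, not from the page): an instance
# with the over-broad scope, one with narrow scopes, a domain mapping without
# ssl_settings and one with it.
SAMPLE_TF = """
resource "google_compute_instance" "broad" {
  service_account {
    scopes = ["cloud-platform"]
  }
}
resource "google_compute_instance" "narrow" {
  service_account {
    scopes = ["logging-write", "monitoring-write"]
  }
}
resource "google_app_engine_domain_mapping" "plain" {
  domain_name = "example.com"
}
resource "google_app_engine_domain_mapping" "tls" {
  domain_name = "secure.example.com"
  ssl_settings {
    ssl_management_type = "AUTOMATIC"
  }
}
"""
RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
# Terraform accepts both the short alias and the full OAuth scope URL.
BROAD_SCOPES = {"cloud-platform", "https://www.googleapis.com/auth/cloud-platform"}

def resources(tf):
    """Yield (type, name, body) by brace-counting from each resource header; braces inside strings are not special-cased."""
    for m in RESOURCE_RE.finditer(tf):
        depth, i = 1, m.end()
        while depth and i < len(tf):
            depth += {"{": 1, "}": -1}.get(tf[i], 0)
            i += 1
        yield m.group(1), m.group(2), tf[m.end():i - 1]

def findings(tf):
    """Return one 'type.name: reason' string per misconfigured resource."""
    out = []
    for rtype, name, body in resources(tf):
        if rtype == "google_compute_instance":
            m = re.search(r"scopes\s*=\s*\[([^\]]*)\]", body)
            scopes = set(re.findall(r'"([^"]+)"', m.group(1))) if m else set()
            if scopes & BROAD_SCOPES:
                out.append(f"{rtype}.{name}: cloud-platform scope reaches most Google Cloud APIs")
        elif rtype == "google_app_engine_domain_mapping" and not re.search(r"ssl_settings\s*\{", body):
            out.append(f"{rtype}.{name}: no ssl_settings block, custom domain has no HTTPS")
    return out
```

Running findings(SAMPLE_TF) reports only the "broad" instance and the "plain" mapping; the narrow-scoped instance and the mapping with ssl_settings pass.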
References
[1] HashiCorp google_app_engine_domain_mapping
[2] Google Cloud Securing Custom Domains with SSL
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.10
[4] Standards Mapping - Common Weakness Enumeration CWE ID 311
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[6] Standards Mapping - FIPS200 SC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[12] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[13] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_insecure_app_engine_domain_transport