Reino: Environment

Esta seção contém tudo o que fica fora do código-fonte, porém que é essencial para a segurança do produto que está sendo criado. Como os problemas tratados neste domínio não são diretamente relacionados com o código-fonte, nós o separamos dos demais domínios.

633 itens encontrados
Vulnerabilidades

GCP Terraform Misconfiguration: Cloud DNS DNSSEC Disabled

Abstract
Uma configuração do Terraform não habilita o Domain Name System Security (DNSSEC) de um Domínio do Cloud DNS.
Explanation
O DNSSEC impede a falsificação de DNS fornecendo a capacidade de usar assinaturas digitais para validação de resposta de DNS. O DNSSEC de um Domínio do Cloud DNS não está habilitado.

Exemplo 1: O exemplo a seguir mostra uma configuração do Terraform que desabilita o DNSSEC em um Domínio do Cloud DNS definindo state como off no bloco dnssec_config.

resource "google_dns_managed_zone" "zone-demo" {
...
  dnssec_config {
    state = "off"
    ...
  }
...
}
References
[1] HashiCorp dns_managed_zone
[2] Google Cloud Manage DNSSEC configuration
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 3.3
[4] Standards Mapping - Common Weakness Enumeration CWE ID 345
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000166, CCI-002418, CCI-002422
[6] Standards Mapping - FIPS200 SC
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-8 Transmission Confidentiality and Integrity (P1), SC-20 Secure Name/Address Resolution Service (Authoritative Source) (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-8 Transmission Confidentiality and Integrity, SC-20 Secure Name/Address Resolution Service (Authoritative Source) (P1)
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.1 - Authentication and Access Control
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.1 - Authentication and Access Control
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002440 CAT I, APSC-DV-002470 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002440 CAT I, APSC-DV-002470 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002440 CAT I, APSC-DV-002470 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002440 CAT I, APSC-DV-002470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002440 CAT I, APSC-DV-002470 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_cloud_dns_dnssec_disabled

GCP Terraform Misconfiguration: Cloud Functions Missing Customer-Managed Encryption Key

Abstract
Uma configuração do Terraform não especifica nenhuma chave de criptografia gerenciada pelo cliente para dados em repouso.
Explanation
As chaves de criptografia gerenciadas pelo cliente (CMEK) não estão habilitadas para dados em repouso.

Por padrão, o Google Cloud usa Chaves de Criptografia de Dados (DEK) geradas aleatoriamente para criptografar dados em repouso. O recurso CMEK permite que as organizações usem chaves criptográficas de sua escolha para criptografar a DEK. Isso dá às organizações melhor controle e registro de processos de criptografia.

Como tal, a CMEK geralmente faz parte da solução para atender aos requisitos que incluem, mas não estão limitados a:
- Logs de auditoria para acesso a dados confidenciais
- Residência de dados
- Substituição, desabilitação ou destruição de chaves
- Módulo de segurança de hardware inviolável
References
[1] Google Cloud Customer-managed encryption keys (CMEK)
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.hcl.iac.gcp_bad_practices_missing_customer_managed_encryption_key.base

GCP Terraform Misconfiguration: Cloud KMS CryptoKey Publicly Accessible

Abstract
Uma configuração do Terraform concede acesso público às CryptoKeys do Cloud KMS.
Explanation
Conceder a allUsers ou allAuthenticatedUsers uma função de CryptoKey do Cloud KMS dá a qualquer pessoa acesso a dados confidenciais.
References
[1] HashiCorp IAM policy for Google Cloud KMS crypto key
[2] Google Cloud Usage logs & storage logs
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 1.9
[4] Standards Mapping - Common Weakness Enumeration CWE ID 284, CWE ID 359
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000381, CCI-002233, CCI-002235, CCI-002420
[9] Standards Mapping - FIPS200 AC
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, IA-8 Identification and Authentication (Non-Organizational Users), SC-8 Transmission Confidentiality and Integrity
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8, Requirement 7.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.2
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002480 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002480 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002480 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002480 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002480 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_cloud_kms_cryptokey_publicly_accessible

GCP Terraform Misconfiguration: Cloud Spanner Missing Customer-Managed Encryption Key

Abstract
Uma configuração do Terraform não especifica nenhuma chave de criptografia gerenciada pelo cliente para dados em repouso.
Explanation
As chaves de criptografia gerenciadas pelo cliente (CMEK) não estão habilitadas para dados em repouso.

Por padrão, o Google Cloud usa Chaves de Criptografia de Dados (DEK) geradas aleatoriamente para criptografar dados em repouso. O recurso CMEK permite que as organizações usem chaves criptográficas de sua escolha para criptografar a DEK. Isso dá às organizações melhor controle e registro de processos de criptografia.

Como tal, a CMEK geralmente faz parte da solução para atender aos requisitos que incluem, mas não estão limitados a:
- Logs de auditoria para acesso a dados confidenciais
- Residência de dados
- Substituição, desabilitação ou destruição de chaves
- Módulo de segurança de hardware inviolável
References
[1] Google Cloud Customer-managed encryption keys (CMEK)
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.hcl.iac.gcp_bad_practices_missing_customer_managed_encryption_key.base

GCP Terraform Misconfiguration: Cloud SQL Backup Disabled

Abstract
Uma configuração do Terraform configura uma instância de banco de dados sem configurações de backup.
Explanation
Os backups de banco de dados são essenciais para proteger contra perda ou corrupção de dados. Os backups automatizados de uma instância de banco de dados do Cloud SQL devem ser configurados e habilitados explicitamente.

Exemplo 1: O exemplo a seguir mostra uma configuração do Terraform que desabilita as configurações de backup de instância de banco de dados definindo enabled como false.

resource "google_sql_database_instance" "database_instance_demo" {
  ...
  settings {
    backup_configuration {
      enabled = false
      ...
    }
  }
}
References
[1] HashiCorp google_sql_database_instance
[2] Google Cloud About Cloud SQL backups
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 6.7
[4] Standards Mapping - Common Weakness Enumeration CWE ID 1188
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003109
[6] Standards Mapping - FIPS200 CM
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-38 Operations Security (P0)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-38 Operations Security
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.1.5 General Data Protection (L3)
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 12.10.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 12.10.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 12.10.1
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 2.2 - Secure Defaults
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 2.2 - Secure Defaults
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 2.2 - Secure Defaults
desc.structural.hcl.gcp_terraform_misconfiguration_cloud_sql_backup_disabled

GCP Terraform Misconfiguration: Cloud SQL Database Publicly Accessible

Abstract
Uma configuração do Terraform permite o acesso público a uma instância do Banco de Dados do Google Cloud SQL.
Explanation
A falha em bloquear o tráfego de rede indesejado expande a superfície de ataque de um serviço de nuvem. Os serviços abertos à interação com o público estão sujeitos a varreduras e investigações quase contínuas por entidades mal-intencionadas.

Por padrão, o Terraform implanta uma instância do Banco de Dados do Google Cloud SQL que aceita apenas conexões de endereços IP privados. As configurações opcionais de Redes Autorizadas definem intervalos aceitáveis de endereços IP públicos.

Exemplo 1: A configuração do Terraform a seguir define value como 0.0.0.0/0 no bloco authorized_networks. Um bloco CIDR de /0 aceita conexões de qualquer endereço IP entre 0.0.0.0 e 255.255.255.255.

resource "google_sql_database_instance" "db-demo" {
  ...
  settings {
  ...
    ip_configuration {
    ...
      authorized_networks {
        name  = "any ip"
        value = "0.0.0.0/0"
      }
    ...
    }
    ...
  }
  ...
}
References
[1] HashiCorp google_sql_database_instance
[2] Google Cloud Authorize with authorized networks
[3] Google Cloud Disable public IP
[4] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 6.5
[5] Standards Mapping - Common Weakness Enumeration CWE ID 284
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[7] Standards Mapping - FIPS200 AC
[8] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), SC-3 Security Function Isolation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, SC-3 Security Function Isolation
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[13] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.2
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_cloud_sql_database_publicly_accessible

GCP Terraform Misconfiguration: Cloud Storage Bucket Publicly Accessible

Abstract
Uma configuração do Terraform concede acesso público a um Bucket do Cloud Storage.
Explanation
Conceder a allUsers ou allAuthenticatedUsers uma função do Cloud Storage dá a qualquer pessoa acesso a dados confidenciais.
References
[1] HashiCorp IAM policy for Cloud Storage Bucket
[2] Google Cloud Public access prevention
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 5.1
[4] Standards Mapping - Common Weakness Enumeration CWE ID 284, CWE ID 359
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000381, CCI-002233, CCI-002235, CCI-002420
[9] Standards Mapping - FIPS200 AC
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, IA-8 Identification and Authentication (Non-Organizational Users), SC-8 Transmission Confidentiality and Integrity
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8, Requirement 7.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.2
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002480 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002480 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002480 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002480 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002480 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_cloud_storage_bucket_publicly_accessible

GCP Terraform Misconfiguration: Cloud Storage Bucket Uniform Access Disabled

Abstract
Uma configuração do Terraform configura um Bucket do Google Storage que permite o uso de Listas de Controle de Acesso para controlar permissões.
Explanation
A má gestão de permissões aumenta o risco de acesso não autorizado ou modificação de dados restritos.

Para definir a permissão do usuário para acesso a buckets e objetos em buckets, o Google Cloud Storage oferece dois sistemas: ACLs (Listas de Controle de Acesso) e IAM (Gerenciamento de Identidade e Acesso). O IAM pode ser usado em todo o Google Cloud, enquanto apenas o Cloud Storage oferece suporte a ACLs. Habilitar o Acesso Uniforme no Nível do Bucket impede que as ACLs concedam permissão. Isso garante que o IAM seja o único sistema para gerenciar todo o controle de acesso dos recursos do Google Cloud.

Exemplo 1: A configuração do Terraform a seguir permite o uso de ACLs junto com o IAM para conceder acesso ao bucket de armazenamento definindo uniform_bucket_level_access como false.

resource "google_storage_bucket" "bucket-demo" {
...
  uniform_bucket_level_access = false
...
}
References
[1] HashiCorp google_storage_bucket
[2] Google Cloud Uniform bucket-level access
[3] Google Cloud Organization policy constraints for Cloud Storage
[4] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 5.2
[5] Standards Mapping - Common Weakness Enumeration CWE ID 284
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002121
[7] Standards Mapping - FIPS200 AC
[8] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-2 Account Management (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-2 Account Management
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.4 Access Control Architectural Requirements (L2 L3)
[13] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[15] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002880 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002880 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002880 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002880 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002880 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_cloud_storage_bucket_uniform_access_disabled

GCP Terraform Misconfiguration: Compute Engine Access Control

Abstract
Uma configuração do Terraform configura uma instância do Compute Engine sem usar funções do Identity and Access Management (IAM) para gerenciar o acesso SSH.
Explanation
O controle de acesso baseado no IAM reduz os erros humanos e promove a eficiência. A habilitação do login do SO permite o uso de funções do IAM para automatizar o gerenciamento do ciclo de vida de contas do Linux para acessar todas as instâncias do Compute Engine no mesmo projeto ou organização.

Exemplo 1: O exemplo a seguir mostra uma configuração do Terraform que desabilita o uso de funções do IAM para gerenciar o acesso ao SSH definindo enable-oslogin como false no argumento metadata.

resource "google_compute_instance" "compute-instance-demo" {
  ...
  metadata = {
    enable-oslogin = false
    ...
  }
  ...
}
References
[1] HashiCorp google_compute_instance
[2] Google Cloud About OS Login
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.4
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000015, CCI-002121
[5] Standards Mapping - FIPS200 AC
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-2 Account Management (P1), AC-3 Access Enforcement (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-2 Account Management, AC-3 Access Enforcement
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.1.6 Secure Software Development Lifecycle (L2 L3), 1.4.1 Access Control Architectural Requirements (L2 L3)
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 8.2.1
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 8.3.1
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 8.3.1
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[16] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000280 CAT II, APSC-DV-002880 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000280 CAT II, APSC-DV-002880 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000280 CAT II, APSC-DV-002880 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000280 CAT II, APSC-DV-002880 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000280 CAT II, APSC-DV-002880 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_compute_engine_access_control

GCP Terraform Misconfiguration: Compute Engine Default Service Account

Abstract
Uma configuração do Terraform cria uma instância do Compute Engine com uma conta de serviço padrão.
Explanation
Se uma instância do Compute Engine for criada sem uma especificação de conta de serviço gerenciada pelo usuário, o Google Cloud atribuirá uma conta de serviço padrão à instância. Os direitos de acesso da conta de serviço padrão geralmente estão além do que a instância precisa para operar. Isso viola o princípio do privilégio mínimo.

Exemplo 1: O exemplo a seguir mostra uma configuração do Terraform que cria uma instância do Compute Engine sem uma especificação de conta de serviço gerenciada pelo usuário. O bloco service_account está ausente.

resource "google_compute_instance" "instance-demo" {
    name = "name-demo"
    machine_type = "e2-micro"
    boot_disk {
    ...
    }
    network_interface {
    ...
    }
}
References
[1] Dylan Ayrey & Allison Donovan Compromise any GCP Org Via Cloud API Lateral Movement and Privilege Escalation
[2] Google Cloud Best practices for securing service accounts
[3] HashiCorp google_compute_instance
[4] Google Cloud Service accounts
[5] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.1
[6] Standards Mapping - Common Weakness Enumeration CWE ID 250
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [15] CWE ID 269
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000017, CCI-000381, CCI-002233, CCI-002235
[9] Standards Mapping - FIPS200 AC
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-2 Account Management (P1), AC-6 Least Privilege (P1), CM-7 Least Functionality (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-2 Account Management, AC-6 Least Privilege, CM-7 Least Functionality
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.4 General Access Control Design (L1 L2 L3)
[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000330 CAT II, APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000330 CAT II, APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_compute_engine_default_service_account

GCP Terraform Misconfiguration: Compute Engine IP Forwarding Enabled

Abstract
Uma configuração do Terraform configura uma instância do Compute Engine que permite o encaminhamento de IP.
Explanation
A falha em bloquear o tráfego de rede indesejado expande a superfície de ataque de um serviço de nuvem.

Por padrão, o encaminhamento de IP está desabilitado em uma instância do Compute Engine. O encaminhamento de IP permite enviar e receber pacotes com IPs de origem ou destino não correspondentes. Um invasor pode explorar isso roteando pacotes por meio da instância do Compute Engine para ignorar o controle de acesso à rede.

Exemplo 1: A configuração do Terraform a seguir habilita o encaminhamento de IP definindo can_ip_forward como true.

resource "google_compute_instance" "compute_instance_demo" {
  ...
  can_ip_forward = true
  ...
}
References
[1] HashiCorp google_compute_instance
[2] Google Cloud Enabling IP forwarding for instances
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.6
[4] Standards Mapping - Common Weakness Enumeration CWE ID 441
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), CA-3 System Interconnections (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, CA-3 Information Exchange
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.1 General Access Control Design (L1 L2 L3)
[12] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_compute_engine_ip_forwarding_enabled

GCP Terraform Misconfiguration: Compute Engine Missing Confidential Computing Features

Abstract
Uma configuração do Terraform não habilita uma VM Confidencial.
Explanation
Por padrão, uma instância do Compute Engine não é uma VM Confidencial. Uma VM Confidencial usa criptografia baseada em hardware para proteção de dados em uso e para dar suporte a atestados remotos. As chaves de instância por VM dedicadas não exportáveis mantêm a memória da VM criptografada, protegendo assim a confidencialidade e a integridade da VM contra o acesso do provedor de nuvem por meio do hipervisor com privilégios mais altos.

Exemplo 1: O exemplo a seguir mostra uma configuração do Terraform que desabilita a VM Confidencial definindo enable_confidential_compute como false.

resource "google_compute_instance" "default" {
  ...
  confidential_instance_config {
    enable_confidential_compute = false
  }
  ...
}
References
[1] HashiCorp google_compute_instance
[2] Google Cloud Confidential VM
[3] Confidential Computing Consortium A Technical Analysis of Confidential Computing
[4] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.11
[5] Standards Mapping - Common Weakness Enumeration CWE ID 311
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[7] Standards Mapping - FIPS200 SC
[8] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[13] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[14] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_compute_engine_missing_confidential_computing_features

GCP Terraform Misconfiguration: Compute Engine Missing Customer-Managed Encryption Key

Abstract
Uma instância do Compute Engine não usa uma chave de criptografia fornecida pelo cliente para proteger a chave de criptografia do disco.
Explanation
Por padrão, o Google Cloud Compute Engine criptografa todos os dados em repouso. Uma chave de criptografia fornecida pelo cliente (CSEK), se especificada, criptografa as chaves de criptografia de dados. O Google não armazena nenhuma CSEK em uma instância do Compute Engine e não pode acessar os dados protegidos a menos que a CSEK correta seja fornecida.

Exemplo 1: O exemplo a seguir mostra uma configuração do Terraform que define um disco permanente para uma instância do Compute Engine. O bloco disk_encryption_key está ausente, portanto, não há CSEK para proteger as chaves de criptografia de dados.

resource "google_compute_disk" "compute-disk-demo" {
    name  = "test-disk"
    type  = "pd-ssd"
}
References
[1] HashiCorp google_compute_disk
[2] Google Cloud Persistent disk encryption
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.7
[4] Standards Mapping - Common Weakness Enumeration CWE ID 311
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[6] Standards Mapping - FIPS200 MP
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[12] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[13] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_compute_engine_missing_customer_managed_encryption_key

GCP Terraform Misconfiguration: Compute Engine Project-Wide SSH

Abstract
Uma configuração do Terraform configura uma instância do Compute Engine sem bloquear o login SSH em todo o projeto.
Explanation
Por padrão, você pode usar chaves SSH armazenadas nos metadados do projeto para acessar todas as instâncias do Compute Engine em um projeto. Isso expande muito a superfície de ataque acessível a qualquer chave SSH comprometida e viola o princípio de privilégio mínimo.

Exemplo 1: O exemplo a seguir mostra uma configuração do Terraform que permite logins SSH em todo o projeto definindo block-project-ssh-keys como false no argumento metadata.

resource "google_compute_instance" "compute_instance_demo" {
  ...
  metadata = {
    block-project-ssh-keys = false
    ...
  }
  ...
}
References
[1] HashiCorp google_compute_instance
[2] Google Cloud Restrict SSH keys from VMs
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.3
[4] Standards Mapping - Common Weakness Enumeration CWE ID 250
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [15] CWE ID 269
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000381, CCI-002233, CCI-002235
[7] Standards Mapping - FIPS200 AC
[8] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-7 Least Functionality (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-7 Least Functionality
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.4 General Access Control Design (L1 L2 L3)
[13] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_compute_engine_project_wide_ssh

GCP Terraform Misconfiguration: Compute Engine Serial Console Enabled

Abstract
Uma configuração do Terraform configura uma instância do Compute Engine que permite o acesso ao console serial interativo.
Explanation
A falha em bloquear o tráfego de rede indesejado expande a superfície de ataque de um serviço de nuvem. Os serviços abertos à interação com o público estão sujeitos a varreduras e investigações quase contínuas por entidades mal-intencionadas.

Por padrão, a porta serial de uma instância do Compute Engine está desativada para acesso ao console. Habilitar o acesso ao console serial pode permitir que invasores se conectem à instância do Compute Engine de qualquer endereço IP, pois a porta serial não é compatível com restrições de acesso baseadas em IP.

Exemplo 1: A configuração do Terraform a seguir permite acesso ao console serial interativo definindo serial-port-enable como true no argumento metadata.

resource "google_compute_instance" "compute_instance_demo" {
  ...
  metadata = {
    serial-port-enable = true
    ...
  }
  ...
}
References
[1] HashiCorp google_compute_instance
[2] Google Cloud Disabling interactive serial console access
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.5
[4] Standards Mapping - Common Weakness Enumeration CWE ID 749
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), CA-3 System Interconnections (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, CA-3 Information Exchange
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.1 General Access Control Design (L1 L2 L3)
[12] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_compute_engine_serial_console_enabled

GCP Terraform Misconfiguration: Compute Engine Shielded VM Option Disabled

Abstract
Uma configuração do Terraform configura uma instância do Compute Engine sem habilitar todas as opções de VM Protegidas recomendadas.
Explanation
Cada recurso de segurança de serviço em nuvem tem uma capacidade única de prevenir ou atenuar uma ameaça conhecida. Qualquer recurso desabilitado por intenção ou erro não oferece proteção.

A desabilitação de qualquer opção de VM Protegida permite que um invasor ignore as restrições de segurança implementadas para um sistema operacional convidado em uma instância do Compute Engine. As opções de VM Protegida recomendadas (e seus identificadores de configuração do Terraform correspondentes) são as seguintes:

- Monitoramento de Integridade (enable_integrity_monitoring)
- Inicialização Segura (enable_secure_boot)
- Módulo de Plataforma Confiável Virtual (enable_vtpm)

Exemplo 1: A configuração do Terraform a seguir define enable_integrity_monitoring como false no bloco shielded_instance_config. Nem todas as opções de VM Protegida recomendadas estão habilitadas.

resource "google_compute_instance" "compute_instance_demo" {
  ...
  shielded_instance_config {
    enable_integrity_monitoring = false
    enable_secure_boot = true
    enable_vtpm = true
  }
  ...
}
References
[1] HashiCorp google_compute_instance
[2] Google Cloud Modifying Shielded VM options on a VM instance
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.8
[4] Standards Mapping - Common Weakness Enumeration CWE ID 320, CWE ID 693, CWE ID 922
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000803, CCI-001749, CCI-002235
[6] Standards Mapping - FIPS200 CM
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-5 Access Restrictions for Change (P1), CM-6 Configuration Settings (P1), IA-7 Cryptographic Module Authentication (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-6 Configuration Settings, CM-14 Signed Components, IA-7 Cryptographic Module Authentication
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.6.2 Cryptographic Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3)
[12] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities
[13] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2, Requirement 6.5.3
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.3.3
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 6.3.3
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography, Control Objective 10.2 - Threat and Vulnerability Management
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective 10.2 - Threat and Vulnerability Management
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective 10.2 - Threat and Vulnerability Management
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-001430 CAT II, APSC-DV-001860 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-001430 CAT II, APSC-DV-001860 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-001430 CAT II, APSC-DV-001860 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-001430 CAT II, APSC-DV-001860 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-001430 CAT II, APSC-DV-001860 CAT I
desc.structural.hcl.gcp_terraform_misconfiguration_compute_engine_shielded_vm_option_disabled

GCP Terraform Misconfiguration: Edge Cache Service Missing HTTP-to-HTTPS Redirect

Abstract
Uma configuração do Terraform não redireciona a comunicação do Edge Cache de HTTP para HTTPS.
Explanation
Por padrão, os serviços do Edge Cache aceitam conexões não criptografadas e não seguras. Essas conexões expõem os dados a acesso não autorizado, possível roubo e adulteração.

Exemplo 1: O exemplo a seguir mostra uma configuração do Terraform que define um Serviço do Edge Cache que permite que os clientes usem HTTP para comunicação definindo https_redirect como false.

resource "google_network_services_edge_cache_service" "srv_demo" {
...
  routing {
...
    path_matcher {
...
      route_rule {
...
        url_redirect {
          https_redirect = false
        }
      }
    }
  }
}
References
[1] HashiCorp google_network_services_edge_cache_service
[2] Google Cloud Redirect all requests to HTTPS
[3] Standards Mapping - Common Weakness Enumeration CWE ID 311
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[5] Standards Mapping - FIPS200 SC
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[11] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[12] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[19] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_edge_cache_service_missing_http_to_https_redirect

GCP Terraform Misconfiguration: Filestore Missing Customer-Managed Encryption Key

Abstract
Uma configuração do Terraform não especifica nenhuma chave de criptografia gerenciada pelo cliente para dados em repouso.
Explanation
As chaves de criptografia gerenciadas pelo cliente (CMEK) não estão habilitadas para dados em repouso.

Por padrão, o Google Cloud usa Chaves de Criptografia de Dados (DEK) geradas aleatoriamente para criptografar dados em repouso. O recurso CMEK permite que as organizações usem chaves criptográficas de sua escolha para criptografar a DEK. Isso dá às organizações melhor controle e registro de processos de criptografia.

Como tal, a CMEK geralmente faz parte da solução para atender aos requisitos que incluem, mas não estão limitados a:
- Logs de auditoria para acesso a dados confidenciais
- Residência de dados
- Substituição, desabilitação ou destruição de chaves
- Módulo de segurança de hardware inviolável
References
[1] Google Cloud Customer-managed encryption keys (CMEK)
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.hcl.iac.gcp_bad_practices_missing_customer_managed_encryption_key.base

GCP Terraform Misconfiguration: GKE Cluster Administrative Interface Access Control

Abstract
Uma configuração do Terraform não define nenhuma rede autorizada para restringir o acesso aos planos de controle do GKE.
Explanation
O plano de controle do GKE toma decisões globais sobre um cluster e, por padrão, muitos de seus endpoints de API são acessíveis publicamente. Adicionar redes autorizadas usando uma lista de permissões pode fornecer proteção em nível de rede para acesso ao plano de controle.

Exemplo 1: O exemplo de configuração do Terraform a seguir configura um cluster público sem definir nenhuma rede autorizada no bloco master_authorized_networks_config. Como resultado, os endpoints da API do plano de controle do GKE podem ser acessados publicamente.

resource "google_container_cluster" "cluster_demo" {
  name = "name-demo"
}
References
[1] HashiCorp google_container_cluster
[2] Google Cloud Add authorized networks for control plane access
[3] Standards Mapping - CIS Google Kubernetes Engine Benchmark Recommendation 5.6.3
[4] Standards Mapping - Common Weakness Enumeration CWE ID 749
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-001082, CCI-001084, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1), SC-2 Application Partitioning (P1), SC-3 Security Function Isolation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-8 Identification and Authentication (Non-Organizational Users), SC-2 Separation of System and User Functionality, SC-3 Security Function Isolation
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.1 General Access Control Design (L1 L2 L3), 14.5.1 Validate HTTP Request Header Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002150 CAT II, APSC-DV-002360 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002150 CAT II, APSC-DV-002360 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002150 CAT II, APSC-DV-002360 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002150 CAT II, APSC-DV-002360 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002150 CAT II, APSC-DV-002360 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_gke_cluster_administrative_interface_access_control

GCP Terraform Misconfiguration: GKE Cluster Certificate-Based Authentication

Abstract
Uma configuração do Terraform habilita a autenticação baseada em certificado em um cluster do GKE.
Explanation
Por padrão, a autenticação baseada em certificado é desabilitada em novos clusters que executam o GKE versão 1.12 e posterior. Com a autenticação baseada em certificado, um usuário apresenta um certificado que o servidor da API do Kubernetes verifica com a autoridade de certificação especificada. No entanto, não há como revogar o certificado quando o usuário sai ou perde as credenciais. Isso torna a autenticação baseada em certificado inadequada para usuários finais.

Exemplo 1: O exemplo de configuração do Terraform a seguir habilita a autenticação baseada em certificado de cliente do GKE definindo issue_client_certificate como true no bloco master_auth.

resource "google_container_cluster" "container_cluster_demo" {
...
  master_auth {
    client_certificate_config {
      issue_client_certificate = true
      ...
    }
    ...
  }
...
}
References
[1] HashiCorp google_container_cluster
[2] Google Cloud Leave legacy client authentication methods disabled
[3] Standards Mapping - Common Weakness Enumeration CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1), IA-5 Authenticator Management (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication, IA-5 Authenticator Management
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.2.3 Authentication Architectural Requirements (L2 L3)
[15] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[16] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001650 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_gke_cluster_certificate_based_authentication