界: Environment

本節包括原始程式碼之外的所有內容,但對於建立中產品的安全性仍至關重要。由於此領域所涵蓋的問題與原始程式碼沒有直接關係,因此我們將其與其他領域分開。

633 找到的項目
弱點

GCP Terraform Misconfiguration: Cloud DNS DNSSEC Disabled

Abstract
Terraform 組態不會啟用 Cloud DNS 網域的網域名稱系統安全性 (DNSSEC)。
Explanation
DNSSEC 透過提供使用數位簽章進行 DNS 回應驗證的能力來防止 DNS 假冒。Cloud DNS 網域的 DNSSEC 未啟用。

範例 1:以下範例顯示一個 Terraform 組態,其透過將 dnssec_config 區塊的 state 設定為 off,來停用 Cloud DNS 網域上的 DNSSEC。

resource "google_dns_managed_zone" "zone-demo" {
...
  dnssec_config {
    state = "off"
    ...
  }
...
}
References
[1] HashiCorp dns_managed_zone
[2] Google Cloud Manage DNSSEC configuration
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 3.3
[4] Standards Mapping - Common Weakness Enumeration CWE ID 345
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000166, CCI-002418, CCI-002422
[6] Standards Mapping - FIPS200 SC
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-8 Transmission Confidentiality and Integrity (P1), SC-20 Secure Name/Address Resolution Service (Authoritative Source) (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-8 Transmission Confidentiality and Integrity, SC-20 Secure Name/Address Resolution Service (Authoritative Source) (P1)
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.1 - Authentication and Access Control
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.1 - Authentication and Access Control
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002440 CAT I, APSC-DV-002470 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002440 CAT I, APSC-DV-002470 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002440 CAT I, APSC-DV-002470 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002440 CAT I, APSC-DV-002470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002440 CAT I, APSC-DV-002470 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_cloud_dns_dnssec_disabled

GCP Terraform Misconfiguration: Cloud Functions Missing Customer-Managed Encryption Key

Abstract
Terraform 組態未指定任何客戶自管加密金鑰給靜態資料。
Explanation
未針對靜態資料啟用客戶自管加密金鑰 (CMEK)。

依預設,Google Cloud 使用隨機產生的資料加密金鑰 (DEK) 來加密靜態資料。CMEK 功能允許組織使用自己選擇的加密金鑰來加密 DEK。這讓組織可以妥善控制和記錄加密過程。

因此,CMEK 通常會納入解決方案的一部分,可滿足包括但不限於以下需求:
- 敏感資料存取的稽核記錄
- 資料落地
- 取代、停用或銷毀金鑰
- 防篡改硬體安全性模組
References
[1] Google Cloud Customer-managed encryption keys (CMEK)
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.hcl.iac.gcp_bad_practices_missing_customer_managed_encryption_key.base

GCP Terraform Misconfiguration: Cloud KMS CryptoKey Publicly Accessible

Abstract
Terraform 組態會授予對 Cloud KMS CryptoKeys 的公開存取權。
Explanation
將 Cloud KMS CryptoKey 角色授予 allUsersallAuthenticatedUsers 後,任何人都可以存取敏感資料。
References
[1] HashiCorp IAM policy for Google Cloud KMS crypto key
[2] Google Cloud Usage logs & storage logs
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 1.9
[4] Standards Mapping - Common Weakness Enumeration CWE ID 284, CWE ID 359
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000381, CCI-002233, CCI-002235, CCI-002420
[9] Standards Mapping - FIPS200 AC
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, IA-8 Identification and Authentication (Non-Organizational Users), SC-8 Transmission Confidentiality and Integrity
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8, Requirement 7.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.2
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002480 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002480 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002480 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002480 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002480 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_cloud_kms_cryptokey_publicly_accessible

GCP Terraform Misconfiguration: Cloud Spanner Missing Customer-Managed Encryption Key

Abstract
Terraform 組態未指定任何客戶自管加密金鑰給靜態資料。
Explanation
未針對靜態資料啟用客戶自管加密金鑰 (CMEK)。

依預設,Google Cloud 使用隨機產生的資料加密金鑰 (DEK) 來加密靜態資料。CMEK 功能允許組織使用自己選擇的加密金鑰來加密 DEK。這讓組織可以妥善控制和記錄加密過程。

因此,CMEK 通常會納入解決方案的一部分,可滿足包括但不限於以下需求:
- 敏感資料存取的稽核記錄
- 資料落地
- 取代、停用或銷毀金鑰
- 防篡改硬體安全性模組
References
[1] Google Cloud Customer-managed encryption keys (CMEK)
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.hcl.iac.gcp_bad_practices_missing_customer_managed_encryption_key.base

GCP Terraform Misconfiguration: Cloud SQL Backup Disabled

Abstract
Terraform 組態設定了一個沒有備份組態的資料庫執行個體。
Explanation
資料庫備份對於防止資料遺失或損毀至關重要。所以,應明確設定並啟用 Cloud SQL 資料庫執行個體的自動備份功能。

範例 1:以下範例顯示一個 Terraform 組態,其透過將 enabled 設定為 false 來停用資料庫執行個體備份組態。

resource "google_sql_database_instance" "database_instance_demo" {
  ...
  settings {
    backup_configuration {
      enabled = false
      ...
    }
  }
}
References
[1] HashiCorp google_sql_database_instance
[2] Google Cloud About Cloud SQL backups
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 6.7
[4] Standards Mapping - Common Weakness Enumeration CWE ID 1188
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003109
[6] Standards Mapping - FIPS200 CM
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-38 Operations Security (P0)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-38 Operations Security
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.1.5 General Data Protection (L3)
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 12.10.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 12.10.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 12.10.1
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 2.2 - Secure Defaults
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 2.2 - Secure Defaults
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 2.2 - Secure Defaults
desc.structural.hcl.gcp_terraform_misconfiguration_cloud_sql_backup_disabled

GCP Terraform Misconfiguration: Cloud SQL Database Publicly Accessible

Abstract
Terraform 組態啟用了對 Google Cloud SQL Database 執行個體的公開存取。
Explanation
未能封鎖不需要的網路流量,將會擴大雲端服務的受攻擊面。開放與公眾互動的服務會受到惡意實體幾乎連續的掃描和探測。

依預設,Terraform 會部署只接受來自私有 IP 位址連線的 Google Cloud SQL Database 執行個體。選用的 Authorized Networks 設定定義了可接受的公用 IP 位址範圍。

範例 1:以下 Terraform 組態在 authorized_networks 區塊中將 value 設為 0.0.0.0/0/0 的 CIDR 區塊會接受來自 0.0.0.0 和 255.255.255.255 之間任何 IP 位址的連線。

resource "google_sql_database_instance" "db-demo" {
  ...
  settings {
  ...
    ip_configuration {
    ...
      authorized_networks {
        name  = "any ip"
        value = "0.0.0.0/0"
      }
    ...
    }
    ...
  }
  ...
}
References
[1] HashiCorp google_sql_database_instance
[2] Google Cloud Authorize with authorized networks
[3] Google Cloud Disable public IP
[4] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 6.5
[5] Standards Mapping - Common Weakness Enumeration CWE ID 284
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[7] Standards Mapping - FIPS200 AC
[8] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), SC-3 Security Function Isolation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, SC-3 Security Function Isolation
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[13] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.2
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_cloud_sql_database_publicly_accessible

GCP Terraform Misconfiguration: Cloud Storage Bucket Publicly Accessible

Abstract
Terraform 組態會授予對 Cloud Storage 值區的公開存取權。
Explanation
將 Cloud Storage 角色授予 allUsersallAuthenticatedUsers 後,任何人都可以存取敏感資料。
References
[1] HashiCorp IAM policy for Cloud Storage Bucket
[2] Google Cloud Public access prevention
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 5.1
[4] Standards Mapping - Common Weakness Enumeration CWE ID 284, CWE ID 359
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000381, CCI-002233, CCI-002235, CCI-002420
[9] Standards Mapping - FIPS200 AC
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, IA-8 Identification and Authentication (Non-Organizational Users), SC-8 Transmission Confidentiality and Integrity
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8, Requirement 7.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.2
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002480 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002480 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002480 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002480 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002480 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_cloud_storage_bucket_publicly_accessible

GCP Terraform Misconfiguration: Cloud Storage Bucket Uniform Access Disabled

Abstract
Terraform 組態設定了一個允許使用存取控制清單來控制權限的 Google Storage 儲存貯體。
Explanation
權限管理不善會增加未經授權存取或限制資料遭到修改的風險。

為了定義存取儲存貯體和儲存貯體中物件的使用者權限,Google Cloud Storage 提供了兩個系統:存取控制清單 (ACL) 和 Identity and Access Management (IAM)。IAM 可以在整個 Google Cloud 中使用,但只有 Cloud Storage 支援 ACL。啟用 Uniform Bucket-level Access 會阻止 ACL 授予權限。這可確保 IAM 是管理 Google Cloud 資源所有存取控制的唯一系統。

範例 1:以下 Terraform 組態透過將 uniform_bucket_level_access 設為 false,來允許使用 ACL 和 IAM 授予對儲存貯體的存取權限。

resource "google_storage_bucket" "bucket-demo" {
...
  uniform_bucket_level_access = false
...
}
References
[1] HashiCorp google_storage_bucket
[2] Google Cloud Uniform bucket-level access
[3] Google Cloud Organization policy constraints for Cloud Storage
[4] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 5.2
[5] Standards Mapping - Common Weakness Enumeration CWE ID 284
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002121
[7] Standards Mapping - FIPS200 AC
[8] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-2 Account Management (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-2 Account Management
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.4 Access Control Architectural Requirements (L2 L3)
[13] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[15] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002880 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002880 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002880 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002880 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002880 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_cloud_storage_bucket_uniform_access_disabled

GCP Terraform Misconfiguration: Compute Engine Access Control

Abstract
Terraform 組態設定了一個 Compute Engine 執行個體,而未使用 Identity and Access Management (IAM) 角色來管理 SSH 存取。
Explanation
IAM 型存取控制可減少人為錯誤,並提高效率。啟用 OS Login 後,會允許使用 IAM 角色來自動化 Linux 帳戶的生命週期管理,以存取同一專案或組織中的所有 Compute Engine 執行個體。

範例 1:以下範例顯示一個 Terraform 組態,其透過將 metadata 引數中的 enable-oslogin 設定為 false 來停用使用 IAM 角色管理 SSH 存取。

resource "google_compute_instance" "compute-instance-demo" {
  ...
  metadata = {
    enable-oslogin = false
    ...
  }
  ...
}
References
[1] HashiCorp google_compute_instance
[2] Google Cloud About OS Login
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.4
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000015, CCI-002121
[5] Standards Mapping - FIPS200 AC
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-2 Account Management (P1), AC-3 Access Enforcement (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-2 Account Management, AC-3 Access Enforcement
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.1.6 Secure Software Development Lifecycle (L2 L3), 1.4.1 Access Control Architectural Requirements (L2 L3)
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 8.2.1
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 8.3.1
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 8.3.1
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[16] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000280 CAT II, APSC-DV-002880 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000280 CAT II, APSC-DV-002880 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000280 CAT II, APSC-DV-002880 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000280 CAT II, APSC-DV-002880 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000280 CAT II, APSC-DV-002880 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_compute_engine_access_control

GCP Terraform Misconfiguration: Compute Engine Default Service Account

Abstract
Terraform 組態會建立一個具有預設服務帳戶的 Compute Engine 執行個體。
Explanation
如果建立的 Compute Engine 執行個體沒有使用者管理的服務帳戶規格,Google Cloud 會將預設服務帳戶指派給該執行個體。預設服務帳戶的存取權往往超出執行個體運作所需的權限,這會違反最小特權原則。

範例 1:以下範例顯示一個會建立 Compute Engine 執行個體的 Terraform 組態,但這個執行個體沒有使用者管理的服務帳戶規格。service_account 區塊遺失。

resource "google_compute_instance" "instance-demo" {
    name = "name-demo"
    machine_type = "e2-micro"
    boot_disk {
    ...
    }
    network_interface {
    ...
    }
}
References
[1] Dylan Ayrey & Allison Donovan Compromise any GCP Org Via Cloud API Lateral Movement and Privilege Escalation
[2] Google Cloud Best practices for securing service accounts
[3] HashiCorp google_compute_instance
[4] Google Cloud Service accounts
[5] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.1
[6] Standards Mapping - Common Weakness Enumeration CWE ID 250
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [15] CWE ID 269
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000017, CCI-000381, CCI-002233, CCI-002235
[9] Standards Mapping - FIPS200 AC
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-2 Account Management (P1), AC-6 Least Privilege (P1), CM-7 Least Functionality (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-2 Account Management, AC-6 Least Privilege, CM-7 Least Functionality
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.4 General Access Control Design (L1 L2 L3)
[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000330 CAT II, APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000330 CAT II, APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_compute_engine_default_service_account

GCP Terraform Misconfiguration: Compute Engine IP Forwarding Enabled

Abstract
Terraform 組態設定了一個啟用 IP 轉送的 Compute Engine 執行個體。
Explanation
未能封鎖不需要的網路流量,將會擴大雲端服務的受攻擊面。

依預設,在 Compute Engine 執行個體中會停用 IP 轉送。IP 轉送會允許傳送和接收來源或目標 IP 不相符的封包。攻擊者可以透過 Compute Engine 執行個體路由封包以略過網路存取控制,來利用這個弱點。

範例 1:以下 Terraform 組態透過將 can_ip_forward 設為 true 來啟用 IP 轉送。

resource "google_compute_instance" "compute_instance_demo" {
  ...
  can_ip_forward = true
  ...
}
References
[1] HashiCorp google_compute_instance
[2] Google Cloud Enabling IP forwarding for instances
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.6
[4] Standards Mapping - Common Weakness Enumeration CWE ID 441
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), CA-3 System Interconnections (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, CA-3 Information Exchange
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.1 General Access Control Design (L1 L2 L3)
[12] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_compute_engine_ip_forwarding_enabled

GCP Terraform Misconfiguration: Compute Engine Missing Confidential Computing Features

Abstract
Terraform 組態未啟用機密 VM。
Explanation
依預設,Compute Engine 執行個體不是機密 VM。機密 VM 使用硬體型加密,來保護使用中的資料並支援遠端認證。無法匯出的每個 VM 執行個體專用金鑰會保持 VM 記憶體處於加密狀態,藉此保護 VM 的機密性和完整性,避免雲端供應商透過更高權限的 Hypervisor 來存取。

範例 1:以下範例顯示一個 Terraform 組態,其透過將 enable_confidential_compute 設定為 false 來停用機密 VM。

resource "google_compute_instance" "default" {
  ...
  confidential_instance_config {
    enable_confidential_compute = false
  }
  ...
}
References
[1] HashiCorp google_compute_instance
[2] Google Cloud Confidential VM
[3] Confidential Computing Consortium A Technical Analysis of Confidential Computing
[4] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.11
[5] Standards Mapping - Common Weakness Enumeration CWE ID 311
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[7] Standards Mapping - FIPS200 SC
[8] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[13] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[14] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_compute_engine_missing_confidential_computing_features

GCP Terraform Misconfiguration: Compute Engine Missing Customer-Managed Encryption Key

Abstract
Compute Engine 執行個體不使用客戶提供的加密金鑰來保護磁碟加密金鑰。
Explanation
依預設,Google Cloud Compute Engine 會加密所有靜態資料。如果有指定客戶提供的加密金鑰 (CSEK),就會對資料加密金鑰進行加密。除非提供正確的 CSEK,否則 Google 不會在 Compute Engine 執行個體上儲存任何 CSEK,並且無法存取受保護的資料。

範例 1:以下範例顯示一個 Terraform 組態,其為 Compute Engine 執行個體定義了一個持續性磁碟。disk_encryption_key 區塊遺失,因此沒有 CSEK 來保護資料加密金鑰。

resource "google_compute_disk" "compute-disk-demo" {
    name  = "test-disk"
    type  = "pd-ssd"
}
References
[1] HashiCorp google_compute_disk
[2] Google Cloud Persistent disk encryption
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.7
[4] Standards Mapping - Common Weakness Enumeration CWE ID 311
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[6] Standards Mapping - FIPS200 MP
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[12] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[13] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_compute_engine_missing_customer_managed_encryption_key

GCP Terraform Misconfiguration: Compute Engine Project-Wide SSH

Abstract
Terraform 組態設定了一個 Compute Engine 執行個體,而不封鎖專案層級 SSH 登入。
Explanation
依預設,您可以使用儲存在專案中繼資料中的 SSH 金鑰,來存取專案中的所有 Compute Engine 執行個體。這不僅會大幅擴大任何遭入侵 SSH 金鑰可存取的受攻擊面,同時也違反最小權限原則。

範例 1:以下範例顯示一個 Terraform 組態,其透過將 metadata 引數中的 block-project-ssh-keys 設定為 false 來允許專案層級 SSH 登入。

resource "google_compute_instance" "compute_instance_demo" {
  ...
  metadata = {
    block-project-ssh-keys = false
    ...
  }
  ...
}
References
[1] HashiCorp google_compute_instance
[2] Google Cloud Restrict SSH keys from VMs
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.3
[4] Standards Mapping - Common Weakness Enumeration CWE ID 250
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [15] CWE ID 269
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000381, CCI-002233, CCI-002235
[7] Standards Mapping - FIPS200 AC
[8] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-7 Least Functionality (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-7 Least Functionality
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.4 General Access Control Design (L1 L2 L3)
[13] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_compute_engine_project_wide_ssh

GCP Terraform Misconfiguration: Compute Engine Serial Console Enabled

Abstract
Terraform 組態設定了一個啟用互動式序列主控台存取的 Compute Engine 執行個體。
Explanation
未能封鎖不需要的網路流量,將會擴大雲端服務的受攻擊面。開放與公眾互動的服務會受到惡意實體幾乎連續的掃描和探測。

依預設,Compute Engine 執行個體的序列連接埠無法進行主控台存取。若啟用序列主控台存取,可能容許攻擊者從任何 IP 位址連線到 Compute Engine 執行個體,因為序列連接埠不支援以 IP 為基礎的存取限制。

範例 1:以下 Terraform 組態透過在 metadata 引數中將 serial-port-enable 設為 true,來允許互動式序列主控台存取。

resource "google_compute_instance" "compute_instance_demo" {
  ...
  metadata = {
    serial-port-enable = true
    ...
  }
  ...
}
References
[1] HashiCorp google_compute_instance
[2] Google Cloud Disabling interactive serial console access
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.5
[4] Standards Mapping - Common Weakness Enumeration CWE ID 749
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), CA-3 System Interconnections (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, CA-3 Information Exchange
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.1 General Access Control Design (L1 L2 L3)
[12] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_compute_engine_serial_console_enabled

GCP Terraform Misconfiguration: Compute Engine Shielded VM Option Disabled

Abstract
Terraform 組態設定了一個 Compute Engine 執行個體,而未啟用所有建議的 Shield VM 選項。
Explanation
每個雲端服務的安全性功能都具有防止或減輕已知威脅的獨特能力。若故意或不小心停用任何功能,就無法提供保護。

若停用任何 Shield VM 選項,會讓攻擊者略過針對 Compute Engine 執行個體上的客體作業系統實施的安全限制。建議的 Shield VM 選項 (及其對應的 Terraform 組態識別項) 如下:

- Integrity Monitoring (enable_integrity_monitoring)
- Secure Boot (enable_secure_boot)
- Virtual Trusted Platform Module (enable_vtpm)

範例 1:以下 Terraform 組態在 shielded_instance_config 區塊中將 enable_integrity_monitoring 設為 false。並非所有建議的 Shield VM 選項都已啟用。

resource "google_compute_instance" "compute_instance_demo" {
  ...
  shielded_instance_config {
    enable_integrity_monitoring = false
    enable_secure_boot = true
    enable_vtpm = true
  }
  ...
}
References
[1] HashiCorp google_compute_instance
[2] Google Cloud Modifying Shielded VM options on a VM instance
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.8
[4] Standards Mapping - Common Weakness Enumeration CWE ID 320, CWE ID 693, CWE ID 922
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000803, CCI-001749, CCI-002235
[6] Standards Mapping - FIPS200 CM
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-5 Access Restrictions for Change (P1), CM-6 Configuration Settings (P1), IA-7 Cryptographic Module Authentication (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-6 Configuration Settings, CM-14 Signed Components, IA-7 Cryptographic Module Authentication
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.6.2 Cryptographic Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3)
[12] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities
[13] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2, Requirement 6.5.3
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.3.3
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 6.3.3
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography, Control Objective 10.2 - Threat and Vulnerability Management
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective 10.2 - Threat and Vulnerability Management
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective 10.2 - Threat and Vulnerability Management
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-001430 CAT II, APSC-DV-001860 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-001430 CAT II, APSC-DV-001860 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-001430 CAT II, APSC-DV-001860 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-001430 CAT II, APSC-DV-001860 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-001430 CAT II, APSC-DV-001860 CAT I
desc.structural.hcl.gcp_terraform_misconfiguration_compute_engine_shielded_vm_option_disabled

GCP Terraform Misconfiguration: Edge Cache Service Missing HTTP-to-HTTPS Redirect

Abstract
Terraform 組態不會將邊緣快取通訊從 HTTP 重新導向到 HTTPS。
Explanation
依預設,邊緣快取服務接受未加密和不安全的連線。這類的連線會將資料暴露於未經授權存取、潛在竊取和竄改的風險。

範例 1:以下範例顯示一個 Terraform 組態,其透過將 https_redirect 設為 false 來定義邊緣快取服務,以允許用戶端使用 HTTP 進行通訊。

resource "google_network_services_edge_cache_service" "srv_demo" {
...
  routing {
...
    path_matcher {
...
      route_rule {
...
        url_redirect {
          https_redirect = false
        }
      }
    }
  }
}
References
[1] HashiCorp google_network_services_edge_cache_service
[2] Google Cloud Redirect all requests to HTTPS
[3] Standards Mapping - Common Weakness Enumeration CWE ID 311
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[5] Standards Mapping - FIPS200 SC
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[11] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[12] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[19] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_edge_cache_service_missing_http_to_https_redirect

GCP Terraform Misconfiguration: Filestore Missing Customer-Managed Encryption Key

Abstract
Terraform 組態未指定任何客戶自管加密金鑰給靜態資料。
Explanation
未針對靜態資料啟用客戶自管加密金鑰 (CMEK)。

依預設,Google Cloud 使用隨機產生的資料加密金鑰 (DEK) 來加密靜態資料。CMEK 功能允許組織使用自己選擇的加密金鑰來加密 DEK。這讓組織可以妥善控制和記錄加密過程。

因此,CMEK 通常會納入解決方案的一部分,可滿足包括但不限於以下需求:
- 敏感資料存取的稽核記錄
- 資料落地
- 取代、停用或銷毀金鑰
- 防篡改硬體安全性模組
References
[1] Google Cloud Customer-managed encryption keys (CMEK)
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.hcl.iac.gcp_bad_practices_missing_customer_managed_encryption_key.base

GCP Terraform Misconfiguration: GKE Cluster Administrative Interface Access Control

Abstract
Terraform 組態沒有定義任何授權網路來限制 GKE 控制層存取。
Explanation
GKE 控制層會制定有關叢集的全域決策,依預設,它的許多 API 端點都是可公開存取的。使用允許清單來新增授權網路,可以為控制層存取提供網路層級的保護。

範例 1:以下範例 Terraform 組態設定了公開叢集,但未在 master_authorized_networks_config 區塊中定義任何授權網路。因此,GKE 控制層 API 端點可以公開存取。

resource "google_container_cluster" "cluster_demo" {
  name = "name-demo"
}
References
[1] HashiCorp google_container_cluster
[2] Google Cloud Add authorized networks for control plane access
[3] Standards Mapping - CIS Google Kubernetes Engine Benchmark Recommendation 5.6.3
[4] Standards Mapping - Common Weakness Enumeration CWE ID 749
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-001082, CCI-001084, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1), SC-2 Application Partitioning (P1), SC-3 Security Function Isolation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-8 Identification and Authentication (Non-Organizational Users), SC-2 Separation of System and User Functionality, SC-3 Security Function Isolation
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.1 General Access Control Design (L1 L2 L3), 14.5.1 Validate HTTP Request Header Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002150 CAT II, APSC-DV-002360 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002150 CAT II, APSC-DV-002360 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002150 CAT II, APSC-DV-002360 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002150 CAT II, APSC-DV-002360 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002150 CAT II, APSC-DV-002360 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_gke_cluster_administrative_interface_access_control

GCP Terraform Misconfiguration: GKE Cluster Certificate-Based Authentication

Abstract
Terraform 組態在 GKE 叢集上啟用了以憑證為基礎的驗證。
Explanation
依預設,在執行 GKE 1.12 及更高版本的新叢集上,會停用以憑證為基礎的驗證。使用以憑證為基礎的驗證時,使用者需提供憑證,讓 Kubernetes API 伺服器驗證其是否具有指定的憑證授權單位。但是,當使用者離開或遺失認證時,無法撤銷憑證。因此,以憑證為基礎的驗證不適合使用者。

範例 1:以下範例 Terraform 組態透過在 master_auth 區塊中將 issue_client_certificate 設定為 true 來啟用 GKE 用戶端以憑證為基礎的驗證。

resource "google_container_cluster" "container_cluster_demo" {
...
  master_auth {
    client_certificate_config {
      issue_client_certificate = true
      ...
    }
    ...
  }
...
}
References
[1] HashiCorp google_container_cluster
[2] Google Cloud Leave legacy client authentication methods disabled
[3] Standards Mapping - Common Weakness Enumeration CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1), IA-5 Authenticator Management (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication, IA-5 Authenticator Management
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.2.3 Authentication Architectural Requirements (L2 L3)
[15] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[16] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001650 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_gke_cluster_certificate_based_authentication