GCP VPC Best Practices

Best practice rules for GCP VPC

Trend Micro Cloud One™ – Conformity monitors GCP VPC with the following rules:

• Check for Legacy Networks

  Ensure that legacy networks are not being used anymore within your GCP projects.

• Check for Unrestricted DNS Access

  Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP and UDP port 53 (DNS).

• Check for Unrestricted FTP Access

  Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 20 and 21 (File Transfer Protocol – FTP).

• Check for Unrestricted ICMP Access

  Ensure that no VPC firewall rules allow unrestricted inbound access using Internet Control Message Protocol (ICMP).

• Check for Unrestricted Inbound Access on Uncommon Ports

  Ensure that no VPC firewall rules allow unrestricted ingress access to uncommon TCP/UDP ports.

• Check for Unrestricted MySQL Database Access

  Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 3306 (MySQL Database).

• Check for Unrestricted Oracle Database Access

  Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 1521 (Oracle Database).

• Check for Unrestricted Outbound Access on All Ports

  Ensure that VPC network firewall rules do not allow unrestricted outbound/egress access.

• Check for Unrestricted PostgreSQL Database Access

  Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 5432 (PostgreSQL Database Server).

• Check for Unrestricted RDP Access

  Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 3389 (RDP).

• Check for Unrestricted RPC Access

  Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 135 (Remote Procedure Call – RPC).

• Check for Unrestricted SMTP Access

  Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 25 (SMTP).

• Check for Unrestricted SQL Server Access

  Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 1433 (Microsoft SQL Server).

• Check for Unrestricted SSH Access

  Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 22 (SSH).

• Check for VPC Firewall Rules with Port Ranges

  Ensure there are no VPC network firewall rules with range of ports opened to allow incoming traffic.

• Default VPC Network In Use

  Ensure that the default VPC network is not being used within your GCP projects.

• Enable Cloud DNS Logging for VPC Networks

  Ensure that Cloud DNS logging is enabled for all VPC networks.

• Enable Logging for VPC Firewall Rules

  Ensure that logging is enabled for your Virtual Private Cloud (VPC) firewall rules.

• Enable VPC Flow Logs for VPC Subnets

  Ensure that VPC Flow Logs feature is enabled for all VPC network subnets.

• Exclude Metadata from Firewall Logging

  Ensure that logging metadata is not included within your VPC firewall log files.