Best practice rules for GCP VPC
- Check for Legacy Networks
Ensure that legacy networks are not being used anymore within your GCP projects.
- Check for Unrestricted DNS Access
Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP and UDP port 53 (DNS).
- Check for Unrestricted FTP Access
Ensure that no VPC firewall rules allow unrestricted inbound access on TCP ports 20 and 21 (File Transfer Protocol – FTP).
- Check for Unrestricted ICMP Access
Ensure that no VPC firewall rules allow unrestricted inbound access using Internet Control Message Protocol (ICMP).
- Check for Unrestricted Inbound Access on Uncommon Ports
Ensure that no VPC firewall rules allow unrestricted ingress access to uncommon TCP/UDP ports.
- Check for Unrestricted MySQL Database Access
Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 3306 (MySQL Database).
- Check for Unrestricted Oracle Database Access
Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 1521 (Oracle Database).
- Check for Unrestricted Outbound Access on All Ports
Ensure that VPC network firewall rules do not allow unrestricted outbound/egress access.
- Check for Unrestricted PostgreSQL Database Access
Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 5432 (PostgreSQL Database Server).
- Check for Unrestricted RDP Access
Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 3389 (RDP).
- Check for Unrestricted RPC Access
Ensure there are no VPC firewall rules that allow unrestricted inbound access on TCP port 135 (Remote Procedure Call – RPC).
- Check for Unrestricted SMTP Access
Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 25 (SMTP).
- Check for Unrestricted SQL Server Access
Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 1433 (Microsoft SQL Server).
- Check for Unrestricted SSH Access
Ensure that no VPC firewall rules allow unrestricted inbound access on TCP port 22 (SSH).
- Check for VPC Firewall Rules with Port Ranges
Ensure there are no VPC network firewall rules that open a range of ports to incoming traffic.
- Default VPC Network In Use
Ensure that the default VPC network is not being used within your GCP projects.
- Enable Cloud DNS Logging for VPC Networks
Ensure that Cloud DNS logging is enabled for all VPC networks.
- Enable Logging for VPC Firewall Rules
Ensure that logging is enabled for your Virtual Private Cloud (VPC) firewall rules.
- Enable VPC Flow Logs for VPC Subnets
Ensure that the VPC Flow Logs feature is enabled for all VPC network subnets.
- Exclude Metadata from Firewall Logging
Ensure that logging metadata is not included within your VPC firewall log files.