Firewall rule exposes risky ports to the internet







EXPLOITABILITY Exploitability of a vulnerability measures how easy it is for an attacker to discover and exploit the vulnerability, some might refer to this as likelihood.

IMPACT How impactful to your environment and organization a successful exploitation of this vulnerability is expected to be.




Firewall rules with accidental or intentional access to the open internet can provide attackers potential pivots to other services. Often rules are added for troubleshooting purposes, not audited, and forgotten. Eventually, they are detected as the result of either an incident or a compliance audit.

Understanding Impact

Business Impact

Firewall rules control the traffic that can flow into Google Cloud services. When they are wide open to the internet, they allow anyone to send traffic to your workloads.
This is the equivalent of not running firewalls on the perimeter of your data center. Based on compliance requirements for your business, not monitoring changes or remediating could be a violation.

Technical Impact

Firewall rules can be attached to workloads such as compute instances and load balancers. While it is common to allow application traffic from the internet (for example: HTTP or HTTPS), management protocols such as SSH or RDP should not be exposed to anyone on the internet. Firewall rule modifications should be monitored and evaluated against a policy on exposure.

Identify affected resources

The GCloud CLI cannot trivially be used to identify firewall rules allowing traffic from the Internet.

  1. Open the Google Cloud Security Command Center.
  2. Use the query state="ACTIVE" AND category="OPEN_FIREWALL" to identify open firewall rules.

Remediate vulnerable resources

Remove or adapt ingress rules that expose risky ports to the internet. You can also restrict them to specific public IPs. For remote management, it is recommended to use Google Cloud Identity-Aware Proxy (IAP) which allows you to authenticate using your existing identity, and does not require opening ingress ports.

How Datadog can help

Cloud Security Management

Datadog Cloud Security Management detects this vulnerability using the following out-of-the-box rules:


Using IAP for TCP forwarding

gcp documentation

Did you find this article helpful?