Ensure compatibility firestore storage resource does not have access policy set to 'Public' for Google App Engine Application

MEDIUM

Description

Allowing unrestricted, public access to cloud services could open an application up to external attack. Disallowing this access is typically considered best practice.

Remediation

In GCP Console -

  1. Open the App Engine page.
  2. Select Firewall rules.
  3. Choose a rule to edit and click Edit.
  4. Remove any rule with Action Allow and IP range *.
  5. Click Save.

In Terraform -

  1. In the resource google_app_engine_standard_app_version ensure that 'action' is not set to ALLOW if source_range is set to *.
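
The flagged setting beside a corrected one, as an added example that is not part of the original policy page. It uses the `google_app_engine_firewall_rule` resource documented at the second reference below, which is where the `action` and `source_range` arguments are defined; the variable `project_id`, the resource labels, the priorities and the CIDR `203.0.113.0/24` are constructed for illustration.

```hcl
# Hypothetical input variable: the project that hosts the App Engine application.
variable "project_id" {
  type = string
}

# FLAGGED: ALLOW combined with source_range "*" admits traffic from any address.
# Shown commented out so the file stays appliable; this is the pattern to remove.
#
# resource "google_app_engine_firewall_rule" "allow_all" {
#   project      = var.project_id
#   priority     = 1000
#   action       = "ALLOW"
#   source_range = "*"
# }

# CORRECTED: ALLOW is scoped to a known range (constructed documentation CIDR).
resource "google_app_engine_firewall_rule" "allow_office" {
  project      = var.project_id
  priority     = 1000
  action       = "ALLOW"
  source_range = "203.0.113.0/24"
  description  = "Allow only the office egress range"
}

# Rules are evaluated in ascending priority order, so this catch-all DENY is
# reached only by sources that did not match the narrower ALLOW above.
# A wildcard source_range is acceptable here because the action is DENY.
resource "google_app_engine_firewall_rule" "deny_rest" {
  project      = var.project_id
  priority     = 2000
  action       = "DENY"
  source_range = "*"
  description  = "Deny all sources not explicitly allowed"
}
```

Running `terraform plan` after the change should show no remaining firewall rule that pairs `action = "ALLOW"` with `source_range = "*"`.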

References:
https://cloud.google.com/appengine/docs/standard/creating-firewalls
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/app_engine_firewall_rule#action

Policy Details

Rule Reference ID: AC_GCP_0286
CSP: GCP
Remediation Available: No
Resource Category: Serverless
Resource Type: App Engine

Frameworks