lacework-global-303
3.10 Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed' (Manual)
Profile Applicability
• Level 2
Description
IAP authenticates the user requests to your apps via a Google single sign in. You can then manage these users with permissions to control access. It is recommended to use both IAP permissions and firewalls to restrict this access to your apps with sensitive information.
Rationale
IAP ensure that access to VMs is controlled by authenticating incoming requests. Access to your apps and the VMs should be restricted by firewall rules that allow only the proxy IAP IP addresses contained in the 35.235.240.0/20 subnet. Otherwise, unauthenticated requests can be made to your apps. To ensure that load balancing works correctly health checks should also be allowed.
Impact
If firewall rules are not configured correctly, legitimate business services could be negatively impacted. It is recommended to make these changes during a time of low usage.
Audit
From the Console:
For each of your apps that have IAP enabled go to the Cloud Console VPC network > Firewall rules.
Verify that the only rules correspond to the following values:
Targets: All instances in the network
Source IP ranges
IAP Proxy Addresses
- 35.235.240.0/20
Google Health Check
- 130.211.0.0/22
Google Health Check
- 35.191.0.0/16
Protocols and ports:
Specified protocols and ports required for access and management of your app. For example most health check connection protocols would be covered by;
- tcp:80 (Default HTTP Health Check port)
- tcp:443--(Default HTTPS Health Check port)
note
If you have custom ports used by your load balancers, you will need to list them here
Remediation
From the Console:
Go to the Cloud Console VPC network > Firewall rules.
Select the checkbox next to the following rules:
- default-allow-http
- default-allow-https
- default-allow-internal
Click Delete.
Click Create firewall rule and set the following values:
Name: allow-iap-traffic
Targets: All instances in the network
Source IP ranges
IAP Proxy Addresses
- 35.235.240.0/20
Google Health Check
- 130.211.0.0/22
Google Health Check
- 35.191.0.0/16
Protocols and ports:
Specified protocols and ports required for access and management of your app. For example most health check connection protocols would be covered by;
- tcp:80 (Default HTTP Health Check port)
- tcp:443--(Default HTTPS Health Check port)
note
If you have custom ports used by your load balancers, you will need to list them here
When you're finished updating values, click Create.
References
https://cloud.google.com/iap/docs/concepts-overview
https://cloud.google.com/iap/docs/concepts-overview
https://cloud.google.com/iap/docs/load-balancer-howto
https://cloud.google.com/load-balancing/docs/health-checks
https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts