Profile Applicability:

Level 2

Description:

Identity-Aware Proxy (IAP) authenticates user requests to applications using Google Single Sign-On (SSO). You can manage user access permissions and restrict application access using both IAP and firewall rules. It is recommended to configure firewalls to allow traffic only from Google-managed IP ranges to secure apps containing sensitive information.

Rationale:

IAP protects virtual machines (VMs) by ensuring that only authenticated requests can access applications. Without proper firewall rules, unauthenticated traffic can reach apps, increasing the risk of unauthorized access. Configuring firewalls to allow traffic exclusively from Google-managed IAP IP ranges mitigates these risks. Proper firewall settings ensure the security of sensitive applications while maintaining functionality.

Impact:

Improper firewall configuration may disrupt legitimate business services. Changes should be implemented during low-usage periods to minimize potential impact.

Default Value:

By default, GCP allows all incoming traffic unless restricted by firewall rules.

Audit Steps:

From Google Cloud Console:

  1. For each app with IAP enabled:

    • Navigate to VPC Network > Firewall Rules.

  2. Ensure firewall rules include the following values:

    • Targets: All instances in the network.

    • Source IP ranges:

      • IAP Proxy Addresses: 35.235.240.0/20.

      • Google Health Check: 130.211.0.0/22.

      • Google Health Check: 35.191.0.0/16.

    • Protocols and Ports:

      • Specify protocols and ports required for app access, such as:

        • TCP:80 (Default HTTP Health Check port).

        • TCP:443 (Default HTTPS Health Check port).

From Google Cloud CLI:

  1. List all firewall rules:

gcloud compute firewall-rules list

  2. Verify firewall rules match the following criteria:

    • Target Tags or Network: Include all relevant instances.

    • Source Ranges:

      • 35.235.240.0/20

      • 130.211.0.0/22

      • 35.191.0.0/16

    • Allowed Protocols and Ports:

      • TCP:80, TCP:443.

    • Delete any rules that allow broader or insecure access.
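
An added check, not part of the benchmark text, that automates the CLI audit above: it takes the parsed JSON from `gcloud compute firewall-rules list --format=json` and reports every enabled ingress allow rule whose source ranges are not wholly inside the three permitted ranges (a rule that only narrows a permitted range passes; 0.0.0.0/0 or a corporate range fails). The sample rules are constructed, not real project output.

```python
import ipaddress

# Source ranges the benchmark permits for IAP-protected apps.
ALLOWED_SOURCE_RANGES = [
    ipaddress.ip_network("35.235.240.0/20"),  # IAP proxy addresses
    ipaddress.ip_network("130.211.0.0/22"),   # Google health checks
    ipaddress.ip_network("35.191.0.0/16"),    # Google health checks
]

def source_is_allowed(cidr):
    """True if the CIDR lies entirely inside one of the permitted ranges."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return any(net.version == ok.version and net.subnet_of(ok)
               for ok in ALLOWED_SOURCE_RANGES)

def audit_firewall_rules(rules):
    """Return {rule name: [offending source ranges]} for enabled ingress
    ALLOW rules whose sources are not limited to the permitted ranges.
    `rules` is the parsed JSON from `gcloud compute firewall-rules list --format=json`."""
    findings = {}
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if "allowed" not in rule:  # deny rules cannot widen access
            continue
        bad = [s for s in rule.get("sourceRanges", []) if not source_is_allowed(s)]
        if bad:
            findings[rule["name"]] = bad
    return findings

# Constructed sample rules, in the shape gcloud returns (not real project output).
SAMPLE_RULES = [
    {"name": "default-allow-http", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "allow-iap-traffic", "direction": "INGRESS",
     "sourceRanges": ["35.235.240.0/20", "130.211.0.0/22", "35.191.0.0/16"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "allow-corp-vpn", "direction": "INGRESS", "sourceRanges": ["203.0.113.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "allow-egress-all", "direction": "EGRESS", "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    for name, ranges in audit_firewall_rules(SAMPLE_RULES).items():
        print(f"{name}: source ranges outside IAP/health-check ranges: {ranges}")
```

Rules that use only sourceTags carry no sourceRanges and are not flagged by this check; review those separately.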

Remediation Steps:

From Google Cloud Console:

  1. Go to VPC Network > Firewall Rules.

  2. Identify and delete insecure default rules (e.g., default-allow-http, default-allow-https, default-allow-internal).

  3. Create a new firewall rule with the following values:

  • Name: allow-iap-traffic

  • Targets: All instances in the network.

  • Source IP Ranges:

    • 35.235.240.0/20 (IAP Proxy Addresses).

    • 130.211.0.0/22 (Google Health Check).

    • 35.191.0.0/16 (Google Health Check).

  • Protocols and Ports:

    • TCP:80 (HTTP).

    • TCP:443 (HTTPS).

  • Add any custom ports used by your load balancers.

  4. Click Create to apply the changes.

From Google Cloud CLI:

Delete default rules that allow insecure access:

gcloud compute firewall-rules delete default-allow-http default-allow-https default-allow-internal

Create a new firewall rule for IAP traffic (no --target-tags flag is given, so the rule applies to all instances in the network, matching the Console steps above):

gcloud compute firewall-rules create allow-iap-traffic \
    --direction=INGRESS \
    --action=ALLOW \
    --rules=tcp:80,tcp:443 \
    --source-ranges=35.235.240.0/20,130.211.0.0/22,35.191.0.0/16

CIS Controls:

Control                                    Description                                                        IG 1  IG 2  IG 3
5.6 Centralize Account Management          Centralize user account management through identity services.
16.2 Configure Centralized Authentication  Ensure all authentication is managed through centralized points.