🔷 CIS GCP 3.6 · Rule: GCP-FW-001 · critical

Ensure SSH access is restricted from the internet

Description

Firewall rules should not allow SSH (port 22) access from 0.0.0.0/0.

⚠️ Risk Impact

Open SSH from the internet exposes instances to brute-force attacks, credential stuffing, and exploitation of SSH vulnerabilities.

🔍 How EchelonGraph Detects This

GCP-FW-001 · Automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected Google Cloud accounts. Violations are flagged as critical-severity findings with remediation guidance.

🖥️ Manual Verification

terminal
gcloud compute firewall-rules list --filter='direction=INGRESS AND allowed[].ports:22 AND sourceRanges:0.0.0.0/0' --format='table(name,network,allowed[].ports)'
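The one-line filter above matches only rules whose port list contains the literal token 22, so it misses rules that open a port range such as 20-1024, rules that allow all TCP or all protocols, and rules sourced from ::/0. The checker below is an added illustration, not EchelonGraph's scanner code: it reads the JSON that `gcloud compute firewall-rules list --format=json` emits (a constructed sample stands in for real output) and catches those cases while skipping deny, disabled and egress rules.

```python
import json
import ipaddress

# Constructed sample of `gcloud compute firewall-rules list --format=json` output,
# not data from any real project; field names follow the GCP firewall resource.
SAMPLE_RULES = json.loads("""[
 {"name": "default-allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "mgmt-range", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["20-1024"]}]},
 {"name": "allow-all-tcp", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp"}]},
 {"name": "allow-any-v6", "direction": "INGRESS", "sourceRanges": ["::/0"],
  "allowed": [{"IPProtocol": "all"}]},
 {"name": "allow-iap-ssh", "direction": "INGRESS", "sourceRanges": ["35.235.240.0/20"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "deny-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "denied": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "old-ssh", "direction": "INGRESS", "disabled": true,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}
]""")

def port_spec_covers(spec, port):
    """True if a GCP port spec such as "22" or "20-1024" includes `port`."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def allows_ssh(entry, port=22):
    """An `allowed` entry reaches SSH if its protocol is tcp or all and it either
    lists no ports (meaning every port) or lists a port or range covering 22."""
    if entry.get("IPProtocol", "").lower() not in ("tcp", "all"):
        return False
    ports = entry.get("ports")
    return not ports or any(port_spec_covers(p, port) for p in ports)

def is_internet_range(cidr):
    """Prefix length 0 (0.0.0.0/0 or ::/0) means the whole v4 or v6 internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def find_open_ssh_rules(rules):
    """Names of enabled INGRESS allow rules that permit SSH from the whole internet;
    deny rules (no `allowed` key), disabled rules and egress rules are skipped."""
    return [
        r["name"] for r in rules
        if r.get("direction", "INGRESS") == "INGRESS"
        and not r.get("disabled", False)
        and any(is_internet_range(c) for c in r.get("sourceRanges", []))
        and any(allows_ssh(a) for a in r.get("allowed", []))
    ]
```

Run against the constructed sample, `find_open_ssh_rules(SAMPLE_RULES)` returns the four violating rules and leaves the IAP-scoped, deny and disabled rules alone.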

🔧 Remediation

Restrict source ranges to known IP addresses or CIDR blocks. Use IAP tunneling for administrative access.

💀 Real-World Attack Scenario

An attacker ran Shodan queries for GCP instances with port 22 open to the internet. Using a dictionary of 10,000 common passwords, they brute-forced SSH access on a Jenkins build server within 2 hours. From there they extracted environment variables containing database credentials, production API keys, and customer data access tokens.

💰 Cost of Non-Compliance

SolarWinds-style supply chain attacks often begin with exposed SSH. Average cost of an SSH-based breach: $3.8M. Insurance claims related to exposed management ports increased 340% between 2021 and 2024.

📋 Audit Questions

  1. List all firewall rules allowing SSH from 0.0.0.0/0.
  2. What is your justification for any internet-facing SSH access?
  3. Do you use IAP tunneling or VPN for administrative access?
  4. How frequently are firewall rules reviewed?

🎯 MITRE ATT&CK Mapping

  • T1110 — Brute Force
  • T1133 — External Remote Services
  • T1021.004 — SSH

🏗️ Infrastructure as Code Fix

main.tf
# Use IAP for SSH instead of public access:
resource "google_compute_firewall" "allow_iap_ssh" {
  name    = "allow-iap-ssh"
  network = google_compute_network.vpc.name
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
  source_ranges = ["35.235.240.0/20"]  # IAP's IP range
  target_tags   = ["allow-ssh"]
}

⚡ Common Pitfalls

  • Creating a temporary 0.0.0.0/0 SSH rule for debugging and forgetting to remove it
  • Using broad CIDR ranges like /8 instead of specific office IPs
  • Not monitoring for new firewall rules that re-introduce open SSH

📈 Business Value

Eliminating public SSH access removes the #1 brute-force attack vector in cloud environments. IAP-based access provides centralized audit logging and integrates with your existing identity provider.

⏱️ Effort Estimate

Manual

2-4 hours to audit and remediate all firewall rules

With EchelonGraph

EchelonGraph detects open SSH rules in <30 seconds and alerts on new violations

🔗 Cross-Framework References

SOC2-CC6.6 · ISO27001-A.13.1.3 · PCI-1.3.1

Automate CIS GCP 3.6 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
