We now support the ability to reason on security groups in GCP. The security group concept is introduced in the Dome9 compliance engine as a more flexible way to group firewall rules. In GCP, a firewall rule is applied in one of the following modes: to all instances in the network; to instances by target tags; or to instances by target service account. In the compliance engine we grouped these rules by tags.
It is now possible to find unused firewall rules, i.e. rules that are not assigned to any VM:
GcpSecurityGroup should have vmInstances
We grouped the rules that apply to all instances into a “Global” security group, so it is now possible to query the global rules. For example, making sure that no global rule allows inbound TCP traffic from any source (0.0.0.0/0):
GcpSecurityGroup where name='Global' should not have inboundRules contain [ protocol='TCP' and source = '0.0.0.0/0' ]
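To show what the grouping and the two checks above amount to, here is an added example (not Dome9 code) that builds tag-based "security groups" from constructed GCP firewall-rule and instance records and evaluates the two GSL rules against them. The record fields, the sample rules and the "Global" group name are assumptions made for the example; rules targeted by service account are not modelled, matching the tag-based grouping described above.

```python
from collections import defaultdict

# Constructed sample data, shaped loosely like GCP firewall and instance resources.
FIREWALL_RULES = [
    {"name": "allow-ssh-all", "direction": "INGRESS", "targetTags": [],
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-web", "direction": "INGRESS", "targetTags": ["web"],
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "allow-db", "direction": "INGRESS", "targetTags": ["db"],
     "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
    {"name": "deny-egress", "direction": "EGRESS", "targetTags": [],
     "destinationRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]},
]
VM_INSTANCES = [{"name": "web-1", "tags": ["web"]}, {"name": "bastion", "tags": []}]


def build_security_groups(rules, vms):
    """Group ingress allow rules by target tag into 'security groups'.
    Rules with no target tag apply to every instance and go into 'Global'.
    Returns {name: {"inboundRules": [...], "vmInstances": [...]}}."""
    groups = defaultdict(lambda: {"inboundRules": [], "vmInstances": []})
    for rule in rules:
        if rule["direction"] != "INGRESS" or "allowed" not in rule:
            continue  # only inbound allow rules become inboundRules
        for tag in rule["targetTags"] or ["Global"]:
            for entry in rule["allowed"]:
                for src in rule["sourceRanges"]:
                    groups[tag]["inboundRules"].append({
                        "rule": rule["name"], "protocol": entry["IPProtocol"].upper(),
                        "ports": entry.get("ports", []), "source": src})
    for vm in vms:  # every VM belongs to Global, plus one group per tag it carries
        groups["Global"]["vmInstances"].append(vm["name"])
        for tag in vm["tags"]:
            groups[tag]["vmInstances"].append(vm["name"])
    return dict(groups)


def unused_security_groups(groups):
    """'GcpSecurityGroup should have vmInstances': groups no VM is attached to."""
    return sorted(name for name, g in groups.items() if not g["vmInstances"])


def global_open_tcp_rules(groups):
    """Violations of: GcpSecurityGroup where name='Global' should not have
    inboundRules contain [ protocol='TCP' and source = '0.0.0.0/0' ]."""
    g = groups.get("Global", {"inboundRules": []})
    return sorted({r["rule"] for r in g["inboundRules"]
                   if r["protocol"] == "TCP" and r["source"] == "0.0.0.0/0"})


if __name__ == "__main__":
    sg = build_security_groups(FIREWALL_RULES, VM_INSTANCES)
    print("unused security groups:", unused_security_groups(sg))
    print("global rules open to all TCP:", global_open_tcp_rules(sg))
```

With the constructed data, the "db" group has rules but no VM (the first GSL rule fails), and "allow-ssh-all" is a global rule open to TCP from 0.0.0.0/0 (the second GSL rule fails).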