Firewall reviewed Public SSH Denied
Resolving Public SSH Access on Google Cloud Platform
Issue Summary
Drata has flagged a misconfiguration in our Google Cloud Platform (GCP) account:
Finding: One or more firewall rules allow public SSH access (tcp:22) from 0.0.0.0/0.Impact: This exposes VMs to the public internet over SSH, which is a critical security risk.Affected Account: 572152723110:ops-optimsync
This document provides clear instructions to remediate this issue using both the GCP Console UI and the gcloud CLI.
Objective
Update or remove firewall rules that allow TCP port 22 (SSH) access from the public (0.0.0.0/0).
Option 1: Fix via Google Cloud Console (UI)
Filter for Public SSH RulesUse the search bar and enter:
tcp:22 0.0.0.0/0
Select the Relevant Rule(s)Click on rules that:
- Allow tcp:22
- Have source IP range: 0.0.0.0/0
Click “Edit” at the top
Update the Source IP RangesReplace:
0.0.0.0/0
With a more secure IP or subnet, such as:
<your static IP>/32 (e.g., 203.0.113.45/32)
OR
Internal subnet (e.g., 10.0.0.0/8)
Save the Rule
(Optional) Delete the Rule if it's not needed:
- Go back to the Firewall Rules list.
- Select the checkbox next to the rule.
- Click "Delete".
Option 2: Fix via gcloud CLI
List Offending Rules:
gcloud compute firewall-rules list \
--filter='direction=INGRESS AND allowed.protocol=TCP AND allowed.ports:22 AND sourceRanges="0.0.0.0/0"'
Update Rule to Restrict Access (replace <RULE_NAME> and <IP>):
gcloud compute firewall-rules update <RULE_NAME> \
--source-ranges=<YOUR_IP>/32
Example:
gcloud compute firewall-rules update default-allow-ssh \
--source-ranges=203.0.113.45/32
To Delete the Rule if SSH is Not Needed:
gcloud compute firewall-rules delete <RULE_NAME>
Best Practices
- Avoid 0.0.0.0/0 for SSH access
- Use IAP for SSH or bastion hosts
- Use key-based authentication and firewall controls
- Regularly audit firewall rules for compliance