For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/terraform/gcp/rdp_access_is_not_restricted.md. A documentation index is available at /llms.txt.

RDP access is not restricted

This product is not supported for your selected Datadog site. ().

Metadata

Id: terraform-gcp-rdp-access-is-not-restricted

Cloud Provider: GCP

Platform: Terraform

Severity: High

Category: Networking and Firewall

Learn More

Description

This check verifies if Google Compute firewall rules allow unrestricted RDP access by examining if port 3389 (the default RDP port) is openly accessible from the internet. When firewall rules allow RDP traffic from 0.0.0.0/0 (all IPv4) or ::/0 (all IPv6), it significantly increases the risk of brute force attacks, unauthorized access, and potential system compromise.

Vulnerable configurations include allowing port 3389 directly or within ranges (for example, 21-3390), or using protocol = "all" with unrestricted source ranges. To secure your environment, explicitly exclude RDP ports from public access and restrict RDP traffic to specific trusted IP addresses or VPN connections.

// Insecure configuration (AVOID):
resource "google_compute_firewall" "insecure" {
  // ... other configuration ...
  allow {
    protocol = "tcp"
    ports    = ["80", "3389"]
  }
  source_ranges = ["0.0.0.0/0"]
}

// Secure configuration:
resource "google_compute_firewall" "secure" {
  // ... other configuration ...
  allow {
    protocol = "tcp"
    ports    = ["80", "8080", "1000-2000"] // Excludes RDP port 3389
  }
  source_tags = ["web"]
  // Alternatively, limit RDP to specific IPs:
  // source_ranges = ["10.0.0.0/24", "192.168.1.0/24"]
}

Compliant Code Examples

resource "google_compute_firewall" "negative1" {
  name    = "test-firewall"
  network = google_compute_network.default.name

  allow {
    protocol = "icmp"
  }

  allow {
    protocol = "tcp"
    ports    = ["80", "8080", "1000-2000"]
  }

  source_tags = ["web"]
}

Non-Compliant Code Examples

resource "google_compute_firewall" "positive1" {
  name    = "test-firewall"
  network = google_compute_network.default.name
  direction = "INGRESS"

  allow {
    protocol = "icmp"
  }

  allow {
    protocol = "tcp"
    ports    = ["80", "8080", "1000-2000","3389"]
  }

  source_tags = ["web"]
  source_ranges = ["0.0.0.0/0"]
}

resource "google_compute_firewall" "positive2" {
  name    = "test-firewall"
  network = google_compute_network.default.name

  allow {
    protocol = "udp"
    ports    = ["80", "8080", "1000-2000","21-3390"]
  }

  source_tags = ["web"]
  source_ranges = ["::/0"]
}

resource "google_compute_firewall" "positive3" {
  name    = "test-firewall"
  network = google_compute_network.default.name

  allow {
    protocol = "all"
  }

  source_tags = ["web"]
  source_ranges = ["::/0"]
}