GCP firewall rule allows egress to any destination
Description
AlphaSOC detected a Google Cloud firewall rule that was created or updated to allow egress traffic to any destination (0.0.0.0/0 or ::/0). Rules with unrestricted egress allow outbound traffic to any IP address on the internet. Attackers often create permissive egress rules to facilitate data exfiltration or command-and-control communication from compromised resources.
Impact
Unrestricted egress rules enable compromised instances to communicate with any external destination, facilitating data exfiltration, malware command-and-control, or cryptocurrency mining pool connections. This configuration bypasses network segmentation controls and may violate security policies requiring explicit destination allowlisting.
Severity
| Severity | Condition |
|---|---|
| Low | Firewall rule allows egress to any destination |
Investigation and Remediation
Review the firewall rule configuration to understand the intended use case: note the network, the priority, the protocols and ports allowed, and whether the rule applies to every instance in the network or is scoped with target tags or target service accounts. Every VPC network already carries an implied allow-egress rule at the lowest priority (65535), so an explicit allow-all egress rule changes behaviour mainly where an egress deny rule exists at a numerically higher priority value; check for such deny rules, because the new rule overrides them for the instances it targets. Verify in the Cloud Audit Logs which user or service account created or modified the rule and confirm the action was authorized. If possible, restrict the rule to specific destination IP ranges, protocols and ports, and use target tags or target service accounts so it applies only to the instances that need it. Monitor traffic through the rule for suspicious patterns.
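The review above can be scripted. The following is an added example (not AlphaSOC's detection logic or any Google tooling): it reads the JSON shape that `gcloud compute firewall-rules list --format=json` produces, flags enabled or disabled EGRESS allow rules whose destination covers an entire address family, records how each rule is scoped, and lists the egress deny rules in the same network that the allow rule outranks. The rule set embedded below is constructed for illustration; the `example-project` network URLs and rule names are assumptions.

```python
"""Audit GCP VPC firewall rules for allow-all egress (added example)."""
import ipaddress
import json

# Constructed sample in the shape returned by
# `gcloud compute firewall-rules list --format=json` (project name is made up).
_NET = "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/"
SAMPLE_RULES_JSON = json.dumps([
    {"name": "allow-egress-all", "network": _NET + "prod", "direction": "EGRESS",
     "priority": 1000, "allowed": [{"IPProtocol": "all"}],
     "destinationRanges": ["0.0.0.0/0"], "targetTags": ["web"], "disabled": False},
    {"name": "deny-egress-default", "network": _NET + "prod", "direction": "EGRESS",
     "priority": 65000, "denied": [{"IPProtocol": "all"}],
     "destinationRanges": ["0.0.0.0/0"], "disabled": False},
    {"name": "allow-egress-updates", "network": _NET + "prod", "direction": "EGRESS",
     "priority": 900, "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}],
     "destinationRanges": ["35.190.0.0/17"], "disabled": False},
    {"name": "allow-ingress-all", "network": _NET + "prod", "direction": "INGRESS",
     "priority": 1000, "allowed": [{"IPProtocol": "all"}],
     "sourceRanges": ["0.0.0.0/0"], "disabled": False},
    {"name": "allow-egress-v6", "network": _NET + "dev", "direction": "EGRESS",
     "priority": 1000, "allowed": [{"IPProtocol": "all"}],
     "destinationRanges": ["::/0"], "disabled": True},
])


def load_rules(text):
    """Parse the JSON array produced by gcloud."""
    return json.loads(text)


def is_unrestricted(cidr):
    """True when the range covers a whole address family (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def _scope(rule):
    """Describe which instances the rule applies to."""
    if rule.get("targetTags"):
        return "tags=" + ",".join(rule["targetTags"])
    if rule.get("targetServiceAccounts"):
        return "serviceAccounts=" + ",".join(rule["targetServiceAccounts"])
    return "all instances in network"


def _protocols(entries):
    """Render allowed protocol/port entries as e.g. 'tcp:443,udp:53'."""
    return ",".join(
        e["IPProtocol"] + (":" + "/".join(e["ports"]) if e.get("ports") else "")
        for e in entries
    )


def find_unrestricted_egress(rules):
    """Return one finding per EGRESS allow rule whose destination is 0.0.0.0/0 or ::/0."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "EGRESS" or "allowed" not in rule:
            continue
        wide = [r for r in rule.get("destinationRanges", []) if is_unrestricted(r)]
        if not wide:
            continue
        # GCP evaluates the numerically lowest priority first, so this allow rule
        # overrides every enabled egress deny rule in the same network with a
        # larger priority value. Those are the rules it punches a hole through.
        overridden = sorted(
            d["name"] for d in rules
            if d.get("direction") == "EGRESS" and "denied" in d
            and d.get("network") == rule.get("network")
            and not d.get("disabled", False)
            and d.get("priority", 1000) > rule.get("priority", 1000)
        )
        findings.append({
            "name": rule["name"],
            "network": rule.get("network", "").rsplit("/", 1)[-1],
            "priority": rule.get("priority", 1000),
            "destinations": wide,
            "protocols": _protocols(rule["allowed"]),
            "scope": _scope(rule),
            "disabled": rule.get("disabled", False),
            "overrides_deny": overridden,
        })
    return findings


def describe(finding):
    """One-line triage summary for a finding."""
    if finding["disabled"]:
        state = "disabled; no effect until enabled"
    elif finding["overrides_deny"]:
        state = "overrides egress deny rule(s) " + ", ".join(finding["overrides_deny"])
    else:
        state = "no deny rule outranked; duplicates the implied allow-egress rule"
    return (f"{finding['name']} (network {finding['network']}, priority "
            f"{finding['priority']}, {finding['protocols']} to "
            f"{','.join(finding['destinations'])}, {finding['scope']}): {state}")


if __name__ == "__main__":
    for f in find_unrestricted_egress(load_rules(SAMPLE_RULES_JSON)):
        print(describe(f))
```

Run it against real output by replacing `SAMPLE_RULES_JSON` with the text of `gcloud compute firewall-rules list --format=json`. A finding that overrides an egress deny rule for a narrow set of tags is the case worth escalating, since that is exactly the hole an attacker would open; a finding that only duplicates the implied allow-egress rule is lower risk but still worth tightening with `gcloud compute firewall-rules update NAME --destination-ranges=...` to an allowlisted set of CIDRs.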
Known False Positives
- Legitimate rules for workloads that require broad outbound connectivity (for example, fetching packages or calling third-party APIs)
- Development or testing environments with relaxed network controls
- NAT gateway or proxy configurations requiring outbound access