Ensure That Compute Instances Do Not Have Public IP Addresses

To reduce your attack surface, Compute instances should not have public IP addresses. Instead, instances should be configured behind load balancers, to minimize the instance's exposure to the internet.

Risk Level: High
Cloud Entity: Virtual Machine Instances
CloudGuard Rule ID: D9.GCP.CRY.10
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

VMInstance should not have nics contain [ publicIpAddress ]

REMEDIATION

From Portal

  1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances.
  2. Click on the instance name to go to the Instance details page.
  3. Click Edit.
  4. For each Network interface, ensure that External IP is set to None.
  5. Click Done and then click Save.

From TF

Delete the 'access_config' block from 'network_interface' (Terraform strings use double quotes; the lines marked '-' are the ones to remove):

resource "google_compute_instance" "default" {
	...
	network_interface {
		...
		-  access_config {
		-  }
	}
	...
}

From Command Line

  1. Describe the instance properties:
gcloud compute instances describe INSTANCE_NAME --zone=ZONE
  2. Identify the access config name that contains the external IP address. This access config appears in the following format:
networkInterfaces:
- accessConfigs:
  - kind: compute#accessConfig
    name: External NAT
    natIP: 130.211.181.55
    type: ONE_TO_ONE_NAT
  3. Delete the access config:
gcloud compute instances delete-access-config INSTANCE_NAME --zone=ZONE --access-config-name=ACCESS_CONFIG_NAME
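As an added example (not CloudGuard's or Google's code), the script below applies the GSL check to the JSON that `gcloud compute instances list --format=json` returns and builds the delete-access-config command from step 3 for every NIC that carries an access config. The instance names, project and addresses are constructed; the `--network-interface` flag, which the page does not show, selects the NIC on multi-NIC instances.

```python
import json
from typing import Dict, List

# Constructed sample in the shape returned by
# `gcloud compute instances list --format=json` (abridged to the relevant keys).
SAMPLE_INSTANCES_JSON = json.dumps([
    {"name": "web-1",
     "zone": "https://www.googleapis.com/compute/v1/projects/demo/zones/us-central1-a",
     "networkInterfaces": [
         {"name": "nic0", "networkIP": "10.128.0.2",
          "accessConfigs": [{"kind": "compute#accessConfig", "name": "External NAT",
                             "natIP": "203.0.113.10", "type": "ONE_TO_ONE_NAT"}]}]},
    {"name": "worker-1",
     "zone": "https://www.googleapis.com/compute/v1/projects/demo/zones/us-central1-b",
     "networkInterfaces": [{"name": "nic0", "networkIP": "10.128.0.3"}]},
    # Stopped instance: the access config survives without a natIP, and a new
    # ephemeral external IP is handed out on the next start, so it still counts.
    {"name": "batch-stopped",
     "zone": "https://www.googleapis.com/compute/v1/projects/demo/zones/europe-west1-b",
     "networkInterfaces": [
         {"name": "nic0", "networkIP": "10.132.0.5",
          "accessConfigs": [{"kind": "compute#accessConfig", "name": "External NAT",
                             "type": "ONE_TO_ONE_NAT"}]}]},
])


def audit_instances(raw_json: str) -> List[Dict]:
    """Return one finding per access config, i.e. per NIC that has (or will get)
    an external IP. Mirrors the GSL check 'nics contain [publicIpAddress]'."""
    findings = []
    for inst in json.loads(raw_json):
        zone = inst["zone"].rsplit("/", 1)[-1]  # zone URL -> short name for gcloud
        for nic in inst.get("networkInterfaces", []):
            for ac in nic.get("accessConfigs", []):
                findings.append({"instance": inst["name"], "zone": zone,
                                 "nic": nic.get("name", "nic0"),
                                 "access_config": ac.get("name", "External NAT"),
                                 "nat_ip": ac.get("natIP")})
    return findings


def remediation_commands(findings: List[Dict]) -> List[str]:
    """Build the delete-access-config command from the page for each finding.
    The default access config name contains a space, so it is quoted."""
    return ['gcloud compute instances delete-access-config {instance} --zone={zone} '
            '--network-interface={nic} --access-config-name="{access_config}"'.format(**f)
            for f in findings]
```

Review the generated commands before running them: instances that legitimately need an external address (for example a NAT or bastion host) should be documented as exceptions rather than stripped.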

References

  1. https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses
  2. https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances
  3. https://cloud.google.com/compute/docs/instances/connecting-to-instance
  4. https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip
  5. https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints

Virtual Machine Instances

Compute Engine instances can run the public images for Linux and Windows Server that Google provides as well as private custom images that you can create or import from your existing systems. You can also deploy Docker containers, which are automatically launched on instances running the Container-Optimized OS public image.

You can choose the machine properties of your instances, such as the number of virtual CPUs and the amount of memory, by using a set of predefined machine types or by creating your own custom machine types.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5
  • GCP PCI-DSS 4.0
  • GCP Security Risk Management