Asset does not contain a network tag

Network tags are used by VPC networks to identify which Compute Engine virtual machine (VM) instances are subject to specific firewall rules and network routes. Instances without tags have no micro-segmentation and are controlled only by high-level firewall rules that apply to every instance in the network. It is recommended to use network tags instead of setting rules that affect all of the instances in a network.

Risk Level: Low
Cloud Entity: Virtual Machine Instances
CloudGuard Rule ID: D9.GCP.NET.03
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

VMInstance should have networkTags length() > 0
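
The rule above evaluated in code, as an added example that is not part of the CloudGuard page or product: it applies the same condition (networkTags length() > 0) to instance records in the JSON shape that gcloud compute instances list --format=json emits (tags.items), and also shows which firewall rules an untagged instance ends up subject to. The instance and firewall records are constructed sample data, and firewall rules are assumed to target instances by tag only (targetServiceAccounts is not modelled).

```python
"""Evaluate CloudGuard rule D9.GCP.NET.03 (VMInstance should have networkTags
length() > 0) over instance and firewall records shaped like the output of
`gcloud compute instances list --format=json` (tags.items) and
`gcloud compute firewall-rules list --format=json` (targetTags).
All data below is constructed for this example."""

# Constructed sample: one tagged instance and two untagged ones.
INSTANCES = [
    {"name": "web-1", "tags": {"items": ["web", "ssh-bastion"]}},
    {"name": "legacy-db", "tags": {}},            # no items key at all
    {"name": "batch-7", "tags": {"items": []}},   # empty tag list
]

# Constructed sample rules; a rule without targetTags applies to every
# instance in the network (the "high level" rules the page refers to).
FIREWALL_RULES = [
    {"name": "allow-internal", "sourceRanges": ["10.128.0.0/9"]},
    {"name": "allow-http-web", "targetTags": ["web"], "sourceRanges": ["0.0.0.0/0"]},
    {"name": "allow-ssh-bastion", "targetTags": ["ssh-bastion"]},
]


def network_tags(instance):
    """Return the instance's network tags (GSL attribute networkTags)."""
    return list(instance.get("tags", {}).get("items", []))


def violates_net03(instance):
    """True when the instance has no network tags, i.e. the rule's finding."""
    return len(network_tags(instance)) == 0


def applicable_rules(instance, rules):
    """Rules that apply to this instance: untargeted rules always do,
    targeted rules only when a targetTag matches one of the instance's tags."""
    tags = set(network_tags(instance))
    return [r["name"] for r in rules
            if not r.get("targetTags") or tags & set(r["targetTags"])]


def evaluate(instances, rules):
    """Map each instance name to its finding, tags and applicable rules."""
    return {i["name"]: {"violation": violates_net03(i),
                        "tags": network_tags(i),
                        "rules": applicable_rules(i, rules)}
            for i in instances}


if __name__ == "__main__":
    for name, r in evaluate(INSTANCES, FIREWALL_RULES).items():
        status = "FAIL" if r["violation"] else "PASS"
        print(f"{status} {name}: tags={r['tags']} rules={r['rules']}")
```

On the sample data, legacy-db and batch-7 are reported as findings and are covered only by allow-internal, which is exactly the lack of micro-segmentation the rule is meant to surface.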

REMEDIATION

From Portal

  1. Go to the VM instances page using https://console.cloud.google.com/compute/instances
  2. Click on the instance you want to add or update tags for.
  3. Click EDIT
  4. Make changes in the Network tags section.
  5. Save your changes.

From TF
Set the tags in the tags argument of the instance resource:

resource "google_compute_instance" "default" {
	# ... other instance arguments unchanged ...
	tags = ["tag_1", "tag_2"]  # network tags referenced by firewall rules and routes
	# ...
}

From Command Line
gcloud compute instances add-tags INSTANCE_NAME --tags TAG_NAME

References

  1. https://cloud.google.com/sdk/gcloud/reference/compute/instances/add-tags
  2. https://cloud.google.com/vpc/docs/add-remove-network-tags

Virtual Machine Instances

Compute Engine instances can run the public images for Linux and Windows Server that Google provides as well as private custom images that you can create or import from your existing systems. You can also deploy Docker containers, which are automatically launched on instances running the Container-Optimized OS public image.

You can choose the machine properties of your instances, such as the number of virtual CPUs and the amount of memory, by using a set of predefined machine types or by creating your own custom machine types.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CloudGuard Best Practices
  • GCP CloudGuard Network Security
  • GCP ISO 27001:2013
  • GCP LGPD regulation
  • GCP NIST 800-53 Rev 4
  • GCP NIST CSF v1.1
  • GCP PCI-DSS 3.2