Ensure VM instances do not have a public IP

An instance with an external (public) IP address is reachable from the entire internet, which exposes any service listening on it to unauthorized access, data leakage, and data tampering or deletion. Services that must be public should be fronted by a load balancer, a WAF, and similar protection mechanisms rather than exposed directly on an instance address.

Risk Level: High
Cloud Entity: Virtual Machine Instances
CloudGuard Rule ID: D9.GCP.NET.04
Covered by Spectral: No
Category: Compute

GSL LOGIC

VMInstance should not have isPublic=true

REMEDIATION

From Portal:

  1. Go to the VM instances page using https://console.cloud.google.com/compute/instances
  2. Click on the instance you want to update.
  3. Click EDIT
  4. Click each network interface (nic) and choose None in External IP.
  5. Save your changes.

From TF:
Remove the 'access_config' block from every 'network_interface'. An interface without an 'access_config' block receives only an internal IP. If the interface also carries an 'ipv6_access_config' block, remove that as well:

resource "google_compute_instance" "default" {
  ...
  network_interface {
    ...

-   access_config {
-     // Ephemeral public IP
-   }
  }
  ...
}

From Command Line:
You can delete the instance's external IP by removing its access config:

gcloud compute instances delete-access-config VM_NAME --access-config-name ACCESS_CONFIG_NAME

Add '--zone' if no default zone is configured, and '--network-interface' when the address is on an interface other than nic0 (the gcloud default). Repeat for each interface that has an access config. Note that a reserved static external address stays reserved (and billed) after it is detached until you release it, and that an instance with no external IP loses direct outbound internet access: provide that through Cloud NAT, and use Private Google Access for reaching Google APIs.
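The following is an added example, not CloudGuard's rule engine or Google's code. It evaluates the GSL logic above ('VMInstance should not have isPublic=true') over instance resources in the shape returned by 'gcloud compute instances list --format=json', and prints the 'delete-access-config' command for each hit. The instance data is constructed for the example (documentation address ranges, a made-up project). Two choices are this example's own: an IPv4 access config with no 'natIP' yet (typical of a stopped instance) is still counted as public, because Compute Engine assigns an ephemeral external IP to it at start; and external IPv6 access configs are flagged for manual review rather than given a command.

```python
"""Check Compute Engine instances for external IPs and emit remediation commands.

Added example for the rule 'VMInstance should not have isPublic=true'.
Not CloudGuard or Google code.
"""
import json

# Constructed sample data shaped like `gcloud compute instances list --format=json`
# (Compute Engine v1 Instance resources). Addresses are documentation ranges.
SAMPLE_INSTANCES_JSON = """
[
  {
    "name": "web-1",
    "zone": "https://www.googleapis.com/compute/v1/projects/example-proj/zones/us-central1-a",
    "status": "RUNNING",
    "networkInterfaces": [
      {"name": "nic0", "networkIP": "10.128.0.2",
       "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "name": "External NAT", "natIP": "203.0.113.10"}]}
    ]
  },
  {
    "name": "db-1",
    "zone": "https://www.googleapis.com/compute/v1/projects/example-proj/zones/us-central1-a",
    "status": "RUNNING",
    "networkInterfaces": [
      {"name": "nic0", "networkIP": "10.128.0.3"}
    ]
  },
  {
    "name": "batch-1",
    "zone": "https://www.googleapis.com/compute/v1/projects/example-proj/zones/europe-west1-b",
    "status": "TERMINATED",
    "networkInterfaces": [
      {"name": "nic0", "networkIP": "10.132.0.5",
       "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "name": "external-nat"}]},
      {"name": "nic1", "networkIP": "10.132.1.5",
       "ipv6AccessConfigs": [{"type": "DIRECT_IPV6", "name": "external-ipv6",
                              "externalIpv6": "2001:db8::1", "externalIpv6PrefixLength": 96}]}
    ]
  }
]
"""


def sample_instances():
    """The constructed sample keyed by instance name."""
    return {inst["name"]: inst for inst in json.loads(SAMPLE_INSTANCES_JSON)}


def zone_of(instance):
    """The API returns the zone as a URL; gcloud's --zone wants only the zone name."""
    return instance["zone"].rsplit("/", 1)[-1]


def external_addresses(instance):
    """Every external address on the instance as (nic, kind, access_config_name, address).

    An IPv4 accessConfig without natIP is still reported (this example's conservative
    choice): Compute Engine assigns an ephemeral external IP to it when the VM starts.
    """
    found = []
    for nic in instance.get("networkInterfaces", []):
        for ac in nic.get("accessConfigs", []):
            found.append((nic["name"], "ipv4", ac.get("name", ""), ac.get("natIP", "ephemeral-on-start")))
        for ac in nic.get("ipv6AccessConfigs", []):
            found.append((nic["name"], "ipv6", ac.get("name", ""), ac.get("externalIpv6", "ephemeral-on-start")))
    return found


def is_public(instance):
    """The rule's isPublic predicate: any external address makes the instance public."""
    return len(external_addresses(instance)) > 0


def remediation(instance):
    """gcloud commands that remove each IPv4 access config on the instance.

    --zone and --network-interface are passed explicitly so the command does not rely
    on gcloud defaults (a configured default zone, nic0). IPv6 access configs are
    emitted as a comment for manual review rather than as a command.
    """
    cmds = []
    for nic, kind, name, _ in external_addresses(instance):
        if kind != "ipv4":
            cmds.append(f"# {instance['name']} {nic}: external IPv6 access config '{name}' - review manually")
            continue
        cmds.append(
            f"gcloud compute instances delete-access-config {instance['name']} "
            f"--zone {zone_of(instance)} --network-interface {nic} --access-config-name '{name}'"
        )
    return cmds


def evaluate(instances_json):
    """Rule result per instance: name -> list of findings; an empty list means compliant."""
    return {inst["name"]: external_addresses(inst) for inst in json.loads(instances_json)}


if __name__ == "__main__":
    for inst in json.loads(SAMPLE_INSTANCES_JSON):
        print(f"{inst['name']}: {'NON-COMPLIANT' if is_public(inst) else 'compliant'}")
        for cmd in remediation(inst):
            print("   ", cmd)
```

Feed the script real output from 'gcloud compute instances list --format=json' in place of the sample to get a dry-run list of commands; review them before running, since removing the address also cuts any outbound path that does not go through Cloud NAT.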

Reference:

  1. https://cloud.google.com/compute/docs/ip-addresses#externaladdresses
  2. https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_address
  3. https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address

Virtual Machine Instances

Compute Engine instances can run the public images for Linux and Windows Server that Google provides as well as private custom images that you can create or import from your existing systems. You can also deploy Docker containers, which are automatically launched on instances running the Container-Optimized OS public image.

You can choose the machine properties of your instances, such as the number of virtual CPUs and the amount of memory, by using a set of predefined machine types or by creating your own custom machine types.

Compliance Frameworks

  • GCP CloudGuard Best Practices
  • GCP CloudGuard Network Security
  • GCP GDPR Readiness
  • GCP HIPAA
  • GCP ISO 27001:2013
  • GCP LGPD regulation
  • GCP NIST 800-53 Rev 4
  • GCP NIST 800-53 Rev 5
  • GCP NIST CSF v1.1
  • GCP PCI-DSS 3.2
  • GCP PCI-DSS 4.0
  • GCP Security Risk Management