Risk Level: High
Cloud Entity: Virtual Machine Instances
CloudGuard Rule ID: D9.GCP.NET.08
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

VMInstance should not have canIpForward=true

REMEDIATION

From Portal

Navigate to VM instances page: https://console.cloud.google.com/compute/instances
Click CREATE INSTANCE, select all of the settings from the previous instance.
Click Management, security, disks, networking, sole tenancy
Go to Networking
Click edit, ensure IP forwarding is off.
After instance creation, stop/delete the previous instance.

From TF
Set the filed 'can_ip_forward' to be equal to 'false':

resource 'google_compute_instance' 'default' {
	...
	can_ip_forward = false
	
}

From Command Line

You can view the instance's setting using:

gcloud compute instances describe INSTANCE_NAME --zone INSTANCE_ZONE

Create the new instance, ensure '--can-ip-forward' is not set.

gcloud compute instances create

Delete the previous instance:

gcloud compute instances delete INSTANCE_NAME

References

instance creation: https://cloud.google.com/sdk/gcloud/reference/compute/instances/create
instance describe: https://cloud.google.com/sdk/gcloud/reference/compute/instances/describe
instance deletion: https://cloud.google.com/sdk/gcloud/reference/compute/instances/delete
https://cloud.google.com/vpc/docs/using-routes#canipforward

Virtual Machine Instances

Compute Engine instances can run the public images for Linux and Windows Server that Google provides as well as private custom images that you can create or import from your existing systems. You can also deploy Docker containers, which are automatically launched on instances running the Container-Optimized OS public image.

You can choose the machine properties of your instances, such as the number of virtual CPUs and the amount of memory, by using a set of predefined machine types or by creating your own custom machine types.

Compliance Frameworks

CloudGuard GCP All Rules Ruleset
GCP CIS Controls V 8
GCP CIS Foundations v. 1.0.0
GCP CIS Foundations v. 1.1.0
GCP CIS Foundations v. 1.2.0
GCP CIS Foundations v. 1.3.0
GCP CIS Foundations v. 2.0
GCP CloudGuard Best Practices
GCP CloudGuard Network Security
GCP LGPD regulation
GCP MITRE ATT&CK Framework v12.1
GCP NIST 800-53 Rev 5
GCP Security Risk Management