Ensure That IP Forwarding Is Not Enabled on Instances

IP Forwarding will let instance route packets in the VPC. Forwarding packets should be disabled in order to prevent data loss or information disclosure.

Risk Level: High
Cloud Entity: Virtual Machine Instances
CloudGuard Rule ID: D9.GCP.NET.08
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

VMInstance should not have canIpForward=true

REMEDIATION

From Portal

  1. Navigate to VM instances page: https://console.cloud.google.com/compute/instances
  2. Click CREATE INSTANCE, select all of the settings from the previous instance.
  3. Click Management, security, disks, networking, sole tenancy
  4. go to Networking
  5. Click edit, ensure IP forwarding is off.
  6. After instance creation, stop/delete the previous instance.

From TF
Set the filed 'can_ip_forward' to be equal to 'false':

resource 'google_compute_instance' 'default' {
	...
	can_ip_forward = false
	
}

From Command Line

  1. You can view the instance's setting using:
gcloud compute instances describe INSTANCE_NAME --zone INSTANCE_ZONE
  1. Create the new instance, ensure '--can-ip-forward' in not set.
gcloud compute instances create
  1. Delete the previous instance:
gcloud compute instances delete INSTANCE_NAME

References

  1. instance creation: https://cloud.google.com/sdk/gcloud/reference/compute/instances/create
  2. instance describe: https://cloud.google.com/sdk/gcloud/reference/compute/instances/describe
  3. instance deletion: https://cloud.google.com/sdk/gcloud/reference/compute/instances/delete
  4. https://cloud.google.com/vpc/docs/using-routes#canipforward

Virtual Machine Instances

Compute Engine instances can run the public images for Linux and Windows Server that Google provides as well as private custom images that you can create or import from your existing systems. You can also deploy Docker containers, which are automatically launched on instances running the Container-Optimized OS public image.

You can choose the machine properties of your instances, such as the number of virtual CPUs and the amount of memory, by using a set of predefined machine types or by creating your own custom machine types.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.0.0
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP CloudGuard Network Security
  • GCP LGPD regulation
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5
  • GCP Security Risk Management