🛡️ Google GCE Instance IP Forwarding is not disabled.🟢

• Contextual name: 🛡️ Instance IP Forwarding is not disabled.🟢
• ID: /ce/ca/google/compute-engine/disable-instance-ip-forwarding
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Google GCE Instance
  • 🔌 Google GCE Instance - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Disable IP Forwarding for Virtual Machine Instances

Description

Open File

Description

Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets.

Forwarding of data packets should be disabled to prevent data loss or information disclosure.

Rationale

Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets. To enable this source and destination IP check, disable the canIpForward field, which allows an instance to send and receive packets with non-matching destination or source IPs.

Impact

... see more

Remediation

Open File

Remediation

You only edit the canIpForward setting at instance creation time. Therefore, you need to delete the instance and create a new one where canIpForward is set to false.

From Google Cloud Console

1. Go to the VM Instances page by visiting: https://console.cloud.google.com/compute/instances.
2. Select the VM Instance you want to remediate.
3. Click the Delete button.
4. On the VM Instances page, click CREATE INSTANCE.
5. Create a new instance with the desired configuration. By default, the instance is configured to not allow IP forwarding.

From Google Cloud CLI

1. Delete the instance:

        gcloud compute instances delete INSTANCE_NAME

2. Create a new instance to replace it, with IP forwarding set to Off

        gcloud compute instances create

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS GCP v1.2.0 → 💼 4.6 Ensure that IP forwarding is not enabled on Instances - Level 1 (Automated)			1		no data
💼 CIS GCP v1.3.0 → 💼 4.6 Ensure That IP Forwarding Is Not Enabled on Instances - Level 1 (Automated)			1		no data
💼 CIS GCP v2.0.0 → 💼 4.6 Ensure That IP Forwarding Is Not Enabled on Instances - Level 1 (Automated)			1		no data
💼 CIS GCP v3.0.0 → 💼 4.6 Ensure That IP Forwarding Is Not Enabled on Instances - Level 1 (Automated)			1		no data
💼 Cloudaware Framework → 💼 Secure Access			57		no data
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	10	8	50		no data
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)			35		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	7		44		no data
💼 NIST CSF v1.1 → 💼 ID.AM-3: Organizational communication and data flows are mapped		4	8		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			145		no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			69		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			148		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			125		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			142		no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			95		no data
💼 NIST SP 800-53 Revision 4 → 💼 CA-9 INTERNAL SYSTEM CONNECTIONS	1		1		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection	29	4	52		no data
💼 PCI DSS v3.2.1 → 💼 1.1 Establish and implement firewall and router configuration standards	7	1	39		no data
💼 PCI DSS v3.2.1 → 💼 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.	7	8	30		no data
💼 PCI DSS v4.0.1 → 💼 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.			34		no data
💼 PCI DSS v4.0.1 → 💼 1.4.1 NSCs are implemented between trusted and untrusted networks.			19		no data
💼 PCI DSS v4.0 → 💼 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.		24	34		no data
💼 PCI DSS v4.0 → 💼 1.4.1 NSCs are implemented between trusted and untrusted networks.		7	19		no data
💼 SOC 2 → 💼 CC6.6-1 Restricts Access		16	19		no data
💼 SOC 2 → 💼 CC6.6-4 Implements Boundary Protection Systems			4		no data