🛡️ Google GCE Instance has a public IP address🟢

• Contextual name: 🛡️ Instance has a public IP address🟢
• ID: /ce/ca/google/compute-engine/instance-public-ip
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Google GCE Instance
  • 🔌 Google GCE Instance - object.extracts.yaml
  • 🔌 Google GCE Network Interface - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Check for Virtual Machine Instances with Public IP Addresses

Description

Open File

Description

Compute instances should not be configured to have external IP addresses.

Rationale

To reduce your attack surface, Compute instances should not have public IP addresses. Instead, instances should be configured behind load balancers, to minimize the instance's exposure to the internet.

Impact

Removing the external IP address from your Compute instance may cause some applications to stop working.

Audit

From Google Cloud Console

1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances.
2. For every VM, ensure that there is no External IP configured.

From Google Cloud CLI

        gcloud compute instances list --format=json

1. The output should not contain an accessConfigs section under networkInterfaces. Note that the natIP value is present only for instances that are running or for instances that are stopped but have a static IP address. For instances that are stopped and are configured to have an ephemeral public IP address, the natIP field will not be present. Example output:

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances.
2. Click on the instance name to go the the Instance detail page.
3. Click Edit.
4. For each Network interface, ensure that External IP is set to None.
5. Click Done and then click Save.

From Google Cloud CLI

1. Describe the instance properties:

        gcloud compute instances describe <INSTANCE_NAME> --zone=<ZONE>

2. Identify the access config name that contains the external IP address. This access config appears in the following format:

        networkInterfaces: 
        - accessConfigs: 
            - kind: compute#accessConfig 
              name: External NAT 
              natIP: 130.211.181.55 
              type: ONE_TO_ONE_NAT

3. Delete the access config.

        gcloud compute instances delete-access-config <INSTANCE_NAME> --zone=<ZONE> --access-config-name <ACCESS_CONFIG_NAME>

In the above example, the ACCESS_CONFIG_NAME is External NAT. The name of your access config might be different.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS GCP v1.2.0 → 💼 4.9 Ensure that Compute instances do not have public IP addresses - Level 2 (Automated)			1		no data
💼 CIS GCP v1.3.0 → 💼 4.9 Ensure That Compute Instances Do Not Have Public IP Addresses - Level 2 (Automated)			1		no data
💼 CIS GCP v2.0.0 → 💼 4.9 Ensure That Compute Instances Do Not Have Public IP Addresses - Level 2 (Automated)			1		no data
💼 CIS GCP v3.0.0 → 💼 4.9 Ensure That Compute Instances Do Not Have Public IP Addresses - Level 2 (Automated)			1		no data
💼 Cloudaware Framework → 💼 Public and Anonymous Access			101		no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	68		no data
💼 FedRAMP High Security Controls → 💼 AC-5 Separation of Duties (M)(H)			15		no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	11	57		no data
💼 FedRAMP High Security Controls → 💼 MP-2 Media Access (L)(M)(H)			13		no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			68		no data
💼 FedRAMP Low Security Controls → 💼 MP-2 Media Access (L)(M)(H)			13		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			68		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-5 Separation of Duties (M)(H)			15		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		57		no data
💼 FedRAMP Moderate Security Controls → 💼 MP-2 Media Access (L)(M)(H)			13		no data
💼 ISO/IEC 27001:2022 → 💼 5.10 Acceptable use of information and other associated assets		11	27		no data
💼 ISO/IEC 27001:2022 → 💼 5.15 Access control		14	31		no data
💼 ISO/IEC 27001:2022 → 💼 8.3 Information access restriction		10	24		no data
💼 ISO/IEC 27001:2022 → 💼 8.4 Access to source code		8	22		no data
💼 NIST CSF v1.1 → 💼 DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed		10	34		no data
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events		18	63		no data
💼 NIST CSF v1.1 → 💼 ID.AM-3: Organizational communication and data flows are mapped		4	8		no data
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties		17	56		no data
💼 NIST CSF v1.1 → 💼 PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)		10	44		no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		47	91		no data
💼 NIST CSF v1.1 → 💼 PR.PT-4: Communications and control networks are protected		10	44		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			145		no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			69		no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			116		no data
💼 NIST CSF v2.0 → 💼 PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk			44		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			148		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			125		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			142		no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			95		no data
💼 NIST SP 800-53 Revision 4 → 💼 CA-3 SYSTEM INTERCONNECTIONS	5		2		no data
💼 NIST SP 800-53 Revision 4 → 💼 SC-7 BOUNDARY PROTECTION	23	5	31		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	40		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-5 Separation of Duties			15		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	50		no data
💼 NIST SP 800-53 Revision 5 → 💼 MP-2 Media Access	2		13		no data
💼 PCI DSS v3.2.1 → 💼 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.		10	56		no data
💼 PCI DSS v4.0.1 → 💼 1.3.1 Inbound traffic to the CDE is restricted.			56		no data
💼 PCI DSS v4.0.1 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			56		no data
💼 PCI DSS v4.0 → 💼 1.3.1 Inbound traffic to the CDE is restricted.		7	56		no data
💼 PCI DSS v4.0 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			56		no data
💼 SOC 2 → 💼 CC5.2-3 Establishes Relevant Security Management Process Controls Activities		15	36		no data
💼 SOC 2 → 💼 CC6.1-3 Restricts Logical Access		1	22		no data
💼 SOC 2 → 💼 CC6.1-7 Restricts Access to Information Assets		13	27		no data