Skip to main content

πŸ“ Google GCE Instance has a public IP address 🟒

  • Contextual name: πŸ“ Instance has a public IP address 🟒
  • ID: /ce/ca/google/compute-engine/instance-public-ip
  • Located in: πŸ“ Google GCE

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Logic​

Description​

Open File

Description​

Compute instances should not be configured to have external IP addresses.

Rationale​

To reduce your attack surface, Compute instances should not have public IP addresses. Instead, instances should be configured behind load balancers, to minimize the instance's exposure to the internet.

Impact​

Removing the external IP address from your Compute instance may cause some applications to stop working.

Audit​

From Google Cloud Console​
  1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances.
  2. For every VM, ensure that there is no External IP configured.
From Google Cloud CLI​
        gcloud compute instances list --format=json
  1. The output should not contain an accessConfigs section under networkInterfaces. Note that the natIP value is present only for instances that are running or for instances that are stopped but have a static IP address. For instances that are stopped and are configured to have an ephemeral public IP address, the natIP field will not be present. Example output:

... see more

Remediation​

Open File

Remediation​

From Google Cloud Console​

  1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances.
  2. Click on the instance name to go the the Instance detail page.
  3. Click Edit.
  4. For each Network interface, ensure that External IP is set to None.
  5. Click Done and then click Save.

From Google Cloud CLI​

  1. Describe the instance properties:

         gcloud compute instances describe <INSTANCE_NAME> --zone=<ZONE>
  2. Identify the access config name that contains the external IP address. This access config appears in the following format:

         networkInterfaces: 
    - accessConfigs:
    - kind: compute#accessConfig
    name: External NAT
    natIP: 130.211.181.55
    type: ONE_TO_ONE_NAT
  3. Delete the access config.

         gcloud compute instances delete-access-config <INSTANCE_NAME> --zone=<ZONE> --access-config-name <ACCESS_CONFIG_NAME>

In the above example, the ACCESS_CONFIG_NAME is External NAT. The name of your access config might be different.

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό CIS GCP v1.2.0 β†’ πŸ’Ό 4.9 Ensure that Compute instances do not have public IP addresses - Level 2 (Automated)1
πŸ’Ό CIS GCP v1.3.0 β†’ πŸ’Ό 4.9 Ensure That Compute Instances Do Not Have Public IP Addresses - Level 2 (Automated)1
πŸ’Ό CIS GCP v2.0.0 β†’ πŸ’Ό 4.9 Ensure That Compute Instances Do Not Have Public IP Addresses - Level 2 (Automated)1
πŸ’Ό CIS GCP v3.0.0 β†’ πŸ’Ό 4.9 Ensure That Compute Instances Do Not Have Public IP Addresses - Level 2 (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Public and Anonymous Access72
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)3763
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-5 Separation of Duties (M)(H)13
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-6 Least Privilege (M)(H)81150
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό MP-2 Media Access (L)(M)(H)12
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)63
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό MP-2 Media Access (L)(M)(H)12
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)63
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-5 Separation of Duties (M)(H)13
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-6 Least Privilege (M)(H)650
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό MP-2 Media Access (L)(M)(H)12
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.10 Acceptable use of information and other associated assets1126
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.15 Access control1430
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.3 Information access restriction1023
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.4 Access to source code821
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed1115
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.CM-1: The network is monitored to detect potential cybersecurity events1942
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό ID.AM-3: Organizational communication and data flows are mapped47
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties1551
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)921
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-5: Protections against data leaks are implemented4464
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-4: Communications and control networks are protected921
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events111
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained43
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties86
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk21
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected107
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected89
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected102
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-01: Networks and environments are protected from unauthorized logical access and usage63
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό CA-3 SYSTEM INTERCONNECTIONS52
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό SC-7 BOUNDARY PROTECTION23510
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-3 Access Enforcement15532
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-5 Separation of Duties13
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-6 Least Privilege102343
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό MP-2 Media Access212
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.1027
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.3.1 Inbound traffic to the CDE is restricted.27
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.3.2 Outbound traffic from the CDE is restricted.27
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.3.1 Inbound traffic to the CDE is restricted.27
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.3.2 Outbound traffic from the CDE is restricted.27
πŸ’Ό SOC 2 β†’ πŸ’Ό CC5.2-3 Establishes Relevant Security Management Process Controls Activities1636
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-3 Restricts Logical Access121
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-7 Restricts Access to Information Assets1225