📝 Google GCE Instance has a public IP address 🟢

• Contextual name: 📝 Instance has a public IP address 🟢
• ID: /ce/ca/google/compute-engine/instance-public-ip
• Located in: 📁 Google GCE

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Similar Policies

• Cloud Conformity
  • Check for Virtual Machine Instances with Public IP Addresses

Logic

• 🧠 prod.logic.yaml 🟢
  • 📕 Google GCE Instance
  • 🔌 Google GCE Network Interface - object.extracts.yaml
  • 🔌 Google GCE Instance - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

Compute instances should not be configured to have external IP addresses.

Rationale

To reduce your attack surface, Compute instances should not have public IP addresses. Instead, instances should be configured behind load balancers, to minimize the instance's exposure to the internet.

Impact

Removing the external IP address from your Compute instance may cause some applications to stop working.

Audit

From Google Cloud Console

1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances.
2. For every VM, ensure that there is no External IP configured.

From Google Cloud CLI

        gcloud compute instances list --format=json

1. The output should not contain an accessConfigs section under networkInterfaces. Note that the natIP value is present only for instances that are running or for instances that are stopped but have a static IP address. For instances that are stopped and are configured to have an ephemeral public IP address, the natIP field will not be present. Example output:

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances.
2. Click on the instance name to go the the Instance detail page.
3. Click Edit.
4. For each Network interface, ensure that External IP is set to None.
5. Click Done and then click Save.

From Google Cloud CLI

1. Describe the instance properties:

        gcloud compute instances describe <INSTANCE_NAME> --zone=<ZONE>

2. Identify the access config name that contains the external IP address. This access config appears in the following format:

        networkInterfaces: 
        - accessConfigs: 
            - kind: compute#accessConfig 
              name: External NAT 
              natIP: 130.211.181.55 
              type: ONE_TO_ONE_NAT

3. Delete the access config.

        gcloud compute instances delete-access-config <INSTANCE_NAME> --zone=<ZONE> --access-config-name <ACCESS_CONFIG_NAME>

In the above example, the ACCESS_CONFIG_NAME is External NAT. The name of your access config might be different.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 CIS GCP v1.2.0 → 💼 4.9 Ensure that Compute instances do not have public IP addresses - Level 2 (Automated)			1
💼 CIS GCP v1.3.0 → 💼 4.9 Ensure That Compute Instances Do Not Have Public IP Addresses - Level 2 (Automated)			1
💼 CIS GCP v2.0.0 → 💼 4.9 Ensure That Compute Instances Do Not Have Public IP Addresses - Level 2 (Automated)			1
💼 CIS GCP v3.0.0 → 💼 4.9 Ensure That Compute Instances Do Not Have Public IP Addresses - Level 2 (Automated)			1
💼 Cloudaware Framework → 💼 Public and Anonymous Access			72
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	63
💼 FedRAMP High Security Controls → 💼 AC-5 Separation of Duties (M)(H)			13
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	11	50
💼 FedRAMP High Security Controls → 💼 MP-2 Media Access (L)(M)(H)			12
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			63
💼 FedRAMP Low Security Controls → 💼 MP-2 Media Access (L)(M)(H)			12
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			63
💼 FedRAMP Moderate Security Controls → 💼 AC-5 Separation of Duties (M)(H)			13
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		50
💼 FedRAMP Moderate Security Controls → 💼 MP-2 Media Access (L)(M)(H)			12
💼 ISO/IEC 27001:2022 → 💼 5.10 Acceptable use of information and other associated assets		11	26
💼 ISO/IEC 27001:2022 → 💼 5.15 Access control		14	30
💼 ISO/IEC 27001:2022 → 💼 8.3 Information access restriction		10	23
💼 ISO/IEC 27001:2022 → 💼 8.4 Access to source code		8	21
💼 NIST CSF v1.1 → 💼 DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed		11	15
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events		19	42
💼 NIST CSF v1.1 → 💼 ID.AM-3: Organizational communication and data flows are mapped		4	7
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties		15	51
💼 NIST CSF v1.1 → 💼 PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)		9	21
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		44	64
💼 NIST CSF v1.1 → 💼 PR.PT-4: Communications and control networks are protected		9	21
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			111
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			43
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			86
💼 NIST CSF v2.0 → 💼 PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk			21
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			107
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			89
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			102
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			63
💼 NIST SP 800-53 Revision 4 → 💼 CA-3 SYSTEM INTERCONNECTIONS	5		2
💼 NIST SP 800-53 Revision 4 → 💼 SC-7 BOUNDARY PROTECTION	23	5	10
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	32
💼 NIST SP 800-53 Revision 5 → 💼 AC-5 Separation of Duties			13
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	43
💼 NIST SP 800-53 Revision 5 → 💼 MP-2 Media Access	2		12
💼 PCI DSS v3.2.1 → 💼 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.		10	27
💼 PCI DSS v4.0.1 → 💼 1.3.1 Inbound traffic to the CDE is restricted.			27
💼 PCI DSS v4.0.1 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			27
💼 PCI DSS v4.0 → 💼 1.3.1 Inbound traffic to the CDE is restricted.			27
💼 PCI DSS v4.0 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			27
💼 SOC 2 → 💼 CC5.2-3 Establishes Relevant Security Management Process Controls Activities		16	36
💼 SOC 2 → 💼 CC6.1-3 Restricts Logical Access		1	21
💼 SOC 2 → 💼 CC6.1-7 Restricts Access to Information Assets		12	25