📝 Google GCE Instance has a public IP address 🟢

• Contextual name: 📝 Instance has a public IP address 🟢
• ID: /ce/ca/google/compute-engine/instance-public-ip
• Located in: 📁 Google GCE

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Similar Policies

• Cloud Conformity
  • Check for Virtual Machine Instances with Public IP Addresses

Logic

• 🧠 prod.logic.yaml 🟢
  • 📕 Google GCE Instance
  • 🔌 Google GCE Network Interface - object.extracts.yaml
  • 🔌 Google GCE Instance - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

Compute instances should not be configured to have external IP addresses.

Rationale

To reduce your attack surface, Compute instances should not have public IP addresses. Instead, instances should be configured behind load balancers, to minimize the instance's exposure to the internet.

Impact

Removing the external IP address from your Compute instance may cause some applications to stop working.

Audit

From Google Cloud Console

1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances.
2. For every VM, ensure that there is no External IP configured.

From Google Cloud CLI

        gcloud compute instances list --format=json

1. The output should not contain an accessConfigs section under networkInterfaces. Note that the natIP value is present only for instances that are running or for instances that are stopped but have a static IP address. For instances that are stopped and are configured to have an ephemeral public IP address, the natIP field will not be present. Example output:

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances.
2. Click on the instance name to go the the Instance detail page.
3. Click Edit.
4. For each Network interface, ensure that External IP is set to None.
5. Click Done and then click Save.

From Google Cloud CLI

1. Describe the instance properties:

        gcloud compute instances describe <INSTANCE_NAME> --zone=<ZONE>

2. Identify the access config name that contains the external IP address. This access config appears in the following format:

        networkInterfaces: 
        - accessConfigs: 
            - kind: compute#accessConfig 
              name: External NAT 
              natIP: 130.211.181.55 
              type: ONE_TO_ONE_NAT

3. Delete the access config.

        gcloud compute instances delete-access-config <INSTANCE_NAME> --zone=<ZONE> --access-config-name <ACCESS_CONFIG_NAME>

In the above example, the ACCESS_CONFIG_NAME is External NAT. The name of your access config might be different.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 CIS GCP v3.0.0 → 💼 4.9 Ensure That Compute Instances Do Not Have Public IP Addresses - Level 2 (Automated)			1
💼 Cloudaware Framework → 💼 Public and Anonymous Access			24