Google CloudOverview
Compute instances should not be configured to have external IP addresses.
Rationale
To reduce your attack surface, Compute instances should not have public IP addresses. Instead, instances should be configured behind load balancers, to minimize the instance's exposure to the internet.
Impact
Removing the external IP address from your Compute instance may cause some applications to stop working.
Remediation guidance
From Google Cloud Console
- Go to the
VM instancespage by visiting: https://console.cloud.google.com/compute/instances - Click on each VM instance name to go to its details page
- Click
STOPand then clickEDIT - For each Network interface, ensure that External IP is set to None.
- Click
Saveand then clickSTART
Using Google Cloud CLI
- Describe the instance properties:
gcloud compute instances describe <instanceName> --zone=<zone>
- Identify the access config name that contains the external IP address. This access config appears in the following format:
networkInterfaces:
- accessConfigs:
- kind: compute#accessConfig
name: External NAT
natIP: 130.211.181.55
type: ONE_TO_ONE_NAT
- Delete the access config.
gcloud compute instances delete-access-config <instanceName> --zone=<zone> --access-config-name <accessConfigName>
In the above example, the accessConfigName is External NAT. The name of your access config might be different.
Prevention
You can configure the Define allowed external IPs for VM instances Organization Policy to prevent VMs from being configured with public IP addresses. Learn more at: https://console.cloud.google.com/orgpolicies/compute-vmExternalIpAccess
Default Value
By default, Compute instances have a public IP address.
References
- https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses
- https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances
- https://cloud.google.com/compute/docs/instances/connecting-to-instance
- https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip
- https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
Additional information
You can connect to Linux VMs that do not have public IP addresses by using IdentityAware Proxy for TCP forwarding. Learn more at https://cloud.google.com/compute/docs/instances/connectingadvanced#sshbetweeninstances. For Windows VMs, see https://cloud.google.com/compute/docs/instances/connectingto-instance.
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Google Cloud
Use organization or folder policies where available, shared project templates, logs and alerting baselines, and IaC modules so new resources inherit the secure setting.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Compute instances do not have public IP addresses
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: { NOT: { accessConfigs_SOME: null } }
NOT: { name_STARTS_WITH: "gke-" }
}
) {
...AssetFragment
}
}
