Ensure compute instances do not have public IPs

Error: Compute instances have public IPs

Bridgecrew Policy ID: BC_GCP_PUBLIC_2
Checkov Check ID: CKV_GCP_40
Severity: MEDIUM

Description

To reduce your attack surface, Compute instances should not have public IP addresses. To minimize an instance's exposure to the internet, place it behind a load balancer instead of giving it an external address.

We recommend you ensure compute instances are not configured to have external IP addresses.

Fix - Runtime

GCP Console

To change the policy using the GCP Console, follow these steps:

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to VM instances.
  3. Click the instance name to open the Instance details page.
  4. Click Edit.
  5. For each Network interface, ensure that External IP is set to None.
  6. Click Done, then click Save.

CLI Command

  1. Describe the instance properties:
     gcloud compute instances describe INSTANCE_NAME --zone=ZONE
  2. Identify the access config that contains the external IP address. In the describe output it appears in the following format:
     - accessConfigs:
       - kind: compute#accessConfig
         name: External NAT
         natIP: 130.211.181.55
         type: ONE_TO_ONE_NAT
  3. To delete the access config, use the following command:
     gcloud compute instances delete-access-config INSTANCE_NAME \
       --zone=ZONE \
       --access-config-name "ACCESS_CONFIG_NAME"

Note: In the above example the ACCESS_CONFIG_NAME is External NAT. The name of your access config may be different.

Fix - Buildtime

Terraform

  • Resource: google_compute_instance
  • Field: network_interface.access_config

An external IP is requested by an access_config block inside a network_interface block. Remove the access_config block (marked with "-" below) so the instance is created with only an internal address:

resource "google_compute_instance" "example" {
  name         = "test"
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"
  boot_disk {}
  network_interface {
    network = "default"
-   access_config {
-     ...
-   }
  }
}
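The following script is an added example, not part of this Bridgecrew/Checkov page or of the Checkov code base. It shows both sides of the policy in working code: the runtime finding (which access configs on a running instance give it an external IP, and the exact delete-access-config commands from the CLI fix above), and the buildtime finding (whether a google_compute_instance resource carries an access_config block, and the resource with that block removed, as in the Terraform fix). It assumes the runtime input is the JSON that gcloud compute instances describe prints with --format=json, and that the Terraform resource is supplied in the attribute-to-list dict shape an HCL parser produces; both inputs are constructed samples embedded in the script, and the check logic is a simplified stand-in, not the implementation of CKV_GCP_40.

```python
"""Detect Compute instances with external IPs at runtime and at build time.

Added example, not part of the Bridgecrew/Checkov documentation or the
Checkov code base. Assumptions: runtime input is the JSON printed by
`gcloud compute instances describe INSTANCE_NAME --zone=ZONE --format=json`
(constructed sample below); buildtime input is a google_compute_instance
resource body in the attribute-to-list dict shape an HCL parser produces
(constructed sample below). The check logic is a simplified stand-in, not
the code behind CKV_GCP_40.
"""
import copy
import json

# Constructed sample: one NIC with an "External NAT" access config (public IP).
SAMPLE_DESCRIBE_JSON = json.dumps({
    "name": "test",
    "networkInterfaces": [{
        "name": "nic0",
        "networkIP": "10.128.0.2",
        "accessConfigs": [{
            "kind": "compute#accessConfig",
            "name": "External NAT",
            "natIP": "130.211.181.55",
            "type": "ONE_TO_ONE_NAT",
        }],
    }],
})

# Constructed sample: the same instance after the access config was deleted.
SAMPLE_PRIVATE_DESCRIBE_JSON = json.dumps({
    "name": "test",
    "networkInterfaces": [{"name": "nic0", "networkIP": "10.128.0.2"}],
})


def public_access_configs(describe_json):
    """Return (nic_name, access_config_name, natIP) for each external address.

    Every ONE_TO_ONE_NAT access config gives its NIC an external IP. On a
    stopped instance natIP is absent but the config still grants an address
    on the next start, so it is reported as "unassigned" rather than skipped.
    """
    instance = json.loads(describe_json)
    findings = []
    for nic in instance.get("networkInterfaces", []):
        for ac in nic.get("accessConfigs", []):
            if ac.get("type", "ONE_TO_ONE_NAT") == "ONE_TO_ONE_NAT":
                findings.append((nic.get("name", "nic0"),
                                 ac.get("name", ""),
                                 ac.get("natIP", "unassigned")))
    return findings


def remediation_commands(instance_name, zone, findings):
    """Build one delete-access-config command per finding (the page's CLI fix),
    naming the network interface so multi-NIC instances are handled too."""
    return [
        f"gcloud compute instances delete-access-config {instance_name} "
        f"--zone={zone} --network-interface={nic} --access-config-name=\"{name}\""
        for nic, name, _ in findings
    ]


# Constructed sample: the page's Terraform resource as a parsed dict
# (each attribute or block maps to a list of its values; assumed parser shape).
SAMPLE_TF_RESOURCE = {
    "name": ["test"],
    "machine_type": ["n1-standard-1"],
    "zone": ["us-central1-a"],
    "boot_disk": [{}],
    "network_interface": [{"network": ["default"], "access_config": [{}]}],
}


def terraform_has_public_ip(resource):
    """True if any network_interface block carries an access_config block.

    In google_compute_instance, an access_config inside network_interface is
    exactly what requests an external IP, so its presence is the finding.
    """
    for nic in resource.get("network_interface", []):
        if nic.get("access_config"):
            return True
    return False


def remediate_terraform(resource):
    """Return a copy with every access_config block removed (the page's fix)."""
    fixed = copy.deepcopy(resource)
    for nic in fixed.get("network_interface", []):
        nic.pop("access_config", None)
    return fixed


def check_result(resource):
    """Checkov-style verdict string for a parsed google_compute_instance."""
    return "FAILED" if terraform_has_public_ip(resource) else "PASSED"


if __name__ == "__main__":
    runtime = public_access_configs(SAMPLE_DESCRIBE_JSON)
    for finding in runtime:
        print("runtime finding:", finding)
    for cmd in remediation_commands("test", "us-central1-a", runtime):
        print("fix:", cmd)
    print("buildtime:", check_result(SAMPLE_TF_RESOURCE),
          "->", check_result(remediate_terraform(SAMPLE_TF_RESOURCE)))
```

Run it as-is to see the findings for the embedded samples; to check a real instance, feed `public_access_configs` the output of the describe command with `--format=json`. The buildtime check deliberately treats any access_config block as a finding, even an empty one, because an empty block still requests an ephemeral external IP.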