Profile Applicability:

  • Level 2

Description:

Compute instances should not have external (public) IP addresses to reduce exposure to the internet. Instead, instances should operate behind load balancers, which provide a controlled and secure way to access these resources.

Rationale:

Public IP addresses increase the attack surface of Compute instances by exposing them directly to the internet. By restricting instances to private IPs and routing traffic through load balancers or Identity-Aware Proxy (IAP), organizations can enforce tighter access controls and reduce the risk of unauthorized access or exploitation.

Impact:

Removing external IP addresses from Compute instances may disrupt applications or services relying on direct public access. Proper networking configurations, such as VPNs, IAP, or bastion hosts, should be in place to avoid service interruptions.

Default Value:

By default, Compute instances are assigned public IP addresses unless explicitly configured otherwise.

Audit Steps:
Using Google Cloud Console:

  1. Navigate to Compute Engine > VM Instances: https://console.cloud.google.com/compute/instances.

             

  1. For each instance, verify that no External IP is configured under the Network interfaces section.

             

Using Google Cloud CLI:

List all instances:

gcloud compute instances list --format=json

  1. Review the networkInterfaces section in the output:

    • Ensure no accessConfigs section contains natIP.

Example output for a public IP:
networkInterfaces:

- accessConfigs:

  - name: External NAT

    natIP: 130.211.181.55

    type: ONE_TO_ONE_NAT

  1. If the natIP field is present, the instance has a public IP.

Remediation Steps:

Using Google Cloud Console:

  1. Navigate to Compute Engine > VM Instances: https://console.cloud.google.com/compute/instances.

               

  1. Select the instance name to open its Instance Details page.

  1. Click Edit.

  1. Under Network interfaces, set External IP to None for each network interface.

                   

  1. Save the changes.

         

Using Google Cloud CLI:

Describe the instance:

gcloud compute instances describe <INSTANCE_NAME> --zone=<ZONE>

  1. Identify the accessConfigs section containing the external IP.

Remove the external IP:

gcloud compute instances delete-access-config <INSTANCE_NAME> --zone=<ZONE> --access-config-name <ACCESS_CONFIG_NAME>

  1. Replace <ACCESS_CONFIG_NAME> with the name of the access configuration, such as External NAT.

Prevention:

To ensure that new VMs are not configured with public IPs, apply an Organization Policy to restrict external IP access:

Backout Plan:

If an instance needs to be publicly accessible, or if an error occurs after removing the public IP:

  1. Identify the affected instance.

  2. Re-enable the Auto-assign Public IP setting at the time of launch or use the following command to assign a public IP manually:

    aws ec2 associate-address --instance-id <instance-id> --public-ip <public-ip>

  3. Verify that the instance is correctly reconfigured with the public IP.

References:

  1. Connecting to Instances Without Public IPs

Additional Information:

  • Use Identity-Aware Proxy (IAP) to access Linux VMs without public IPs.

  • For Windows VMs, configure RDP access through private networking or a bastion host.

CIS Controls:

Control

Description

IG 1

IG 2

IG 3

3.3 Configure Data Access Control Lists

Apply access permissions to restrict data access to authorized users only.

14.6 Protect Information Through Access Control Lists

Enforce access controls on files, databases, and systems to restrict unauthorized access.