Profile Applicability:

  • Level 1

Description:

Cloud instances should be configured to use private IP addresses instead of public IPs whenever possible. Assigning private IPs enhances network security by limiting direct internet exposure and reduces the attack surface.

Rationale:

  • Using private IPs restricts instance accessibility to within the Virtual Private Cloud (VPC) or connected networks.

  • Public IPs expose instances directly to the internet, increasing risks from external threats.

  • Private IP assignment supports compliance and best practices in network security.

Impact:

  • Instances without public IPs cannot be accessed directly from the internet.

  • Remote access and service connectivity must be handled through VPNs, bastion hosts, or private networking solutions.

  • Requires updates to architecture and access management.

Default Value:

  • Many cloud platforms assign public IPs by default unless specified otherwise.

Audit Steps:

Using Cloud Console:

  1. Navigate to the Compute Engine (or equivalent) instances page.

  2. Review the Network interfaces section for each instance.

  3. Confirm the External IP is either None or set to Private.

  4. Repeat for all instances.

Using CLI:

gcloud compute instances list --format="table(name,zone,networkInterfaces.networkIP,networkInterfaces.accessConfigs[0].natIP)"

  • Ensure natIP (external IP) is empty or not assigned.

Remediation Steps:

Using Cloud Console:

  1. For existing instances, remove the external IP by editing the Network Interface and unassigning the external IP.

  2. For new instances, during creation, do not assign an external IP.

  3. Use private IP ranges and VPN or proxy solutions for external access.

Using CLI:

  • To create a new instance with only private IP:

gcloud compute instances create [INSTANCE_NAME] --no-address --zone=[ZONE]

  • To remove the external IP from an existing instance (requires recreation or network interface update):

gcloud compute instances delete-access-config [INSTANCE_NAME] --access-config-name "external-nat" --zone=[ZONE]

Backout Plan:

  1. Reassign a public IP if connectivity is lost and immediate access is needed:

gcloud compute instances add-access-config [INSTANCE_NAME] --access-config-name "external-nat" --zone=[ZONE]

  1. Verify instance connectivity post change.

  2. Notify teams if IP changes impact services or access.

References:

CIS Controls:

Control
Description
IG 1
IG 2
IG 3
3.3
Configure Data Access Control Lists
14.6
Protect Information Through ACLs