More Info:

Compute instances should not be configured to have external IP addresses.

Risk Level

High

Address

Security

Compliance Standards

CISGCP, CBP, SOC2, ISO27001, HITRUST, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Compute Instances Should Not Have Public IPs” in GCP using GCP console, please follow the below steps:
  1. Login to GCP console (https://console.cloud.google.com/).
  2. In the navigation menu, click on “Compute Engine”.
  3. Click on “VM instances”.
  4. Select the instance for which you want to remove the public IP.
  5. Click on “Edit” button at the top of the page.
  6. Scroll down to the “Network interfaces” section.
  7. Under “External IP”, select “None” from the dropdown menu.
  8. Click on “Save” to save the changes.
Once the changes are saved, the public IP will be removed from the instance and it will no longer be accessible publicly.

To remediate the misconfiguration of compute instances having public IPs in GCP using GCP CLI, follow these steps:
  1. Open the GCP CLI and authenticate with your GCP account credentials.
  2. Identify the instances that have public IPs assigned to them. You can use the following command to list all the instances in your project: 
    gcloud compute instances list
    This will list all the instances in your project along with their details, including their public IPs.
  3. Remove the public IP address from each instance using the following command: 
    gcloud compute instances delete-access-config [INSTANCE_NAME] \
--access-config-name "External NAT"
    Replace [INSTANCE_NAME] with the name of the instance that you want to remove the public IP from. This command will delete the external NAT access configuration from the instance, which will remove the public IP address.
  4. Repeat the above step for all the instances that have public IPs assigned to them until all the instances have their public IPs removed.
  5. Verify that the instances no longer have public IPs assigned to them using the following command: 
    gcloud compute instances list
    This will list all the instances in your project along with their details, including their IP addresses. Verify that the instances no longer have public IPs assigned to them.
By following these steps, you can remediate the misconfiguration of compute instances having public IPs in GCP using GCP CLI.
To remediate the misconfiguration “Compute Instances Should Not Have Public IPs” in GCP using Python, you can follow the below steps:Step 1: Get a list of all the Compute Instances with Public IPs. This can be done by using the Google Cloud SDK and running the following command:
gcloud compute instances list --filter="networkInterfaces.accessConfigs.natIP:*"
This command will return a list of all the Compute Instances that have a Public IP associated with them.Step 2: Use the Google Cloud Python Client Library to update the instances and remove the Public IP. You can use the following Python script:
from google.cloud import compute_v1

# Create a Compute Engine client object
compute_client = compute_v1.InstancesClient()

# Project ID for this request.
project = 'your-project-id'  # TODO: Update placeholder value.

# Zone name for this request.
zone = 'us-central1-a'  # TODO: Update placeholder value.

# Get the list of instances with public IPs
instances = compute_client.list(project=project, zone=zone, filter="networkInterfaces.accessConfigs.natIP:*")

for instance in instances:
    # Remove the Public IP from the instance
    instance.network_interfaces[0].access_configs[0].nat_ip = None

    # Update the instance
    operation = compute_client.update(project=project, zone=zone, instance=instance.name, instance=instance)

    # Wait for the operation to complete
    result = operation.result()

    print(f"Public IP removed from instance {instance.name}")
This script will loop through all the instances with Public IPs and remove the Public IP from them. It will then print a message for each instance that has been updated.Step 3: Run the Python script to remediate the misconfiguration.Note: Before running the script, make sure you have set up the Google Cloud SDK and installed the Google Cloud Python Client Library.