More Info:

Ensure that “Define Allowed External IPs for VM Instances” constraint policy is enforced at the GCP organization level in order to enable you to define the set of virtual machine (VM) instances that are allowed to use external IP addresses. This constraint helps you to minimize your instance’s exposure to the Internet.

Risk Level

Medium

Address

Security, Operational Maturity

Compliance Standards

CBP

Triage and Remediation

Remediation

“Define Allowed External IPs for VM Instances” is not a firewall rule. It is a Google Cloud organization policy constraint (constraints/compute.vmExternalIpAccess) that controls which VM instances may hold an external IP address at all. VPC firewall rules decide which traffic may reach an instance that already has an external IP; this constraint decides whether the instance can be given one in the first place. It is a list constraint whose values are instance references of the form projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME. When it is not enforced, anyone with permission to create instances in any project under the organization can attach an external IP, and every such instance becomes directly reachable from the Internet, subject only to whatever firewall rules happen to apply.

Two points to keep in mind before remediating. First, the constraint is evaluated when an external IP is assigned (at instance creation, or when an access config is added to an existing instance); instances that already hold an external IP are not changed when the policy is set, so they must be inventoried and cleaned up separately. Second, setting the policy requires the Organization Policy Administrator role (roles/orgpolicy.policyAdmin) on the organization.

To remediate this misconfiguration in GCP using the GCP console, follow these steps:

  1. Sign in to the GCP console with an account that holds the Organization Policy Administrator role, and in the resource selector at the top of the page choose the organization itself (not a project or folder), so that the policy is inherited by every project beneath it.

  2. In the navigation menu, click on “IAM & Admin” and then click on “Organization Policies”.

  3. In the filter box, search for “Define allowed external IPs for VM instances” (constraints/compute.vmExternalIpAccess) and click on the constraint to open it.

  4. Click on “Manage policy” (labelled “Edit” in older versions of the console). Under “Applies to”, select “Customize” so that the organization defines its own policy instead of using the default.

  5. Under “Policy values”, choose one of the following: select “Deny All” to forbid external IPs on every instance in the organization, or select “Custom”, set the policy type to “Allow”, and add one value per instance that legitimately needs an external IP (for example a bastion host), in the form projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME. Deny All with a short, explicit allow list is the safest starting point; everything else should reach the Internet through Cloud NAT or a load balancer rather than an instance-level external IP.

  6. Click on “Save” (or “Set policy”) to apply the changes.

  7. Verify that the policy is in force by reopening the constraint and confirming that the effective policy shows your Deny All or custom allow list rather than the default of allowing all values. Then list the instances that currently hold external IPs and remove the IP from any instance that is not on the allow list, since the constraint does not do this for you.

By following these steps, you can remediate the “Allowed External IPs for VM Instances” misconfiguration in GCP using the GCP console.
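Because the constraint does not touch instances that already hold an external IP, the practical remediation is an audit: list every instance with an external IP, decide which ones the effective policy should allow, and generate the policy to set. The script below is an added example, not code from the original page or from Google. It works on data shaped like the JSON emitted by `gcloud compute instances list --format=json` and by `gcloud resource-manager org-policies describe compute.vmExternalIpAccess --organization=ORG_ID --effective --format=json` (the v1 list-policy schema with allValues, allowedValues and deniedValues); the policy evaluation is a simplified version of those semantics, and the project name “demo-proj”, the instances and the policy are constructed sample data, not captured from a real organization.

```python
"""Audit external-IP exposure against the compute.vmExternalIpAccess constraint.

Added example, not code from the original page or from Google. Input shapes
follow the JSON of `gcloud compute instances list --format=json` and of
`gcloud resource-manager org-policies describe compute.vmExternalIpAccess
--organization=ORG_ID --effective --format=json` (v1 list-policy schema).
The sample instances and policy below are constructed, not real data.
"""

CONSTRAINT = "constraints/compute.vmExternalIpAccess"


def instance_ref(project, inst):
    """Build the value form the constraint expects for one instance."""
    zone = inst["zone"].rsplit("/", 1)[-1]  # instances list gives a zone URL
    return f"projects/{project}/zones/{zone}/instances/{inst['name']}"


def external_ips(inst):
    """Return the external (one-to-one NAT) IPv4 addresses on an instance."""
    ips = []
    for nic in inst.get("networkInterfaces", []):
        for cfg in nic.get("accessConfigs", []):
            if cfg.get("type") == "ONE_TO_ONE_NAT" and cfg.get("natIP"):
                ips.append(cfg["natIP"])
    return ips


def policy_allows(policy, ref):
    """Simplified v1 ListPolicy evaluation for one instance reference.

    An allValues verdict wins, then an explicit allow list, then an explicit
    deny list; with no policy set the constraint defaults to allowing all.
    """
    lp = policy.get("listPolicy", {})
    if lp.get("allValues") == "DENY":
        return False
    if lp.get("allValues") == "ALLOW":
        return True
    if "allowedValues" in lp:
        return ref in lp["allowedValues"]
    if "deniedValues" in lp:
        return ref not in lp["deniedValues"]
    return True


def audit(project, instances, policy):
    """List instances holding an external IP, with the policy verdict for each.

    Instances that are out of policy already have an IP the constraint will
    not remove; they need manual clean-up (or an allow-list entry).
    """
    findings = []
    for inst in instances:
        ips = external_ips(inst)
        if not ips:
            continue  # private-only instance: nothing exposed
        ref = instance_ref(project, inst)
        findings.append({"ref": ref, "external_ips": ips,
                         "allowed_by_policy": policy_allows(policy, ref)})
    return findings


def policy_yaml(allowed_refs):
    """Render a v1 policy file for `gcloud resource-manager org-policies set-policy`.

    An empty allow list becomes a Deny All policy.
    """
    lines = [f"constraint: {CONSTRAINT}", "listPolicy:"]
    if allowed_refs:
        lines.append("  allowedValues:")
        lines += [f"  - {ref}" for ref in allowed_refs]
    else:
        lines.append("  allValues: DENY")
    return "\n".join(lines) + "\n"


# Constructed sample data for a hypothetical project "demo-proj".
ZONE_URL = "https://www.googleapis.com/compute/v1/projects/demo-proj/zones/"
SAMPLE_INSTANCES = [
    {"name": "bastion-1", "zone": ZONE_URL + "us-central1-a",
     "networkInterfaces": [{"networkIP": "10.0.0.2", "accessConfigs": [
         {"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.10"}]}]},
    {"name": "db-1", "zone": ZONE_URL + "us-central1-b",
     "networkInterfaces": [{"networkIP": "10.0.0.3", "accessConfigs": [
         {"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.11"}]}]},
    {"name": "worker-1", "zone": ZONE_URL + "us-central1-a",
     "networkInterfaces": [{"networkIP": "10.0.0.4"}]},
]
# Constructed effective policy: only the bastion is on the allow list.
SAMPLE_POLICY = {"constraint": CONSTRAINT, "listPolicy": {"allowedValues": [
    "projects/demo-proj/zones/us-central1-a/instances/bastion-1"]}}

if __name__ == "__main__":
    for f in audit("demo-proj", SAMPLE_INSTANCES, SAMPLE_POLICY):
        status = "allowed" if f["allowed_by_policy"] else "OUT OF POLICY"
        print(f"{f['ref']}: {', '.join(f['external_ips'])} ({status})")
    print(policy_yaml(SAMPLE_POLICY["listPolicy"]["allowedValues"]))
```

On real data, feed the script the output of `gcloud compute instances list --format=json` for each project and the `--effective` policy from the organization, then apply the generated file with `gcloud resource-manager org-policies set-policy --organization=ORG_ID policy.yaml`. In the sample, db-1 is reported as out of policy: it keeps its external IP until someone removes the access config, which is exactly the gap the audit exists to surface.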