Compute instances shouldn’t be accessible from the Internet

ID

gcp_compute_instance_publicy_accessible

Severity

low

Vendor

GCP

Resource

AIM

Tags

non-reachable

Description

Setting access_configs on a network interface assigns an external IP address to the instance, so it can be reached from outside your VPC network. That reachability also exposes the instance to attacks and unauthorized access from the Internet.

To fix it, remove the network_interfaces.access_configs configuration property so the instance keeps only its internal address.

Learn more about this topic at Managing access to Compute Engine resources.

Examples

---
- name: create an instance
  google.cloud.gcp_compute_instance:
    name: test_object
    network_interfaces:
      - network: "{{ network }}"
        access_configs:
          - name: External NAT
            nat_ip: "{{ address }}"
            type: ONE_TO_ONE_NAT
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    state: present

Mitigation / Fix

---
- name: create an instance
  google.cloud.gcp_compute_instance:
    name: test_object
    network_interfaces:
      - network: '{{ network }}'
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    state: present
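As an added example (not part of this rule page or of the google.cloud collection), the following Python checker implements the rule's logic over a parsed playbook: it walks plays, task lists and blocks, and reports every gcp_compute_instance network interface that carries a non-empty access_configs list. It assumes the short module name gcp_compute_instance is still accepted alongside the fully qualified one, and treats an empty access_configs list as compliant because it assigns no external IP.

```python
# Added example (not part of the rule page or the google.cloud collection):
# a minimal checker that flags gcp_compute_instance tasks whose network
# interfaces carry a non-empty access_configs list, i.e. an external IP.
# It operates on an already-parsed playbook (list of plays or tasks), so it
# needs no YAML library; yaml.safe_load output has the same shape.

GCP_INSTANCE_MODULES = {
    "google.cloud.gcp_compute_instance",  # fully qualified name used on this page
    "gcp_compute_instance",               # short name, assumed still in use
}


def _iter_tasks(items):
    """Yield task dicts from a parsed playbook: plays, task lists and blocks."""
    for item in items or []:
        if not isinstance(item, dict):
            continue
        yield item
        for key in ("tasks", "pre_tasks", "post_tasks", "handlers",
                    "block", "rescue", "always"):
            yield from _iter_tasks(item.get(key))


def find_public_instances(playbook):
    """Return [(task_name, interface_index)] for interfaces with an external IP."""
    findings = []
    for task in _iter_tasks(playbook):
        module = next((m for m in GCP_INSTANCE_MODULES if m in task), None)
        if module is None or not isinstance(task[module], dict):
            continue
        for idx, nic in enumerate(task[module].get("network_interfaces") or []):
            # An empty list assigns no external IP, so only non-empty lists count.
            if isinstance(nic, dict) and nic.get("access_configs"):
                findings.append((task.get("name", "<unnamed>"), idx))
    return findings


# Constructed sample: the page's flagged task and its fixed counterpart, as
# yaml.safe_load would return them.
SAMPLE_PLAYBOOK = [
    {"name": "create an instance", "google.cloud.gcp_compute_instance": {
        "network_interfaces": [{"network": "{{ network }}", "access_configs": [
            {"name": "External NAT", "nat_ip": "{{ address }}", "type": "ONE_TO_ONE_NAT"}]}]}},
    {"name": "create a private instance", "google.cloud.gcp_compute_instance": {
        "network_interfaces": [{"network": "{{ network }}"}]}},
]

if __name__ == "__main__":
    for task_name, idx in find_public_instances(SAMPLE_PLAYBOOK):
        print(f"{task_name}: network_interfaces[{idx}] has access_configs (external IP)")
```

Running the block reports only the first task, which matches the flagged example above; the fixed task produces no finding.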