Ensure that "Define Allowed External IPs for VM Instances" constraint policy is enforced at the GCP organization level in order to enable you to define the set of virtual machine (VM) instances that are allowed to use external IP addresses. This constraint helps you to minimize your instance's exposure to the Internet. The allowed list of VM instances must be identified by the instance name, using the following format: projects/<project-id>/zones/<instance-zone>/instances/<instance-name> and must be defined in the conformity rule settings, on the Trend Micro Cloud One™ – Conformity account console.
By default, all Google Cloud virtual machine instances are allowed to use external IP addresses. To reduce the attack surface, not all virtual machine instances should have public IP addresses attached.
Note: To avoid breaking existing cloud infrastructure, you should test this constraint policy on non-production projects and folders within your organization.
To determine if "Define Allowed External IPs for VM Instances" constraint policy is enabled for your GCP organizations, perform the following actions:
Remediation / Resolution
To minimize your Google Cloud virtual machine instances exposure to the Internet, enable and configure the "Define Allowed External IPs for VM Instances" policy at the GCP organization level by performing the following actions:
- Google Cloud Platform (GCP) Documentation
- Resource Manager
- Using constraints
- Organization policy constraints
- Creating and managing organization policies
- GCP Command Line Interface (CLI) Documentation
- gcloud organizations list
- gcloud alpha resource-manager org-policies describe
- gcloud beta resource-manager org-policies set-policy
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
You are auditing:
Define Allowed External IPs for VM Instances
Risk level: Medium