More Info:

Ensure that “Define Allowed External IPs for VM Instances” constraint policy is enforced at the GCP organization level in order to enable you to define the set of virtual machine (VM) instances that are allowed to use external IP addresses. This constraint helps you to minimize your instance’s exposure to the Internet.

Risk Level

Medium

Address

Security, Operational Maturity

Compliance Standards

CBP

Remediation

Using Console

“Allowed External IPs for VM Instances” is a firewall rule in GCP that allows traffic from specific external IP addresses to reach the VM instances. This misconfiguration can be a security risk as it may allow unauthorized access to the VM instances.

To remediate this misconfiguration in GCP using the GCP console, follow these steps:

  1. Go to the GCP console and select the project containing the affected VM instances.

  2. In the navigation menu, click on “VPC Network” and then click on “Firewall rules”.

  3. Find the firewall rule that allows external IPs and click on it to edit it.

  4. In the “Source IP ranges” field, remove the specific IP addresses that are not authorized to access the VM instances.

  5. If necessary, add a new firewall rule to restrict access to the VM instances to specific IP addresses or IP ranges that are authorized to access them.

  6. Click on “Save” to apply the changes.

  7. Verify that the firewall rule has been updated by checking the “Firewall rules” page in the GCP console.

By following these steps, you can remediate the “Allowed External IPs for VM Instances” misconfiguration in GCP using the GCP console.

Using CLI

The “Allowed External IPs for VM Instances” misconfiguration in GCP means that the firewall rules for the virtual machine instances allow traffic from external IP addresses that are not authorized. To remediate this, you can follow these steps using the GCP CLI:

  1. Open the Cloud Shell in the GCP Console.

  2. Run the following command to list the firewall rules for the project:

gcloud compute firewall-rules list

  1. Identify the firewall rule that needs to be updated to restrict the allowed external IPs.

  2. Run the following command to update the firewall rule:

gcloud compute firewall-rules update [FIREWALL_RULE_NAME] --source-ranges=[AUTHORIZED_IP_RANGES]

Replace [FIREWALL_RULE_NAME] with the name of the firewall rule that needs to be updated, and [AUTHORIZED_IP_RANGES] with the comma-separated list of authorized IP ranges.

For example, if the firewall rule name is allow-http and the authorized IP ranges are 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16, the command would be:

gcloud compute firewall-rules update allow-http --source-ranges=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
  1. Verify that the firewall rule was updated by running the gcloud compute firewall-rules list command again and checking the sourceRanges field for the updated rule.

By following these steps, you can remediate the “Allowed External IPs for VM Instances” misconfiguration in GCP using the GCP CLI.

Using Python

The “Allowed External IPs” configuration in GCP allows network traffic only from specific external IP addresses. To remediate this misconfiguration, you can follow these steps using Python:

  1. Import the necessary libraries:
from google.cloud import compute_v1
from google.oauth2 import service_account
  1. Set up the credentials:
credentials = service_account.Credentials.from_service_account_file('path/to/your/credentials.json')
  1. Set up the client:
client = compute_v1.InstancesClient(credentials=credentials)
  1. Define the project ID and zone where the instance is located:
project = 'your-project-id'
zone = 'your-zone'
  1. Define the instance name:
instance_name = 'your-instance-name'
  1. Get the instance:
instance = client.get(project=project, zone=zone, instance=instance_name)
  1. Define the new list of allowed external IPs:
new_allowed_ips = [
    {
        "value": "x.x.x.x",
        "name": "ip-1"
    },
    {
        "value": "y.y.y.y",
        "name": "ip-2"
    }
]

where x.x.x.x and y.y.y.y are the IP addresses that you want to allow.

  1. Update the instance with the new list of allowed external IPs:
access_configs = instance.network_interfaces[0].access_configs[0]
access_configs.nat_ip = None
access_configs.external_ip = None
access_configs.allowed = new_allowed_ips

request = {
    "project": project,
    "zone": zone,
    "instance": instance_name,
    "instance_resource": instance
}

response = client.update(**request)

This will update the instance with the new list of allowed external IPs. Note that this assumes that the instance has only one network interface and one access config. If there are multiple network interfaces or access configs, you will need to modify the code accordingly.