Instance should not expose public IP
Severity | Exploitability | Providers | Categories |
---|---|---|---|
HIGH | HIGH | Google Cloud Provider | NETWORK |
Description
In general, it is good practice to limit the number of public interfaces in a VPC. Doing so reduces the attack surface and the risk of data leaks or compromise.
In particular, an instance should not expose a public IP unless the firewall rules that apply to it have been configured properly: an external address makes every port the firewall allows reachable from the Internet.
Google best practices advise the use of a Shared VPC to reduce the complexity of the network design, with traffic controlled by ingress and egress firewall rules that define a single policy model. Routing public traffic through a small number of shared entry points (for example a load balancer for inbound traffic and Cloud NAT for outbound traffic) rather than per-instance addresses facilitates network monitoring and improves Distributed Denial of Service (DDoS) resiliency.
Concentrating public interfaces in this way reduces the attack surface of the VPC.
Impact
Potential data exposure | Visible in logs | User interaction required | Privileges required |
---|---|---|---|
True | True | False | False |
Having a public IP on an instance exposes every service the firewall allows to the Internet, which risks data exposure and leaves the instance open to Distributed Denial of Service (DDoS) attacks.
If the instance is compromised, it becomes a pivot from which the rest of the subnet can be reached.
Remediation guidelines
Depending on the VPC configuration, several options are available:
- Remove the external IP from the instance (delete its access config) so that it only keeps an internal address;
- If the workload must be reachable from the Internet, expose it through a common gateway (a load balancer for inbound traffic, Cloud NAT for outbound traffic) rather than giving each instance its own public IP;
- Review the firewall rules that apply to the exposed resources and restrict them to the required source ranges and ports.
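The check behind this rule, together with the first remediation step, as an added example that is not part of the rule page and not code from Google or the page's author. It reads the JSON shape produced by `gcloud compute instances list --format=json` and flags every network interface that carries an external access config (an IPv4 `ONE_TO_ONE_NAT` config or an IPv6 `DIRECT_IPV6` config), then prints the `gcloud compute instances delete-access-config` command that detaches each IPv4 one. The sample instances, the `Finding` type and the function names are this example's own.

```python
"""Flag GCE instances that expose a public IP, and emit the fix.

Added example for this rule page (not the page's or Google's own tooling).
Input is the list returned by `gcloud compute instances list --format=json`;
SAMPLE_INSTANCES below is constructed by hand in that shape.
"""
from dataclasses import dataclass
from typing import List, Optional

ZONE = "https://www.googleapis.com/compute/v1/projects/demo/zones/"

# Constructed sample: one running instance with an external IPv4 address, one
# with only an internal address, one stopped instance whose ephemeral address
# has been released but whose access config remains, and one with external IPv6.
SAMPLE_INSTANCES = [
    {"name": "web-1", "status": "RUNNING", "zone": ZONE + "us-central1-a",
     "networkInterfaces": [{"name": "nic0", "networkIP": "10.0.0.2",
                            "accessConfigs": [{"name": "External NAT", "type": "ONE_TO_ONE_NAT",
                                               "natIP": "203.0.113.10"}]}]},
    {"name": "db-1", "status": "RUNNING", "zone": ZONE + "us-central1-a",
     "networkInterfaces": [{"name": "nic0", "networkIP": "10.0.0.3"}]},
    {"name": "bastion", "status": "TERMINATED", "zone": ZONE + "europe-west1-b",
     "networkInterfaces": [{"name": "nic0", "networkIP": "10.1.0.2",
                            "accessConfigs": [{"name": "External NAT", "type": "ONE_TO_ONE_NAT"}]}]},
    {"name": "edge-1", "status": "RUNNING", "zone": ZONE + "europe-west1-b",
     "networkInterfaces": [{"name": "nic0", "networkIP": "10.1.0.3",
                            "ipv6AccessConfigs": [{"name": "external-6", "type": "DIRECT_IPV6",
                                                   "externalIpv6": "2001:db8::1"}]}]},
]


@dataclass(frozen=True)
class Finding:
    instance: str
    zone: str
    nic: str
    access_config: str      # name of the offending access config, e.g. "External NAT"
    family: str             # "IPv4" or "IPv6"
    address: Optional[str]  # currently assigned external address, or None


def _zone_name(zone_url: str) -> str:
    """gcloud returns the zone as a full URL; keep only the last path segment."""
    return zone_url.rstrip("/").rsplit("/", 1)[-1]


def find_public_ips(instances: List[dict]) -> List[Finding]:
    """Return one Finding per external access config on any interface.

    A stopped instance keeps its access config even though its ephemeral
    natIP has been released, and gets a fresh public IP at the next start,
    so the config is flagged whether or not an address is attached right now.
    """
    findings: List[Finding] = []
    for inst in instances:
        zone = _zone_name(inst.get("zone", ""))
        for nic in inst.get("networkInterfaces", []):
            nic_name = nic.get("name", "nic0")
            for ac in nic.get("accessConfigs", []):
                if ac.get("type") == "ONE_TO_ONE_NAT":
                    findings.append(Finding(inst["name"], zone, nic_name,
                                            ac.get("name", ""), "IPv4", ac.get("natIP")))
            for ac in nic.get("ipv6AccessConfigs", []):
                if ac.get("type") == "DIRECT_IPV6":
                    findings.append(Finding(inst["name"], zone, nic_name,
                                            ac.get("name", ""), "IPv6", ac.get("externalIpv6")))
    return findings


def remediation_commands(findings: List[Finding]) -> List[str]:
    """Build the gcloud command that detaches each flagged IPv4 access config.

    The instance keeps its internal IP and can still reach the Internet
    through Cloud NAT if the subnet has one. IPv6 findings are listed for
    manual handling rather than guessing at a command.
    """
    cmds = []
    for f in findings:
        if f.family != "IPv4":
            cmds.append(f"# review manually ({f.family}): {f.instance} {f.nic} {f.access_config}")
            continue
        cmds.append(f"gcloud compute instances delete-access-config {f.instance} "
                    f"--zone={f.zone} --network-interface={f.nic} "
                    f'--access-config-name="{f.access_config}"')
    return cmds


if __name__ == "__main__":
    found = find_public_ips(SAMPLE_INSTANCES)
    for f in found:
        print(f"{f.instance} ({f.zone}) {f.nic}: {f.family} {f.address or 'no address attached'}")
    print("\n".join(remediation_commands(found)))
```

In a real project the list would come from `gcloud compute instances list --format=json --project=PROJECT`; the scan deliberately keys on the presence of an external access config rather than on `natIP`, so that stopped instances that will regain a public address on start are not missed.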