Compute Instance Is Publicly Accessible

  • Query id: 829f1c60-2bab-44c6-8a21-5cd9d39a2c82
  • Query name: Compute Instance Is Publicly Accessible
  • Platform: Ansible
  • Severity: Medium
  • Category: Networking and Firewall
  • CWE: 799
  • URL: Github

Description

Compute instances should not be directly reachable from the Internet. In the google.cloud.gcp_compute_instance module, an access_configs entry on a network interface (such as a ONE_TO_ONE_NAT entry with a nat_ip) assigns the instance an external IP address and exposes it publicly; omitting access_configs leaves the instance with only an internal address.

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: create a instance
  google.cloud.gcp_compute_instance:
    name: test_object
    network_interfaces:
    - network: "{{ network }}"
      access_configs:
      - name: External NAT
        nat_ip: "{{ address }}"
        type: ONE_TO_ONE_NAT
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    state: present

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: create a instance
  google.cloud.gcp_compute_instance:
    name: test_object
    network_interfaces:
    - network: '{{ network }}'
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    state: present
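The check this page describes, as an added example that is not the KICS query itself: a small Python function that walks Ansible tasks already parsed from YAML and flags gcp_compute_instance tasks whose network interface carries an access_configs entry. The module names, the function name and the embedded sample tasks are assumptions or constructed inputs mirroring the page's samples.

```python
# Added example, not the KICS query itself: a minimal Python version of the
# check on this page, run over Ansible tasks already parsed from YAML
# (e.g. with yaml.safe_load). A gcp_compute_instance whose network interface
# carries an access_configs entry is assigned an external IP and is flagged.

MODULE_NAMES = {"google.cloud.gcp_compute_instance", "gcp_compute_instance"}


def find_public_instances(tasks):
    """Return names of tasks whose compute instance gets an external IP."""
    findings = []
    for task in tasks:
        args = next((task[m] for m in MODULE_NAMES if m in task), None)
        if not isinstance(args, dict):
            continue  # not a compute-instance task
        for iface in args.get("network_interfaces") or []:
            # Absent or empty access_configs means no external address.
            if isinstance(iface, dict) and iface.get("access_configs"):
                findings.append(task.get("name", "<unnamed>"))
                break
    return findings


# Constructed inputs mirroring the page's samples (trimmed to the keys the
# check looks at), as parsed dicts so the example runs without PyYAML.
POSITIVE_TASKS = [{
    "name": "create a instance",
    "google.cloud.gcp_compute_instance": {
        "name": "test_object",
        "network_interfaces": [{
            "network": "{{ network }}",
            "access_configs": [{"name": "External NAT",
                                "nat_ip": "{{ address }}",
                                "type": "ONE_TO_ONE_NAT"}],
        }],
    },
}]

NEGATIVE_TASKS = [{
    "name": "create a instance",
    "google.cloud.gcp_compute_instance": {
        "name": "test_object",
        "network_interfaces": [{"network": "{{ network }}"}],
    },
}]

if __name__ == "__main__":
    print(find_public_instances(POSITIVE_TASKS))  # ['create a instance']
    print(find_public_instances(NEGATIVE_TASKS))  # []
```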