Control: Ensure that Compute instances do not have public IP addresses
Description
Compute instances should not be configured to have external IP addresses.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.compute_instance_with_no_public_ip_addresses
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_compliance.control.compute_instance_with_no_public_ip_addresses --share
SQL
This control uses a named query:
with instance_without_access_config as (
  -- instances that have at least one NIC with no access config at all
  select
    name
  from
    gcp_compute_instance,
    jsonb_array_elements(network_interfaces) nic
  where
    nic ->> 'accessConfigs' is null
),
instance_with_access_config as (
  -- instances that have at least one access config without an external (NAT) IP
  select
    name
  from
    gcp_compute_instance,
    jsonb_array_elements(network_interfaces) nic,
    jsonb_array_elements(nic -> 'accessConfigs') d
  where
    d ->> 'natIP' is null
)
select
  self_link resource,
  case
    -- GKE-managed nodes are skipped rather than evaluated
    when name like 'gke-%' and labels ? 'goog-gke-node' then 'skip'
    when name in (select name from instance_without_access_config) then 'ok'
    when name in (select name from instance_with_access_config) then 'ok'
    else 'alarm'
  end as status,
  case
    when name like 'gke-%' and labels ? 'goog-gke-node' then title || ' created by GKE.'
    when name in (select name from instance_without_access_config)
      or name in (select name from instance_with_access_config) then title || ' not associated with public IP addresses.'
    else title || ' associated with public IP addresses.'
  end as reason,
  location as location,
  project as project
from
  gcp_compute_instance;
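Note that the control marks an instance 'ok' as soon as one of its NICs lacks accessConfigs (or has an access config without natIP), even if another NIC on the same instance does carry a natIP, and it matches instances by name, which is not unique across zones or projects. The stricter variant below is an added example, not part of the gcp_compliance mod: it alarms when any access config on any interface carries a natIP and joins on self_link instead of name. It uses only the columns and JSON keys the control above already uses.

```sql
-- Added example (not the mod's own control): alarm when ANY NIC has ANY
-- access config with an external (NAT) IP; match instances by self_link.
with instance_with_public_ip as (
  select distinct
    self_link
  from
    gcp_compute_instance,
    jsonb_array_elements(network_interfaces) nic,
    -- NICs without an accessConfigs key yield no rows here (NULL input)
    jsonb_array_elements(nic -> 'accessConfigs') ac
  where
    ac ->> 'natIP' is not null
)
select
  i.self_link as resource,
  case
    when i.name like 'gke-%' and i.labels ? 'goog-gke-node' then 'skip'
    when p.self_link is null then 'ok'
    else 'alarm'
  end as status,
  case
    when i.name like 'gke-%' and i.labels ? 'goog-gke-node' then i.title || ' created by GKE.'
    when p.self_link is null then i.title || ' not associated with public IP addresses.'
    else i.title || ' associated with public IP addresses.'
  end as reason,
  i.location as location,
  i.project as project
from
  gcp_compute_instance i
  left join instance_with_public_ip p on p.self_link = i.self_link;
```

The left join keeps every instance in the result, so the 'ok'/'alarm' split is exhaustive for non-GKE instances.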