Detection: Compute Instance with Public Network Interface
Overview
Detect when a Compute instance was configured with a public network interface. Publicly accessible instances may expose sensitive workloads to external threats. Monitoring these configurations helps maintain network security.
References:
Usage
Run the detection in your terminal:
powerpipe detection run gcp_audit_log_detections.detection.compute_instance_with_public_network_interfaceSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe detection run gcp_audit_log_detections.detection.compute_instance_with_public_network_interface --shareSQL
This detection uses a named query:
with network_if as ( select *, unnest(from_json(request -> 'networkInterfaces', '["json"]')) as netif from gcp_audit_log where ( method_name ilike '%.compute.instances.insert' or method_name ilike '%.compute.instances.update' ) ), access_cfg as ( select *, unnest(from_json(netif -> 'accessConfigs', '["json"]')) as ac from network_if ) select tp_timestamp as timestamp,method_name as operation,resource_name as resource,authentication_info.principal_email as actor,tp_source_ip as source_ip,tp_index as project,tp_id as source_id,-- Create new aliases to preserve original row data*
ac from access_cfg where ( (ac ->> 'name') ilike '%nat%' or (ac ->> 'name') ilike '%external%' ) and severity != 'Error'-- TODO: Do we need to check operation?-- and (operation_src is null or operation_src.last = true)
order by timestamp desc;