GCP VM Instances Have IP Forwarding Enabled

This policy identifies VM instances that have IP forwarding enabled. With IP forwarding enabled, a VM can send and receive packets whose source or destination IP addresses do not match its own, which lets it act as a router or NAT hop for other hosts and can open unintended and undesirable communication paths. Disabling IP forwarding restores the source and destination IP match check, so the VM only handles traffic addressed to or from its own interfaces.

Policy Details

Policy Subtype
Run, Build
Template Type

Build Rules

GCP VM instances have IP forwarding enabled.
JSON Query:
$.resource[*].google_compute_instance_template[*].*.[*].can_ip_forward anyTrue
Recommended solution: disable IP forwarding in the VM instance template.
Ensure that GCP VMs have IP forwarding disabled. In the template, make sure "can_ip_forward" is present and set to false.
For example:
"google_compute_instance_template": [ { "<compute_instance_template_name>": [ { "can_ip_forward": false } ] } ]
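The following is an added example, not Prisma Cloud's rule engine or code from this page: a small evaluator for the build-rule query above, run against a constructed Terraform-style JSON document in the layout the page shows. It goes slightly beyond the page by also evaluating the same-shaped query for standalone google_compute_instance resources, which the page's query does not cover. The resource names and attribute values in the sample are invented for illustration.

```python
"""Added example (not Prisma Cloud's own rule engine): a small evaluator for the
build-rule query above, run against a constructed Terraform-style JSON document.

The query
    $.resource[*].google_compute_instance_template[*].*.[*].can_ip_forward anyTrue
walks the document as follows:
    resource[*]                           every element of the top-level "resource" list
    google_compute_instance_template[*]   every element of that resource-type list
    *                                     every template name (object key)
    [*]                                   every body of that template
    can_ip_forward                        the attribute being checked
and "anyTrue" fires when any value reached is true.
"""

TEMPLATE_QUERY = "$.resource[*].google_compute_instance_template[*].*.[*].can_ip_forward"
# Same shape for standalone instances, which the page's query does not cover.
INSTANCE_QUERY = "$.resource[*].google_compute_instance[*].*.[*].can_ip_forward"

# Constructed sample in the layout the page shows (not a real plan file).
SAMPLE_PLAN = {
    "resource": [
        {"google_compute_instance_template": [
            {"nat-gateway-tpl": [{"name_prefix": "nat-", "can_ip_forward": True}]},
            {"web-tpl": [{"name_prefix": "web-", "can_ip_forward": False}]},
            # Attribute omitted: Terraform defaults it to false, and the query
            # only fires on an explicit true, so this template is not flagged.
            {"batch-tpl": [{"name_prefix": "batch-"}]},
        ]},
        {"google_compute_instance": [
            {"router-vm": [{"name": "router-vm", "can_ip_forward": True}]},
        ]},
    ]
}


def parse_path(query: str) -> list:
    """Turn the dotted query into steps: "*" means every child, anything else a key."""
    steps = []
    for seg in query.split(".")[1:]:  # drop the leading "$"
        if seg in ("*", "[*]"):
            steps.append("*")
        elif seg.endswith("[*]"):
            steps.extend([seg[:-3], "*"])
        else:
            steps.append(seg)
    return steps


def select(node, steps, trail=()):
    """Yield (trail, value) for every value reached by following steps from node."""
    if not steps:
        yield trail, node
        return
    head, rest = steps[0], steps[1:]
    if head == "*":
        if isinstance(node, dict):
            items = node.items()
        elif isinstance(node, list):
            items = enumerate(node)
        else:
            return
        for key, child in items:
            yield from select(child, rest, trail + (key,))
    elif isinstance(node, dict) and head in node:
        yield from select(node[head], rest, trail + (head,))


def any_true(doc, query: str) -> bool:
    """The "anyTrue" operator: does any value the query reaches equal true?"""
    return any(value is True for _, value in select(doc, parse_path(query)))


def offending_resources(doc, query: str) -> list:
    """Names of the templates or instances whose can_ip_forward is true.
    The trail ends with (..., resource_name, body_index, "can_ip_forward")."""
    return [trail[-3] for trail, value in select(doc, parse_path(query)) if value is True]


if __name__ == "__main__":
    for label, query in (("templates", TEMPLATE_QUERY), ("instances", INSTANCE_QUERY)):
        print(f"{label}: anyTrue={any_true(SAMPLE_PLAN, query)} "
              f"flagged={offending_resources(SAMPLE_PLAN, query)}")
```

Note the caveat the sample makes visible: a template that omits can_ip_forward is not flagged, because the query only matches an explicit true and Terraform's default for the attribute is false. The page's guidance to set the attribute explicitly is therefore about making the intent reviewable, not about satisfying the rule.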

Run Rule Recommendation

The IP forwarding setting of a GCP VM instance cannot be updated: after an instance is created, the field becomes read-only. To fix this alert, create a new VM instance with IP forwarding disabled, migrate any required data from the reported VM to the new one, and then delete the reported VM instance.
To create a new VM instance with IP forwarding disabled:
  1. Log in to the GCP console.
  2. Go to Compute Engine (left panel).
  3. Go to VM instances.
  4. Click the CREATE INSTANCE button.
  5. Specify the other instance parameters as desired.
  6. Click Management, disks, networking, SSH keys.
  7. Click Networking.
  8. Click the specific network interface.
  9. Set IP forwarding to Off.
  10. Click Done.
  11. Click the Create button.
To delete the VM instance that has IP forwarding enabled:
  12. Log in to the GCP console.
  13. Go to Compute Engine (left panel).
  14. Go to VM instances.
  15. From the list of VMs, choose the reported VM.
  16. Click the Delete button.
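The run rule above is described only as console steps. The following added example, which is not code from this page or from Prisma Cloud, audits a project's live VM inventory for IP forwarding from the JSON that `gcloud compute instances list --format=json` prints, and emits the gcloud equivalent of the console remediation steps. The inventory embedded in the script is a constructed sample; the project ID, instance names and zones in it are invented.

```python
"""Added example (not Prisma Cloud's own run-rule code): audit a project's live
VM inventory for IP forwarding, as the run rule does, from the JSON that
    gcloud compute instances list --format=json
prints, and emit the gcloud equivalent of the console remediation steps.
"""
import json
import subprocess
import sys

# Constructed sample of the gcloud JSON output, reduced to the fields used here.
SAMPLE_INVENTORY = json.loads("""
[
  {"name": "nat-gw-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/demo-proj/zones/us-central1-a",
   "canIpForward": true, "status": "RUNNING"},
  {"name": "web-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/demo-proj/zones/us-central1-b",
   "canIpForward": false, "status": "RUNNING"},
  {"name": "batch-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/demo-proj/zones/europe-west1-b",
   "status": "TERMINATED"}
]
""")


def zone_name(zone_url: str) -> str:
    """Zones come back as full resource URLs; gcloud flags want the short name."""
    return zone_url.rsplit("/", 1)[-1]


def instances_with_ip_forwarding(inventory) -> list:
    """(name, zone) for every instance with canIpForward true.
    A missing key is treated as the default, false, so it is not flagged."""
    return [(vm["name"], zone_name(vm["zone"]))
            for vm in inventory if vm.get("canIpForward", False) is True]


def remediation_commands(inventory) -> list:
    """gcloud equivalent of the console steps: create a replacement without
    --can-ip-forward (the flag is off by default, so it is simply not passed),
    then delete the original after its data has been migrated. A real create
    command also needs the original's image, disks and network settings,
    which are not reproduced here."""
    cmds = []
    for name, zone in instances_with_ip_forwarding(inventory):
        cmds.append(f"gcloud compute instances create {name}-v2 --zone {zone}")
        cmds.append(f"gcloud compute instances delete {name} --zone {zone}")
    return cmds


def load_live_inventory() -> list:
    """Fetch the real inventory; needs the gcloud CLI and an authenticated project."""
    out = subprocess.run(["gcloud", "compute", "instances", "list", "--format=json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    inventory = load_live_inventory() if "--live" in sys.argv else SAMPLE_INVENTORY
    findings = instances_with_ip_forwarding(inventory)
    for name, zone in findings:
        print(f"IP forwarding enabled: {name} ({zone})")
    print("\n".join(remediation_commands(inventory)))
    sys.exit(1 if findings else 0)
```

Run it without arguments to see the check against the embedded sample, or with `--live` to query the current gcloud project. For a quick interactive look the same filter can be applied server-side with `gcloud compute instances list --filter="canIpForward=true"`; the script exits non-zero when it finds anything so it can gate a pipeline.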


The standards applicable to this policy include:
  • CIS v1.0.0 (GCP)
  • ISO 27001:2013
  • CCPA 2018

