Dual-homed Compute instances should be checked Affecting Compute Engine service in Google
CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CC-00719
- creditSnyk Research Team
Description
Dual-homed Compute instances can introduce security risks by allowing unauthorized access and potential data exfiltration. It is important to regularly check for and address any instances that have multiple network interfaces connected to different networks. This helps ensure proper network segmentation and reduces the risk of unauthorized access or data leakage.
How to fix?
Do not create a Compute instance with multiple network interface blocks.
Example Configuration
resource "google_compute_instance" "allowed1" {
name = "allowed1"
machine_type = "e2-medium"
zone = "us-central1-a"
boot_disk {
initialize_params {
image = "debian-cloud/debian-11"
}
}
network_interface {
network = google_compute_network.network-1.name
subnetwork = google_compute_subnetwork.subnet-1.name
}
}
resource "google_compute_network" "network-1" {
name = "network-1"
}
resource "google_compute_subnetwork" "subnet-1" {
name = "subnet-1"
network = google_compute_network.network-1.id
ip_cidr_range = "10.0.1.0/24"
}