
lacework-global-725

Instance is publicly accessible (Automated)

Description

Alert when a compute instance is publicly accessible via a Virtual Network Interface Card (VNIC). Give careful consideration when allowing internet access to any compute instances.

For an instance to be publicly accessible, it must:

  1. Have a public IP address.
  2. Exist in a public Virtual Cloud Network (VCN) subnet.
  3. Be on a VCN that has an enabled internet gateway, with a route rule in the subnet's route table sending traffic to that gateway.
  4. Be on a subnet whose security list has an ingress rule that allows all source addresses (0.0.0.0/0) on all ports.

Remediation

To remove a public IP address from an instance, from the console:

  1. Open the navigation menu and click Compute. Under Compute, click Instances.
  2. Click the instance to view its details.
  3. Click Attached VNICs. (Note: This displays the primary VNIC and any secondary VNICs attached to the instance.)
  4. Click the VNIC of interest.
  5. Click IPv4 Addresses. (Note: This displays the VNIC's primary private IP and any secondary private IPs.)
  6. For the private IP of interest, click the Actions menu, and then click Edit.
  7. In the Public IP Address section, for Public IP Type, select the radio button for No Public IP.
  8. Click Update. The VNIC no longer has a public IP. An ephemeral public IP is released; a reserved public IP is only unassigned and stays allocated in the compartment until you delete it.

Alternatively, you can stop or terminate the compute instance. Stopping only makes the instance unreachable: the public IP stays assigned to its VNIC, so the exposure returns the moment the instance is started again. Terminating the instance, or removing the public IP as above, is the durable fix.

From the console:

  1. Open the navigation menu and click Compute. Under Compute, click Instances.
  2. For the row containing the instance of interest, click the Actions menu.
  3. Select either the Stop or Terminate option.
  4. For the stop option, click Stop instance in the pop up window and wait for the instance to shut down. Alternatively, click the box for Force stop the instance in the pop up window.
  5. For the terminate option, click Terminate instance in the pop up window and wait for the instance to delete.
note

While not required, it is advisable to delete the boot volume as well, so that no copy of the instance's data is left behind. You can do this via the tick box in the terminate instance pop up window.

From CLI:

To remove a public IP address:

First get the OCID of the instance:

oci compute instance list --compartment-id <compartment-ocid>

Next list the VNICs attached to the instance, using the instance OCID from the previous step. Each VNIC in the output carries a public-ip field, so this also shows which VNIC holds the address:

oci compute instance list-vnics --instance-id <instance-ocid>

The commands above do not return the OCID of the public IP object itself. Look it up with the get-by-private-ip-id or get-by-ip-address subcommand of oci network public-ip, passing the OCID of the VNIC's private IP or the public address shown in the previous step. Then delete it:

oci network public-ip delete --public-ip-id <public-ip-ocid>

This works for both ephemeral and reserved public IPs. Note that for a reserved public IP it deletes the reservation as well as unassigning it; if you want to keep the reservation, unassign it with the update subcommand instead.
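To show how the four conditions in the Description combine, and the lookup chain (instance, VNICs, private IPs, public IP OCID) that the CLI steps above rely on, here is an added Python example. It is not Lacework's or Oracle's code: it evaluates dictionaries shaped like the JSON that `oci ... --output json` returns (field names as in the OCI API), but the inventory, OCIDs and addresses are constructed for illustration, and network security groups are not modelled.

```python
"""Evaluate OCI instance public accessibility over OCI-shaped inventory data.

Added example, not Lacework's or Oracle's code. Dictionary keys mirror the
JSON fields of `oci compute instance list-vnics`, `oci network subnet get`,
`oci network route-table get`, `oci network security-list get`,
`oci network private-ip list` and `oci network public-ip get`; the records
themselves are constructed, and the OCIDs are placeholders.
"""

ANY_IPV4 = "0.0.0.0/0"

# --- constructed inventory -------------------------------------------------
INTERNET_GATEWAYS = {          # keyed by VCN OCID
    "vcn.a": [{"id": "igw.a", "is-enabled": True}],
    "vcn.b": [],
}
ROUTE_TABLES = {
    "rt.pub": {"route-rules": [{"destination": ANY_IPV4, "network-entity-id": "igw.a"}]},
    "rt.priv": {"route-rules": []},
}
SUBNETS = {
    "subnet.pub": {"vcn-id": "vcn.a", "prohibit-public-ip-on-vnic": False,
                   "route-table-id": "rt.pub", "security-list-ids": ["sl.open"]},
    "subnet.locked": {"vcn-id": "vcn.a", "prohibit-public-ip-on-vnic": False,
                      "route-table-id": "rt.pub", "security-list-ids": ["sl.ssh"]},
    "subnet.priv": {"vcn-id": "vcn.b", "prohibit-public-ip-on-vnic": True,
                    "route-table-id": "rt.priv", "security-list-ids": ["sl.ssh"]},
}
SECURITY_LISTS = {
    "sl.open": {"ingress-security-rules": [{"source": ANY_IPV4, "protocol": "all"}]},
    "sl.ssh": {"ingress-security-rules": [
        {"source": "10.0.0.0/8", "protocol": "6",
         "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}}]},
}
VNICS = {                      # `list-vnics` output, keyed by instance OCID
    "inst.exposed": [{"id": "vnic.1", "subnet-id": "subnet.pub", "public-ip": "203.0.113.10"}],
    "inst.locked": [{"id": "vnic.2", "subnet-id": "subnet.locked", "public-ip": "203.0.113.11"}],
    "inst.private": [{"id": "vnic.3", "subnet-id": "subnet.priv", "public-ip": None}],
}
PRIVATE_IPS = {                # `private-ip list --vnic-id` output, keyed by VNIC OCID
    "vnic.1": [{"id": "privip.1"}], "vnic.2": [{"id": "privip.2"}], "vnic.3": [{"id": "privip.3"}],
}
PUBLIC_IPS = {"privip.1": {"id": "pubip.1"}, "privip.2": {"id": "pubip.2"}}  # absent = CLI 404


def rule_is_wide_open(rule):
    """Condition 4 for one ingress rule: any source, every port.

    Protocol 'all' is wide open; so is a TCP/UDP rule with no destination
    port range (this example's interpretation of "all ports")."""
    if rule.get("source") != ANY_IPV4:
        return False
    if rule.get("protocol") == "all":
        return True
    opts = rule.get("tcp-options") or rule.get("udp-options") or {}
    return "destination-port-range" not in opts


def subnet_has_internet_route(subnet):
    """Condition 3: an enabled internet gateway on the VCN, and a 0.0.0.0/0
    route rule in the subnet's route table that targets it."""
    enabled = {g["id"] for g in INTERNET_GATEWAYS.get(subnet["vcn-id"], []) if g["is-enabled"]}
    rules = ROUTE_TABLES[subnet["route-table-id"]]["route-rules"]
    return any(r["destination"] == ANY_IPV4 and r["network-entity-id"] in enabled for r in rules)


def evaluate(instance_id):
    """Per-VNIC verdicts; the instance is exposed only if all four hold on one VNIC."""
    verdicts = []
    for vnic in VNICS[instance_id]:
        subnet = SUBNETS[vnic["subnet-id"]]
        ingress = [r for sl in subnet["security-list-ids"]
                   for r in SECURITY_LISTS[sl]["ingress-security-rules"]]
        c = {
            "vnic": vnic["id"],
            "has_public_ip": vnic["public-ip"] is not None,            # condition 1
            "public_subnet": not subnet["prohibit-public-ip-on-vnic"],  # condition 2
            "internet_route": subnet_has_internet_route(subnet),        # condition 3
            "open_security_list": any(rule_is_wide_open(r) for r in ingress),  # condition 4
        }
        c["exposed"] = all(v for k, v in c.items() if k != "vnic")
        verdicts.append(c)
    return {"instance": instance_id, "exposed": any(v["exposed"] for v in verdicts), "vnics": verdicts}


def exposed_instances():
    return [i for i in VNICS if evaluate(i)["exposed"]]


def public_ip_ids_to_delete(instance_id):
    """The chain the CLI steps need: instance -> VNICs -> private IPs -> public IP OCIDs."""
    ids = []
    for vnic in VNICS[instance_id]:
        for priv in PRIVATE_IPS.get(vnic["id"], []):
            pub = PUBLIC_IPS.get(priv["id"])   # real CLI returns 404 when none is assigned
            if pub:
                ids.append(pub["id"])
    return ids


if __name__ == "__main__":
    for inst in VNICS:
        v = evaluate(inst)
        print(inst, "EXPOSED" if v["exposed"] else "ok", v["vnics"][0])
    print("public IPs to delete on inst.exposed:", public_ip_ids_to_delete("inst.exposed"))
```

The `inst.locked` record is the case worth watching in a real tenancy: it has a public IP on a public subnet with an internet route, and only the security list keeps it off the alert. Feed the evaluator the same objects from the real CLI (`--output json`) and it reports which of the four conditions to break; `public_ip_ids_to_delete` then yields the OCIDs to pass to `oci network public-ip delete`.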

To stop a compute instance:

Force stop (immediate power off; the guest OS is not shut down cleanly):

oci compute instance action --instance-id <instance-ocid> --action STOP

OR

Soft stop (sends the guest OS a shutdown request and waits up to 15 minutes before powering off):

oci compute instance action --instance-id <instance-ocid> --action SOFTSTOP

To terminate a compute instance:

oci compute instance terminate --instance-id <instance-ocid>

References

https://docs.oracle.com/en-us/iaas/cloud-guard/using/detect-recipes.htm#detect-recipes-ref-config__INSTANCE_PUBLICLY_ACCESSIBLE
https://docs.oracle.com/en-us/iaas/Content/Tagging/Concepts/taggingoverview.htm
https://docs.oracle.com/en-us/iaas/Content/Tagging/Concepts/understandingautomaticdefaulttags.htm
https://docs.oracle.com/en-us/iaas/Content/Tagging/Concepts/understandingfreeformtags.htm
https://docs.oracle.com/en-us/iaas/Content/Tagging/Tasks/managingtagsandtagnamespaces.htm
https://docs.oracle.com/en-us/iaas/Content/General/Concepts/resourcetags.htm
https://docs.oracle.com/en-us/iaas/tools/oci-cli/3.28.1/oci_cli_docs/cmdref/compute/instance/update.html