🔷 CIS GCP 4.9 · Rule: GCP-CMP-002 · medium

Ensure instances do not have public IP addresses

Description

Compute Engine instances should carry only private IP addresses, reach the internet for outbound traffic through Cloud NAT, and receive inbound administrative access through Identity-Aware Proxy (IAP) TCP forwarding rather than through an external address.

⚠️ Risk Impact

A public IP address exposes every listening service on the instance, not only the one it was created for, to the whole internet. Internet-wide scanners enumerate such addresses continuously, so an unpatched or misconfigured daemon is found and probed without anyone targeting the organisation specifically.

🔍 How EchelonGraph Detects This

GCP-CMP-002 · Automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected Google Cloud accounts. Violations are flagged as medium-severity findings with remediation guidance.

🖥️ Manual Verification

terminal
gcloud compute instances list --format='table(name,zone.basename(),networkInterfaces[].accessConfigs[].natIP,networkInterfaces[].ipv6AccessConfigs[].externalIpv6)'
# Any value in the last two columns is a public address. The IPv6 column matters: a natIP-only check misses dual-stack instances with an external IPv6 address.

🔧 Remediation

Remove the external IP from every network interface that has one (gcloud compute instances delete-access-config, once per interface). Provide outbound access through a Cloud NAT gateway in the same region as the instances, and provide inbound administrative access through IAP TCP forwarding, which needs an ingress firewall rule allowing tcp:22 (and tcp:3389 for RDP) from IAP's range 35.235.240.0/20. To stop new instances from being created with public IPs, enforce the compute.vmExternalIpAccess organization policy constraint, listing only the approved exceptions.

💀 Real-World Attack Scenario

A batch-processing instance with a public IP was running an unpatched Apache HTTP Server 2.4.49 on port 8080. Automated scanners found the open port and exploited CVE-2021-41773 (path traversal in that release, exploitable for remote code execution where mod_cgi is enabled) to read /etc/passwd and land a shell as the web-server user, then chained a local privilege escalation to gain root and pivot into the internal network. Nothing about the instance made it a target other than answering on a public address.

💰 Cost of Non-Compliance

Instances with public IPs receive on average 300,000 attack attempts per month, and each successful compromise costs an average of $2.1M. Eliminating public IPs is estimated to reduce attack surface by 99.7%: what remains is only the exposure you deliberately publish through a load balancer or IAP.

📋 Audit Questions

  1. How many instances have public IP addresses?
  2. Which instances genuinely require public IPs?
  3. Is Cloud NAT configured for outbound internet access?
  4. Are you using IAP for administrative access?

🎯 MITRE ATT&CK Mapping

T1190 — Exploit Public-Facing Application
T1595 — Active Scanning

🏗️ Infrastructure as Code Fix

main.tf
# Assumes google_compute_network.vpc, google_compute_subnetwork.subnet,
# google_compute_router.router, var.region and var.zone are defined elsewhere.
resource "google_compute_instance" "private" {
  name         = "batch-worker"
  machine_type = "e2-medium"
  zone         = var.zone

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network    = google_compute_network.vpc.id
    subnetwork = google_compute_subnetwork.subnet.id
    # No access_config block = no public IP (even an empty access_config {} allocates an ephemeral one)
  }
}

# Cloud NAT for outbound:
resource "google_compute_router_nat" "nat" {
  name                               = "cloud-nat"
  router                             = google_compute_router.router.name
  region                             = var.region
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
}

⚡ Common Pitfalls

  • Removing public IPs before a Cloud NAT gateway exists in the instance's region, which breaks outbound connectivity (package updates, API calls, external webhooks)
  • Removing public IPs before an IAP firewall rule (ingress tcp:22/3389 from 35.235.240.0/20) is in place, locking administrators out of SSH and RDP
  • Leaving ephemeral public IPs in place: they change on every stop/start, so inventories and allowlists drift, and an empty access_config block in Terraform silently creates one
  • Checking only IPv4 natIP and missing external IPv6 addresses (ipv6AccessConfigs) on dual-stack instances
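The verification command, the remediation steps and the pitfalls above fit together as one workflow: find every external address, decide whether it is an approved exception, refuse to remove it while doing so would break egress or lock administrators out, and only then emit the removal command. The script below is an added example, not EchelonGraph's scanner or any code from the page. It consumes the JSON shape of gcloud compute instances list --format=json and gcloud compute firewall-rules list --format=json, so the instances, networks, NAT_REGIONS and ALLOWLIST entries are constructed sample data; the IAP source range 35.235.240.0/20 is Google's documented one. It deliberately emits no command for external IPv6 addresses, because the page covers only IPv4 natIP removal, and marks those for manual review instead.

```python
"""Flag Compute Engine instances with external IPs and draft a safe remediation plan.
Added example (not EchelonGraph's scanner). Runs offline on the constructed samples
below; feed it real `gcloud ... --format=json` output to use it for real."""
import json
import shlex

IAP_RANGE = "35.235.240.0/20"   # Google's documented IAP TCP-forwarding source range
ALLOWLIST = {"bastion-legacy"}  # hypothetical: instances approved to keep a public IP

# Constructed sample; resource paths abbreviated (real output carries full URLs).
SAMPLE_INSTANCES = json.loads("""[
 {"name": "batch-worker-1", "zone": "projects/p/zones/us-central1-a", "networkInterfaces": [
   {"name": "nic0", "network": "projects/p/global/networks/prod-vpc",
    "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "name": "External NAT", "natIP": "34.10.20.30"}]}]},
 {"name": "private-app", "zone": "projects/p/zones/us-central1-b", "networkInterfaces": [
   {"name": "nic0", "network": "projects/p/global/networks/prod-vpc"}]},
 {"name": "ipv6-edge", "zone": "projects/p/zones/us-central1-a", "networkInterfaces": [
   {"name": "nic0", "network": "projects/p/global/networks/prod-vpc",
    "ipv6AccessConfigs": [{"type": "DIRECT_IPV6", "name": "External IPv6", "externalIpv6": "2600:1900:4000::1"}]}]},
 {"name": "multi-nic", "zone": "projects/p/zones/europe-west1-b", "networkInterfaces": [
   {"name": "nic0", "network": "projects/p/global/networks/prod-vpc"},
   {"name": "nic1", "network": "projects/p/global/networks/dmz-vpc",
    "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "name": "External NAT", "natIP": "35.1.2.3"}]}]},
 {"name": "bastion-legacy", "zone": "projects/p/zones/us-central1-a", "networkInterfaces": [
   {"name": "nic0", "network": "projects/p/global/networks/prod-vpc",
    "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "name": "External NAT", "natIP": "35.9.9.9"}]}]}
]""")
NAT_REGIONS = {"us-central1"}  # constructed: regions whose VPC router already has a Cloud NAT
# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
SAMPLE_FIREWALL = json.loads("""[
 {"name": "allow-iap-ssh", "network": "projects/p/global/networks/prod-vpc", "direction": "INGRESS",
  "sourceRanges": ["35.235.240.0/20"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}
]""")


def last_segment(url):
    return url.rsplit("/", 1)[-1]


def region_of(zone_url):
    """us-central1-a -> us-central1 (Cloud NAT gateways are regional)."""
    return last_segment(zone_url).rsplit("-", 1)[0]


def external_addresses(instance):
    """Yield (nic, kind, address, access-config name, network) for every external address.
    Both accessConfigs.natIP (IPv4) and ipv6AccessConfigs.externalIpv6 count."""
    for nic in instance.get("networkInterfaces", []):
        net = last_segment(nic["network"])
        for ac in nic.get("accessConfigs", []):
            if ac.get("natIP"):
                yield nic["name"], "ipv4", ac["natIP"], ac.get("name", "External NAT"), net
        for ac in nic.get("ipv6AccessConfigs", []):
            if ac.get("externalIpv6"):
                yield nic["name"], "ipv6", ac["externalIpv6"], ac.get("name", "External IPv6"), net


def iap_ready_networks(firewall_rules):
    """Networks with an ingress rule admitting IAP's range on tcp/22."""
    ready = set()
    for rule in firewall_rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or IAP_RANGE not in rule.get("sourceRanges", []):
            continue
        for allowed in rule.get("allowed", []):
            ports = allowed.get("ports")
            if allowed.get("IPProtocol") in ("tcp", "all") and (not ports or "22" in ports):
                ready.add(last_segment(rule["network"]))
    return ready


def plan(instances, nat_regions, firewall_rules):
    """One finding per external address; a removal command is emitted only when it is safe."""
    iap_nets = iap_ready_networks(firewall_rules)
    findings = []
    for inst in instances:
        zone = last_segment(inst["zone"])
        for nic, kind, addr, ac_name, net in external_addresses(inst):
            f = {"instance": inst["name"], "nic": nic, "kind": kind, "address": addr}
            if inst["name"] in ALLOWLIST:
                f["status"] = "EXCEPTION"  # approved public IP: still reported, never removed
            elif region_of(zone) not in nat_regions:
                f["status"] = "BLOCKED: no Cloud NAT in " + region_of(zone)  # would break egress
            elif net not in iap_nets:
                f["status"] = "BLOCKED: no IAP firewall rule on " + net  # would lock admins out
            elif kind == "ipv6":
                f["status"] = "REVIEW: external IPv6 needs a manual interface update"
            else:
                f["status"] = "FIX"
                f["command"] = " ".join(["gcloud compute instances delete-access-config",
                                         shlex.quote(inst["name"]), "--zone", zone,
                                         "--network-interface", nic,
                                         "--access-config-name", shlex.quote(ac_name)])
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in plan(SAMPLE_INSTANCES, NAT_REGIONS, SAMPLE_FIREWALL):
        print(f"{f['instance']:16} {f['nic']} {f['kind']} {f['address']:20} {f['status']}", f.get("command", ""))
```

On the sample data the script reports four findings: batch-worker-1 gets a ready-to-run delete-access-config command, ipv6-edge is held for manual review, multi-nic is blocked because europe-west1 has no Cloud NAT yet (and its nic1 sits on a network without an IAP rule), and bastion-legacy is reported as an approved exception. Every finding is still a finding: the preflight gates decide what gets fixed automatically, not what gets reported.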

📈 Business Value

Private-only instances cannot be enumerated or probed by internet-wide scanners, so an unpatched service on one is a latent weakness rather than an exploitable one. Combined with Cloud NAT for egress and IAP for administrative ingress, workloads keep the connectivity they need while exposure to the internet becomes a deliberate decision made at a load balancer or proxy, not a side effect of creating a VM.

⏱️ Effort Estimate

Manual

4-8 hours to migrate instances to private IPs with Cloud NAT

With EchelonGraph

EchelonGraph detects public IPs on all instances in real time

🔗 Cross-Framework References

SOC 2 CC6.6 · ISO 27001 A.13.1.1

Automate CIS GCP 4.9 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
