GCP Vertex AI instances are not private
Description
Vertex AI Workbench is a data science service offered by GCP that leverages https://jupyterlab.readthedocs.io/en/stable/getting_started/overview.html[JupyterLab] to explore and access data. Workbenches have public IPs assigned by default, which increases your attack surface and can expose sensitive data. We recommend you only assign private IPs to Vertex AI Workbenches.
Code Example
```shell
# To create an instance from a VmImage name
gcloud beta notebooks instances create example-instance \
--vm-image-project=deeplearning-platform-release \
--vm-image-name=tf2-2-1-cu101-notebooks-20200110 \
--machine-type=n1-standard-4 \
--location=us-central1-b \
--no-public-ip
```
Remediation
*GCP Console*
It's not currently possible to edit a *Vertex AI Workbench* network setting to remove or add a public IP. To create a *Vertex AI Workbench* with a private IP:
. Log in to the GCP Console at https://console.cloud.google.com.
. Navigate to https://console.cloud.google.com/vertex-ai/workbench/create-instance[Vertex AI Workbench].
. Scroll down to the Networking section and expand.
. Locate the External IP dropdown and select *None*.
*CLI Command*
It's not currently possible to edit a *Vertex AI Workbench* network setting to remove or add a public IP. To create a private *Vertex AI Workbench* you'll need to pass the `--no-public-ip` flag to `gcloud beta notebooks instances create`, as shown in the Code Example section above.
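The same setting expressed in Terraform, as an added example that is not part of the original page: the first `google_notebooks_instance` omits `no_public_ip` and is what this rule flags, the second sets `no_public_ip = true` and passes. Resource names, the network and subnet references are placeholders; the image and machine type values are taken from the gcloud command above.

```hcl
# Flagged by this rule: no_public_ip is not set, so the Workbench gets an
# external IP by default and is reachable from the internet.
resource "google_notebooks_instance" "workbench_public" {
  name         = "example-workbench-public" # placeholder
  location     = "us-central1-b"
  machine_type = "n1-standard-4"

  vm_image {
    project    = "deeplearning-platform-release"
    image_name = "tf2-2-1-cu101-notebooks-20200110"
  }
}

# Passes this rule: the instance only receives a private IP. Operators reach
# it through the VPC (VPN, Interconnect or IAP TCP forwarding), and the subnet
# should have Private Google Access enabled so the notebook can still reach
# Google APIs without a public address.
resource "google_notebooks_instance" "workbench_private" {
  name         = "example-workbench-private" # placeholder
  location     = "us-central1-b"
  machine_type = "n1-standard-4"

  vm_image {
    project    = "deeplearning-platform-release"
    image_name = "tf2-2-1-cu101-notebooks-20200110"
  }

  no_public_ip = true

  # Placeholder references to an existing VPC network and subnet.
  network = google_compute_network.workbench_vpc.id
  subnet  = google_compute_subnetwork.workbench_subnet.id
}
```

Running `checkov -d .` against this directory reports CKV_GCP_89 as FAILED for `workbench_public` and PASSED for `workbench_private`.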
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0947 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_GCP_89 |