Ensure compute instance does not have public IP.
Description
This policy checks whether a compute instance in Yandex Cloud has a public IP address assigned through its network interface. Having a public IP address can increase the attack surface of the instance, making it more vulnerable to external attacks. It's essential to restrict public access to instances that do not require it for their operation. By ensuring that compute instances do not have public IPs unless necessary, organizations can reduce the risk of unauthorized access and data breaches.
Code Example
```terraform
resource "yandex_compute_instance" "example" {
  network_interface {
    nat = false
  }
}
```
Remediation
Ensure the compute instance does not have a public IP by setting the `nat` argument to `false` in every `network_interface` block of the instance.
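As an added example that is not part of the original page or of the Checkov project's own code, the following Python check applies the same rule to a Terraform configuration written in JSON syntax: it flags any `yandex_compute_instance` whose network interfaces set `nat = true`. The sample configuration and the resource names in it are constructed for illustration.

```python
"""Added example: flag yandex_compute_instance resources that request a public IP."""
import json
from typing import Any

# Constructed sample in Terraform JSON syntax (not from the original page):
# "bastion" enables NAT, "private_worker" disables it explicitly, and
# "mixed" has one interface without nat (unset, which the provider treats
# as false) and a second interface with nat = true.
SAMPLE_TF_JSON = """
{
  "resource": {
    "yandex_compute_instance": {
      "bastion": {
        "network_interface": [{"subnet_id": "subnet-placeholder", "nat": true}]
      },
      "private_worker": {
        "network_interface": [{"subnet_id": "subnet-placeholder", "nat": false}]
      },
      "mixed": {
        "network_interface": [
          {"subnet_id": "subnet-placeholder"},
          {"subnet_id": "subnet-placeholder-2", "nat": true}
        ]
      }
    }
  }
}
"""


def _as_list(block: Any) -> list:
    """Terraform JSON syntax allows a nested block as a single object or a list."""
    if block is None:
        return []
    return block if isinstance(block, list) else [block]


def instance_has_public_ip(instance: dict) -> bool:
    """True if any network_interface block of the instance sets nat = true."""
    return any(
        iface.get("nat") is True
        for iface in _as_list(instance.get("network_interface"))
    )


def find_public_ip_instances(config: dict) -> list[str]:
    """Return resource addresses of instances that would receive a public IP."""
    instances = config.get("resource", {}).get("yandex_compute_instance", {})
    return [
        f"yandex_compute_instance.{name}"
        for name, body in instances.items()
        if instance_has_public_ip(body)
    ]


if __name__ == "__main__":
    for addr in find_public_ip_instances(json.loads(SAMPLE_TF_JSON)):
        print(f"FAILED CKV_YC_2: {addr} has a network interface with nat = true")
```

The check treats an unset `nat` as no public IP, so only interfaces that explicitly enable NAT are reported; an instance fails if any one of its interfaces does so.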
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1335 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | yandex_compute_instance |
| Checkov ID | CKV_YC_2 |