Ensure compute instance group does not have public IP.
Description
This policy checks whether the instances created by a Yandex Cloud compute instance group are assigned public IP addresses. In the `yandex_compute_instance_group` resource this is controlled by the `nat` attribute of the `network_interface` block inside `instance_template`: `nat = true` allocates a public IPv4 address (one-to-one NAT) to every instance the group creates, so each of them becomes directly reachable from the internet. That exposes every service listening on the instances to unauthenticated scanning and exploitation attempts and sidesteps any access control you enforce at an ingress point such as a load balancer. Keeping the group on private addresses only, and routing whatever internet traffic it genuinely needs through a dedicated ingress or egress component, restricts access to the sources that actually require it and reduces the likelihood of unauthorized access.
Code Example
```terraform
resource "yandex_compute_instance_group" "example" {
  # name, folder_id, service_account_id and the scale, allocation and deploy
  # policies that a real instance group also requires are omitted here.
  instance_template {
    # platform_id, resources and boot_disk are likewise omitted.
    network_interface {
      # nat = false: no public IPv4 address is allocated to the instances.
      # false is also the provider default when the attribute is omitted.
      nat = false
    }
  }
}
```
Remediation
Set `nat = false` in the `network_interface` block of the instance template (Terraform booleans are lowercase), or omit the attribute, since false is the provider default. Check every `network_interface` block in the template: a single interface with `nat = true` gives the instances a public address. If the instances need outbound internet access, for example to fetch packages, route the subnet's egress through a NAT gateway instead of assigning public IPs; if they must serve inbound traffic, place them behind a load balancer that holds the public address and restrict what it forwards.
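To show concretely what this rule evaluates, here is an added Python checker written in the style of a Checkov Terraform resource check. It is not Checkov's own CKV_YC_18 implementation and is not code from this page. It assumes the resource configuration arrives in the dict-of-lists shape that python-hcl2 produces (which is the form Checkov hands to its checks), and all sample resource blocks are constructed. It goes a little beyond the page's single example: it treats an omitted `nat` as compliant (the provider default), accepts the string form `"true"` as well as a parsed boolean, and fails a template in which only one of several network interfaces requests NAT.

```python
"""Added example: a minimal Checkov-style check for public IPs on a
yandex_compute_instance_group. Not Checkov's own CKV_YC_18 code; the
python-hcl2 dict-of-lists input shape is an assumption of this example."""

from typing import Any, Dict, List, Tuple

# Constructed sample resource blocks, shaped like python-hcl2 output: every
# attribute value and every nested block is wrapped in a one-element list.
PUBLIC_IP_CONF = {
    "name": ["web-group"],
    "instance_template": [{
        "network_interface": [
            {"subnet_ids": [["subnet-a"]], "nat": [True]},
        ],
    }],
}

PRIVATE_CONF = {
    "name": ["worker-group"],
    "instance_template": [{
        "network_interface": [
            {"subnet_ids": [["subnet-a"]], "nat": [False]},
        ],
    }],
}

# 'nat' omitted entirely: the provider default is no public address.
DEFAULT_CONF = {
    "name": ["batch-group"],
    "instance_template": [{
        "network_interface": [
            {"subnet_ids": [["subnet-a"]]},
        ],
    }],
}

# Two interfaces; only the second one requests NAT (as a string literal).
MIXED_CONF = {
    "name": ["mixed-group"],
    "instance_template": [{
        "network_interface": [
            {"subnet_ids": [["subnet-a"]], "nat": [False]},
            {"subnet_ids": [["subnet-b"]], "nat": ["true"]},
        ],
    }],
}


def _unwrap(value: Any) -> Any:
    """python-hcl2 wraps scalar attribute values in a list; unwrap one level."""
    if isinstance(value, list) and len(value) == 1:
        return value[0]
    return value


def _is_true(value: Any) -> bool:
    """Accept both a parsed bool and the literal strings "true"/"True"."""
    value = _unwrap(value)
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def network_interfaces_with_public_ip(conf: Dict[str, Any]) -> List[int]:
    """Indexes of instance_template.network_interface blocks with nat = true.
    An empty list means the group is compliant."""
    offenders: List[int] = []
    for template in conf.get("instance_template", []):
        for idx, nic in enumerate(template.get("network_interface", [])):
            if _is_true(nic.get("nat", False)):
                offenders.append(idx)
    return offenders


def check_instance_group(conf: Dict[str, Any]) -> str:
    """Checkov-style verdict for one yandex_compute_instance_group block."""
    return "FAILED" if network_interfaces_with_public_ip(conf) else "PASSED"


def scan(parsed: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Walk a whole parsed .tf document and evaluate every instance group."""
    results: List[Tuple[str, str]] = []
    for block in parsed.get("resource", []):
        for name, conf in block.get("yandex_compute_instance_group", {}).items():
            address = f"yandex_compute_instance_group.{name}"
            results.append((address, check_instance_group(conf)))
    return results


# Constructed top-level document, again in python-hcl2 shape.
SAMPLE_DOCUMENT = {
    "resource": [
        {"yandex_compute_instance_group": {"web": PUBLIC_IP_CONF}},
        {"yandex_compute_instance_group": {"worker": PRIVATE_CONF}},
        {"yandex_compute_instance_group": {"batch": DEFAULT_CONF}},
        {"yandex_compute_instance_group": {"mixed": MIXED_CONF}},
    ]
}

if __name__ == "__main__":
    for address, verdict in scan(SAMPLE_DOCUMENT):
        print(f"{verdict:6} {address}")
```

Running the block prints one verdict per instance group: `web` and `mixed` fail, `worker` and `batch` pass. Reporting the offending interface indexes, rather than only a pass/fail, is what lets a reviewer point at the exact `network_interface` block to fix in a template with several interfaces.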
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1351 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | yandex_compute_instance_group |
| Checkov ID | CKV_YC_18 |