Unexpected GCP API calls indicating Compute Engine external IP assignment
Description
AlphaSOC detected that an external IP address was assigned to a Google Cloud Compute Engine instance. External IPs provide direct internet connectivity to instances. While sometimes required for legitimate purposes, unexpected external IP assignments may indicate an attacker establishing external access for persistence or command and control.
Impact
Assigning an external IP to an instance exposes it directly to the internet, significantly increasing the attack surface. Attackers may use this access to establish persistent backdoors, exfiltrate data, or enable command and control communications. Instances with external IPs are subject to scanning and exploitation attempts from the internet.
Severity
| Severity | Condition |
|---|---|
| Informational | External IP assigned to instance |
| Low | External IP assigned with anomalous behavioral patterns |
| Medium | External IP assigned in suspicious context |
Investigation and Remediation
Review the Admin Activity audit logs for the `compute.instances.addAccessConfig` method (the `protoPayload.methodName` field carries an API version prefix, for example `v1.compute.instances.addAccessConfig`). From the entry, note `protoPayload.authenticationInfo.principalEmail` (who made the call), `protoPayload.requestMetadata.callerIp` (where it came from), `protoPayload.resourceName` (the affected instance and zone) and the `protoPayload.request` body, which shows whether a reserved static address (`natIP`) or an ephemeral one was attached. Instances can also be created with an external IP in the same step, so include `compute.instances.insert` calls whose `networkInterfaces` carry an `accessConfigs` block when looking for unexpected exposure. Verify whether the assignment was authorized and necessary for the workload, and check which VPC firewall rules now admit traffic to that address.

If unauthorized, remove the external IP from the instance immediately (for example with `gcloud compute instances delete-access-config`), then review the instance for signs of compromise or unauthorized access. To prevent recurrence, restrict which instances may carry external IPs with the `constraints/compute.vmExternalIpAccess` organization policy constraint.
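The triage above, carried out over audit-log entries, as an added example that is not AlphaSOC's own code. It parses the two methods that attach an external IP, pulls out the principal, caller address, instance and address, checks the principal against a hypothetical allow-list, and builds the `gcloud` removal command for anything not on it. The field names follow the Cloud Audit Log schema; the `AUDIT_FILTER` string, the `AUTHORIZED_PRINCIPALS` set and the three log entries in `SAMPLE_ENTRIES` are constructed for this example.

```python
"""Triage Compute Engine external-IP assignments from Cloud Audit Log entries.

Added example, not AlphaSOC code. Field names follow the Cloud Audit Log
schema; the filter, allow-list and sample entries are constructed.
"""

# Cloud Logging query that pulls both ways an external IP gets attached:
# addAccessConfig on a running instance, or an insert whose network interface
# already carries an accessConfigs block. ":" is the substring operator.
AUDIT_FILTER = (
    'logName:"cloudaudit.googleapis.com%2Factivity" AND '
    'resource.type="gce_instance" AND '
    '(protoPayload.methodName:"compute.instances.addAccessConfig" OR '
    'protoPayload.methodName:"compute.instances.insert")'
)

# Hypothetical allow-list: identities expected to attach external IPs.
AUTHORIZED_PRINCIPALS = {"deploy@example-project.iam.gserviceaccount.com"}

# Constructed sample entries (values invented; shape follows the audit-log schema).
SAMPLE_ENTRIES = [
    {   # human user attaches a reserved static address to an existing instance
        "protoPayload": {
            "methodName": "v1.compute.instances.addAccessConfig",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "requestMetadata": {"callerIp": "198.51.100.7"},
            "resourceName": "projects/example-project/zones/us-central1-a/instances/web-01",
            "request": {
                "networkInterface": "nic0",
                "accessConfig": {"name": "External NAT", "type": "ONE_TO_ONE_NAT",
                                 "natIP": "203.0.113.10"},
            },
        }
    },
    {   # pipeline service account creates a bastion with an ephemeral external IP
        "protoPayload": {
            "methodName": "v1.compute.instances.insert",
            "authenticationInfo": {"principalEmail": "deploy@example-project.iam.gserviceaccount.com"},
            "requestMetadata": {"callerIp": "192.0.2.20"},
            "resourceName": "projects/example-project/zones/us-central1-a/instances/bastion-01",
            "request": {"networkInterfaces": [
                {"name": "nic0", "accessConfigs": [{"name": "External NAT", "type": "ONE_TO_ONE_NAT"}]}
            ]},
        }
    },
    {   # internal-only instance: no accessConfigs, so nothing to flag
        "protoPayload": {
            "methodName": "v1.compute.instances.insert",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "requestMetadata": {"callerIp": "198.51.100.7"},
            "resourceName": "projects/example-project/zones/us-central1-a/instances/db-01",
            "request": {"networkInterfaces": [{"name": "nic0"}]},
        }
    },
]


def _attached_access_configs(method, request):
    """Return (nic_name, access_config) pairs that the request attaches."""
    if method.endswith("compute.instances.addAccessConfig"):
        ac = request.get("accessConfig")
        return [(request.get("networkInterface", "nic0"), ac)] if ac else []
    if method.endswith("compute.instances.insert"):
        return [(nic.get("name", "nic0"), ac)
                for nic in request.get("networkInterfaces", [])
                for ac in nic.get("accessConfigs", [])]
    return []


def triage(entries, authorized=AUTHORIZED_PRINCIPALS):
    """One finding per external IP attached: who, from where, which instance, and a verdict."""
    findings = []
    for entry in entries:
        p = entry.get("protoPayload", {})
        method = p.get("methodName", "")
        parts = p.get("resourceName", "").split("/")
        zone = parts[parts.index("zones") + 1] if "zones" in parts else ""
        principal = p.get("authenticationInfo", {}).get("principalEmail", "")
        for nic, ac in _attached_access_configs(method, p.get("request", {})):
            findings.append({
                "instance": parts[-1], "zone": zone, "nic": nic,
                "access_config": ac.get("name", "External NAT"),
                "nat_ip": ac.get("natIP", "ephemeral"),  # no natIP: GCP picks one
                "principal": principal,
                "caller_ip": p.get("requestMetadata", {}).get("callerIp", ""),
                "method": method,
                "authorized": principal in authorized,
            })
    return findings


def remediation_command(finding):
    """gcloud command that strips the external IP identified by a finding."""
    return ("gcloud compute instances delete-access-config {instance} "
            "--zone={zone} --network-interface={nic} "
            "--access-config-name='{access_config}'").format(**finding)


if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES):
        flag = "OK    " if f["authorized"] else "REVIEW"
        print(f"{flag} {f['instance']} nic={f['nic']} ip={f['nat_ip']} "
              f"by {f['principal']} from {f['caller_ip']} ({f['method']})")
        if not f["authorized"]:
            print("       ", remediation_command(f))
```

Run against real data by feeding the JSON from `gcloud logging read "$AUDIT_FILTER" --format=json` into `triage()`; the allow-list should be whatever identity your deployment pipeline actually uses, since a human principal attaching a static address outside a change window is exactly the case this alert exists for.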
Known False Positives
- Instances that require direct internet access for hosting public services
- Jump hosts or bastion servers