lacework-global-207
Virtual Cloud Network (VCN) has Internet Gateway attached (Automated)
Description
Alert when a VCN has an internet gateway attached. Confirm that every internet gateway attached to a VCN is authorized and that the attachment does not expose resources to the internet: review the VCN's security lists for ingress (inbound) rules and ensure none of them allow access from all IP addresses (0.0.0.0/0).
Remediation
From Console:
- Login to the OCI Console.
- From the navigation menu, click Networking.
- Click Virtual cloud networks.
- Select a VCN which should not have an internet gateway attached.
- Click Internet Gateways.
- Click the Actions menu for the internet gateway, then click Terminate.
- Click Terminate again to confirm.
From CLI:
To locate the internet gateway and VCN Oracle Cloud Identifiers (OCIDs), execute the following command:
oci network internet-gateway list --compartment-id <compartment_id> --output table --query 'data[].{"internet gateway name":"display-name","internet gateway ocid":id,"vcn ocid":"vcn-id"}'
To disable an internet gateway (it stays attached to the VCN but no longer passes traffic), execute the following command:
oci network internet-gateway update --ig-id <internet_gateway_ocid> --is-enabled false
To delete an internet gateway, execute the following command:
oci network internet-gateway delete --ig-id <internet_gateway_ocid>
Enter 'y' to confirm deletion of the internet gateway.
It is not possible to disable an internet gateway via the console. If a route table lists the internet gateway as a route target, you must remove that route rule before deleting the internet gateway.
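The CLI steps above can be turned into an audit that decides which gateways actually expose resources before anything is disabled or deleted. The following Python is an added example, not Lacework's or Oracle's code: it reads the JSON that the three `oci network ... list --output json` commands return (internet gateways, route tables, security lists), flags a gateway as exposed only when it is enabled, a route rule sends traffic through it, and a security list in the same VCN admits ingress from 0.0.0.0/0, and prints the remediation commands in a safe order (reversible disable first, route references cleared, then delete). The JSON here is constructed sample data shaped like the CLI's documented fields (`data[].id`, `display-name`, `vcn-id`, `is-enabled`, `route-rules[].network-entity-id`, `ingress-security-rules[].source`); the OCIDs are placeholders. To run it against a real tenancy, save each command's output to a file and pass the file contents to `load` instead of the samples.

```python
"""Audit OCI internet gateways from saved `oci network ... list --output json` output.

Added example, not Lacework's or Oracle's code. All JSON below is constructed
sample data in the shape of the OCI CLI's documented output; OCIDs are placeholders.
"""
import json

OPEN_CIDR = "0.0.0.0/0"

# Constructed sample: `oci network internet-gateway list --compartment-id ... --output json`
IG_JSON = json.dumps({"data": [
    {"id": "ocid1.internetgateway.oc1..igA", "display-name": "igw-prod",
     "vcn-id": "ocid1.vcn.oc1..vcnA", "is-enabled": True, "lifecycle-state": "AVAILABLE"},
    {"id": "ocid1.internetgateway.oc1..igB", "display-name": "igw-lab",
     "vcn-id": "ocid1.vcn.oc1..vcnB", "is-enabled": True, "lifecycle-state": "AVAILABLE"},
]})

# Constructed sample: `oci network route-table list --compartment-id ... --output json`
RT_JSON = json.dumps({"data": [
    {"id": "ocid1.routetable.oc1..rtA", "vcn-id": "ocid1.vcn.oc1..vcnA", "route-rules": [
        {"destination": "0.0.0.0/0", "destination-type": "CIDR_BLOCK",
         "network-entity-id": "ocid1.internetgateway.oc1..igA"}]},
    {"id": "ocid1.routetable.oc1..rtB", "vcn-id": "ocid1.vcn.oc1..vcnB", "route-rules": []},
]})

# Constructed sample: `oci network security-list list --compartment-id ... --output json`
SL_JSON = json.dumps({"data": [
    {"id": "ocid1.securitylist.oc1..slA", "vcn-id": "ocid1.vcn.oc1..vcnA", "ingress-security-rules": [
        {"source": "0.0.0.0/0", "protocol": "6",
         "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
        {"source": "10.0.0.0/8", "protocol": "all"}]},
    {"id": "ocid1.securitylist.oc1..slB", "vcn-id": "ocid1.vcn.oc1..vcnB", "ingress-security-rules": [
        {"source": "10.0.0.0/16", "protocol": "6",
         "tcp-options": {"destination-port-range": {"min": 443, "max": 443}}}]},
]})


def load(cli_json):
    """Unwrap the CLI's top-level {"data": [...]} envelope."""
    return json.loads(cli_json)["data"]


def routes_via(route_tables, ig_id):
    """(route table OCID, destination) for every rule that targets this gateway.
    These references also block deletion, so they must be cleared first."""
    return [(rt["id"], rule.get("destination"))
            for rt in route_tables
            for rule in rt.get("route-rules", [])
            if rule.get("network-entity-id") == ig_id]


def open_ingress(security_lists, vcn_id):
    """(security list OCID, protocol, port range) for ingress rules from 0.0.0.0/0 in the VCN."""
    hits = []
    for sl in security_lists:
        if sl.get("vcn-id") != vcn_id:
            continue
        for rule in sl.get("ingress-security-rules", []):
            if rule.get("source") != OPEN_CIDR:
                continue
            # tcp-options / udp-options are null in real output when not set.
            opts = rule.get("tcp-options") or rule.get("udp-options") or {}
            rng = opts.get("destination-port-range")
            ports = f"{rng['min']}-{rng['max']}" if rng else "all"
            hits.append((sl["id"], rule.get("protocol"), ports))
    return hits


def assess(igs, route_tables, security_lists):
    """One finding per live gateway; 'exposed' requires all three conditions."""
    findings = []
    for ig in igs:
        if ig.get("lifecycle-state") == "TERMINATED":
            continue
        routes = routes_via(route_tables, ig["id"])
        ingress = open_ingress(security_lists, ig["vcn-id"])
        enabled = bool(ig.get("is-enabled"))
        findings.append({
            "ig": ig["id"], "name": ig["display-name"], "vcn": ig["vcn-id"],
            "enabled": enabled, "routes": routes, "open_ingress": ingress,
            "exposed": enabled and bool(routes) and bool(ingress),
        })
    return findings


def remediation(finding):
    """Ordered CLI steps: reversible disable first, clear route references, then delete."""
    cmds = [f"oci network internet-gateway update --ig-id {finding['ig']} --is-enabled false"]
    for rt_id, dest in finding["routes"]:
        cmds.append(f"# remove the {dest} rule targeting {finding['ig']} from route table {rt_id}")
    cmds.append(f"oci network internet-gateway delete --ig-id {finding['ig']}")
    return cmds


if __name__ == "__main__":
    for f in assess(load(IG_JSON), load(RT_JSON), load(SL_JSON)):
        status = "EXPOSED" if f["exposed"] else "ok"
        print(f"{status:8}{f['name']} ({f['ig']}) routes={len(f['routes'])} "
              f"open_ingress={len(f['open_ingress'])}")
        if f["exposed"]:
            print("\n".join("  " + c for c in remediation(f)))
```

With the sample data, igw-prod is reported as exposed (enabled, a 0.0.0.0/0 route points at it, and a security list in its VCN allows TCP 22 from anywhere), while igw-lab is not (no route references it and its VCN's only ingress rule is from 10.0.0.0/16). A gateway that is enabled but has no route or no open ingress still shows up in the report so it can be reviewed for authorization; only the remediation block is gated on exposure.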
References
https://docs.oracle.com/en-us/iaas/cloud-guard/using/detect-recipes.htm#detect-recipes-ref-config__VCN_HAS_INTERNET_GATEWAY_ATTACHED
https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/managingIGs.htm
https://docs.oracle.com/en-us/iaas/tools/oci-cli/3.29.1/oci_cli_docs/cmdref/network/internet-gateway.html