GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Network Route Change Log Alerts Should Be Enabled
More Info:
Ensures that logging and log alerts exist for VPC network route changes.
Risk Level
Medium
Address
Security
Compliance Standards
SOC2, NIST, ISO27001, HIPAA, CISGCP, CBP, HITRUST
Triage and Remediation
Remediation
To remediate the misconfiguration “Network Route Change Log Alerts Should Be Enabled” for GCP using GCP console, follow these steps:
-
Open the GCP console and navigate to the Logging section.
-
Click on “Logs Explorer” in the left-hand menu.
-
In the search bar at the top of the page, type “route” and press enter.
-
Select the “GCE_NETWORK_ROUTE” log type from the dropdown menu.
-
Click on the “Create Metric” button.
-
Name the metric “route-change” and set the aggregation to “Count”.
-
Click on the “Create” button to create the metric.
-
In the left-hand menu, click on “Alerting”.
-
Click on the “Create Policy” button.
-
Name the policy “route-change-alert” and set the “Resource Type” to “GCE Instance”.
-
Under “Conditions”, click on “Add Condition”.
-
Select “Metric Threshold” as the condition type.
-
Set the “Metric” to “route-change” and set the “Aggregation” to “Count”.
-
Set the “Threshold” to “1” and the “For” duration to “1 minute”.
-
Click on “Add” to add the condition.
-
Under “Notifications”, click on “Add Notification”.
-
Select the notification method you want to use (e.g. email, SMS, etc.) and enter the appropriate information.
-
Click on “Save” to save the policy.
By following these steps, you will have successfully enabled network route change log alerts for GCP using GCP console.
To remediate the misconfiguration “Network Route Change Log Alerts Should Be Enabled” for GCP using GCP CLI, please follow the below steps:
-
Open the Cloud Shell in the GCP Console.
-
Run the following command to enable route change log alerts for your project:
gcloud beta logging sinks create ROUTE_CHANGE_LOGS_STORAGE_BUCKET_NAME \ storage.googleapis.com/ROUTE_CHANGE_LOGS_STORAGE_BUCKET_NAME \ --log-filter="resource.type=\"gce_route\" AND protoPayload.methodName=\"beta.compute.routes.patch\"" \ --project=PROJECT_IDNote: Replace ROUTE_CHANGE_LOGS_STORAGE_BUCKET_NAME and PROJECT_ID with your own values.
-
Run the following command to grant the logs writer role to the sink service account:
gcloud projects add-iam-policy-binding PROJECT_ID \ --member="serviceAccount:SINK_SERVICE_ACCOUNT" \ --role="roles/logging.logWriter"Note: Replace PROJECT_ID and SINK_SERVICE_ACCOUNT with your own values.
-
Run the following command to create a log metric for the route change logs:
gcloud logging metrics create ROUTE_CHANGE_LOGS_METRIC_NAME \ --description="Metric for route change logs" \ --filter="resource.type=\"gce_route\" AND protoPayload.methodName=\"beta.compute.routes.patch\"" \ --project=PROJECT_IDNote: Replace ROUTE_CHANGE_LOGS_METRIC_NAME and PROJECT_ID with your own values.
-
Run the following command to create an alert policy for the route change logs:
gcloud alpha monitoring policies create-route-change-alert-policy \ --display-name="Route Change Log Alerts" \ --condition-filter="metric.type=\"logging.googleapis.com/user/ROUTE_CHANGE_LOGS_METRIC_NAME\" AND resource.type=\"gce_route\"" \ --destination-channel-name="CHANNEL_NAME" \ --project=PROJECT_IDNote: Replace ROUTE_CHANGE_LOGS_METRIC_NAME, CHANNEL_NAME, and PROJECT_ID with your own values.
-
Verify that the alert policy is created successfully by running the following command:
gcloud alpha monitoring policies list --filter="displayName=\"Route Change Log Alerts\"" --project=PROJECT_IDNote: Replace PROJECT_ID with your own value.
By following the above steps, you will be able to remediate the misconfiguration “Network Route Change Log Alerts Should Be Enabled” for GCP using GCP CLI.
To remediate the misconfiguration “Network Route Change Log Alerts Should Be Enabled” for GCP using Python, follow the below steps:
- Import the required libraries:
from google.cloud import logging_v2
from google.cloud.logging_v2 import enums
from google.protobuf import field_mask_pb2
- Set the project ID for which you want to enable the Network Route Change Log Alerts:
project_id = 'your-project-id'
- Initialize the Logging client:
client = logging_v2.LoggingServiceV2Client()
- Create a request to get the existing sink for the project:
parent = f"projects/{project_id}"
response = client.list_sinks(parent)
- Check if the sink already exists. If it exists, update it with the required configuration. If it doesn’t exist, create a new sink with the required configuration:
# Check if the sink already exists
for sink in response.sinks:
if sink.name == f"{parent}/sinks/your-sink-name":
# Update the existing sink with the required configuration
sink.filter = "resource.type=gce_route AND protoPayload.methodName=beta.compute.routes.patch"
sink.destination = "pubsub.googleapis.com/projects/your-project-id/topics/your-topic-name"
sink.output_version_format = enums.LogSinkVersionFormat.V2
update_mask = field_mask_pb2.FieldMask(paths=["filter", "destination", "output_version_format"])
client.update_sink(sink=sink, update_mask=update_mask)
break
else:
# Create a new sink with the required configuration
sink = logging_v2.types.LogSink()
sink.name = f"{parent}/sinks/your-sink-name"
sink.filter = "resource.type=gce_route AND protoPayload.methodName=beta.compute.routes.patch"
sink.destination = "pubsub.googleapis.com/projects/your-project-id/topics/your-topic-name"
sink.output_version_format = enums.LogSinkVersionFormat.V2
client.create_sink(parent, sink)
Note: Replace your-sink-name and your-topic-name with the desired names for your sink and topic.
- Confirm that the sink is created or updated successfully by checking the Stackdriver Logging console.
With these steps, you can remediate the misconfiguration “Network Route Change Log Alerts Should Be Enabled” for GCP using Python.