GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
VPC Flow Logs Should Be Enabled
More Info:
Ensures VPC flow logs are enabled for traffic logging.
Risk Level
Low
Address
Security
Compliance Standards
CISGCP, CBP, HIPAA, ISO27001, NIST
Triage and Remediation
Remediation
To remediate the misconfiguration “VPC Flow Logs Should Be Enabled” for GCP using GCP console, follow these steps:
-
Open the Google Cloud Console and navigate to the VPC network that you want to enable flow logs for.
-
Click on the “VPC network details” button.
-
In the “VPC network details” page, click on the “Logs” tab.
-
Click on the “Configure logs” button.
-
In the “Configure logs” page, select the “VPC flow logs” option.
-
Choose the “Create a new sink” option.
-
Enter a name for the new sink and select the destination for the logs.
-
Click on the “Create sink” button.
-
Once the sink is created, click on the “Save” button.
-
The VPC flow logs are now enabled for the selected VPC network.
Note: It is recommended to create a separate project for storing logs to ensure proper access control and security.
To remediate the misconfiguration of VPC Flow Logs not being enabled in GCP using GCP CLI, you can follow the below steps:
- Open the Google Cloud Console and navigate to the VPC network for which you want to enable Flow Logs.
- Click on the “Edit” button to edit the VPC network settings.
- Scroll down to the “Flow Logs” section and click on the “Add Flow Logs” button.
- In the “Add Flow Logs” dialog box, select the “All VPC network flows” option to capture all the network flows, or select the “Selected subnet flows” option to capture the network flows of specific subnets.
- Select the “Cloud Storage” option as the destination for the Flow Logs.
- Choose the bucket where you want to store the logs or create a new bucket.
- Click on the “Create” button to enable the Flow Logs for the selected VPC network.
Alternatively, you can use the following GCP CLI commands to enable VPC Flow Logs:
- Set the environment variables:
export PROJECT_ID=<your-project-id>
export NETWORK_NAME=<your-network-name>
export FILTER_NAME=<your-filter-name>
export BUCKET_NAME=<your-bucket-name>
- Create a flow log filter:
gcloud compute flow-logs filters create $FILTER_NAME \
--project=$PROJECT_ID \
--description="All flows" \
--expression="true"
- Create a flow log configuration:
gcloud compute flow-logs create-config $NETWORK_NAME \
--project=$PROJECT_ID \
--filter=$FILTER_NAME \
--storage-bucket=$BUCKET_NAME
After following these steps, VPC Flow Logs will be enabled for the selected VPC network in GCP.
To remediate the misconfiguration “VPC Flow Logs Should Be Enabled” for GCP using Python, you can follow the below steps:
- First, you need to enable VPC flow logs for all the subnets in your GCP project. You can use the following command to enable VPC flow logs for a subnet:
import google.auth
from google.cloud import logging_v2
from google.cloud.logging_v2 import enums
_, project = google.auth.default()
logging_client = logging_v2.LoggingServiceV2Client()
parent = logging_client.project_path(project)
# Replace the <SUBNET_NAME> with the name of the subnet for which you want to enable VPC flow logs.
resource = {
"type": "gce_subnet",
"labels": {
"zone": "<ZONE_NAME>",
"subnetwork_name": "<SUBNET_NAME>",
"project_id": project
}
}
response = logging_client.create_sink(
parent,
"vpc-flow-logs",
filter_=None,
destination=resource,
unique_writer_identity=True
)
print("VPC flow logs enabled for subnet: {}".format(response.name))
- You can create a script to run the above command for all the subnets in your GCP project.
import google.auth
from google.cloud import compute_v1
_, project = google.auth.default()
compute_client = compute_v1.InstancesClient()
# Get all the subnets in the project
subnets = compute_client.aggregated_subnetworks().list(project=project).execute()
for zone, subnets_list in subnets["items"].items():
for subnet in subnets_list.get("subnetworks", []):
subnet_name = subnet["name"]
# Enable VPC flow logs for the subnet
# Replace the <ZONE_NAME> and <SUBNET_NAME> with the actual values.
# You can also replace the sink name "vpc-flow-logs" with a different name.
enable_vpc_flow_logs_command = f"python enable_vpc_flow_logs.py --zone <ZONE_NAME> --subnet <SUBNET_NAME>"
print(f"Enabling VPC flow logs for subnet: {subnet_name}")
os.system(enable_vpc_flow_logs_command)
- You can schedule the above script to run periodically to ensure that VPC flow logs are always enabled for all the subnets in your GCP project.
Note: Before running the above script, make sure that you have the necessary permissions to create VPC flow logs sinks and enable VPC flow logs for subnets in your GCP project.