Flow logs enabled remediation

Using Console

Using CLI

To remediate the misconfiguration of VPC Flow Logs not being enabled in GCP using GCP CLI, you can follow the below steps:

Open the Google Cloud Console and navigate to the VPC network for which you want to enable Flow Logs.
Click on the “Edit” button to edit the VPC network settings.
Scroll down to the “Flow Logs” section and click on the “Add Flow Logs” button.
In the “Add Flow Logs” dialog box, select the “All VPC network flows” option to capture all the network flows, or select the “Selected subnet flows” option to capture the network flows of specific subnets.
Select the “Cloud Storage” option as the destination for the Flow Logs.
Choose the bucket where you want to store the logs or create a new bucket.
Click on the “Create” button to enable the Flow Logs for the selected VPC network.

Alternatively, you can use the following GCP CLI commands to enable VPC Flow Logs:

Set the environment variables:

export PROJECT_ID=<your-project-id>
export NETWORK_NAME=<your-network-name>
export FILTER_NAME=<your-filter-name>
export BUCKET_NAME=<your-bucket-name>

Create a flow log filter:

gcloud compute flow-logs filters create $FILTER_NAME \
--project=$PROJECT_ID \
--description="All flows" \
--expression="true"

Create a flow log configuration:

gcloud compute flow-logs create-config $NETWORK_NAME \
--project=$PROJECT_ID \
--filter=$FILTER_NAME \
--storage-bucket=$BUCKET_NAME

After following these steps, VPC Flow Logs will be enabled for the selected VPC network in GCP.

Using Python

To remediate the misconfiguration “VPC Flow Logs Should Be Enabled” for GCP using Python, you can follow the below steps:

First, you need to enable VPC flow logs for all the subnets in your GCP project. You can use the following command to enable VPC flow logs for a subnet:

import google.auth
from google.cloud import logging_v2
from google.cloud.logging_v2 import enums

_, project = google.auth.default()

logging_client = logging_v2.LoggingServiceV2Client()
parent = logging_client.project_path(project)

# Replace the <SUBNET_NAME> with the name of the subnet for which you want to enable VPC flow logs.
resource = {
    "type": "gce_subnet",
    "labels": {
        "zone": "<ZONE_NAME>",
        "subnetwork_name": "<SUBNET_NAME>",
        "project_id": project
    }
}

response = logging_client.create_sink(
    parent, 
    "vpc-flow-logs", 
    filter_=None, 
    destination=resource, 
    unique_writer_identity=True
)

print("VPC flow logs enabled for subnet: {}".format(response.name))

You can create a script to run the above command for all the subnets in your GCP project.

import google.auth
from google.cloud import compute_v1

_, project = google.auth.default()

compute_client = compute_v1.InstancesClient()

# Get all the subnets in the project
subnets = compute_client.aggregated_subnetworks().list(project=project).execute()

for zone, subnets_list in subnets["items"].items():
    for subnet in subnets_list.get("subnetworks", []):
        subnet_name = subnet["name"]
        # Enable VPC flow logs for the subnet
        # Replace the <ZONE_NAME> and <SUBNET_NAME> with the actual values.
        # You can also replace the sink name "vpc-flow-logs" with a different name.
        enable_vpc_flow_logs_command = f"python enable_vpc_flow_logs.py --zone <ZONE_NAME> --subnet <SUBNET_NAME>"
        print(f"Enabling VPC flow logs for subnet: {subnet_name}")
        os.system(enable_vpc_flow_logs_command)

You can schedule the above script to run periodically to ensure that VPC flow logs are always enabled for all the subnets in your GCP project.

Note: Before running the above script, make sure that you have the necessary permissions to create VPC flow logs sinks and enable VPC flow logs for subnets in your GCP project.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Flow logs enabled remediation

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​Triage and Remediation

​Remediation

Triage and Remediation

Remediation