Profile Applicability:

Level 2

Description:

It is recommended to configure log metric filters and alerts to monitor changes to Virtual Private Cloud (VPC) network firewall rules. These rules govern network access to resources in a project, and monitoring their changes helps detect unauthorized or unintended access adjustments.

Rationale:

Monitoring the creation, update, or deletion of firewall rules provides insight into network access changes and can reduce the time it takes to detect potential suspicious activity or configuration errors.

Impact:

Enabling logging for firewall rule changes may increase costs due to the additional log data storage and processing.

Default Value:

By default, VPC firewall rule changes are not monitored.

Audit Steps:

Using Google Cloud Console:

  1. Verify Log Metric Configuration:

  • In the User-defined Metrics section, ensure there is a metric with the following filter:

      resource.type="gce_firewall_rule"
      AND (protoPayload.methodName:"compute.firewalls.patch"
      OR protoPayload.methodName:"compute.firewalls.insert"
      OR protoPayload.methodName:"compute.firewalls.delete")

  2. Verify Alert Policy Configuration:

  • Confirm the presence of an alert policy linked to the metric above.

  • Check the condition is set to trigger for:

    • Condition: Any changes to the metric.

    • Threshold: 0 (alerts on any firewall rule change).

  • Ensure notification channels are configured for alerts.

Using Google Cloud CLI:

  1. Verify Log Metric Configuration:

  • List the log metrics:

      gcloud logging metrics list --format json

  • Check for a metric with the following filter:

      resource.type="gce_firewall_rule"
      AND (protoPayload.methodName:"compute.firewalls.patch"
      OR protoPayload.methodName:"compute.firewalls.insert"
      OR protoPayload.methodName:"compute.firewalls.delete")

  2. Verify Alert Policy Configuration:

  • List the alerting policies:

      gcloud alpha monitoring policies list --format json

  • Confirm the output contains a policy where:

    • Condition Filter: Matches the above metric.

    • Enabled: true.
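
As an added example (not part of the benchmark text), the two CLI audit checks above can be applied to the JSON that `gcloud logging metrics list --format json` and `gcloud alpha monitoring policies list --format json` return; the script normalizes whitespace and quote style before comparing filters, and the metric and policy names in the constructed sample output are assumptions.

```python
import json
import re

# The three mutating methods named in the control's filter.
REQUIRED_METHODS = {"compute.firewalls.patch", "compute.firewalls.insert", "compute.firewalls.delete"}

def normalize_filter(flt):
    """Collapse whitespace and unify quote style so equivalent filters compare equal."""
    return re.sub(r"\s+", " ", flt.replace("'", '"')).strip()

def filter_covers_firewall_changes(flt):
    """True if the filter scopes to gce_firewall_rule and names patch, insert and delete."""
    norm = normalize_filter(flt)
    if 'resource.type="gce_firewall_rule"' not in norm:
        return False
    methods = set(re.findall(r'protoPayload\.methodName:"([^"]+)"', norm))
    return REQUIRED_METHODS <= methods

def compliant_metrics(metrics_json):
    """Names of metrics (from `gcloud logging metrics list --format json`) that satisfy the control."""
    return [m["name"] for m in json.loads(metrics_json)
            if filter_covers_firewall_changes(m.get("filter", ""))]

def enabled_policies_for(metric_name, policies_json):
    """Enabled policies (from `gcloud alpha monitoring policies list --format json`) conditioned on the metric."""
    wanted = f'metric.type="logging.googleapis.com/user/{metric_name}"'
    return [p["displayName"] for p in json.loads(policies_json)
            if p.get("enabled")  # a disabled policy never fires, so it does not satisfy the control
            and any(wanted in normalize_filter(c.get("conditionThreshold", {}).get("filter", ""))
                    for c in p.get("conditions", []))]

# Constructed sample output (not captured from a real project): one compliant metric, one that only
# tracks inserts, one enabled policy on the compliant metric and a disabled copy of that policy.
SAMPLE_METRICS = json.dumps([
    {"name": "firewall-rule-changes", "filter": "resource.type='gce_firewall_rule' AND "
     "(protoPayload.methodName:'compute.firewalls.patch' OR protoPayload.methodName:"
     "'compute.firewalls.insert' OR protoPayload.methodName:'compute.firewalls.delete')"},
    {"name": "firewall-inserts-only",
     "filter": 'resource.type="gce_firewall_rule" AND protoPayload.methodName:"compute.firewalls.insert"'},
])
SAMPLE_POLICIES = json.dumps([
    {"displayName": "VPC firewall changes", "enabled": True, "conditions": [{"conditionThreshold": {
        "filter": 'metric.type="logging.googleapis.com/user/firewall-rule-changes" resource.type="gce_firewall_rule"'}}]},
    {"displayName": "VPC firewall changes (disabled)", "enabled": False, "conditions": [{"conditionThreshold": {
        "filter": 'metric.type="logging.googleapis.com/user/firewall-rule-changes"'}}]},
])

if __name__ == "__main__":
    for name in compliant_metrics(SAMPLE_METRICS):
        print(name, "->", enabled_policies_for(name, SAMPLE_POLICIES) or "NO ENABLED ALERT POLICY")
```

Replace the two SAMPLE_ strings with the real command output to audit a project; a compliant metric with an empty policy list is the finding this control is looking for.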

Remediation Steps:

Using Google Cloud Console:

  1. Create a Log Metric:

  • Click CREATE METRIC and set the following:

    Filter:

      resource.type="gce_firewall_rule"
      AND (protoPayload.methodName:"compute.firewalls.patch"
      OR protoPayload.methodName:"compute.firewalls.insert"
      OR protoPayload.methodName:"compute.firewalls.delete")

  • Metric Type: Counter.

  • Units: 1 (default).

  • Click Create Metric.

  2. Create an Alert Policy:

    • Find the newly created metric under User-defined Metrics.

    • Click the three-dot menu and select Create alert from Metric.

    • Configure the alert policy:

      • Aggregator: Count.

      • Threshold: Above 0.

      • Condition: Any change to firewall rules triggers the alert.

    • Configure notification channels and save the policy.

Using Google Cloud CLI:

  1. Create a Log Metric (the filter is wrapped in single quotes so the double-quoted values, matching the filter used in the audit steps, reach gcloud intact):

      gcloud logging metrics create <metric-name> \
        --description="Monitor VPC firewall rule changes" \
        --log-filter='resource.type="gce_firewall_rule" AND (protoPayload.methodName:"compute.firewalls.patch" OR protoPayload.methodName:"compute.firewalls.insert" OR protoPayload.methodName:"compute.firewalls.delete")'

  2. Create an Alert Policy:

      gcloud alpha monitoring policies create \
        --display-name="<policy-name>" \
        --conditions="<condition-config>" \
        --notification-channels="<notification-channels>"

CIS Controls:

CIS Controls v8

Control                          Description                                                                            IG 1  IG 2  IG 3
8.2 Collect Audit Logs           Enable audit logging across enterprise assets.
8.5 Collect Detailed Audit Logs  Configure detailed logging to capture sensitive data-related activities for forensics.

CIS Controls v7

Control                          Description                                                                            IG 1  IG 2  IG 3
6.2 Activate Audit Logging       Ensure local logging is enabled on systems and devices.
6.3 Enable Detailed Logging      Include event source, timestamps, and relevant details in logs.