iCompaas Support

Profile Applicability:

Level 2

Description:

To monitor changes to Virtual Private Cloud (VPC) network routes, it is recommended to configure log metric filters and alerts. This ensures that any modifications to the network routes are detected promptly, helping maintain the integrity and expected behavior of network traffic paths.

Rationale:

Routes in GCP define how network traffic flows between resources within and outside a VPC. Monitoring changes to these routes helps detect unauthorized or unexpected modifications, reducing the risk of security incidents or misconfigurations that might disrupt traffic or expose resources to external threats.

Impact:

Enabling logging and alerting may incur additional costs due to log data storage and processing, especially in larger organizations with frequent network changes.

Default Value:

By default, VPC route changes are not monitored or alerted.

Audit Steps:

Using Google Cloud Console:

1. Verify Log Metric Configuration:

   • Navigate to Logs-based Metrics.

• In the User-defined Metrics section, ensure there is a metric with the following filter:

  resource.type="gce_route"
  AND (protoPayload.methodName:"compute.routes.delete"
  OR protoPayload.methodName:"compute.routes.insert")

  
  

2. Verify Alert Policy Configuration:

   • Go to Alerting.

• Confirm the presence of an alert policy linked to the above metric.

• Ensure the alert policy is configured to trigger when:

  • Condition: Any route changes occur.

  • Threshold: 0 (triggers an alert for any change).

• Verify that appropriate notification channels are set up.

Using Google Cloud CLI:

1. Verify Log Metric Configuration:

• List log metrics:

gcloud logging metrics list --format json

• Check for a metric with the following filter:

resource.type="gce_route"
AND (protoPayload.methodName:"compute.routes.delete"
OR protoPayload.methodName:"compute.routes.insert")

2. Verify Alert Policy Configuration:

• List alerting policies:

gcloud alpha monitoring policies list --format json

• Ensure there is a policy with:

  • Condition Filter: Matches the above metric.

  • Enabled: true.

Remediation Steps:

Using Google Cloud Console:

1. Create a Log Metric:

   • Navigate to Logs-based Metrics.

• Click CREATE METRIC and set the following:

Filter:

resource.type="gce_route"
AND (protoPayload.methodName:"compute.routes.delete"
OR protoPayload.methodName:"compute.routes.insert")

• Metric Type: Counter.

• Units: 1 (default).

• Click Create Metric.

2. Create an Alert Policy:

   • Locate the newly created metric in User-defined Metrics.

• Click the three-dot menu and select Create alert from Metric.
  
                      

• Configure the alert policy:

  • Aggregator: Count.

  • Threshold: Above 0.

  • Condition: Trigger alerts on any route changes.

• Configure notification channels and save the policy.

Using Google Cloud CLI:

Create a Log Metric:

gcloud logging metrics create <metric-name> \
  --description="Monitor VPC route changes" \
  --log-filter="resource.type='gce_route' AND \
  (protoPayload.methodName:'compute.routes.delete' OR \
  protoPayload.methodName:'compute.routes.insert')"

Create an Alert Policy:

gcloud alpha monitoring policies create \
  --display-name="<policy-name>" \
  --conditions="<condition-config>" \
  --notification-channels="<notification-channels>"

References:

1. Logs-Based Metrics

2. Custom Metrics in Monitoring

3. Alerts in Monitoring

4. Logging CLI Reference

CIS Controls: