Profile Applicability:

Level 

Description:

To monitor changes to Virtual Private Cloud (VPC) networks, it is recommended to set up log metric filters and alerts. These changes include network creation, updates, deletion, and changes to VPC peering connections.

Rationale:

VPCs in Google Cloud allow segmentation and control of network traffic between resources. Monitoring modifications to VPC configurations ensures the integrity of traffic flow and helps identify unauthorized changes. This is particularly important for maintaining the security and reliability of inter-VPC communication.

Impact:

Enabling logging and alerting can result in additional charges for log storage and processing, especially in organizations with frequent VPC changes.

Default Value:

By default, VPC network changes are not monitored or alerted.

Audit Steps:

Using Google Cloud Console:

  1. Verify Log Metric Configuration:

In the Google Cloud Console, go to Logging > Logs-based Metrics. Under User-defined Metrics, ensure a metric exists with the following filter:

resource.type="gce_network"
AND (protoPayload.methodName:"compute.networks.insert"
OR protoPayload.methodName:"compute.networks.patch"
OR protoPayload.methodName:"compute.networks.delete"
OR protoPayload.methodName:"compute.networks.removePeering"
OR protoPayload.methodName:"compute.networks.addPeering")


  2. Verify Alert Policy Configuration:

  • Confirm an alert policy is linked to the above metric and is configured to trigger when:

    • Condition: Any network changes occur.

    • Threshold: 0 (trigger an alert for every change).

  • Ensure appropriate notification channels are set up.

Using Google Cloud CLI:

  1. Verify Log Metric Configuration:

List the log metrics:

gcloud logging metrics list --format json

Check for a metric with the following filter:

resource.type="gce_network"
AND (protoPayload.methodName:"compute.networks.insert"
OR protoPayload.methodName:"compute.networks.patch"
OR protoPayload.methodName:"compute.networks.delete"
OR protoPayload.methodName:"compute.networks.removePeering"
OR protoPayload.methodName:"compute.networks.addPeering")

  2. Verify Alert Policy Configuration:

List alerting policies:

gcloud alpha monitoring policies list --format json

  • Ensure there is an alert policy where:

    • Condition Filter: Matches the above metric.

    • Enabled: true.
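Both CLI audit steps can be checked mechanically instead of by eye. The script below is an added example and is not part of the CIS benchmark text: it reads the JSON emitted by `gcloud logging metrics list --format json` and `gcloud alpha monitoring policies list --format json`, looks for a user-defined metric whose filter covers all five compute.networks methods, and then looks for an enabled alert policy that references that metric (Monitoring exposes logs-based metrics as `logging.googleapis.com/user/<metric-name>`) and has at least one notification channel. The embedded sample JSON is constructed to mirror the shape of that output; the metric, policy and project names in it are made up.

```python
"""Check exported gcloud JSON for the VPC-change log metric and its alert policy.

Added example, not CIS text. Input is the JSON emitted by
    gcloud logging metrics list --format json
    gcloud alpha monitoring policies list --format json
Passes when a user-defined metric covers the five compute.networks methods
and an enabled alert policy with a notification channel references it.
"""
import json
import re

REQUIRED_METHODS = {
    "compute.networks.insert",
    "compute.networks.patch",
    "compute.networks.delete",
    "compute.networks.removePeering",
    "compute.networks.addPeering",
}
# Logs-based metrics appear in Monitoring under this metric.type prefix.
USER_METRIC_PREFIX = "logging.googleapis.com/user/"


def normalize_filter(text: str) -> str:
    """Collapse whitespace and unify quotes so Console- and CLI-created filters compare alike."""
    return re.sub(r"\s+", " ", text.replace("'", '"')).strip()


def metric_filter_matches(filter_text: str) -> bool:
    """True if the filter is scoped to gce_network and names every required methodName."""
    f = normalize_filter(filter_text)
    if re.search(r'resource\.type\s*=\s*"?gce_network"?', f) is None:
        return False
    methods = set(re.findall(r'protoPayload\.methodName\s*[:=]\s*"([^"]+)"', f))
    return REQUIRED_METHODS <= methods


def find_vpc_metrics(metrics: list) -> list:
    """Names of the log metrics whose filter satisfies the benchmark."""
    return [m["name"] for m in metrics if metric_filter_matches(m.get("filter", ""))]


def condition_filters(policy: dict):
    """Yield every filter string in a policy's conditions, whatever the condition kind."""
    for cond in policy.get("conditions", []):
        for value in cond.values():
            if isinstance(value, dict) and "filter" in value:
                yield value["filter"]


def policies_covering(metric_name: str, policies: list) -> list:
    """Enabled policies whose condition filter references the given user-defined metric."""
    target = USER_METRIC_PREFIX + metric_name
    return [p for p in policies
            if p.get("enabled") and any(target in f for f in condition_filters(p))]


def audit(metrics_json: str, policies_json: str) -> dict:
    """One finding per audit step: qualifying metrics, and enabled policies with a channel covering them."""
    good_metrics = find_vpc_metrics(json.loads(metrics_json))
    policies = json.loads(policies_json)
    alerts = {name: [p["displayName"] for p in policies_covering(name, policies)
                     if p.get("notificationChannels")]
              for name in good_metrics}
    return {"metric_present": bool(good_metrics), "metrics": good_metrics,
            "alert_present": any(alerts.values()), "alerts": alerts}


# Constructed sample output shaped like the two gcloud commands; all names are made up.
SAMPLE_METRICS = json.dumps([
    {"name": "vpc-network-changes", "description": "Monitor VPC network changes",
     "filter": "resource.type='gce_network' AND (protoPayload.methodName='compute.networks.insert' OR "
               "protoPayload.methodName='compute.networks.patch' OR "
               "protoPayload.methodName='compute.networks.delete' OR "
               "protoPayload.methodName='compute.networks.removePeering' OR "
               "protoPayload.methodName='compute.networks.addPeering')"},
    # Omits addPeering, so peering changes would go unseen: this one must not pass.
    {"name": "vpc-partial",
     "filter": 'resource.type="gce_network" AND (protoPayload.methodName:"compute.networks.insert" '
               'OR protoPayload.methodName:"compute.networks.delete")'},
])
SAMPLE_POLICIES = json.dumps([
    {"name": "projects/example-project/alertPolicies/1", "displayName": "VPC network changes",
     "enabled": True,
     "notificationChannels": ["projects/example-project/notificationChannels/1"],
     "conditions": [{"displayName": "any change", "conditionThreshold": {
         "filter": 'metric.type="logging.googleapis.com/user/vpc-network-changes" AND resource.type="gce_network"',
         "comparison": "COMPARISON_GT", "thresholdValue": 0}}]},
    # Disabled and without a channel: references the metric but cannot notify anyone.
    {"name": "projects/example-project/alertPolicies/2", "displayName": "old policy",
     "enabled": False, "notificationChannels": [],
     "conditions": [{"conditionThreshold": {
         "filter": 'metric.type="logging.googleapis.com/user/vpc-network-changes"'}}]},
])

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_METRICS, SAMPLE_POLICIES), indent=2))
```

Against a real project, redirect the two gcloud commands to files and pass their contents to audit(); a result with metric_present true but alert_present false means the metric exists but nothing will ever page anyone about it, which is the failure mode the second audit step exists to catch.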

Remediation Steps:

Using Google Cloud Console:

  1. Create a Log Metric:

  • In the Google Cloud Console, go to Logging > Logs-based Metrics, click CREATE METRIC and configure:

Filter:

resource.type="gce_network"
AND (protoPayload.methodName:"compute.networks.insert"
OR protoPayload.methodName:"compute.networks.patch"
OR protoPayload.methodName:"compute.networks.delete"
OR protoPayload.methodName:"compute.networks.removePeering"
OR protoPayload.methodName:"compute.networks.addPeering")

  • Type: Counter.

  • Units: 1 (default).

  • Click Create Metric.

  2. Create an Alert Policy:

  • Locate the metric under User-defined Metrics.

  • Click the three-dot menu and select Create alert from Metric.

  • Configure the alert:

    • Aggregator: Count.

    • Threshold: Above 0.

    • Condition: Trigger alerts for any VPC changes.

  • Configure notification channels and save the policy.

Using Google Cloud CLI:

  1. Create a Log Metric:

gcloud logging metrics create <metric-name> \
  --description="Monitor VPC network changes" \
  --log-filter="resource.type='gce_network' AND \
  (protoPayload.methodName='compute.networks.insert' OR \
  protoPayload.methodName='compute.networks.patch' OR \
  protoPayload.methodName='compute.networks.delete' OR \
  protoPayload.methodName='compute.networks.removePeering' OR \
  protoPayload.methodName='compute.networks.addPeering')"

  2. Create an Alert Policy:

gcloud alpha monitoring policies create \
  --display-name="<policy-name>" \
  --conditions="<condition-config>" \
  --notification-channels="<notification-channels>"
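The <condition-config> placeholder in the alert-policy command is the part that is easiest to get wrong. The script below, an added example and not part of the CIS benchmark text, writes the policy as a file for the gcloud flag --policy-from-file (an alternative to the individual condition flags shown above) in the shape of the Monitoring AlertPolicy resource: a threshold condition on the logs-based metric created in step 1, comparison "greater than 0", count aggregation, so that any single matching log entry fires the alert. The metric name, project id and notification channel id are placeholders to be replaced with your own values.

```python
"""Build the AlertPolicy JSON consumed by gcloud alpha monitoring policies create --policy-from-file.

Added example, not CIS text. Mirrors the Console remediation above:
aggregator Count, threshold above 0, one or more notification channels.
"""
import json

# Logs-based metrics appear in Monitoring under this metric.type prefix.
USER_METRIC_PREFIX = "logging.googleapis.com/user/"


def build_alert_policy(metric_name: str, notification_channels: list,
                       display_name: str = "VPC network changes") -> dict:
    """AlertPolicy that fires whenever the counter metric records any entry."""
    if not notification_channels:
        # A policy with no channel is "configured" but never tells anyone anything.
        raise ValueError("an alert policy needs at least one notification channel")
    return {
        "displayName": display_name,
        "combiner": "OR",
        "enabled": True,
        "conditions": [{
            "displayName": f"Any {metric_name} event",
            "conditionThreshold": {
                # Bind the condition to the logs-based metric created in step 1.
                "filter": f'metric.type="{USER_METRIC_PREFIX}{metric_name}" AND resource.type="gce_network"',
                "comparison": "COMPARISON_GT",
                "thresholdValue": 0,
                "duration": "0s",
                "aggregations": [{"alignmentPeriod": "60s", "perSeriesAligner": "ALIGN_COUNT"}],
            },
        }],
        "notificationChannels": notification_channels,
    }


def write_policy_file(path: str, policy: dict) -> str:
    """Serialise the policy to disk and return the path for the gcloud command."""
    with open(path, "w") as fh:
        json.dump(policy, fh, indent=2)
    return path


def gcloud_create_command(path: str) -> str:
    """The CLI invocation that applies the file (gcloud itself is not run here)."""
    return f"gcloud alpha monitoring policies create --policy-from-file={path}"


if __name__ == "__main__":
    # Placeholder project and channel ids; replace with the real notification channel resource names.
    channels = ["projects/PROJECT_ID/notificationChannels/CHANNEL_ID"]
    policy = build_alert_policy("vpc-network-changes", channels)
    print(json.dumps(policy, indent=2))
    print(gcloud_create_command(write_policy_file("vpc-alert-policy.json", policy)))
```

List channel resource names with `gcloud alpha monitoring channels list` before building the policy; the metric name must be exactly the <metric-name> used in step 1, since the condition filter references it by name.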

References:

  1. Logs-Based Metrics

  2. Custom Metrics in Monitoring

  3. Alerts in Monitoring

  4. Logging CLI Reference

  5. VPC Overview

CIS Controls:

Control | Description | IG 1 | IG 2 | IG 3
8.2 Collect Audit Logs | Enable audit logging across enterprise assets. | Yes | Yes | Yes
8.5 Collect Detailed Audit Logs | Configure detailed logging to capture sensitive data-related activities for forensics. | | Yes | Yes
6.2 Activate Audit Logging | Ensure local logging is enabled on systems and devices. | Yes | Yes | Yes
6.3 Enable Detailed Logging | Include event source, timestamps, and relevant details in logs. | | Yes | Yes