Profile Applicability:

Level 2

Description:

VPC Flow Logs capture detailed information about the IP traffic to and from network interfaces within an organization’s VPC subnets. The logs are stored in Google Cloud’s logging system, providing insights for monitoring, traffic analysis, and security investigations. It is recommended to enable VPC Flow Logs for all business-critical VPC subnets.

Rationale:

Enabling VPC Flow Logs enhances visibility into network activity, helping with:

  • Network Monitoring: Understand and optimize traffic patterns.

  • Security Analysis: Detect unusual or malicious traffic.

  • Forensics: Investigate historical traffic data.

  • Cost Optimization: Identify and manage high-cost network usage.

VPC Flow Logs record network traffic for each VM in the subnet and support both TCP and UDP flows. Logs from subnets reserved for internal HTTP(S) load balancers are not applicable.

Impact:

Activating VPC Flow Logs may incur additional costs for log storage in Google Cloud Logging, BigQuery, or Cloud Pub/Sub, depending on the sampling rate and aggregation interval configured.

Audit Steps:

From Google Cloud Console:

  1. Visit the VPC Networks page.

             

  1. For each subnet, ensure the following settings:

    • Flow Logs: Enabled.

    • Aggregation Interval: 5 sec.

    • Metadata: Included.

    • Sample Rate: Set to 100%.

              

From Google Cloud CLI:

Run the following command to check VPC Flow Logs configuration:

gcloud compute networks subnets list --format=json | jq -r '
(["Subnet","Purpose","Flow_Logs","Aggregation_Interval","Flow_Sampling","Metadata","Logs_Filtered"] |
(., map(length*"-"))),
(.[] |
[
.name,
.purpose,
(if has("enableFlowLogs") and .enableFlowLogs == true then "Enabled" else "Disabled" end),
(if has("logConfig") then .logConfig.aggregationInterval else "N/A" end),
(if has("logConfig") then .logConfig.flowSampling else "N/A" end),
(if has("logConfig") then .logConfig.metadata else "N/A" end),
(if has("logConfig") then (.logConfig | has("filterExpr")) else "N/A" end)
]
) | @tsv' | column -t

Verify the output for each subnet:

  • Flow Logs: Enabled.

  • Aggregation Interval: INTERVAL_5_SEC.

  • Flow Sampling: 1.

  • Metadata: INCLUDE_ALL_METADATA.

  • Logs Filtered: False.

Remediation Steps:

From Google Cloud Console:

  1. Navigate to the VPC Networks page.

                     

  1. Select the subnet to configure.

                 

  1. Click Edit and adjust the following settings:

                   

  • Enable Flow Logs.

  • Set Aggregation Interval to 5 sec.

  • Check the box for Include metadata.

  • Set the Sample Rate to 100%

  1. Click Save.

           


From Google Cloud CLI:

Run the following command to enable VPC Flow Logs for a subnet:

gcloud compute networks subnets update [SUBNET_NAME] \
  --region=[REGION] \
  --enable-flow-logs \
  --logging-aggregation-interval=interval-5-sec \
  --logging-flow-sampling=1 \
  --logging-metadata=include-all

Replace [SUBNET_NAME] and [REGION] with the respective values for your environment.


References:

  1. Using VPC Flow Logs

  2. Google Cloud VPC

CIS Controls:

Control

Description

IG 1

IG 2

IG 3

8.2 Collect Audit Logs

Ensure audit logs are collected for enterprise assets.

13.6 Collect Network Traffic Flow Logs

Collect flow logs to monitor and alert on anomalous traffic patterns.


12.8 NetFlow Collection

Enable NetFlow collection for boundary devices to monitor network activity.