Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network

VPC Flow Logs is a feature that captures information about the IP traffic going to and from the network interfaces in your VPC subnets. Once a flow log is created, its data can be viewed and retrieved in Stackdriver Logging (now Cloud Logging). It is recommended that Flow Logs be enabled for every business-critical VPC subnet. Flow Logs provide visibility into the network traffic of each VM inside the subnet and can be used to detect anomalous traffic and to provide insight during security investigations.

Risk Level: Medium
Cloud Entity: Subnet
CloudGuard Rule ID: D9.GCP.NET.16
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

Subnet should have enableFlowLogs=true

REMEDIATION

From Portal

  1. Go to the VPC networks page in the GCP Console at https://console.cloud.google.com/networking/networks/list
  2. Click the name of a subnet. The Subnet details page is displayed.
  3. Click the EDIT button.
  4. Set Flow Logs to On.
  5. Expand the Configure Logs section.
  6. Set Aggregation Interval to 5 SEC.
  7. Check the box beside Include metadata.
  8. Set Sample rate to 100.
  9. Click Save.

From TF

resource "google_compute_subnetwork" "subnetwork" {
  # Placeholder values: the page names no subnet, range, region or network.
  name          = "example-subnetwork"
  ip_cidr_range = "10.0.0.0/24"
  region        = "us-central1"
  network       = google_compute_network.vpc.id

  # Declaring a log_config block turns VPC Flow Logs on for the subnet.
  # The portal and gcloud steps on this page use INTERVAL_5_SEC and 100% sampling instead.
  log_config {
    aggregation_interval = "INTERVAL_10_MIN"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}

From Command Line
Run

gcloud compute networks subnets update [SUBNET_NAME] --region [REGION] --enable-flow-logs --logging-aggregation-interval=interval-5-sec --logging-flow-sampling=1 --logging-metadata=include-all
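The following script is an added example, not part of the CloudGuard rule page or of the gcloud tooling. It evaluates the GSL logic above (enableFlowLogs=true) against subnet resources in the JSON shape returned by `gcloud compute networks subnets list --format=json`, additionally reports where an enabled subnet deviates from the remediation settings (5-second aggregation, 100% sampling, all metadata), and builds the page's gcloud remediation command for a failing subnet. The sample subnets, their names and values are constructed for the example; the field names `enableFlowLogs` and `logConfig.{enable,aggregationInterval,flowSampling,metadata}` are assumed to match the Compute API Subnetwork resource.

```python
import json

# Settings configured by the page's portal and gcloud remediation steps, expressed
# as the Compute API enum values (assumption: API field names and enum labels).
RECOMMENDED_INTERVAL = "INTERVAL_5_SEC"
RECOMMENDED_SAMPLING = 1.0
RECOMMENDED_METADATA = "INCLUDE_ALL_METADATA"

# Constructed sample resembling `gcloud compute networks subnets list --format=json`.
# These subnets do not exist; names, regions and settings are made up for the example.
SAMPLE_SUBNETS_JSON = """
[
  {"name": "prod-app", "region": "us-central1",
   "enableFlowLogs": true,
   "logConfig": {"enable": true, "aggregationInterval": "INTERVAL_5_SEC",
                 "flowSampling": 1.0, "metadata": "INCLUDE_ALL_METADATA"}},
  {"name": "prod-db", "region": "us-central1",
   "enableFlowLogs": false,
   "logConfig": {"enable": false}},
  {"name": "dev-tools", "region": "europe-west1",
   "enableFlowLogs": true,
   "logConfig": {"enable": true, "aggregationInterval": "INTERVAL_10_MIN",
                 "flowSampling": 0.5, "metadata": "INCLUDE_ALL_METADATA"}},
  {"name": "legacy", "region": "asia-east1"}
]
"""


def flow_logs_enabled(subnet):
    """GSL check D9.GCP.NET.16: the subnet should have enableFlowLogs=true.

    Newer API responses carry the switch in logConfig.enable, older ones only in
    the top-level enableFlowLogs field; a subnet with neither field set has no
    flow logs at all, so it fails the check.
    """
    log_config = subnet.get("logConfig") or {}
    return bool(subnet.get("enableFlowLogs")) or bool(log_config.get("enable"))


def configuration_findings(subnet):
    """Deviations from the remediation settings, as a list of strings.

    An empty list means the subnet is both rule-compliant and configured the way
    the remediation steps configure it. A disabled subnet yields one finding.
    """
    if not flow_logs_enabled(subnet):
        return ["flow logs disabled"]
    cfg = subnet.get("logConfig") or {}
    findings = []
    interval = cfg.get("aggregationInterval")
    if interval != RECOMMENDED_INTERVAL:
        findings.append(f"aggregationInterval={interval} (want {RECOMMENDED_INTERVAL})")
    sampling = float(cfg.get("flowSampling", 0.0))
    if sampling < RECOMMENDED_SAMPLING:
        findings.append(f"flowSampling={sampling} (want {RECOMMENDED_SAMPLING})")
    metadata = cfg.get("metadata")
    if metadata != RECOMMENDED_METADATA:
        findings.append(f"metadata={metadata} (want {RECOMMENDED_METADATA})")
    return findings


def audit(subnets_json):
    """Map each subnet name to its findings (empty list when nothing to report)."""
    return {s["name"]: configuration_findings(s) for s in json.loads(subnets_json)}


def noncompliant(subnets_json):
    """Sorted names of subnets failing the GSL rule itself."""
    return sorted(s["name"] for s in json.loads(subnets_json) if not flow_logs_enabled(s))


def remediation_command(subnet):
    """The page's gcloud remediation command, as an argv list, for one subnet.

    The API reports region as a URL; gcloud wants the short name, so take the
    last path component (this also accepts a bare region name).
    """
    region = subnet["region"].rsplit("/", 1)[-1]
    return [
        "gcloud", "compute", "networks", "subnets", "update", subnet["name"],
        "--region", region,
        "--enable-flow-logs",
        "--logging-aggregation-interval=interval-5-sec",
        "--logging-flow-sampling=1",
        "--logging-metadata=include-all",
    ]


if __name__ == "__main__":
    subnets = json.loads(SAMPLE_SUBNETS_JSON)
    for name, findings in audit(SAMPLE_SUBNETS_JSON).items():
        print(f"{name}: {'OK' if not findings else 'FAIL: ' + '; '.join(findings)}")
    for s in subnets:
        if not flow_logs_enabled(s):
            print("  remediate with:", " ".join(remediation_command(s)))
```

Running the script against the constructed sample flags prod-db and legacy as failing the rule and dev-tools as enabled but under-configured (10-minute interval, 50% sampling), which is the state the Terraform snippet above would produce. Feed it real output by replacing SAMPLE_SUBNETS_JSON with the gcloud JSON, and treat the printed commands as a review list rather than running them blindly.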

References

  1. https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging
  2. https://cloud.google.com/vpc/

Subnet

A VPC spans all the Availability Zones in the region. After creating a VPC, you can add one or more subnets in each Availability Zone. When you create a subnet, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block. Each subnet must reside entirely within one Availability Zone and cannot span zones.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.0.0
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP GDPR Readiness
  • GCP HIPAA
  • GCP LGPD regulation
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5
  • GCP PCI-DSS 4.0