v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/gcp_compliance
Overview
12Dashboards
536Controls
201Queries
2Variables
GitHub

Control: 2.9 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes

Description

It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) changes.

It is possible to have more than one VPC within a project. In addition, it is also possible to create a peer connection between two VPCs enabling network traffic to route between VPCs.

Monitoring changes to a VPC will help ensure VPC traffic flow is not getting impacted.

Remediation

From Console

Create the prescribed log metric:

  1. Go to Logging/Logs-based Metrics by visiting https://console.cloud.google.com/logs/metrics and click "CREATE METRIC".
  2. Click the down arrow symbol on Filter Bar at the rightmost corner and select Convert to Advanced Filter.
  3. Clear any text and add:
resource.type=gce_network
AND (protoPayload.methodName="beta.compute.networks.insert"
OR protoPayload.methodName="beta.compute.networks.patch"
OR protoPayload.methodName="v1.compute.networks.delete"
OR protoPayload.methodName="v1.compute.networks.removePeering" OR protoPayload.methodName="v1.compute.networks.addPeering")
  1. Click Submit Filter. Display logs appear based on the filter text entered by the user.
  2. In the Metric Editor menu on the right, fill out the name field. Set Units to 1 (default) and Type to Counter. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.
  3. Click Create Metric.

Create the prescribed alert policy:

  1. Identify the newly created metric under the section User-defined Metrics at https://console.cloud.google.com/logs/metrics.
  2. Click the 3-dot icon in the rightmost column for the new metric and select Create alert from Metric. A new page appears.
  3. Fill out the alert policy configuration and click Save. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of 0 for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
  1. Configure the desired notifications channels in the section Notifications.
  2. Name the policy and click Save.

From Command Line

Create the prescribed Log Metric:

  • Use the command: gcloud logging metrics create

Create the prescribed Alert Policy:

  • Use the command: gcloud alpha monitoring policies create

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.cis_v300_2_9

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.cis_v300_2_9 --share

SQL

This control uses a named query:

logging_metric_alert_network_changes

Tags

benchmark = cis
category = Compliance
cis_item_id = 2.9
cis_level = 2
cis_section_id = 2
cis_type = automated
cis_version = v3.0.0
plugin = gcp
service = GCP/Logging