Control: 2.9 Ensure that the log metric filter and alerts exist for VPC network changes
Description
It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) changes.
It is possible to have more than one VPC within a project. It is also possible to create a peering connection between two VPCs, enabling network traffic to route between them.
Monitoring changes to a VPC helps ensure that VPC traffic flow is not affected unexpectedly.
Remediation
From Console
Create a required log metric:
- Log in to the GCP console and navigate to Logs-based Metrics.
- Click CREATE METRIC.
- Select Metric Type as Counter, enter a Log metric name and set Units to 1.
- Clear any text in the Build filter field and add the text below:
resource.type=gce_network
AND protoPayload.methodName="beta.compute.networks.insert"
OR protoPayload.methodName="beta.compute.networks.patch"
OR protoPayload.methodName="v1.compute.networks.delete"
OR protoPayload.methodName="v1.compute.networks.removePeering"
OR protoPayload.methodName="v1.compute.networks.addPeering"
- Click CREATE METRIC. The logs display based on the filter text entered by the user.

Create a required alert policy for the log metric:
- Identify the newly created metric under the section User-defined Metrics.
- Click the 3-dot icon in the right-most column for the desired metric and select Create alert from metric. A new page opens.
- Fill out the alert policy configuration and click Save. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero (0) for the most recent value will ensure that a notification is triggered for every owner change in the project.
- Configure the desired notification channels in the section Notifications.
- Enter an Alert name and click Save.
From Command Line
Create a required log metric:
- Use the command: gcloud beta logging metrics create.
- Reference for Command Usage.

Create an alert policy for the log metric:
- Use the command: gcloud alpha monitoring policies create.
- Reference for Command Usage.

Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.cis_v130_2_9
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_compliance.control.cis_v130_2_9 --share
SQL
This control uses a named query:
with filter_data as (
  select
    m.project as project,
    display_name alert_name,
    count(m.name) metric_name
  from
    gcp_monitoring_alert_policy,
    jsonb_array_elements(conditions) as filter_condition
    join gcp_logging_metric m on m.filter ~ '\s*resource\.type\s*=\s*gce_network\s*AND\s*\(\s*protoPayload\.methodName\s*=\s*"beta\.compute\.networks\.insert"\s*OR\s*protoPayload\.methodName\s*=\s*"beta\.compute\.networks\.patch"\s*OR\s*protoPayload\.methodName\s*=\s*"v1\.compute\.networks\.delete"\s*OR\s*protoPayload\.methodName\s*=\s*"v1\.compute\.networks\.removePeering"\s*OR\s*protoPayload\.methodName\s*=\s*"v1\.compute\.networks\.addPeering"\s*\)'
    and filter_condition -> 'conditionThreshold' ->> 'filter' like '%metric.type="' || m.metric_descriptor_type || '"%'
  where
    enabled
  group by
    m.project, display_name, m.name
)
select
  'https://cloudresourcemanager.googleapis.com/v1/projects/' || project_id resource,
  case
    when d.metric_name > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when d.metric_name > 0
      then 'Log metric and alert exist for network changes.'
    else 'Log metric and alert do not exist for network changes.'
  end as reason,
  project_id as project
from
  gcp_project as p
  left join filter_data as d on d.project = p.name;
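The query above passes a project only when (a) a log metric's filter matches the control's regular expression and (b) an enabled alert policy has a condition whose conditionThreshold filter names that metric's descriptor type. The following Python is an added example, not code from the gcp_compliance mod or from Turbot; it re-implements those two predicates so you can see offline which metric filters and alert policies the control would accept. The regex is carried over from the query unchanged; the project names, metric descriptor type and policy condition JSON are constructed sample data, not real resources.

```python
import re

# The filter regex is the same one the control's SQL applies with `m.filter ~ '...'`,
# carried over verbatim into a Python raw string. Note that it requires the OR chain
# to be wrapped in parentheses after AND.
VPC_FILTER_RE = re.compile(
    r'\s*resource\.type\s*=\s*gce_network\s*AND\s*\(\s*'
    r'protoPayload\.methodName\s*=\s*"beta\.compute\.networks\.insert"\s*OR\s*'
    r'protoPayload\.methodName\s*=\s*"beta\.compute\.networks\.patch"\s*OR\s*'
    r'protoPayload\.methodName\s*=\s*"v1\.compute\.networks\.delete"\s*OR\s*'
    r'protoPayload\.methodName\s*=\s*"v1\.compute\.networks\.removePeering"\s*OR\s*'
    r'protoPayload\.methodName\s*=\s*"v1\.compute\.networks\.addPeering"\s*\)'
)


def metric_matches(filter_text: str) -> bool:
    """True when a log metric's filter is the VPC-network-change filter the control looks for."""
    return VPC_FILTER_RE.search(filter_text) is not None


def policy_covers_metric(policy: dict, metric_descriptor_type: str) -> bool:
    """Mirror of the SQL join: the policy must be enabled and at least one of its
    conditions must carry a conditionThreshold.filter that names this metric type."""
    if not policy["enabled"]:
        return False
    needle = f'metric.type="{metric_descriptor_type}"'
    return any(
        needle in cond.get("conditionThreshold", {}).get("filter", "")
        for cond in policy["conditions"]
    )


def evaluate(projects, metrics, policies) -> dict:
    """Return {project: 'ok' | 'alarm'}, the same verdict as the control's status column."""
    status = {}
    for project in projects:
        covered = any(
            m["project"] == project
            and metric_matches(m["filter"])
            and any(
                p["project"] == project and policy_covers_metric(p, m["metric_descriptor_type"])
                for p in policies
            )
            for m in metrics
        )
        status[project] = "ok" if covered else "alarm"
    return status


# --- Constructed sample data: hypothetical projects, metrics and policies, not real resources ---
GOOD_FILTER = (
    'resource.type=gce_network\n'
    'AND (protoPayload.methodName="beta.compute.networks.insert"\n'
    'OR protoPayload.methodName="beta.compute.networks.patch"\n'
    'OR protoPayload.methodName="v1.compute.networks.delete"\n'
    'OR protoPayload.methodName="v1.compute.networks.removePeering"\n'
    'OR protoPayload.methodName="v1.compute.networks.addPeering")'
)
# The same filter typed exactly as the console remediation text shows it, without parentheses.
UNPARENTHESIZED_FILTER = GOOD_FILTER.replace("AND (", "AND ").rstrip(")")

METRIC_TYPE = "logging.googleapis.com/user/vpc_network_changes"  # constructed descriptor type
SAMPLE_PROJECTS = ["proj-ok", "proj-no-parens", "proj-disabled-policy", "proj-no-metric"]
SAMPLE_METRICS = [
    {"project": "proj-ok", "filter": GOOD_FILTER, "metric_descriptor_type": METRIC_TYPE},
    {"project": "proj-no-parens", "filter": UNPARENTHESIZED_FILTER, "metric_descriptor_type": METRIC_TYPE},
    {"project": "proj-disabled-policy", "filter": GOOD_FILTER, "metric_descriptor_type": METRIC_TYPE},
]


def _policy(project: str, enabled: bool) -> dict:
    # Shape follows the conditions JSON the query walks with jsonb_array_elements (constructed).
    return {
        "project": project,
        "enabled": enabled,
        "conditions": [
            {"conditionThreshold": {"filter": f'metric.type="{METRIC_TYPE}" resource.type="global"'}}
        ],
    }


SAMPLE_POLICIES = [
    _policy("proj-ok", True),
    _policy("proj-no-parens", True),
    _policy("proj-disabled-policy", False),
]

if __name__ == "__main__":
    for project, state in evaluate(SAMPLE_PROJECTS, SAMPLE_METRICS, SAMPLE_POLICIES).items():
        print(f"{project}: {state}")
```

Two things the sample makes visible. First, the regex insists on parentheses around the OR chain (`AND\s*\(` ... `\)`), while the filter text in the console remediation steps has none; a metric created by pasting that text verbatim is therefore reported as alarm even though it fires on the same log entries, so wrap the OR chain in parentheses when you create the metric. Second, a correct metric whose alert policy is disabled also yields alarm, because the query filters on `enabled` before counting.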