Control: 3.8 Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network
Description
Flow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in the organization's VPC Subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging. It is recommended that Flow Logs be enabled for every business-critical VPC subnet.
VPC networks and subnetworks not reserved for internal HTTP(S) load balancing provide logically isolated and secure network partitions where GCP resources can be launched. When Flow Logs are enabled for a subnet, VMs within that subnet start reporting on all Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) flows. Each VM samples the TCP and UDP flows it sees, inbound and outbound, whether the flow is to or from another VM, a host in the on-premises datacenter, a Google service, or a host on the Internet. If two GCP VMs are communicating, and both are in subnets that have VPC Flow Logs enabled, both VMs report the flows.
Flow Logs supports the following use cases:
- Network monitoring
- Understanding network usage and optimizing network traffic expenses
- Network forensics
- Real-time security analysis

Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or provide insight during security workflows.
The Flow Logs must be configured such that all network traffic is logged, the logging interval is granular enough to provide detailed information on the connections, no logs are filtered, and metadata to facilitate investigations is included.
Note: Subnets reserved for use by internal HTTP(S) load balancers do not support VPC flow logs.
Remediation
From Console
- Go to the VPC network page in the GCP Console: https://console.cloud.google.com/networking/networks/list
- Click the name of a subnet. The Subnet details page displays.
- Click the EDIT button.
- Set Flow Logs to On.
- Expand the Configure Logs section.
- Set Aggregation Interval to 5 SEC.
- Check the box beside Include metadata.
- Set Sample rate to 100.
- Click Save.

Note: It is not possible to configure a Log filter from the console.
From Command Line
To enable VPC Flow Logs for a network subnet, run the following command:

```sh
gcloud compute networks subnets update [SUBNET_NAME] --region [REGION] --enable-flow-logs --logging-aggregation-interval=interval-5-sec --logging-flow-sampling=1 --logging-metadata=include-all
```
Default Value
By default, Flow Logs is set to Off when a new VPC network subnet is created.
Usage
Run the control in your terminal:

```sh
powerpipe control run gcp_compliance.control.cis_v200_3_8
```

Snapshot and share results via Turbot Pipes:

```sh
powerpipe login
powerpipe control run gcp_compliance.control.cis_v200_3_8 --share
```

SQL
This control uses a named query:

```sql
select
  self_link resource,
  case
    when enable_flow_logs then 'ok'
    else 'alarm'
  end as status,
  case
    when enable_flow_logs
      then title || ' flow logging enabled.'
    else title || ' flow logging disabled.'
  end as reason,
  location as location,
  project as project
from
  gcp_compute_subnetwork;
```
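The named query above only tests whether flow logging is switched on, while the Description also requires the 5 second interval, 100% sampling, full metadata and no filter. The following is an added example, not part of the gcp_compliance mod, that evaluates all of those settings on a subnetwork resource as returned by the Compute API (for instance `gcloud compute networks subnets describe SUBNET --format=json`); the field names assumed are those of the Compute API SubnetworkLogConfig (enable, aggregationInterval, flowSampling, metadata, filterExpr), and the sample subnets are constructed.

```python
# Added example: assess one subnetwork dict against the CIS 3.8 settings.
# Field names follow the Compute API Subnetwork/SubnetworkLogConfig schema.

REQUIRED_INTERVAL = "INTERVAL_5_SEC"        # Aggregation Interval: 5 SEC
REQUIRED_SAMPLING = 1.0                     # Sample rate: 100
REQUIRED_METADATA = "INCLUDE_ALL_METADATA"  # Include metadata

def assess_subnet(subnet: dict) -> tuple[str, list[str]]:
    """Return (status, findings): status is 'ok', 'alarm' or 'skip'."""
    # Subnets reserved for internal HTTP(S) load balancing cannot log flows.
    if subnet.get("purpose") == "INTERNAL_HTTPS_LOAD_BALANCER":
        return "skip", ["reserved for internal HTTP(S) load balancing"]
    log_config = subnet.get("logConfig") or {}
    # logConfig.enable is authoritative; fall back to the older top-level flag.
    enabled = log_config.get("enable", subnet.get("enableFlowLogs", False))
    if not enabled:
        return "alarm", ["flow logging disabled"]
    findings = []
    interval = log_config.get("aggregationInterval", "unset")
    if interval != REQUIRED_INTERVAL:
        findings.append(f"aggregation interval is {interval}, want {REQUIRED_INTERVAL}")
    # A missing flowSampling is treated as non-compliant rather than assuming
    # the API default, so the check never passes on an unverified value.
    sampling = float(log_config.get("flowSampling", 0.0))
    if sampling < REQUIRED_SAMPLING:
        findings.append(f"sample rate is {sampling:.0%}, want 100%")
    metadata = log_config.get("metadata", "unset")
    if metadata != REQUIRED_METADATA:
        findings.append(f"metadata is {metadata}, want {REQUIRED_METADATA}")
    if log_config.get("filterExpr"):
        findings.append("a log filter is set, so some flows are not logged")
    return ("alarm" if findings else "ok"), findings

# Constructed sample subnets: compliant, enabled with partial sampling,
# disabled, and a load-balancer subnet the control does not cover.
COMPLIANT = {"name": "app-subnet", "logConfig": {"enable": True,
    "aggregationInterval": "INTERVAL_5_SEC", "flowSampling": 1.0,
    "metadata": "INCLUDE_ALL_METADATA"}}
SAMPLED = {"name": "data-subnet", "logConfig": {"enable": True,
    "aggregationInterval": "INTERVAL_5_SEC", "flowSampling": 0.5,
    "metadata": "INCLUDE_ALL_METADATA"}}
DISABLED = {"name": "legacy-subnet", "enableFlowLogs": False}
LB_SUBNET = {"name": "ilb-subnet", "purpose": "INTERNAL_HTTPS_LOAD_BALANCER"}

if __name__ == "__main__":
    for subnet in (COMPLIANT, SAMPLED, DISABLED, LB_SUBNET):
        status, findings = assess_subnet(subnet)
        print(f"{subnet['name']}: {status} {'; '.join(findings)}")
```

A subnet enabled through the console or gcloud without the extra flags typically comes back with sampling below 1.0, which this check reports as an alarm even though the page's named query would report it as ok.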