turbot/steampipe-mod-gcp-compliance

Control: Ensure that Cloud DNS logging is enabled for all VPC networks

Description

Cloud DNS logging records the queries from the name servers within your VPC to Stackdriver. Logged queries can come from Compute Engine VMs, GKE containers, or other GCP resources provisioned within the VPC.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.compute_network_dns_logging_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.compute_network_dns_logging_enabled --share

SQL

This control uses a named query:

with associated_networks as (
  select
    split_part(network ->> 'networkUrl', 'networks/', 2) network_name,
    enable_logging
  from
    gcp_dns_policy,
    jsonb_array_elements(networks) network
)
select
  net.self_link resource,
  case
    when p.network_name is null then 'alarm'
    when not p.enable_logging then 'alarm'
    else 'ok'
  end as status,
  case
    when p.network_name is null then net.title || ' not associated with DNS policy.'
    when not p.enable_logging then net.title || ' associated with DNS policy with logging disabled.'
    else net.title || ' associated with DNS policy with logging enabled.'
  end as reason,
  project as project
from
  gcp_compute_network net
  left join associated_networks p on net.name = p.network_name;
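The same evaluation written in Python over constructed rows, as an added example that is not part of the steampipe-mod-gcp-compliance repository: it mirrors the CTE (unnesting each policy's networks into name/logging pairs) and the left join (one result row per VPC network, including networks with no policy at all), so the three status outcomes can be read and checked without a GCP connection. Project and network names are invented sample values.

```python
"""Added example, not code from steampipe-mod-gcp-compliance: re-implements the
control's evaluation in Python over constructed rows so the status logic can be
read and unit-tested without a GCP connection."""
from typing import Dict, List

# Constructed rows shaped like the gcp_dns_policy and gcp_compute_network tables.
DNS_POLICIES: List[dict] = [
    {"enable_logging": True, "networks": [
        {"networkUrl": "https://www.googleapis.com/compute/v1/projects/demo-project/global/networks/prod-vpc"}]},
    {"enable_logging": False, "networks": [
        {"networkUrl": "https://www.googleapis.com/compute/v1/projects/demo-project/global/networks/dev-vpc"}]},
]
NETWORKS: List[dict] = [
    {"name": n, "title": n, "project": "demo-project",
     "self_link": f"https://www.googleapis.com/compute/v1/projects/demo-project/global/networks/{n}"}
    for n in ("prod-vpc", "dev-vpc", "default")  # "default" has no DNS policy
]


def network_name_from_url(url: str) -> str:
    """Equivalent of split_part(url, 'networks/', 2): the text after the first
    'networks/'; empty when the delimiter is absent, as in PostgreSQL."""
    parts = url.split("networks/")
    return parts[1] if len(parts) > 1 else ""


def associated_networks(policies: List[dict]) -> Dict[str, bool]:
    """The CTE: one network_name -> enable_logging entry per policy network."""
    return {network_name_from_url(net["networkUrl"]): bool(policy["enable_logging"])
            for policy in policies for net in policy.get("networks", [])}


def evaluate(networks: List[dict], policies: List[dict]) -> List[dict]:
    """The left join: every VPC network gets a row, with or without a policy."""
    assoc = associated_networks(policies)
    rows = []
    for net in networks:
        logging = assoc.get(net["name"])  # None when no policy covers the network
        if logging is None:
            status, reason = "alarm", f"{net['title']} not associated with DNS policy."
        elif not logging:
            status, reason = "alarm", f"{net['title']} associated with DNS policy with logging disabled."
        else:
            status, reason = "ok", f"{net['title']} associated with DNS policy with logging enabled."
        rows.append({"resource": net["self_link"], "status": status,
                     "reason": reason, "project": net["project"]})
    return rows


if __name__ == "__main__":
    for row in evaluate(NETWORKS, DNS_POLICIES):
        print(row["status"], row["reason"])
```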

Tags