Control: Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes
Description
It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) Network Firewall rule changes.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.logging_metric_alert_firewall_rule_changes
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_compliance.control.logging_metric_alert_firewall_rule_changes --share
SQL
This control uses a named query:
with filter_data as (
  select
    m.project as project,
    display_name alert_name,
    count(m.name) metric_name
  from
    gcp_monitoring_alert_policy,
    jsonb_array_elements(conditions) as filter_condition
    join gcp_logging_metric m on m.filter ~ '\s*resource\.type\s*=\s*"gce_firewall_rule"\s*AND\s*\(\s*protoPayload\.methodName\s*:\s*"compute\.firewalls\.patch"\s*OR\s*protoPayload\.methodName\s*:\s*"compute\.firewalls\.insert"\s*OR\s*protoPayload\.methodName\s*:\s*"compute\.firewalls\.delete"\s*\)'
    and filter_condition -> 'conditionThreshold' ->> 'filter' like '%metric.type="' || m.metric_descriptor_type || '"%'
  where
    enabled
  group by
    m.project,
    display_name,
    m.name
)
select
  'https://cloudresourcemanager.googleapis.com/v1/projects/' || project_id resource,
  case
    when d.metric_name > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when d.metric_name > 0 then 'Log metric and alert exist for network firewall rule changes.'
    else 'Log metric and alert do not exist for network firewall rule changes.'
  end as reason,
  project_id as project
from
  gcp_project as p
  left join filter_data as d on d.project = p.name;
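To make the query's logic concrete, the following is an added Python example (not part of the gcp_compliance mod) that re-implements the same two checks offline: a logging metric whose filter matches the regular expression from the query, and an enabled alert policy whose conditionThreshold filter references that metric's descriptor type. The sample rows are constructed to look like Steampipe's gcp_logging_metric and gcp_monitoring_alert_policy tables; the function names and project ids are mine. One deliberate difference: this version also requires the alert policy to live in the same project as the metric, which is stricter than the SQL above (the query joins policies to metrics by metric type only).

```python
import re

# The regular expression the control applies to gcp_logging_metric.filter
# (copied from the query); re.search is unanchored, like PostgreSQL's "~".
FIREWALL_FILTER_RE = re.compile(
    r'\s*resource\.type\s*=\s*"gce_firewall_rule"\s*AND\s*\(\s*'
    r'protoPayload\.methodName\s*:\s*"compute\.firewalls\.patch"\s*OR\s*'
    r'protoPayload\.methodName\s*:\s*"compute\.firewalls\.insert"\s*OR\s*'
    r'protoPayload\.methodName\s*:\s*"compute\.firewalls\.delete"\s*\)'
)

# A log filter that satisfies the regex, i.e. what a compliant metric looks like.
COMPLIANT_FILTER = (
    'resource.type="gce_firewall_rule" AND '
    '(protoPayload.methodName:"compute.firewalls.patch" OR '
    'protoPayload.methodName:"compute.firewalls.insert" OR '
    'protoPayload.methodName:"compute.firewalls.delete")'
)

# Constructed sample rows in the shape of the Steampipe tables the query reads.
LOGGING_METRICS = [
    {"project": "proj-a", "name": "firewall-rule-changes",
     "metric_descriptor_type": "logging.googleapis.com/user/firewall-rule-changes",
     "filter": COMPLIANT_FILTER},
    # proj-b: metric only covers deletes, so the regex does not match
    {"project": "proj-b", "name": "firewall-deletes",
     "metric_descriptor_type": "logging.googleapis.com/user/firewall-deletes",
     "filter": 'resource.type="gce_firewall_rule" AND '
               'protoPayload.methodName:"compute.firewalls.delete"'},
    # proj-c: compliant metric, but its alert policy is disabled (see below)
    {"project": "proj-c", "name": "firewall-rule-changes",
     "metric_descriptor_type": "logging.googleapis.com/user/firewall-rule-changes",
     "filter": COMPLIANT_FILTER},
]

ALERT_POLICIES = [
    {"project": "proj-a", "display_name": "Firewall rule changes", "enabled": True,
     "conditions": [{"conditionThreshold": {
         "filter": 'metric.type="logging.googleapis.com/user/firewall-rule-changes" '
                   'AND resource.type="global"'}}]},
    {"project": "proj-c", "display_name": "Firewall rule changes", "enabled": False,
     "conditions": [{"conditionThreshold": {
         "filter": 'metric.type="logging.googleapis.com/user/firewall-rule-changes" '
                   'AND resource.type="global"'}}]},
]

PROJECTS = ["proj-a", "proj-b", "proj-c", "proj-d"]  # proj-d has neither metric nor alert


def metric_tracks_firewall_changes(metric):
    """Equivalent of `m.filter ~ '<regex>'` in the query."""
    return FIREWALL_FILTER_RE.search(metric["filter"]) is not None


def policy_references_metric(policy, metric):
    """Equivalent of the LIKE '%metric.type="<descriptor type>"%' join condition,
    checked against every element of the policy's conditions array."""
    needle = 'metric.type="%s"' % metric["metric_descriptor_type"]
    return any(
        needle in cond.get("conditionThreshold", {}).get("filter", "")
        for cond in policy["conditions"]
    )


def evaluate(projects, metrics, policies):
    """Return {project: (status, reason)} mirroring the control's status/reason columns."""
    results = {}
    for project in projects:
        covered = any(
            metric_tracks_firewall_changes(m)
            and any(
                p["enabled"]
                and p["project"] == project  # stricter than the SQL: same-project alert only
                and policy_references_metric(p, m)
                for p in policies
            )
            for m in metrics
            if m["project"] == project
        )
        results[project] = (
            ("ok", "Log metric and alert exist for network firewall rule changes.")
            if covered
            else ("alarm", "Log metric and alert do not exist for network firewall rule changes.")
        )
    return results


if __name__ == "__main__":
    for project, (status, reason) in evaluate(PROJECTS, LOGGING_METRICS, ALERT_POLICIES).items():
        print(f"{project}: {status} - {reason}")
```

Running it reports proj-a as ok and the other three as alarm, which illustrates the three ways the control fails: a metric whose filter does not cover all three methods (proj-b), a correct metric with a disabled alert (proj-c), and no metric at all (proj-d).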