Enable VPC Flow Logs for VPC Subnets

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CloudVPC-003

Ensure that VPC Flow Logs is enabled for every subnet created within your production Virtual Private Cloud (VPC) network. Flow Logs is a logging feature that enables users to capture information about the IP traffic (accepted, rejected, or all traffic) going to and from the network interfaces (ENIs) available within your VPC subnets.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

By default, the VPC Flow Logs feature is disabled when a new VPC network subnet is created. Once enabled, VPC Flow Logs starts collecting network traffic data to and from your Virtual Private Cloud (VPC) subnets, logging data that is useful for understanding network usage, optimizing network traffic costs, network forensics, and real-time security analysis. To enhance Google Cloud VPC network visibility and security, it is strongly recommended to enable Flow Logs for every business-critical or production VPC subnet.


Audit

To determine if VPC Flow Logs is enabled for all your VPC network subnets, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to VPC Network dashboard at https://console.cloud.google.com/networking.

04 In the navigation panel, select VPC networks to access the list with the VPC networks created for the selected project.

05 On the VPC networks page, choose the VPC network that you want to examine, then check the Flow logs column to determine the Flow Logs feature status for each VPC subnet available. If one or more subnets have the Flow logs configuration status set to Off, the VPC Flow Logs feature is not enabled for every subnet within the selected Virtual Private Cloud (VPC) network.

06 Repeat step no. 5 for each VPC network created for the selected GCP project.

07 Repeat steps no. 2 – 6 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

PROJECT_ID
cc-project5-stack-123123
cc-nodejs-project-112233

03 Run compute networks list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom query filters to describe the name of each VPC network created inside the selected project:

gcloud compute networks list \
	--project cc-project5-stack-123123 \
	--format="table(name)"

04 The command output should return the name(s) of the VPC network(s) created for the selected GCP project:

NAME
cc-web-stack-network

05 Run compute networks subnets list command (Windows/macOS/Linux) using the name of the VPC network that you want to examine as identifier parameter and custom filtering to describe all the subnets created within the selected Virtual Private Cloud (VPC):

gcloud compute networks subnets list \
	--network=cc-web-stack-network \
	--format="table(name,region)"

06 The command output should return the name and the region of each VPC subnet available inside the selected network:

NAME                     REGION
cc-web-stack-network-01  us-central1
cc-web-stack-network-02  europe-west1
cc-web-stack-network-03  us-west1
cc-web-stack-network-04  asia-east1
cc-web-stack-network-05  us-east1
cc-web-stack-network-06  asia-southeast1
cc-web-stack-network-07  us-west2
cc-web-stack-network-08  us-east4
cc-web-stack-network-09  australia-southeast1

07 Run compute networks subnets describe command (Windows/macOS/Linux) using the name and the region of each VPC subnet that you want to examine as identifier parameters, to describe the VPC Flow Logs configuration status for the selected Virtual Private Cloud (VPC) subnet:

gcloud compute networks subnets describe cc-web-stack-network-01 \
	--region us-central1 \
	--format json | jq '.enableFlowLogs'

08 The command output should return the requested configuration status (true for enabled, false/null for disabled):

false

If the compute networks subnets describe command output returns null or false, as shown in the example above, the Flow Logs feature is not enabled for the selected VPC subnet.

09 Repeat step no. 7 and 8 to determine if VPC Flow Logs feature is enabled for every subnet available in the selected Virtual Private Cloud (VPC) network.

10 Repeat steps no. 5 – 9 for each VPC network created inside the selected project.

11 Repeat steps no. 3 – 10 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To enable the VPC Flow Logs feature for every subnet available within your production Virtual Private Cloud (VPC) network, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to VPC Network dashboard at https://console.cloud.google.com/networking.

04 In the navigation panel, select VPC networks to access the list with the VPC networks available within the selected project.

05 On the VPC networks page, under the name of the VPC network that you want to access, click on the name (link) of the VPC subnet that you want to reconfigure, available in the Subnets column.

06 On the selected VPC subnet information page, click the EDIT button from the dashboard top menu to enter into the subnet edit mode.

07 Select On under Flow logs, then click SAVE to apply the configuration changes and enable the VPC Flow Logs feature for the selected VPC network subnet. Once enabled, VPC Flow Logs collects data from all the VM instances deployed within the subnet.

08 Repeat steps no. 5 – 7 to enable the feature for every subnet available inside the selected Virtual Private Cloud (VPC) network.

09 Repeat steps no. 5 – 8 for each VPC network created for the selected GCP project.

10 Repeat steps no. 2 – 9 for each GCP project available within your Google Cloud account.

Using GCP CLI

01 Run compute networks subnets update command (Windows/macOS/Linux) using the name and the region of the VPC subnet that you want to reconfigure as identifier parameters, to enable the VPC Flow Logs feature for the selected subnet. The following compute networks subnets update request example enables VPC Flow Logs for a subnet named "cc-web-stack-network-01", available in the "us-central1" (Iowa, US) region. Once enabled, VPC Flow Logs collects data from all the VM instances deployed in the selected subnet:

gcloud compute networks subnets update cc-web-stack-network-01 \
	--region us-central1 \
	--enable-flow-logs

02 The command output should return the ID of the reconfigured VPC network subnet:

Updated [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/regions/us-central1/subnetworks/cc-web-stack-network].

03 Repeat step no. 1 and 2 to enable the VPC Flow Logs feature for every subnet available inside the selected Virtual Private Cloud (VPC) network.

04 Repeat steps no. 1 – 3 for each VPC network created for the selected project.

05 Repeat steps no. 1 – 4 for each GCP project deployed in your Google Cloud account.
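The Audit and Remediation CLI procedures above loop by hand over projects, networks and subnets. The script below automates both in one pass; it is an added example, not Conformity's own tooling, and it assumes an authenticated gcloud CLI (the gcloud calls are made only from main, so the checks can be exercised offline on the constructed sample). It relies on the same enableFlowLogs field the describe step reads, treating both false and an absent field (null) as disabled.

```python
"""Audit, and optionally remediate, VPC Flow Logs on every subnet of every project.
Added example, not Conformity's code. Assumes an authenticated gcloud CLI; gcloud
is only invoked from main(), the checks are pure functions over the JSON output."""
import json
import subprocess
import sys

def run_gcloud(args: list[str]) -> list[dict]:
    """Run a gcloud command with --format=json and return the parsed result."""
    proc = subprocess.run(["gcloud", *args, "--format=json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)

def flow_logs_enabled(subnet: dict) -> bool:
    """Only an explicit true counts: false and a missing key (null in describe) mean disabled."""
    return subnet.get("enableFlowLogs") is True

def find_noncompliant(subnets: list[dict]) -> list[tuple[str, str, str]]:
    """Sorted (network, region, subnet) triples for subnets without Flow Logs; URLs are shortened."""
    return sorted((s["network"].rsplit("/", 1)[-1], s["region"].rsplit("/", 1)[-1], s["name"])
                  for s in subnets if not flow_logs_enabled(s))

def audit_project(project_id: str) -> list[tuple[str, str, str]]:
    # One list call per project covers all networks and regions, replacing the per-subnet describe.
    return find_noncompliant(run_gcloud(["compute", "networks", "subnets", "list",
                                         "--project", project_id]))

def enable_flow_logs(project_id: str, region: str, subnet: str) -> None:
    """Remediation step: the page's subnets update command, scoped to a project."""
    subprocess.run(["gcloud", "compute", "networks", "subnets", "update", subnet, "--project",
                    project_id, "--region", region, "--enable-flow-logs"], check=True)

BASE = "https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123"
NET = f"{BASE}/global/networks/cc-web-stack-network"
SAMPLE_SUBNETS = [  # constructed, in the shape of `gcloud compute networks subnets list --format=json`
    {"name": "cc-web-stack-network-01", "region": f"{BASE}/regions/us-central1", "network": NET, "enableFlowLogs": False},
    {"name": "cc-web-stack-network-02", "region": f"{BASE}/regions/europe-west1", "network": NET, "enableFlowLogs": True},
    {"name": "cc-web-stack-network-03", "region": f"{BASE}/regions/us-west1", "network": NET},  # absent: null in describe
]

if __name__ == "__main__":
    fix = "--fix" in sys.argv  # audit only unless --fix is passed
    for project in run_gcloud(["projects", "list"]):
        for network, region, name in audit_project(project["projectId"]):
            print(f"{project['projectId']}\t{network}\t{region}\t{name}\tFlow Logs OFF")
            if fix:
                enable_flow_logs(project["projectId"], region, name)
```

Run it without arguments to get a tab-separated list of non-compliant subnets across every project the account can see; add --fix to apply the update command to each one.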

Publication date Mar 12, 2020