Trend Cloud One™ – Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected configuration changes made at the Compute Engine service level, in your GCP account.
Compute Engine is a secure, scalable, and customizable compute service that enables you to deploy and run single virtual machines or large compute clusters on Google Cloud Platform (GCP) infrastructure.
Similar to other Google Cloud services, Compute Engine writes audit logs that can help you find who used the service to create and configure compute resources, where and when. As a security best practice, you need to be aware of all configuration changes made at the Google Cloud Compute Engine level, changes such as launching virtual machine (VM) instances, adding VM instances to instance groups, or setting access policies to VM instances.
Trend Cloud One™ – Conformity RTMA uses the audit information collected by Google Cloud to process and send notifications about the configuration changes made at the Compute Engine service level.
The activity detected by the Conformity RTMA feature could be, for example, a user action initiated through the Google Cloud Console or an API request initiated programmatically using the gcloud CLI, that triggers any of the following operations:
- "instances.insert" - Creates a VM instance in the specified GCP project using the data included in the request.
- "instanceGroups.addInstances" - Adds a list of VM instances to the specified Compute Engine instance group.
- "instances.setIamPolicy" - Applies an access control policy to the specified compute resource. This operation replaces any existing policy associated with the resource.
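The three operations above appear in the Compute Engine Admin Activity audit logs as `protoPayload.methodName` values carrying an API-version prefix (for example `v1.compute.instances.insert` or `beta.compute.instances.setIamPolicy`). The following Python detector is an added example, not Conformity's or Google's code: it reads audit log entries in the JSON form Cloud Logging exports, flags exactly the three operations this rule monitors, and extracts the who/what/where fields an analyst needs to triage the alert. The log entries, project name, principals and IP address are constructed sample data; the `cloud_logging_filter()` string assumes the Cloud Logging query syntax for a regex match on `methodName` and is meant for `gcloud logging read` or a log-based alert.

```python
import json

# The Compute Engine operations this rule monitors, mapped to a human-readable description.
WATCHED_METHODS = {
    "instances.insert": "VM instance created",
    "instanceGroups.addInstances": "VM instances added to instance group",
    "instances.setIamPolicy": "Access policy applied to compute resource (replaces existing policy)",
}


def matched_operation(method_name):
    """Return the watched operation name if the audit-log methodName is one of them, else None.

    Audit logs prefix the method with the API version and service, e.g.
    "v1.compute.instances.insert" or "beta.compute.instances.setIamPolicy",
    so we match on the "compute.<operation>" suffix rather than the full string.
    """
    for op in WATCHED_METHODS:
        if method_name.endswith("compute." + op):
            return op
    return None


def analyze_entry(entry):
    """Turn one parsed Cloud Audit Log entry into an alert dict, or None if it is not watched."""
    payload = entry.get("protoPayload", {})  # absent on non-audit entries (e.g. textPayload logs)
    op = matched_operation(payload.get("methodName", ""))
    if op is None:
        return None
    return {
        "operation": op,
        "description": WATCHED_METHODS[op],
        "principal": payload.get("authenticationInfo", {}).get("principalEmail", "unknown"),
        "resource": payload.get("resourceName", "unknown"),
        "caller_ip": payload.get("requestMetadata", {}).get("callerIp", "unknown"),
        "timestamp": entry.get("timestamp", "unknown"),
    }


def analyze_log(lines):
    """Parse newline-delimited JSON audit log entries and return the alerts in log order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = analyze_entry(json.loads(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


def cloud_logging_filter():
    """Equivalent Cloud Logging filter (assumed query syntax) for the same three operations."""
    return (
        'logName:"cloudaudit.googleapis.com%2Factivity" AND '
        'protoPayload.methodName=~"compute\\.(instances\\.insert|'
        'instanceGroups\\.addInstances|instances\\.setIamPolicy)$"'
    )


# Constructed sample entries: project, principals, addresses and timestamps are made up.
_ACTIVITY_LOG = "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity"
SAMPLE_LOG_LINES = [json.dumps(e) for e in [
    {"logName": _ACTIVITY_LOG, "timestamp": "2024-01-15T10:00:00Z",
     "protoPayload": {"methodName": "v1.compute.instances.insert",
                      "authenticationInfo": {"principalEmail": "dev-user@example.com"},
                      "requestMetadata": {"callerIp": "203.0.113.10"},
                      "resourceName": "projects/example-project/zones/us-central1-a/instances/web-1"}},
    {"logName": _ACTIVITY_LOG, "timestamp": "2024-01-15T10:01:00Z",
     "protoPayload": {"methodName": "v1.compute.instances.list",  # read-only, not watched
                      "authenticationInfo": {"principalEmail": "dev-user@example.com"}}},
    {"logName": _ACTIVITY_LOG, "timestamp": "2024-01-15T10:02:00Z",
     "protoPayload": {"methodName": "v1.compute.instanceGroups.addInstances",
                      "authenticationInfo": {"principalEmail": "ops-sa@example-project.iam.gserviceaccount.com"},
                      "resourceName": "projects/example-project/zones/us-central1-a/instanceGroups/web-group"}},
    {"logName": _ACTIVITY_LOG, "timestamp": "2024-01-15T10:03:00Z",
     "protoPayload": {"methodName": "beta.compute.instances.setIamPolicy",
                      "authenticationInfo": {"principalEmail": "admin@example.com"},
                      "resourceName": "projects/example-project/zones/us-central1-a/instances/web-1"}},
    {"textPayload": "startup-script: done", "resource": {"type": "gce_instance"}},  # no protoPayload
]]


if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_LOG_LINES):
        print(f"{alert['timestamp']} {alert['principal']} -> {alert['operation']} on {alert['resource']}")
```

Run against the constructed sample, the detector reports three alerts (the `instances.list` call and the startup-script line are ignored). The suffix match is deliberate: Google emits the same operation under `v1`, `beta` and `alpha` API prefixes, and a detector that only matches `v1.compute.instances.insert` would miss a VM created through the beta API.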
To follow cloud security best practices and implement the Principle of Least Privilege (POLP), i.e. the practice of granting every user, process, and system only the minimal access required to perform its tasks, Trend Cloud One™ – Conformity strongly recommends that you avoid, as far as possible, granting your GCP users (other than administrators or authorized personnel) the permission to perform Compute Engine configuration changes within your GCP account.
The communication channels for sending RTMA notifications can be quickly configured in your Conformity account. The supported communication channels that you can use to receive notification alerts for Compute Engine configuration changes are SMS, Email, Slack, PagerDuty, ServiceNow, and Zendesk.
This rule resolution is part of the Conformity solution.
The detailed visibility that you gain into your cloud environment activity using monitoring is a key aspect of security and operational best practices. Using Trend Cloud One™ – Conformity Real-Time Threat Monitoring and Analysis (RTMA) to detect configuration changes made at the Compute Engine level can help you prevent accidental or intentional changes that may lead to security breaches, unauthorized access to other cloud resources and services through lateral movement, or unexpected charges on your GCP bill. Conformity RTMA helps you ensure that your Compute Engine configuration changes are investigated and that any unwanted changes can be rolled back in a timely manner.
References
- Google Cloud Platform (GCP) Documentation
- Compute Engine
- Compute Engine documentation
- Compute Engine audit logging information
- Method: instances.insert
- Method: instanceGroups.addInstances
- Method: instances.setIamPolicy