Skip Default VPC Network Creation

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the "Skip Default Network Creation" constraint policy is enforced for your Google Cloud Platform (GCP) organizations in order to follow security best practices and meet networking requirements. Once enforced, this constraint skips the creation of the default Virtual Private Cloud (VPC) network and its related resources during Google Cloud project creation.

Security

By default, a default network and supporting resources are automatically created when you launch a new Google Cloud project. A default Virtual Private Cloud (VPC) is designed so that you can quickly deploy cloud resources without having to think about the underlying network. The default VPC comes with a predefined network configuration that automatically generates a set of over-permissive, insecure firewall rules that are not covered by audit logging. A default VPC might be suitable for getting started quickly with your GCP project; however, when you deploy complex production applications that use multi-tier architectures, you may need to keep parts of your network private or to customize the network model yourself. It is therefore strongly recommended to enforce the use of non-default VPC networks.

Audit

To determine if the creation of the default VPC network is disabled for your GCP organizations, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console with the organizational unit credentials.

02 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to examine.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Organization Policies to access the list with the cloud policies available for your GCP organization.

05 Click inside the Filter by policy name or ID filter box, select Name and Skip default network creation to return the "Skip Default Network Creation" policy.

06 Click on the name of the organization policy returned at the previous step.

07 On the Policy details page, under Effective policy, check the Enforcement configuration attribute status. If the Enforcement attribute status is set to Not enforced, the "Skip Default Network Creation" constraint policy is not enforced within the selected Google Cloud organization.

08 Repeat steps no. 2 – 7 for each organization available in your Google Cloud account.

Using GCP CLI

01 Run organizations list command (Windows/macOS/Linux) using a custom output format to list the ID of each organization available within your Google Cloud account:

gcloud organizations list \
    --format="table(name.basename():label=ID)"

02 The command output should return the requested organization identifiers (IDs):

ID
112233441122
123412341234

03 Run resource-manager org-policies describe command (Windows/macOS/Linux) using the ID of the GCP organization that you want to examine as the identifier parameter, to describe the effective enforcement configuration of the "Skip Default Network Creation" constraint policy for the selected organization:

gcloud alpha resource-manager org-policies describe \
    "compute.skipDefaultNetworkCreation" \
    --effective \
    --organization=112233441122 \
    --format="table(booleanPolicy)"

04 The command request should return the requested configuration information:

BOOLEAN_POLICY
{}

If the resource-manager org-policies describe command output returns an empty object ({}) for the BOOLEAN_POLICY configuration attribute, as shown in the example above, the "Skip Default Network Creation" constraint policy is not enforced for the selected Google Cloud organization. An enforced policy returns {'enforced': True} instead.

05 Repeat step no. 3 and 4 for each organization created within your Google Cloud account.

Remediation / Resolution

To ensure that a default VPC network is not automatically deployed for each new Google Cloud project within your organization, enable the "Skip Default Network Creation" constraint policy by performing the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console with the organizational unit credentials.

02 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to reconfigure.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Organization Policies to access the list with the cloud organization policies available for your organization.

05 Click inside the Filter by policy name or ID box, select Name and Skip default network creation to list only the "Skip Default Network Creation" policy.

06 Click on the name of the organization policy listed at the previous step.

07 On the Policy details page, click on the EDIT button from the dashboard top menu to edit the selected policy.

08 On the Edit policy configuration page, perform the following operations:

  1. Under Applies to, select Customize to choose the type of the policy to apply (i.e. customized policy).
  2. Under Enforcement, select On to enforce the "compute.skipDefaultNetworkCreation" constraint. This constraint skips the creation of the default VPC network (and supporting resources) when a new Google Cloud project is created within the selected organization.
  3. Click SAVE to apply the changes and enforce the "Skip Default Network Creation" policy.

09 If required, repeat steps no. 2 – 8 to enable the policy for other organizations available in your Google Cloud account.

Using GCP CLI

01 Run resource-manager org-policies enable-enforce command (Windows/macOS/Linux) using the ID of the Google Cloud Platform (GCP) organization that you want to reconfigure as the identifier parameter, to enforce the "Skip Default Network Creation" policy (i.e. the "compute.skipDefaultNetworkCreation" constraint) for the selected organization:

gcloud alpha resource-manager org-policies enable-enforce \
    "compute.skipDefaultNetworkCreation" \
    --organization=112233441122

02 The command request should return the reconfigured organization policy metadata:

booleanPolicy:
  enforced: true
constraint: constraints/compute.skipDefaultNetworkCreation
etag: abcdabcdabcd
updateTime: '2020-09-02T16:00:00.000Z'

03 If required, repeat step no. 1 and 2 to enforce the policy for other organizations created within your Google Cloud account.
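The CLI audit (Audit, steps 01 to 05) and the CLI remediation (Remediation / Resolution, steps 01 to 03) both end with "repeat for each organization". The script below, added here as an example and not part of the Conformity page or of Google's own tooling, does that repetition in one pass: it lists every organization the active gcloud account can see, reads the effective policy as JSON, reports ENFORCED or NOT_ENFORCED per organization, and, only when REMEDIATE=1, runs enable-enforce for the non-compliant ones. It assumes gcloud is installed and authenticated; the RUN_AUDIT and REMEDIATE switches, the policy_enforced helper and the two sample JSON strings are the example's own (the samples are constructed, not captured from a real organization).

```shell
#!/bin/sh
# Added example, not the Conformity page's own code: audits the
# "Skip Default Network Creation" constraint across every organization the
# active gcloud account can list, and optionally enforces it where missing.
# Assumes gcloud is installed and authenticated. RUN_AUDIT and REMEDIATE are
# this example's own environment switches.
set -eu

CONSTRAINT="compute.skipDefaultNetworkCreation"

# Constructed sample output (not captured from a real organization), in the
# shape produced by `... org-policies describe --effective --format=json`,
# so that policy_enforced can be exercised without calling gcloud.
SAMPLE_NOT_ENFORCED='{"booleanPolicy": {}, "constraint": "constraints/compute.skipDefaultNetworkCreation"}'
SAMPLE_ENFORCED='{"booleanPolicy": {"enforced": true}, "constraint": "constraints/compute.skipDefaultNetworkCreation"}'

# policy_enforced JSON
# Returns 0 when the effective-policy JSON carries booleanPolicy.enforced ==
# true, and 1 otherwise. An empty booleanPolicy ({}) or a missing key means
# the constraint is not enforced, which is the finding the Audit section
# describes. Whitespace is stripped first so gcloud's pretty-printing does
# not affect the match.
policy_enforced() {
  compact="$(printf '%s' "$1" | tr -d ' \n\t\r')"
  case "$compact" in
    *'"booleanPolicy":{"enforced":true'*) return 0 ;;
    *) return 1 ;;
  esac
}

# audit_org ORG_ID
# Prints "<ORG_ID> ENFORCED" or "<ORG_ID> NOT_ENFORCED" and, when
# REMEDIATE=1, enables enforcement for a non-compliant organization.
audit_org() {
  org="$1"
  effective="$(gcloud alpha resource-manager org-policies describe "$CONSTRAINT" \
      --effective --organization="$org" --format=json)"
  if policy_enforced "$effective"; then
    echo "$org ENFORCED"
    return 0
  fi
  echo "$org NOT_ENFORCED"
  if [ "${REMEDIATE:-0}" = "1" ]; then
    gcloud alpha resource-manager org-policies enable-enforce "$CONSTRAINT" \
        --organization="$org"
  fi
}

# audit_all_orgs
# Iterates over the bare numeric IDs returned by `gcloud organizations list`
# (value(name.basename()) turns "organizations/112233441122" into
# "112233441122").
audit_all_orgs() {
  for org in $(gcloud organizations list --format="value(name.basename())"); do
    audit_org "$org"
  done
}

# Run the audit only when explicitly asked, so the file can also be sourced
# and policy_enforced checked against the samples above without gcloud:
#   RUN_AUDIT=1 sh audit_skip_default_network.sh
#   RUN_AUDIT=1 REMEDIATE=1 sh audit_skip_default_network.sh
if [ "${RUN_AUDIT:-0}" = "1" ]; then
  audit_all_orgs
fi
```

Requesting the effective policy as JSON rather than the table shown in the Audit section gives a stable string to match on; the check is deliberately strict, so an output with no booleanPolicy at all is also reported as NOT_ENFORCED rather than silently passing.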

Publication date May 10, 2021