
Restrict VPC Peering Usage

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the VPC networks that are allowed to be peered with the networks created for your project, folder, or organization, are defined using the "Restrict VPC Peering Usage" constraint policy. This constraint helps you achieve regulatory compliance by explicitly defining the resource name of each Virtual Private Cloud (VPC) network allowed for VPC peering, i.e. projects/<project-id>/global/networks/<vpc-network-name>. You can also define the list of allowed networks using the following format: under:organizations/<organization-id>, under:folders/<folder-id>, under:projects/<project-id>. The list of allowed networks must be configured in the conformity rule settings, on the Trend Cloud One™ – Conformity account console.

Security

VPC Network Peering provides private connectivity between two Virtual Private Cloud (VPC) networks, whether or not they belong to the same Google Cloud project, folder, or organization, so that workloads in the two networks can communicate over internal (RFC 1918) addresses without traversing the public internet. By default, anyone with the required Compute Engine permissions on your VPC network can peer it with any other VPC network, in any project or organization (the peering becomes active once both sides have configured it). This poses a major security risk if the process is not managed correctly (e.g. when peering development and production networks) or if someone peers your VPC network with a network controlled by a malicious party. With the "Restrict VPC Peering Usage" constraint policy you define explicitly which VPC networks may be peered with the networks in your project, folder, or organization, in order to enhance access security and comply with internal regulations. Like other organization policy constraints, it is evaluated when a peering is created; peerings that already exist are not removed when the policy is set, so review existing peerings separately.

Note: To avoid breaking existing cloud infrastructure, test this constraint policy on non-production projects and folders within your organization first. For example, when not configured properly, this constraint can prevent the creation of a GKE private cluster, because the cluster's control plane is reached through a VPC peering with the Google-managed VPC network that hosts the GKE master, and that peering must be allowed by the policy if no such peering connection already exists.


Audit

To determine if VPC peering restriction is enabled within your GCP organizations, perform the following actions:

Using GCP Console

01 Sign in to the Google Cloud Console with credentials that have organization-level permissions (e.g. the Organization Policy Viewer role).

02 Click on the project selector from the top navigation bar, select ALL to list all the available resources, then choose the Google Cloud organization that you want to examine.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Organization Policies to access the complete list of the cloud organization policies available for your GCP organization.

05 Click inside the Filter by policy name or ID filter box, select Name and type Restrict VPC peering usage (or select ID and type compute.restrictVpcPeering) to return the "Restrict VPC Peering Usage" policy.

06 Click on the name of the GCP organization policy returned at the previous step.

07 On the Policy details page, under Effective policy, check the Allowed configuration attribute value. If the Allowed attribute value is set to All, the "Restrict VPC Peering Usage" policy constraints are not enforced within the organization, therefore the VPC network peering restriction is not enabled for your Google Cloud organization.

08 Repeat steps no. 2 – 7 for each organization available in your Google Cloud account.

Using GCP CLI

01 Run organizations list command (Windows/macOS/Linux) with a custom output format to list the resource name of each organization available within your Google Cloud account:

gcloud organizations list \
    --format="value(name)"

02 The command output should return the requested organization resource names. The numeric organization ID used in the following steps is the part after organizations/:

organizations/112233441122
organizations/123412341234

03 Run resource-manager org-policies describe command (Windows/macOS/Linux) using the ID of the GCP organization that you want to examine as the identifier parameter, to describe the effective configuration of the "Restrict VPC Peering Usage" policy (constraint ID compute.restrictVpcPeering) for the selected GCP organization:

gcloud resource-manager org-policies describe "compute.restrictVpcPeering" \
    --effective \
    --organization=112233441122 \
    --format="value(listPolicy.allValues)"

04 The command request should return the requested configuration information:

ALLOW

If the resource-manager org-policies describe command output returns ALLOW, as shown in the example above, the "Restrict VPC Peering Usage" policy constraints are not enforced within the organization, therefore the VPC peering restriction is not enabled for your Google Cloud organization. An empty output means that allValues is not set, i.e. an explicit list of allowed (or denied) networks is in force; re-run the command with --format=yaml to see the listPolicy.allowedValues entries and confirm that they match the list of allowed networks configured in the conformity rule settings.

05 Repeat step no. 3 and 4 for each organization created in your Google Cloud account.
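The audit above reads one field per organization. The following shell script is an added example (not part of the Conformity page or of Google's tooling) that wraps the same two gcloud commands in a loop and classifies the full effective-policy YAML instead, so that a DENY-all policy, an explicit allowed list and an unrestricted default are told apart. It assumes an authenticated gcloud for the live run only; the classifier works on the YAML text and is exercised here on constructed sample documents.

```shell
#!/bin/sh
# Added example (not Conformity's or Google's code): classify the effective
# "Restrict VPC Peering Usage" policy for every organization.
# Only the live run (--live) needs an installed, authenticated gcloud; the
# classifier consumes the YAML that `gcloud ... describe --effective --format=yaml`
# prints and can be exercised offline on the constructed samples below.

# Read an effective org-policy document (YAML) on stdin and print one of:
#   NOT_ENFORCED  listPolicy.allValues is ALLOW (any network may be peered)
#   DENY_ALL      listPolicy.allValues is DENY (no peering permitted at all)
#   ENFORCED      an explicit allowedValues list is in force
#   UNKNOWN       anything else (e.g. a deniedValues-only policy); inspect by hand
classify_effective_policy() {
  doc=$(cat)
  if printf '%s\n' "$doc" | grep -Eq '^[[:space:]]*allValues:[[:space:]]*ALLOW[[:space:]]*$'; then
    echo NOT_ENFORCED
  elif printf '%s\n' "$doc" | grep -Eq '^[[:space:]]*allValues:[[:space:]]*DENY[[:space:]]*$'; then
    echo DENY_ALL
  elif printf '%s\n' "$doc" | grep -Eq '^[[:space:]]*allowedValues:'; then
    echo ENFORCED
  else
    echo UNKNOWN
  fi
}

# Turn `gcloud organizations list --format="value(name)"` output
# (organizations/112233441122) into bare numeric organization IDs.
org_ids_from_names() {
  sed -n 's#^organizations/##p'
}

# Live audit (requires gcloud). Prints "<org-id> <status>" per organization.
audit_all_orgs() {
  gcloud organizations list --format="value(name)" | org_ids_from_names |
  while read -r org; do
    status=$(gcloud resource-manager org-policies describe compute.restrictVpcPeering \
               --effective --organization="$org" --format=yaml | classify_effective_policy)
    echo "$org $status"
  done
}

# Constructed sample documents (not captured from a real organization).
SAMPLE_UNRESTRICTED='constraint: constraints/compute.restrictVpcPeering
listPolicy:
  allValues: ALLOW'

SAMPLE_RESTRICTED='constraint: constraints/compute.restrictVpcPeering
etag: abcdabcdabcd
listPolicy:
  allowedValues:
  - projects/cc-project5/global/networks/prod-vpc-network
  - under:folders/123456789012'

# Run the live audit only when explicitly requested and gcloud is available.
if [ "${1:-}" = "--live" ] && command -v gcloud >/dev/null 2>&1; then
  audit_all_orgs
fi
```

Run it as `sh audit-vpc-peering.sh --live` to audit every organization the authenticated account can see; any organization reported as NOT_ENFORCED fails this rule.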

Remediation / Resolution

To implement Virtual Private Cloud (VPC) peering restriction at the GCP organization level, enable and configure the "Restrict VPC Peering Usage" policy by performing the following actions:

Using GCP Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Restrict VPC Peering Usage conformity rule settings and note the list of Google Cloud VPC networks that are allowed to be peered with the VPC networks available in your GCP organization.

02 Sign in to the Google Cloud Console with credentials that have organization-level permissions (e.g. the Organization Policy Administrator role).

03 Click on the project selector from the top navigation bar, select ALL to list all the available resources, then choose the Google Cloud organization that you want to reconfigure.

04 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

05 In the navigation panel, select Organization Policies to access the list with the cloud organization policies available for your organization.

06 Click inside the Filter by policy name or ID filter box, select Name and type Restrict VPC peering usage (or select ID and type compute.restrictVpcPeering) to return only the "Restrict VPC Peering Usage" policy.

07 Click on the name of the GCP organization policy returned at the previous step.

08 On the Policy details page, click on the EDIT button from the dashboard top menu to edit the selected policy.

09 On the Edit policy configuration page, perform the following operations:

  1. Under Applies to, select Customize to choose the type of the policy to apply (i.e. customized policy).
  2. To override the inherited policies completely, select Replace under Policy enforcement.
  3. To use explicit values, select Custom from the Policy values dropdown list.
  4. For Policy type, select Allow to specify that the listed values will be the only allowed values, and all other values will be denied.
  5. In the Custom values section, use the configuration controls to define the Google Cloud VPC networks that are allowed to be peered with the VPC networks that belong to your GCP organization (including the projects and folders within the organization), identified at step no. 1. Use the following format to define the allowed VPC network: projects/<project-id>/global/networks/<vpc-network-name>, where <project-id> is the ID of the VPC network's project and <vpc-network-name> is the name of the allowed VPC network. You can also use the under: prefix if you need to allow VPC peering with all the networks available in a particular project (under:projects/<project-id>), a folder (under:folders/<folder-id>), or within an entire organization (under:organizations/<organization-id>).
  6. (Optional) To set a recommendation for other users, click SET RECOMMENDATION, enter a string value into the Recommended value text box, and click SET to apply the recommendation. This string value will be displayed in the Google Cloud console to provide guidance to users about this organization policy. This is just a communication tool, and does not affect the policy configuration.
  7. Click SAVE to apply the changes and enforce the "Restrict VPC Peering Usage" policy constraints.

10 If required, repeat steps no. 3 – 9 to enable the required policy for other organizations available in your Google Cloud account.

Using GCP CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access Restrict VPC Peering Usage conformity rule settings and note the list of Google Cloud VPC networks that are allowed to be peered with the VPC networks available in your GCP organization.

02 Define the "Restrict VPC Peering Usage" policy constraints and save the YAML policy document to a file named cc-restrict-vpc-peering-policy.yaml. Use the list of allowed Google Cloud VPC networks identified at step no. 1 to populate the allowedValues list (one list item per network). The following policy configuration example allows peering with a single VPC network identified by projects/cc-project5/global/networks/prod-vpc-network, where cc-project5 is the ID of the VPC network's project and prod-vpc-network is the name of the allowed VPC network. You can also use the under: prefix if you need to allow peering with all the VPC networks available within the specified project (e.g. under:projects/cc-project5), folder (under:folders/<folder-id>), or organization (under:organizations/<organization-id>):

constraint: constraints/compute.restrictVpcPeering
listPolicy:
  allowedValues:
  - projects/cc-project5/global/networks/prod-vpc-network

03 Run resource-manager org-policies set-policy command (Windows/macOS/Linux) using the ID of the Google Cloud Platform (GCP) organization that you want to reconfigure as the identifier parameter, to enforce the "Restrict VPC Peering Usage" policy, using the policy document defined at the previous step, for the selected organization. Note that set-policy replaces the entire policy for this constraint at the organization level, so the document must list every allowed network, not only the ones you are adding:

gcloud resource-manager org-policies set-policy cc-restrict-vpc-peering-policy.yaml \
    --organization=112233441122

04 The command request should return the enforced organization policy metadata:

constraint: constraints/compute.restrictVpcPeering
etag: abcdabcdabcd
listPolicy:
  allowedValues:
  - projects/cc-project5/global/networks/prod-vpc-network
updateTime: '2020-09-02T12:00:00.000Z'

05 If required, repeat step no. 3 and 4 to enforce the necessary policy for other organizations created within your Google Cloud account.
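A value that does not match one of the formats the constraint accepts (for instance a network path missing the global/ segment) is stored by the API but never matches a real network, so the peering you meant to allow is silently blocked. As an added example (not Conformity's or Google's code), the following shell script validates each allowed-network value before writing the policy document from the previous steps, then applies it with the same set-policy command. The project-ID and network-name patterns are an assumption based on Google Cloud's documented naming rules, and the organization ID and network names used are placeholders.

```shell
#!/bin/sh
# Added example (not Conformity's or Google's code): validate the allowed-network
# values, write the "Restrict VPC Peering Usage" policy document, and apply it.
# gcloud (installed and authenticated) is needed only for the --apply step.

# Accept exactly the value forms the constraint understands:
#   projects/<project-id>/global/networks/<vpc-network-name>
#   under:projects/<project-id>, under:folders/<folder-id>, under:organizations/<org-id>
# Assumption: project IDs are 6-30 lowercase letters, digits and hyphens starting
# with a letter and not ending in a hyphen; network names are RFC 1035 labels.
is_valid_network_value() {
  printf '%s\n' "$1" | grep -Eq \
    '^(projects/[a-z][a-z0-9-]{4,28}[a-z0-9]/global/networks/[a-z]([-a-z0-9]*[a-z0-9])?|under:(projects/[a-z][a-z0-9-]{4,28}[a-z0-9]|folders/[0-9]+|organizations/[0-9]+))$'
}

# Write a set-policy document for the given allowed values to the file named by $1.
# Returns non-zero, and writes nothing, if any value is malformed.
write_peering_policy() {
  out=$1; shift
  for v in "$@"; do
    if ! is_valid_network_value "$v"; then
      echo "invalid allowed value: $v" >&2
      return 1
    fi
  done
  {
    echo 'constraint: constraints/compute.restrictVpcPeering'
    echo 'listPolicy:'
    echo '  allowedValues:'
    for v in "$@"; do echo "  - $v"; done
  } > "$out"
}

# Apply the document to an organization (requires gcloud). set-policy replaces
# the whole policy for this constraint, so the file must list every allowed network.
apply_peering_policy() {
  gcloud resource-manager org-policies set-policy "$1" --organization="$2"
}

# Usage: sh restrict-vpc-peering.sh --apply <org-id> <allowed-value>...
# e.g.   sh restrict-vpc-peering.sh --apply 112233441122 \
#          projects/cc-project5/global/networks/prod-vpc-network under:projects/cc-project5
if [ "${1:-}" = "--apply" ]; then
  shift
  org=$1; shift
  write_peering_policy cc-restrict-vpc-peering-policy.yaml "$@" &&
    apply_peering_policy cc-restrict-vpc-peering-policy.yaml "$org"
fi
```

The validation deliberately rejects anything it does not recognise rather than trying to repair it; a rejected value should be corrected in the conformity rule settings, so that the audit and the enforced policy keep the same list.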

Publication date May 10, 2021