🛡️ Google GCE Firewall Rule logging is disabled🟢

• Contextual name: 🛡️ GCE Firewall Rule logging is disabled🟢
• ID: /ce/ca/google/vpc/firewall-rule-logging
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Google GCE Firewall Rule
  • 🔌 Google GCE Firewall Rule - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

This policy identifies Google GCE Firewall Rules that do not have logging enabled. Enabling firewall rule logging allows you to audit, verify, and analyze the effects of your firewall rules within Google Cloud VPC networks.

Rationale

Firewall rule logging provides visibility into the network traffic that is allowed or denied by your firewall rules. Capturing these logs is critical for security auditing, monitoring unauthorized access attempts, and troubleshooting connectivity issues. Without logging, it becomes difficult to perform forensic analysis during security incidents or to validate that firewall rules are functioning as intended.

Impact

Enabling logging may result in additional costs for log storage and processing within Cloud Logging.

Audit

This policy flags a Google GCE Firewall Rule as INCOMPLIANT if its Log State is set to Disabled.

Remediation

Open File

Remediation

Enable Firewall Rule Logging

Enabling logging on firewall rules allows you to capture traffic information for auditing, monitoring, and troubleshooting purposes.

From gcloud CLI

```sh
gcloud compute firewall-rules update {{firewall-rule-name}} \
    --enable-logging
```

Consideration

After enabling logging, traffic matching this rule will be captured in Cloud Logging, which may incur additional costs.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration			65		no data
💼 ISO/IEC 27001:2013 → 💼 A.13.1.1 Network controls			21		no data
💼 NIST CSF v1.1 → 💼 DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed		10	34		no data
💼 NIST CSF v1.1 → 💼 DE.AE-2: Detected events are analyzed to understand attack targets and methods		18	24		no data
💼 NIST CSF v1.1 → 💼 DE.AE-3: Event data are collected and correlated from multiple sources and sensors		18	38		no data
💼 NIST CSF v1.1 → 💼 DE.AE-4: Impact of events is determined		13	14		no data
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events		18	63		no data
💼 NIST CSF v1.1 → 💼 DE.CM-5: Unauthorized mobile code is detected		11	12		no data
💼 NIST CSF v1.1 → 💼 DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events		6	7		no data
💼 NIST CSF v1.1 → 💼 DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed		18	24		no data
💼 NIST CSF v1.1 → 💼 DE.DP-2: Detection activities comply with all applicable requirements		6	7		no data
💼 NIST CSF v1.1 → 💼 DE.DP-3: Detection processes are tested		13	14		no data
💼 NIST CSF v1.1 → 💼 DE.DP-4: Event detection information is communicated		29	33		no data
💼 NIST CSF v1.1 → 💼 DE.DP-5: Detection processes are continuously improved		13	16		no data
💼 NIST CSF v1.1 → 💼 ID.RA-1: Asset vulnerabilities are identified and documented		13	16		no data
💼 NIST CSF v1.1 → 💼 PR.AC-3: Remote access is managed			22		no data
💼 NIST CSF v1.1 → 💼 PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)		10	44		no data
💼 NIST CSF v1.1 → 💼 PR.DS-2: Data-in-transit is protected		16	53		no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		47	91		no data
💼 NIST CSF v1.1 → 💼 PR.IP-8: Effectiveness of protection technologies is shared		6	7		no data
💼 NIST CSF v1.1 → 💼 PR.PT-4: Communications and control networks are protected		10	44		no data
💼 NIST CSF v1.1 → 💼 RS.AN-1: Notifications from detection systems are investigated		18	24		no data
💼 NIST CSF v1.1 → 💼 RS.CO-3: Information is shared consistent with response plans		16	18		no data
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities			35		no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources			50		no data
💼 NIST CSF v2.0 → 💼 DE.AE-04: The estimated impact and scope of adverse events are understood			14		no data
💼 NIST CSF v2.0 → 💼 DE.AE-06: Information on adverse events is provided to authorized staff and tools			33		no data
💼 NIST CSF v2.0 → 💼 DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis			38		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			145		no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			85		no data
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events			35		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			142		no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			69		no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties			40		no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities			41		no data
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded			31		no data
💼 NIST CSF v2.0 → 💼 PR.AA-03: Users, services, and hardware are authenticated			53		no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			116		no data
💼 NIST CSF v2.0 → 💼 PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk			44		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			148		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			125		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			142		no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			95		no data
💼 NIST CSF v2.0 → 💼 RS.CO-02: Internal and external stakeholders are notified of incidents			31		no data
💼 NIST CSF v2.0 → 💼 RS.CO-03: Information is shared with designated internal and external stakeholders			19		no data
💼 NIST CSF v2.0 → 💼 RS.MA-02: Incident reports are triaged and validated			25		no data
💼 NIST SP 800-53 Revision 4 → 💼 SI-4 INFORMATION SYSTEM MONITORING	24		1		no data
💼 PCI DSS v3.2.1 → 💼 10.1 Implement audit trails to link all access to system components to each individual user.		4	7		no data
💼 PCI DSS v3.2.1 → 💼 10.2 Implement automated audit trails for all system components.	7	6	28		no data
💼 PCI DSS v4.0.1 → 💼 10.2.1 Audit logs are enabled and active for all system components and cardholder data.	7		27		no data
💼 PCI DSS v4.0 → 💼 10.2.1 Audit logs are enabled and active for all system components and cardholder data.	7	1	27		no data