
🛡️ Google GCE Network DNS Policy Logging is not enabled🟢

Description

Cloud DNS logging records the queries from the name servers within your VPC to Stackdriver. Logged queries can come from Compute Engine VMs, GKE containers, or other GCP resources provisioned within the VPC.

Rationale

Security monitoring and forensics cannot depend solely on IP addresses from VPC flow logs, especially when considering the dynamic IP usage of cloud resources, HTTP virtual host routing, and other technology that can obscure the DNS name used by a client from the IP address. Monitoring of Cloud DNS logs provides visibility into the DNS names requested by clients within the VPC. These logs can be monitored for anomalous domain names and evaluated against threat intelligence.

Note: For full capture of DNS, the firewall must block egress UDP/53 (DNS) and TCP/443 (DNS over HTTPS) to prevent clients from using an external DNS name server for resolution.

Impact

Enabling of Cloud DNS logging might result in your project being charged for the additional logs usage.

Audit

From Google Cloud CLI
  1. List all VPC networks in a project:

Remediation


From Google Cloud CLI

Add New DNS Policy With Logging Enabled

For each VPC network that needs a DNS policy with logging enabled:

gcloud dns policies create enable-dns-logging --enable-logging --description="Enable DNS Logging" --networks=VPC_NETWORK_NAME

VPC_NETWORK_NAME can be one or more networks in a comma-separated list.

Enable Logging for Existing DNS Policy

For each VPC network that has an existing DNS policy that needs logging enabled:

gcloud dns policies update POLICY_NAME --enable-logging --networks=VPC_NETWORK_NAME

VPC_NETWORK_NAME can be one or more networks in a comma-separated list.
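The following is an added example, not part of the Cloudaware policy, the CIS benchmark or Google's tooling: it performs this policy's check offline over constructed sample output of `gcloud compute networks list --format=json` and `gcloud dns policies list --format=json`, then builds the two remediation commands above. The field names `enableLogging` and `networks[].networkUrl` are those of the Cloud DNS Policy resource; the project and network names are made up.

```python
import json

# Constructed sample output (not captured from a real project) of
# `gcloud compute networks list --format=json` and
# `gcloud dns policies list --format=json`.
PREFIX = "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/"
NETWORKS_JSON = json.dumps([{"name": n, "selfLink": PREFIX + n}
                            for n in ("default", "prod-vpc", "dev-vpc", "test-vpc")])
POLICIES_JSON = json.dumps([
    {"name": "prod-policy", "enableLogging": True,
     "networks": [{"networkUrl": PREFIX + "prod-vpc"}]},
    {"name": "dev-policy", "enableLogging": False,
     "networks": [{"networkUrl": PREFIX + "dev-vpc"}, {"networkUrl": PREFIX + "test-vpc"}]},
])


def network_name(url):
    """The last path segment of a selfLink / networkUrl is the network name."""
    return url.rstrip("/").rsplit("/", 1)[-1]


def audit_dns_logging(networks_json, policies_json):
    """Return {network: (status, policy_name)} where status is 'ok' (attached to a
    policy with enableLogging true), 'policy-no-log' (attached to a policy with
    logging off) or 'no-policy' (no DNS policy attached to the network at all)."""
    policy_for = {}
    for pol in json.loads(policies_json):
        for net in pol.get("networks", []):
            policy_for[network_name(net["networkUrl"])] = pol
    findings = {}
    for net in json.loads(networks_json):
        pol = policy_for.get(net["name"])
        if pol is None:
            findings[net["name"]] = ("no-policy", None)
        elif pol.get("enableLogging"):
            findings[net["name"]] = ("ok", pol["name"])
        else:
            findings[net["name"]] = ("policy-no-log", pol["name"])
    return findings


def remediation_commands(findings):
    """Build the gcloud commands from the remediation section. Networks with no
    policy share one `create` (the policy name can only be created once); each
    policy with logging off gets one `update` listing all of its networks from
    the findings, so that none of them is dropped from the policy."""
    no_policy = sorted(n for n, (s, _) in findings.items() if s == "no-policy")
    by_policy = {}
    for n, (s, p) in sorted(findings.items()):
        if s == "policy-no-log":
            by_policy.setdefault(p, []).append(n)
    cmds = []
    if no_policy:
        cmds.append('gcloud dns policies create enable-dns-logging --enable-logging '
                    '--description="Enable DNS Logging" --networks=' + ",".join(no_policy))
    for p, nets in sorted(by_policy.items()):
        cmds.append(f"gcloud dns policies update {p} --enable-logging --networks=" + ",".join(nets))
    return cmds
```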


Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 CIS GCP v1.2.0 → 💼 2.12 Ensure that Cloud DNS logging is enabled for all VPC networks - Level 1 (Automated _ Roadmapped)1no data
💼 CIS GCP v1.3.0 → 💼 2.12 Ensure That Cloud DNS Logging Is Enabled for All VPC Networks - Level 1 (Automated)1no data
💼 CIS GCP v2.0.0 → 💼 2.12 Ensure That Cloud DNS Logging Is Enabled for All VPC Networks - Level 1 (Automated)1no data
💼 CIS GCP v3.0.0 → 💼 2.12 Ensure That Cloud DNS Logging Is Enabled for All VPC Networks - Level 1 (Automated)1no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration65no data
💼 FedRAMP High Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)62032no data
💼 FedRAMP High Security Controls → 💼 AU-7 Audit Record Reduction and Report Generation (M)(H)118no data
💼 FedRAMP Low Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)24no data
💼 FedRAMP Moderate Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)232no data
💼 FedRAMP Moderate Security Controls → 💼 AU-7 Audit Record Reduction and Report Generation (M)(H)118no data
💼 ISO/IEC 27001:2022 → 💼 5.25 Assessment and decision on information security events13no data
💼 NIST CSF v1.1 → 💼 DE.AE-2: Detected events are analyzed to understand attack targets and methods1824no data
💼 NIST CSF v1.1 → 💼 PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy1633no data
💼 NIST CSF v1.1 → 💼 RS.AN-1: Notifications from detection systems are investigated1824no data
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities35no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources50no data
💼 NIST CSF v2.0 → 💼 RS.AN-03: Analysis is performed to establish what has taken place during an incident and the root cause of the incident17no data
💼 NIST CSF v2.0 → 💼 RS.AN-06: Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved18no data
💼 NIST CSF v2.0 → 💼 RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are preserved18no data
💼 NIST CSF v2.0 → 💼 RS.MA-02: Incident reports are triaged and validated25no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6 Audit Record Review, Analysis, and Reporting10113no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-7 Audit Record Reduction and Report Generation2118no data
💼 PCI DSS v3.2.1 → 💼 10.6.1 Review security events and critical system component logs at least daily.2no data
💼 PCI DSS v3.2.1 → 💼 10.6.2 Review logs of all other system components periodically based on the organization's policies and risk management strategy, as determined by the organization's annual risk assessment.5no data
💼 PCI DSS v3.2.1 → 💼 10.6.3 Follow up exceptions and anomalies identified during the review process.2no data
💼 PCI DSS v4.0.1 → 💼 10.4.1 The audit logs are reviewed at least once daily.12no data
💼 PCI DSS v4.0.1 → 💼 10.4.1.1 Automated mechanisms are used to perform audit log reviews.2no data
💼 PCI DSS v4.0.1 → 💼 10.4.2 Logs of all other system components are reviewed periodically.15no data
💼 PCI DSS v4.0.1 → 💼 10.4.2.1 The frequency of periodic log reviews for all other system components is defined in the entity's targeted risk analysis.2no data
💼 PCI DSS v4.0.1 → 💼 10.4.3 Exceptions and anomalies identified during the review process are addressed.2no data
💼 PCI DSS v4.0 → 💼 10.4.1 The audit logs are reviewed at least once daily.12no data
💼 PCI DSS v4.0 → 💼 10.4.1.1 Automated mechanisms are used to perform audit log reviews.2no data
💼 PCI DSS v4.0 → 💼 10.4.2 Logs of all other system components are reviewed periodically.15no data
💼 PCI DSS v4.0 → 💼 10.4.2.1 The frequency of periodic log reviews for all other system components is defined in the entity's targeted risk analysis.2no data
💼 PCI DSS v4.0 → 💼 10.4.3 Exceptions and anomalies identified during the review process are addressed.2no data
💼 SOC 2 → 💼 CC4.1-1 Considers a Mix of Ongoing and Separate Evaluations2no data
💼 SOC 2 → 💼 CC4.1-2 Considers Rate of Change2no data
💼 SOC 2 → 💼 CC4.1-3 Establishes Baseline Understanding2no data
💼 SOC 2 → 💼 CC4.1-4 Uses Knowledgeable Personnel2no data
💼 SOC 2 → 💼 CC4.1-5 Integrates With Business Processes2no data
💼 SOC 2 → 💼 CC4.1-6 Adjusts Scope and Frequency2no data
💼 SOC 2 → 💼 CC4.1-7 Objectively Evaluates2no data
💼 SOC 2 → 💼 CC4.1-8 Considers Different Types of Ongoing and Separate Evaluations2no data
💼 SOC 2 → 💼 CC7.3-1 Responds to Security Incidents2no data
💼 SOC 2 → 💼 CC7.3-2 Communicates and Reviews Detected Security Events2no data
💼 SOC 2 → 💼 CC7.3-3 Develops and Implements Procedures to Analyze Security Incidents2no data
💼 SOC 2 → 💼 CC7.3-4 Assesses the Impact on Confidential Information2no data
💼 SOC 2 → 💼 CC7.3-5 Determines Confidential Information Used or Disclosed2no data