π Google GCE Subnetwork Flow Logs are not enabled π’
- Contextual name: π GCE Subnetwork Flow Logs are not enabled π’
- ID:
/ce/ca/google/vpc/subnetwork-flow-logs - Located in: π Google VPC
Flagsβ
- π’ Policy with categories
- π’ Policy with type
- π’ Production policy
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY - Policy Category:
SECURITY
Similar Policiesβ
- Cloud Conformity
Logicβ
- π§ prod.logic.yaml π’
Descriptionβ
Descriptionβ
Flow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in the organization's VPC Subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging. It is recommended that Flow Logs be enabled for every business-critical VPC subnet.
Rationaleβ
VPC networks and subnetworks not reserved for internal HTTP(S) load balancing provide logically isolated and secure network partitions where GCP resources can be launched. When Flow Logs are enabled for a subnet, VMs within that subnet start reporting on all Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) flows. Each VM samples the TCP and UDP flows it sees, inbound and outbound, whether the flow is to or from another VM, a host in the on-premises datacenter, a Google service, or a host on the Internet. If two GCP VMs are communicating, and both are in subnets that have VPC Flow Logs enabled, both VMs report the flows.
Flow Logs supports the following use cases:
... see more
Remediationβ
Remediationβ
From Google Cloud Consoleβ
- Go to the VPC network GCP Console visiting https://console.cloud.google.com/networking/networks/list
- Click the name of a subnet, The
Subnet detailspage displays.- Click the
EDITbutton.- Set
Flow LogstoOn.- Expand the
Configure Logssection.- Set
Aggregation Intervalto5 SEC.- Check the box beside
Include metadata.- Set
Sample rateto100.- Click
Save.Noteβ
It is not possible to configure a Log filter from the console.
From Google Cloud CLIβ
To enable VPC Flow Logs for a network subnet, run the following command:
gcloud compute networks subnets update [SUBNET_NAME] --region [REGION] --enable-flow-logs --logging-aggregation-interval=interval-5-sec --logging-flow-sampling=1 --logging-metadata=include-all
policy.yamlβ
Linked Framework Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ CIS GCP v3.0.0 β πΌ 3.8 Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network - Level 2 (Automated) | 1 | |||
| πΌ Cloudaware Framework β πΌ Logging and Monitoring Configuration | 49 |