Skip to main content

πŸ“ Google GCE Subnetwork Flow Logs are not enabled 🟒

  • Contextual name: πŸ“ GCE Subnetwork Flow Logs are not enabled 🟒
  • ID: /ce/ca/google/vpc/subnetwork-flow-logs
  • Located in: πŸ“ Google VPC

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Logic​

Description​

Open File

Description​

Flow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in the organization's VPC Subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging. It is recommended that Flow Logs be enabled for every business-critical VPC subnet.

Rationale​

VPC networks and subnetworks not reserved for internal HTTP(S) load balancing provide logically isolated and secure network partitions where GCP resources can be launched. When Flow Logs are enabled for a subnet, VMs within that subnet start reporting on all Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) flows. Each VM samples the TCP and UDP flows it sees, inbound and outbound, whether the flow is to or from another VM, a host in the on-premises datacenter, a Google service, or a host on the Internet. If two GCP VMs are communicating, and both are in subnets that have VPC Flow Logs enabled, both VMs report the flows.

Flow Logs supports the following use cases:

... see more

Remediation​

Open File

Remediation​

From Google Cloud Console​

  1. Go to the VPC network GCP Console visiting https://console.cloud.google.com/networking/networks/list
  2. Click the name of a subnet, The Subnet details page displays.
  3. Click the EDIT button.
  4. Set Flow Logs to On.
  5. Expand the Configure Logs section.
  6. Set Aggregation Interval to 5 SEC.
  7. Check the box beside Include metadata.
  8. Set Sample rate to 100.
  9. Click Save.
Note​

It is not possible to configure a Log filter from the console.

From Google Cloud CLI​

To enable VPC Flow Logs for a network subnet, run the following command:

gcloud compute networks subnets update [SUBNET_NAME] --region [REGION] --enable-flow-logs --logging-aggregation-interval=interval-5-sec --logging-flow-sampling=1 --logging-metadata=include-all

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό CIS GCP v1.2.0 β†’ πŸ’Ό 3.8 Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network - Level 1 (Automated)1
πŸ’Ό CIS GCP v1.3.0 β†’ πŸ’Ό 3.8 Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network - Level 1 (Automated)1
πŸ’Ό CIS GCP v2.0.0 β†’ πŸ’Ό 3.8 Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network - Level 2 (Automated)1
πŸ’Ό CIS GCP v3.0.0 β†’ πŸ’Ό 3.8 Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network - Level 2 (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Logging and Monitoring Configuration59
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SI-4 System Monitoring (L)(M)(H)145054
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SI-4 System Monitoring (L)(M)(H)7
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SI-4 System Monitoring (L)(M)(H)78
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.15 Logging1834
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.16 Monitoring activities45
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.CM-1: The network is monitored to detect potential cybersecurity events1841
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-02: Potentially adverse events are analyzed to better understand associated activities31
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-03: Information is correlated from multiple sources46
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events115
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-06: External service provider activities and services are monitored to find potentially adverse events31
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events134
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-01: Improvements are identified from evaluations20
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties33
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities34
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded26
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected114
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected94
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected108
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-4 System Monitoring2518
πŸ’Ό SOC 2 β†’ πŸ’Ό CC7.2-1 Implements Detection Policies, Procedures, and Tools7
πŸ’Ό SOC 2 β†’ πŸ’Ό CC7.2-2 Designs Detection Measures7
πŸ’Ό SOC 2 β†’ πŸ’Ό CC7.2-3 Implements Filters to Analyze Anomalies918
πŸ’Ό SOC 2 β†’ πŸ’Ό CC7.2-4 Monitors Detection Tools for Effective Operation1