
🛡️ Google GCE Subnetwork Flow Logs are not enabled🟢

Description

This policy checks whether VPC Flow Logs are enabled and configured correctly for Google Cloud GCE subnetworks that support flow logging. VPC Flow Logs capture information about IP traffic going to and from network interfaces in a subnet and make that data available in Cloud Logging.

Rationale

VPC Flow Logs provide visibility into network traffic for resources inside a subnet. They support network monitoring, traffic analysis, network forensics, and security investigations. Logging all traffic with detailed intervals, complete metadata, full sampling, and no filter helps preserve the context needed to investigate suspicious or unexpected activity.

Impact

Enabling VPC Flow Logs can increase Cloud Logging, BigQuery, or Pub/Sub costs depending on the configured sinks and retained log volume.

Audit

This policy flags a Google GCE Subnetwork as INCOMPLIANT when its Purpose is PRIVATE and any of the following conditions are met:

  • Flow Logs is not set to Enabled.
  • Log Config State is not set to Enabled.

Remediation

From Google Cloud Console

  1. Go to the VPC network page in the GCP Console: https://console.cloud.google.com/networking/networks/list
  2. Click the name of a subnet. The Subnet details page opens.
  3. Click the EDIT button.
  4. Set Flow Logs to On.
  5. Expand the Configure Logs section.
  6. Set Aggregation Interval to 5 SEC.
  7. Check the box beside Include metadata.
  8. Set Sample rate to 100.
  9. Click Save.

Note

It is not possible to configure a Log filter from the console.

From Google Cloud CLI

To enable VPC Flow Logs for a network subnet, run the following command:

gcloud compute networks subnets update {{subnet-name}} \
--region {{region}} \
--enable-flow-logs \
--logging-aggregation-interval=interval-5-sec \
--logging-flow-sampling=1 \
--logging-metadata=include-all
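The audit conditions above and the gcloud remediation can be exercised offline against subnetwork descriptions. The following script is an added example, not Cloudaware's policy logic: it assumes the Compute API Subnetwork field names (purpose, enableFlowLogs, logConfig.enable, aggregationInterval, flowSampling, metadata, filterExpr) as printed by `gcloud compute networks subnets describe --format=json`, evaluates the two conditions listed under Audit, and additionally checks the interval, sampling, metadata and filter settings that the Remediation section applies (treating those as the desired state is this example's assumption). The sample subnet records are constructed, not real project data.

```python
"""Evaluate GCE subnetwork JSON against the flow-log policy conditions.

Added example, not Cloudaware's policy code. The input shape follows the
Compute API Subnetwork resource (as printed by
`gcloud compute networks subnets describe NAME --region REGION --format=json`);
the sample records below are constructed, not real project data.
"""
import json

# Values the Remediation section configures; assumed here to be the desired state.
DESIRED_INTERVAL = "INTERVAL_5_SEC"
DESIRED_SAMPLING = 1.0
DESIRED_METADATA = "INCLUDE_ALL_METADATA"


def evaluate_subnet(subnet: dict) -> list[str]:
    """Return the policy findings for one subnetwork (empty list == compliant).

    Only subnets whose purpose is PRIVATE are in scope, matching the Audit
    section; other purposes return no findings.
    """
    if subnet.get("purpose", "PRIVATE") != "PRIVATE":
        return []
    findings = []
    log_config = subnet.get("logConfig") or {}
    # The two conditions the Audit section names explicitly.
    if not subnet.get("enableFlowLogs", False):
        findings.append("Flow Logs is not set to Enabled")
    if not log_config.get("enable", False):
        findings.append("Log Config State is not set to Enabled")
    # Additional settings applied by the remediation command (assumed desired state).
    if log_config.get("aggregationInterval") != DESIRED_INTERVAL:
        findings.append(f"Aggregation Interval is not {DESIRED_INTERVAL}")
    if float(log_config.get("flowSampling", 0.0)) < DESIRED_SAMPLING:
        findings.append("Sample rate is not 100%")
    if log_config.get("metadata") != DESIRED_METADATA:
        findings.append(f"Metadata is not {DESIRED_METADATA}")
    if log_config.get("filterExpr"):
        findings.append("A log filter is configured")
    return findings


def remediation_command(subnet: dict) -> str:
    """Build the gcloud command from the Remediation section for one subnet."""
    # In the API resource the region is a URL; the last path segment is the name.
    region = subnet["region"].rsplit("/", 1)[-1]
    return (
        f"gcloud compute networks subnets update {subnet['name']} "
        f"--region {region} --enable-flow-logs "
        "--logging-aggregation-interval=interval-5-sec "
        "--logging-flow-sampling=1 --logging-metadata=include-all"
    )


def audit(subnets: list[dict]) -> dict[str, list[str]]:
    """Map each subnet name to its findings; compliant subnets map to []."""
    return {s["name"]: evaluate_subnet(s) for s in subnets}


# Constructed sample records (not real project data).
SAMPLE_SUBNETS = json.loads("""[
  {"name": "app-subnet", "purpose": "PRIVATE",
   "region": "https://www.googleapis.com/compute/v1/projects/example-project/regions/us-central1",
   "enableFlowLogs": true,
   "logConfig": {"enable": true, "aggregationInterval": "INTERVAL_5_SEC",
                 "flowSampling": 1.0, "metadata": "INCLUDE_ALL_METADATA"}},
  {"name": "legacy-subnet", "purpose": "PRIVATE",
   "region": "https://www.googleapis.com/compute/v1/projects/example-project/regions/europe-west1",
   "enableFlowLogs": false},
  {"name": "sampled-subnet", "purpose": "PRIVATE",
   "region": "https://www.googleapis.com/compute/v1/projects/example-project/regions/us-east1",
   "enableFlowLogs": true,
   "logConfig": {"enable": true, "aggregationInterval": "INTERVAL_10_MIN",
                 "flowSampling": 0.5, "metadata": "EXCLUDE_ALL_METADATA",
                 "filterExpr": "true"}},
  {"name": "proxy-only-subnet", "purpose": "REGIONAL_MANAGED_PROXY",
   "region": "https://www.googleapis.com/compute/v1/projects/example-project/regions/us-central1"}
]""")

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_SUBNETS).items():
        status = "COMPLIANT" if not findings else "INCOMPLIANT: " + "; ".join(findings)
        print(f"{name}: {status}")
    for s in SAMPLE_SUBNETS:
        if evaluate_subnet(s):
            print(remediation_command(s))
```

To run it against a real project, replace SAMPLE_SUBNETS with the output of `gcloud compute networks subnets list --format=json`, which returns the same resource shape as a list. The function only reports, it never applies the remediation command, so the generated gcloud lines can be reviewed before anything is changed.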

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 CIS GCP v1.2.0 → 💼 3.8 Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network - Level 1 (Automated)1no data
💼 CIS GCP v1.3.0 → 💼 3.8 Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network - Level 1 (Automated)1no data
💼 CIS GCP v2.0.0 → 💼 3.8 Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network - Level 2 (Automated)1no data
💼 CIS GCP v3.0.0 → 💼 3.8 Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network - Level 2 (Automated)1no data
💼 CIS GCP v4.0.0 → 💼 3.8 Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network - Level 2 (Automated)1no data
💼 CIS GCP v5.0.0 → 💼 3.10 Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network - Level 2 (Automated)1no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration79no data
💼 FedRAMP High Security Controls → 💼 SI-4 System Monitoring (L)(M)(H)145163no data
💼 FedRAMP Low Security Controls → 💼 SI-4 System Monitoring (L)(M)(H)10no data
💼 FedRAMP Moderate Security Controls → 💼 SI-4 System Monitoring (L)(M)(H)714no data
💼 ISO/IEC 27001:2022 → 💼 8.15 Logging2035no data
💼 ISO/IEC 27001:2022 → 💼 8.16 Monitoring activities45no data
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events1963no data
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities51no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources66no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events185no data
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events51no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events182no data
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations47no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties62no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities62no data
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded47no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected196no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected167no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected197no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-4 System Monitoring25118no data
💼 SOC 2 → 💼 CC7.2-1 Implements Detection Policies, Procedures, and Tools7no data
💼 SOC 2 → 💼 CC7.2-2 Designs Detection Measures7no data
💼 SOC 2 → 💼 CC7.2-3 Implements Filters to Analyze Anomalies918no data
💼 SOC 2 → 💼 CC7.2-4 Monitors Detection Tools for Effective Operation1no data