
🛡️ Google VPC Service Controls are not enabled for supported services

Description


VPC Service Controls create service perimeters around supported Google Cloud services and the projects that use them. Inside a perimeter, calls to a restricted service are allowed only from resources that are also inside the perimeter, or from identities and networks explicitly admitted through access levels and ingress rules. Use them for sensitive workloads to restrict access based on approved resources, identities, and networks.

Rationale

Service perimeters reduce data exfiltration risk by limiting how protected services can be accessed and how data can move across project and network boundaries. They complement IAM: IAM decides which identity may call an API, while the perimeter decides whether that call may cross the boundary at all, so a valid credential used from an unapproved network, or a compromised principal copying data to a project outside the perimeter, is still denied. Only supported services are covered; data held in a service the perimeter cannot restrict is not protected by it.

Impact

VPC Service Controls block legitimate traffic when perimeters, ingress rules, egress rules, or access levels are incomplete, and the failures surface in applications as API permission errors (HTTP 403 responses that cite a VPC Service Controls unique identifier) rather than as obvious network faults. Test changes in dry-run mode, which logs would-be denials without blocking them, and validate application, administrative, CI/CD, and third-party access before enforcement.

Audit

From Google Cloud CLI
  1. Verify that the Access Context Manager API is enabled:

    gcloud services list --enabled \
    --filter="name:accesscontextmanager.googleapis.com" \
    --format="value(name)"
  2. List Access Context Manager policies for the organization:

    gcloud access-context-manager policies list \

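Once the policy is known, the perimeters it contains can be dumped with `gcloud access-context-manager perimeters list --policy={{policy-id}} --format=json`, and the audit question becomes: is every sensitive project inside an enforced regular perimeter that restricts the services it uses? The script below evaluates exactly that from the JSON output. It is an added example for this control, not code from the original page or from Google; the perimeter records are constructed to resemble real output (field names follow the ServicePerimeter resource: `perimeterType`, `status` for the enforced configuration, `spec` plus `useExplicitDryRunSpec` for the dry-run configuration), and the policy number, project numbers and perimeter names are placeholders.

```python
"""Evaluate VPC Service Controls coverage from the JSON output of
`gcloud access-context-manager perimeters list --policy=POLICY --format=json`.

Added example for this control; not code from the original page or from
Google. Project numbers, policy number and perimeter names are placeholders.
"""
import json

# Constructed sample output: one enforced regular perimeter, one perimeter that
# exists only as a dry-run spec, and one bridge perimeter.
SAMPLE_PERIMETERS_JSON = """
[
  {
    "name": "accessPolicies/111111111111/servicePerimeters/prod_data",
    "title": "prod data",
    "perimeterType": "PERIMETER_TYPE_REGULAR",
    "status": {
      "resources": ["projects/100000000001"],
      "restrictedServices": ["storage.googleapis.com", "bigquery.googleapis.com"]
    }
  },
  {
    "name": "accessPolicies/111111111111/servicePerimeters/analytics_dryrun",
    "title": "analytics (dry run)",
    "perimeterType": "PERIMETER_TYPE_REGULAR",
    "useExplicitDryRunSpec": true,
    "spec": {
      "resources": ["projects/100000000002"],
      "restrictedServices": ["bigquery.googleapis.com"]
    }
  },
  {
    "name": "accessPolicies/111111111111/servicePerimeters/shared_bridge",
    "title": "bridge",
    "perimeterType": "PERIMETER_TYPE_BRIDGE",
    "status": {
      "resources": ["projects/100000000001", "projects/100000000003"]
    }
  }
]
"""


def audit_vpc_sc(perimeters_json, sensitive_projects, required_services):
    """Return a sorted list of (project, finding) tuples.

    sensitive_projects: "projects/NUMBER" resource names that must be protected.
    required_services:  service APIs that must be restricted for each of them.

    Only regular perimeters count: a bridge never restricts services, and a
    dry-run spec protects nothing until it is enforced (it only logs).
    """
    perimeters = json.loads(perimeters_json)
    enforced = {}          # project -> set of enforced restricted services
    dry_run_only = set()   # projects that appear only in a dry-run spec

    for p in perimeters:
        # perimeterType may be omitted in real output when it is the default (regular).
        if p.get("perimeterType", "PERIMETER_TYPE_REGULAR") != "PERIMETER_TYPE_REGULAR":
            continue
        status = p.get("status", {})
        for proj in status.get("resources", []):
            enforced.setdefault(proj, set()).update(status.get("restrictedServices", []))
        if p.get("useExplicitDryRunSpec"):
            for proj in p.get("spec", {}).get("resources", []):
                dry_run_only.add(proj)

    findings = []
    for proj in sensitive_projects:
        if proj not in enforced:
            if proj in dry_run_only:
                findings.append((proj, "only in a dry-run perimeter; not enforced"))
            else:
                findings.append((proj, "not in any enforced regular perimeter"))
            continue
        for svc in sorted(set(required_services) - enforced[proj]):
            findings.append((proj, f"{svc} not in restrictedServices"))
    return sorted(findings)


if __name__ == "__main__":
    projects = ["projects/100000000001", "projects/100000000002", "projects/100000000003"]
    services = ["storage.googleapis.com", "bigquery.googleapis.com", "secretmanager.googleapis.com"]
    for proj, msg in audit_vpc_sc(SAMPLE_PERIMETERS_JSON, projects, services):
        print(f"{proj}: {msg}")
```

Run against the sample, the script reports three distinct failure modes: a project whose perimeter does not restrict one of the required services, a project that is protected only in dry run, and a project that sits only in a bridge. Feed it the real `perimeters list` output and your own inventory of sensitive projects and services to get the same findings for an organization.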

Remediation


From Google Cloud CLI

  1. Create an Access Context Manager policy if one does not already exist (an organization has a single organization-level access policy, so check with `gcloud access-context-manager policies list` first):

    gcloud access-context-manager policies create \
    --organization={{organization-id}} \
    --title="VPC Service Controls Policy"
  2. Create a service perimeter in dry-run mode for the sensitive projects and services. The `dry-run create` subcommand writes the configuration to the perimeter's dry-run spec, so would-be denials are logged but nothing is blocked yet:

    gcloud access-context-manager perimeters dry-run create {{perimeter-name}} \
    --perimeter-title="{{perimeter-title}}" \
    --perimeter-type=regular \
    --perimeter-resources=projects/{{project-number}} \
    --perimeter-restricted-services={{service-api}} \
    --policy={{policy-id}}
  3. Add the required ingress rules, egress rules, access levels, and perimeter bridges to the dry-run spec (`perimeters dry-run update` with `--set-ingress-policies`, `--set-egress-policies` and `--add-access-levels`). Cover every legitimate path: application service accounts, administrators, CI/CD, and any third-party service that reads from or writes to the protected services.

  4. Review dry-run violations and application behavior. Dry-run denials are recorded in Cloud Audit Logs (`cloudaudit.googleapis.com/policy`, entries with `protoPayload.metadata.dryRun="true"`) and identify the caller, the target service and method, and the reason the request would have been blocked.

  5. Enforce the perimeter (`perimeters dry-run enforce {{perimeter-name}} --policy={{policy-id}}`) only after every expected access path has been validated; anything still denied in dry run will be denied for real from that point on.
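Step 3 expects the ingress and egress rules as YAML files. The two fragments below are an added example written for this page, not configuration from the original page or from Google; the service account, access level name, project numbers and method names are placeholders. The ingress file admits one workload service account, but only when it arrives through a named access level (for example a corporate IP range), and only to BigQuery on the protected project. The egress file lets service accounts inside the perimeter read objects from one specific external Cloud Storage project and nothing else.

```yaml
# ingress.yaml (added example; identities, access level and project numbers are placeholders)
# Both ingressFrom conditions must hold: the caller must be this identity AND come
# through the access level. ingressTo limits what it may reach once admitted.
- ingressFrom:
    identities:
    - serviceAccount:reporting-job@{{client-project-id}}.iam.gserviceaccount.com
    sources:
    - accessLevel: accessPolicies/{{policy-id}}/accessLevels/{{access-level-name}}
  ingressTo:
    operations:
    - serviceName: bigquery.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - projects/{{project-number}}

# egress.yaml (added example)
# Any service account inside the perimeter may fetch objects from the named external
# project; every other call from the perimeter to a restricted service stays blocked.
- egressFrom:
    identityType: ANY_SERVICE_ACCOUNT
  egressTo:
    operations:
    - serviceName: storage.googleapis.com
      methodSelectors:
      - method: google.storage.objects.get
    resources:
    - projects/{{external-project-number}}
```

Apply both files to the dry-run spec before enforcing. Review rules as critically as perimeter membership: an egress rule with `identityType: ANY_IDENTITY`, `method: "*"` and a resource of `"*"` reopens the boundary for exactly the exfiltration path the perimeter was meant to close.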


Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
CIS GCP v5.0.0 → 3.8 Ensure VPC Service Controls Is Enabled for Supported Google Cloud Services - Level 2 (Manual) | 1 | no data
Cloudaware Framework → Secure Access | 6 | 1 | no data