Google CloudOverview
It is recommended that a metric filter and alarm be established for VPC network route changes.
Rationale
Google Cloud Platform (GCP) routes define the paths network traffic takes from a VM instance to another destinations. The other destination can be inside your VPC network (such as another VM) or outside of it. Every route consists of a destination and a next hop. Traffic whose destination IP is within the destination range is sent to the next hop for delivery.
Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.
Impact
Enabling of logging may result in your project being charged for the additional logs usage. These charges could be significant depending on the size of the organization.
Remediation guidance
From Google Cloud Console
Create the Log Metric
- Go to
Logging,Log-based Metricsby visiting https://console.cloud.google.com/logs/metrics - Select
Create metric - For
Metric Type, selectCounter - Under
Details, add a name and set theUnitsto1 - Under
Filter selection, add the following query:
resource.type="gce_route"
AND (protoPayload.methodName:"compute.routes.delete"
OR protoPayload.methodName:"compute.routes.insert")
- Click
Create Metric
Create the alert policy
- Go back to
Log-based Metricsand identify the newly created metric underUser-defined metrics - Click the 3-dot icon in rightmost column of that metric to open menu options and select
Create alert from Metric - Fill in the required details. Choose the alerting threshold and configuration that makes sense for the organization. For example, a threshold of zero(0) for the most recent value ensures that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
- Under
Configure notifications, configure the desired notification channels - Name the policy and select
CREATE POLICY
Using Google Cloud CLI
Create the Log Metric
- Use command: gcloud logging metrics create
- Reference for Command Usage: https://docs.cloud.google.com/sdk/gcloud/reference/logging/metrics/create
Create the Alert Policy
- Use command: gcloud monitoring policies create
- Reference for command Usage: https://docs.cloud.google.com/sdk/gcloud/reference/monitoring/policies/create
References
- https://cloud.google.com/logging/docs/logs-based-metrics/
- https://cloud.google.com/monitoring/custom-metrics/
- https://cloud.google.com/monitoring/alerts/
- https://cloud.google.com/logging/docs/reference/tools/gcloud-logging
- https://cloud.google.com/storage/docs/access-control/iam
- https://docs.cloud.google.com/sdk/gcloud/reference/logging/metrics/create
- https://docs.cloud.google.com/sdk/gcloud/reference/monitoring/policies/create
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Google Cloud
Use organization or folder policies where available, shared project templates, logs and alerting baselines, and IaC modules so new resources inherit the secure setting.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Log metric filter and alerts exist for VPC network route changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging8{...AssetFragment}
