Overview
Flow Logs is a feature that captures information about the IP traffic going to and from network interfaces in your VPC subnets. After you have created a flow log, you can view and retrieve its data in Stackdriver Logging. It is recommended that Flow Logs be enabled for every business-critical VPC subnet.
Rationale
VPC networks and subnetworks provide logically isolated and secure network partitions in which you can launch GCP resources. When Flow Logs is enabled for a subnet, the VMs within that subnet start reporting on all TCP and UDP flows. Each VM samples the TCP and UDP flows it sees, inbound and outbound, whether the flow is to or from another VM, a host in your on-premises datacenter, a Google service, or a host on the Internet. If two GCP VMs are communicating and both are in subnets that have VPC Flow Logs enabled, both VMs report the flows.
Flow Logs supports the following use cases:
- Network monitoring
- Understanding network usage and optimizing network traffic expenses
- Network forensics
- Real-time security analysis
Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or to provide insight during security workflows.
Flow Logs must be configured so that all network traffic is logged, the logging interval is granular enough to give detailed information on connections, no logs are filtered out, and the metadata that facilitates investigations is included.
Note: Subnets reserved for use by internal HTTP(S) load balancers do not support VPC flow logs.
Impact
Standard pricing for Stackdriver Logging, BigQuery, or Cloud Pub/Sub applies. VPC Flow Logs generation will be charged starting in GA, as described at https://cloud.google.com/vpc/
Remediation guidance
Using Console
- Go to VPC network: https://console.cloud.google.com/networking/networks/list
- Navigate to the SUBNETS IN CURRENT PROJECT tab, and select a subnet to go to its Subnet details page
- Click on the EDIT button
- Set Flow Logs to On
- Expand the Configure Logs section
- Set the Aggregation Interval to 5 SEC
- Check the Include metadata checkbox
- Set the Sample rate to 100
- Click on SAVE
Note: It is not possible to configure a Log filter from the console.
Using Command Line
To enable VPC Flow Logs for a network subnet with a 5-second aggregation interval, 100% sampling and all metadata included, run the following command:
gcloud compute networks subnets update <subnetName> --region <region> --enable-flow-logs --logging-aggregation-interval=interval-5-sec --logging-flow-sampling=1 --logging-metadata=include-all
Default Value
By default, Flow Logs is set to Off when you create a new VPC subnet.
References
- https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging
- https://cloud.google.com/vpc/
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Google Cloud
Use organization or folder policies where available, shared project templates, logs and alerting baselines, and IaC modules so new resources inherit the secure setting.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Check: VPC Flow Logs are enabled for every subnet in a VPC network
Connector: Google Cloud
Covered asset types: VPC networks (vpcs)
Expected result: eq [] (the query must return no VPC networks)
Query: vpcs(where:{hasSubnetwork_SOME:{enableFlowLogs:false}}){...AssetFragment}
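The stored query above only tests whether flow logs are switched on. The configuration requirements stated in the Rationale (all traffic logged, 5-second interval, no filter, metadata included) and the note that internal HTTP(S) load balancer subnets cannot carry flow logs can be checked together with a small script. The following is an added example, not the stored check or any Google tooling; it reads JSON shaped like the output of `gcloud compute networks subnets list --format=json` (the `logConfig` fields `enable`, `aggregationInterval`, `flowSampling`, `metadata` and `filterExpr` are the real API field names), and the subnet names, regions and project in the sample are constructed. It also prints the remediation command from this page, filled in per subnet.

```python
"""Audit VPC subnet flow-log settings against this control (added example)."""
import json

# Required settings from the control: logs on, 5-second aggregation,
# 100% sampling, all metadata included, no export filter.
REQUIRED_INTERVAL = "INTERVAL_5_SEC"
REQUIRED_SAMPLING = 1.0
REQUIRED_METADATA = "INCLUDE_ALL_METADATA"
# Subnets reserved for internal HTTP(S) load balancers do not support flow logs,
# so the control does not apply to them.
UNSUPPORTED_PURPOSES = {"INTERNAL_HTTPS_LOAD_BALANCER"}

# Constructed sample in the shape of `gcloud compute networks subnets list --format=json`.
SAMPLE_SUBNETS_JSON = json.dumps([
    {"name": "prod-app", "purpose": "PRIVATE",
     "region": "https://www.googleapis.com/compute/v1/projects/example-proj/regions/us-central1",
     "logConfig": {"enable": True, "aggregationInterval": "INTERVAL_5_SEC",
                   "flowSampling": 1.0, "metadata": "INCLUDE_ALL_METADATA"}},
    {"name": "prod-db", "purpose": "PRIVATE",
     "region": "https://www.googleapis.com/compute/v1/projects/example-proj/regions/europe-west1",
     "logConfig": {"enable": True, "aggregationInterval": "INTERVAL_30_SEC",
                   "flowSampling": 0.5, "metadata": "EXCLUDE_ALL_METADATA",
                   "filterExpr": "connection.dest_port == 443"}},
    {"name": "dev-sandbox", "purpose": "PRIVATE",
     "region": "https://www.googleapis.com/compute/v1/projects/example-proj/regions/us-east1",
     "logConfig": {"enable": False}},
    {"name": "ilb-proxy-only", "purpose": "INTERNAL_HTTPS_LOAD_BALANCER",
     "region": "https://www.googleapis.com/compute/v1/projects/example-proj/regions/us-central1"},
])


def region_name(subnet):
    """Short region name from the region self-link URL gcloud emits."""
    return subnet["region"].rstrip("/").rsplit("/", 1)[-1]


def evaluate_subnet(subnet):
    """Return a list of findings (empty list = compliant), or None if the control
    does not apply to this subnet."""
    if subnet.get("purpose") in UNSUPPORTED_PURPOSES:
        return None
    cfg = subnet.get("logConfig") or {}
    if not cfg.get("enable", False):
        return ["flow logs disabled"]
    findings = []
    interval = cfg.get("aggregationInterval")
    if interval != REQUIRED_INTERVAL:
        findings.append(f"aggregation interval is {interval}, want {REQUIRED_INTERVAL}")
    sampling = float(cfg.get("flowSampling", 0.0))
    if sampling < REQUIRED_SAMPLING:
        findings.append(f"sampling rate is {sampling}, want {REQUIRED_SAMPLING}")
    if cfg.get("metadata") != REQUIRED_METADATA:
        findings.append(f"metadata is {cfg.get('metadata')}, want {REQUIRED_METADATA}")
    # The API default filterExpr is "true" (log everything); anything else drops logs.
    filter_expr = cfg.get("filterExpr", "true")
    if filter_expr != "true":
        findings.append(f"log filter is set: {filter_expr}")
    return findings


def remediation_command(subnet):
    """The gcloud command from this page's remediation section, filled in for one subnet."""
    return (
        f"gcloud compute networks subnets update {subnet['name']} "
        f"--region {region_name(subnet)} --enable-flow-logs "
        "--logging-aggregation-interval=interval-5-sec "
        "--logging-flow-sampling=1 --logging-metadata=include-all"
    )


def audit(subnets_json):
    """Map subnet name -> findings for every subnet the control applies to."""
    report = {}
    for subnet in json.loads(subnets_json):
        findings = evaluate_subnet(subnet)
        if findings is not None:
            report[subnet["name"]] = findings
    return report


def noncompliant(report):
    """Sorted names of subnets with at least one finding."""
    return sorted(name for name, findings in report.items() if findings)


if __name__ == "__main__":
    report = audit(SAMPLE_SUBNETS_JSON)
    by_name = {s["name"]: s for s in json.loads(SAMPLE_SUBNETS_JSON)}
    for name in noncompliant(report):
        print(f"{name}: " + "; ".join(report[name]))
        print("  fix: " + remediation_command(by_name[name]))
```

Run against real data with `gcloud compute networks subnets list --format=json > subnets.json` and pass the file contents to `audit`. A subnet with flow logs merely enabled but sampled at the API default or with an export filter still shows up as non-compliant here, which is the gap the stored `enableFlowLogs:false` query alone does not cover.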