Security & Identity

Unique Identifier helps troubleshooting VPC Service Controls perimeter

December 2, 2019
Adam Gavish

Product Manager, VPC Service Controls

VPC Service Controls is a powerful tool to help mitigate the risk of cloud data breaches stemming from stolen credentials, compromised clients, malicious insiders, and misconfigured IAM policies. It allows admins to define policies and enforce security perimeters that segment and isolate resources of multi-tenant services such as Cloud Storage, BigQuery, and Stackdriver Logging. VPC Service Controls secures communication across three network interfaces of such resources: internet, VPC networks, and service backend paths. 

Managing a powerful and centrally configured policy requires admins to understand the impact of the policy on specific service interactions. Today, we are making it easier to understand and debug denials caused by VPC Service Controls with the VPC Service Controls Unique Identifier. This feature allows Google Cloud users to easily communicate errors that arise from VPC Service Controls denials to security admins, and lets admins quickly correlate the denied requests to corresponding Cloud Audit Log entries. This helps admins resolve access issues quickly while controls to mitigate exfiltration risks remain in place.  

Configuring and troubleshooting VPC Service Controls
When you use VPC Service Controls, you define service perimeters that protect the Google Cloud services used in specific projects under your organization. Service perimeter configurations include: 

1. Protected services (e.g., BigQuery, Cloud Storage)

2. Protected projects, including the network projects that identify authorized networks

3. Access Levels that define the IP ranges and identities of clients outside the perimeter that can access resources within the perimeter.

When VPC Service Controls denies an incoming data access request, a 403 error message is shown and a Cloud Audit Log entry is generated. Now, with Unique Identifier, we are making it easier to connect the 403 error message to the relevant Cloud Audit Log entry to help customers troubleshoot VPC Service Controls faster.

Here’s how it works:

1. When users are denied access by VPC Service Controls, the 403 error messages now include a unique identifier (UID) that does not expose the underlying policy details to the potentially unauthorized or compromised client.

https://storage.googleapis.com/gweb-cloudblog-publish/images/VPC_service_control_error.max-900x900.png

2. Users communicate with security admins about their issue and include the UID.

3. Security admins use Stackdriver Logging and search for the UID.

https://storage.googleapis.com/gweb-cloudblog-publish/images/Stackdriver_Logging.max-600x600.png

4. Because the UID is specific to the denied request, only the relevant log entries are displayed, and these entries now contain links to the relevant VPC Service Controls perimeter and Access Levels pages.

https://storage.googleapis.com/gweb-cloudblog-publish/images/VPC_Service_Controls.max-1300x1300.png

5. Security admins fix the issue by updating the VPC Service Controls perimeter or access level configurations.
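The workflow above, as an added Python example that is not part of the original post: it pulls the UID out of the 403 text a user reports, builds the log search an admin would run, and correlates that UID against constructed audit-log-shaped entries so only the matching denial and its perimeter come back. The "vpcServiceControlsUniqueIdentifier:" message prefix, the `protoPayload.metadata.vpcServiceControlsUniqueId` field path and the `violationReason`/`securityPolicyInfo` fields are assumptions about the log layout, not taken from the post.

```python
import re
from typing import Dict, List, Optional

# Assumed layout (see lead-in): the 403 text carries the UID after
# "vpcServiceControlsUniqueIdentifier:", and the matching Cloud Audit Log entry
# carries the same value at protoPayload.metadata.vpcServiceControlsUniqueId.
UID_RE = re.compile(r"vpcServiceControlsUniqueIdentifier:\s*([A-Za-z0-9_-]+)")

def _entry(svc: str, method: str, meta: Dict) -> Dict:
    """Build a minimal audit-log-shaped dict (constructed sample, not a real export)."""
    return {"protoPayload": {"serviceName": svc, "methodName": method, "metadata": meta}}

PERIMETER = "accessPolicies/111/servicePerimeters/example_perimeter"  # constructed name
SAMPLE_ENTRIES: List[Dict] = [
    _entry("storage.googleapis.com", "storage.objects.get",
           {"vpcServiceControlsUniqueId": "abc123DEF", "violationReason": "NO_MATCHING_ACCESS_LEVEL",
            "securityPolicyInfo": {"servicePerimeterName": PERIMETER}}),
    _entry("bigquery.googleapis.com", "jobs.insert",
           {"vpcServiceControlsUniqueId": "zzz999", "violationReason": "RESOURCE_NOT_IN_SAME_SERVICE_PERIMETER",
            "securityPolicyInfo": {"servicePerimeterName": PERIMETER}}),
    _entry("storage.googleapis.com", "storage.objects.list", {}),  # unrelated, allowed request
]

def extract_uid(error_message: str) -> Optional[str]:
    """Step 2: pull the UID out of the 403 text a user pastes to the admin; None if absent."""
    m = UID_RE.search(error_message)
    return m.group(1) if m else None

def logging_filter(uid: str) -> str:
    """Step 3: the Logging filter the admin searches with; the UID is quoted literally."""
    return 'protoPayload.metadata.vpcServiceControlsUniqueId="%s"' % uid

def correlate(uid: str, entries: List[Dict]) -> List[Dict]:
    """Step 4: keep only entries for this UID and surface the perimeter and reason to fix."""
    hits = []
    for e in entries:
        meta = e.get("protoPayload", {}).get("metadata", {})
        if meta.get("vpcServiceControlsUniqueId") != uid:
            continue  # other requests never match, even from the same service
        hits.append({"service": e["protoPayload"].get("serviceName"), "method": e["protoPayload"].get("methodName"),
                     "reason": meta.get("violationReason"), "perimeter": meta.get("securityPolicyInfo", {}).get("servicePerimeterName")})
    return hits

if __name__ == "__main__":
    uid = extract_uid("403 Request is prohibited by organization's policy. vpcServiceControlsUniqueIdentifier: abc123DEF")
    print(logging_filter(uid))
    print(correlate(uid, SAMPLE_ENTRIES))
```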

VPC Service Controls Unique Identifier helps you efficiently communicate, debug, and resolve issues associated with VPC Service Controls denials with minimal effort—helping ensure your users have access to the data they need while mitigating the risks of a data breach.

To learn more about VPC Service Controls, check out our documentation.
