Predefined posture for VPC Service Controls, essentials

This page describes the preventative and detective policies that are included in the v1.0 version of the predefined posture for VPC Service Controls, essentials. This posture includes two policy sets:

  • A policy set that includes organization policies that apply to VPC Service Controls.

  • A policy set that includes custom Security Health Analytics detectors that apply to VPC Service Controls.

You can use this predefined posture to configure a security posture that helps protect VPC Service Controls. You can deploy this predefined posture without making any changes.

Organization policy constraints

The following table describes the organization policies that are included in this posture.

Policy Description Compliance standard
compute.skipDefaultNetworkCreation

This policy disables the automatic creation of a default VPC network and default firewall rules in each new project, ensuring that network and firewall rules are intentionally created.

The value is true to avoid creating the default VPC network.

 NIST SP 800-53 control: SC-7 and SC-8
ainotebooks.restrictPublicIp

This constraint restricts public IP access to newly created Vertex AI Workbench notebooks and instances. By default, public IP addresses can access Vertex AI Workbench notebooks and instances.

The value is true to restrict public IP access on new Vertex AI Workbench notebooks and instances.

 NIST SP 800-53 control: SC-7 and SC-8
compute.disableNestedVirtualization

This policy disables nested virtualization for all Compute Engine VMs to decrease the security risk related to unmonitored nested instances.

The value is true to turn off VM nested virtualization.

 NIST SP 800-53 control: SC-7 and SC-8

Security Health Analytics detectors

The following table describes the Security Health Analytics detectors that are included in the predefined posture. For more information about these detectors, see Vulnerability findings.

Detector name Description
FIREWALL_NOT_MONITORED

This detector checks whether log metrics and alerts aren't configured to monitor VPC firewall rule changes.
NETWORK_NOT_MONITORED

This detector checks whether log metrics and alerts aren't configured to monitor VPC network changes.
ROUTE_NOT_MONITORED

This detector checks whether log metrics and alerts aren't configured to monitor VPC network route changes.
DNS_LOGGING_DISABLED

This detector checks whether DNS logging is enabled on the VPC network.
FLOW_LOGS_DISABLED

This detector checks whether flow logs are enabled on the VPC subnetwork.

YAML definition

The following is the YAML definition for the predefined posture for VPC Service Controls.

name: organizations/123/locations/global/postureTemplates/vpcsc_essential
description: VPCSC Posture Template
revision_id: v.1.0
state: ACTIVE
policy_sets:
- policy_set_id: VPCSC preventative policy set
  description: 3 org policies that new customers can automatically enable.
  policies:
  - policy_id: Skip default network creation
    compliance_standards:
    - standard: NIST SP 800-53
      control: SC-7
    - standard: NIST SP 800-53
      control: SC-8
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.skipDefaultNetworkCreation
        policy_rules:
        - enforce: true
    description: This boolean constraint skips the creation of the default network and related resources during Google Cloud Platform Project resource creation where this constraint is set to True. By default, a default network and supporting resources are automatically created when creating a Project resource.
  - policy_id: Restrict public IP access on new Vertex AI Workbench notebooks and instances
    compliance_standards:
    - standard: NIST SP 800-53
      control: SC-7
    - standard: NIST SP 800-53
      control: SC-8
    constraint:
      org_policy_constraint:
        canned_constraint_id: ainotebooks.restrictPublicIp
        policy_rules:
        - enforce: true
    description: This boolean constraint, when enforced, restricts public IP access to newly created Vertex AI Workbench notebooks and instances. By default, public IPs can access Vertex AI Workbench notebooks and instances.
  - policy_id: Disable VM nested virtualization
    compliance_standards:
    - standard: NIST SP 800-53
      control: SC-7
    - standard: NIST SP 800-53
      control: SC-8
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.disableNestedVirtualization
        policy_rules:
        - enforce: true
    description: This boolean constraint disables hardware-accelerated nested virtualization for all Compute Engine VMs belonging to the organization, project, or folder where this constraint is set to True. By default, hardware-accelerated nested virtualization is allowed for all Compute Engine VMs running on Intel Haswell or newer CPU platforms.
- policy_set_id: VPCSC detective policy set
  description: 5 SHA modules that new customers can automatically enable.
  policies:
  - policy_id: Firewall not monitored
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: FIREWALL_NOT_MONITORED
  - policy_id: Network not monitored
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: NETWORK_NOT_MONITORED
  - policy_id: Route not monitored
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: ROUTE_NOT_MONITORED
  - policy_id: DNS logging disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: DNS_LOGGING_DISABLED
  - policy_id: Flow logs disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: FLOW_LOGS_DISABLED

What's next