This page describes the preventative and detective policies that are included in the v1.0 version of the predefined posture for VPC Service Controls, essentials. This posture includes two policy sets:
A policy set that includes organization policies that apply to VPC Service Controls.
A policy set that includes custom Security Health Analytics detectors that apply to VPC Service Controls.
You can use this predefined posture to configure a security posture that helps protect VPC Service Controls. You can deploy this predefined posture without making any changes.
Organization policy constraints
The following table describes the organization policies that are included in this posture.
| Policy | Description | Compliance standard |
|---|---|---|
| `compute.skipDefaultNetworkCreation` | This policy disables the automatic creation of a default VPC network and default firewall rules in each new project, ensuring that network and firewall rules are intentionally created. The value is `true`. | NIST SP 800-53 control: SC-7 and SC-8 |
| `ainotebooks.restrictPublicIp` | This constraint restricts public IP access to newly created Vertex AI Workbench notebooks and instances. By default, public IP addresses can access Vertex AI Workbench notebooks and instances. The value is `true`. | NIST SP 800-53 control: SC-7 and SC-8 |
| `compute.disableNestedVirtualization` | This policy disables nested virtualization for all Compute Engine VMs to decrease the security risk related to unmonitored nested instances. The value is `true`. | NIST SP 800-53 control: SC-7 and SC-8 |
Security Health Analytics detectors
The following table describes the Security Health Analytics detectors that are included in the predefined posture. For more information about these detectors, see Vulnerability findings.
| Detector name | Description |
|---|---|
| `FIREWALL_NOT_MONITORED` | This detector checks whether log metrics and alerts aren't configured to monitor VPC firewall rule changes. |
| `NETWORK_NOT_MONITORED` | This detector checks whether log metrics and alerts aren't configured to monitor VPC network changes. |
| `ROUTE_NOT_MONITORED` | This detector checks whether log metrics and alerts aren't configured to monitor VPC network route changes. |
| `DNS_LOGGING_DISABLED` | This detector checks whether DNS logging is enabled on the VPC network. |
| `FLOW_LOGS_DISABLED` | This detector checks whether flow logs are enabled on the VPC subnetwork. |
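As an added illustration (not part of this page or of Security Health Analytics itself), the following script approximates what the three `*_NOT_MONITORED` detectors evaluate: a resource type counts as monitored only when a log-based metric filter covers its change methods and an alert policy is conditioned on that metric. The Compute Engine method names, the inventory shape, and the sample metrics and alerts are assumptions constructed for this example.

```python
import re

# Change methods each "not monitored" detector expects a log-based metric to
# cover. Assumption for this example: taken from the Compute Engine API names,
# not from the posture page.
REQUIRED_METHODS = {
    "gce_firewall_rule": {"compute.firewalls.insert", "compute.firewalls.patch",
                          "compute.firewalls.delete"},
    "gce_network": {"compute.networks.insert", "compute.networks.patch",
                    "compute.networks.delete", "compute.networks.addPeering",
                    "compute.networks.removePeering"},
    "gce_route": {"compute.routes.insert", "compute.routes.delete"},
}
DETECTOR_FOR = {"gce_firewall_rule": "FIREWALL_NOT_MONITORED",
                "gce_network": "NETWORK_NOT_MONITORED",
                "gce_route": "ROUTE_NOT_MONITORED"}

def filter_coverage(log_filter):
    """Return (resource type, set of methodName values) named in a log filter."""
    rtype = re.search(r'resource\.type="([^"]+)"', log_filter)
    methods = set(re.findall(r'protoPayload\.methodName[:=]"([^"]+)"', log_filter))
    return (rtype.group(1) if rtype else None), methods

def alerted_metrics(alert_policies):
    """Names of user-defined log metrics referenced by any alert condition."""
    names = set()
    for policy in alert_policies:
        names |= set(re.findall(r'logging\.googleapis\.com/user/([\w.-]+)',
                                policy["condition_filter"]))
    return names

def not_monitored_findings(metrics, alert_policies):
    """Detector names that would fire: a type is monitored only if some metric
    covers all required methods AND an alert policy watches that metric."""
    alerted = alerted_metrics(alert_policies)
    monitored = set()
    for metric in metrics:
        rtype, methods = filter_coverage(metric["filter"])
        if (metric["name"] in alerted and rtype in REQUIRED_METHODS
                and REQUIRED_METHODS[rtype] <= methods):
            monitored.add(rtype)
    return sorted(d for r, d in DETECTOR_FOR.items() if r not in monitored)

# Constructed sample inventory: firewall changes are fully monitored, the
# network metric is incomplete and has no alert, routes have no metric at all.
SAMPLE_METRICS = [
    {"name": "firewall-changes",
     "filter": 'resource.type="gce_firewall_rule" AND '
               '(protoPayload.methodName:"compute.firewalls.insert" OR '
               'protoPayload.methodName:"compute.firewalls.patch" OR '
               'protoPayload.methodName:"compute.firewalls.delete")'},
    {"name": "network-changes",
     "filter": 'resource.type="gce_network" AND '
               'protoPayload.methodName:"compute.networks.insert"'},
]
SAMPLE_ALERTS = [{"display_name": "Firewall rule changed",
                  "condition_filter": 'metric.type="logging.googleapis.com/user/firewall-changes"'}]

if __name__ == "__main__":
    print(not_monitored_findings(SAMPLE_METRICS, SAMPLE_ALERTS))
```

The sample inventory yields `NETWORK_NOT_MONITORED` and `ROUTE_NOT_MONITORED`; adding an alert on `network-changes` alone would not clear the network finding because its filter still misses the patch, delete and peering methods.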
YAML definition
The following is the YAML definition for the predefined posture for VPC Service Controls.
```yaml
name: organizations/123/locations/global/postureTemplates/vpcsc_essential
description: VPCSC Posture Template
revision_id: v.1.0
state: ACTIVE
policy_sets:
- policy_set_id: VPCSC preventative policy set
  description: 3 org policies that new customers can automatically enable.
  policies:
  - policy_id: Skip default network creation
    compliance_standards:
    - standard: NIST SP 800-53
      control: SC-7
    - standard: NIST SP 800-53
      control: SC-8
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.skipDefaultNetworkCreation
        policy_rules:
        - enforce: true
    description: This boolean constraint skips the creation of the default network and related resources during Google Cloud Platform Project resource creation where this constraint is set to True. By default, a default network and supporting resources are automatically created when creating a Project resource.
  - policy_id: Restrict public IP access on new Vertex AI Workbench notebooks and instances
    compliance_standards:
    - standard: NIST SP 800-53
      control: SC-7
    - standard: NIST SP 800-53
      control: SC-8
    constraint:
      org_policy_constraint:
        canned_constraint_id: ainotebooks.restrictPublicIp
        policy_rules:
        - enforce: true
    description: This boolean constraint, when enforced, restricts public IP access to newly created Vertex AI Workbench notebooks and instances. By default, public IPs can access Vertex AI Workbench notebooks and instances.
  - policy_id: Disable VM nested virtualization
    compliance_standards:
    - standard: NIST SP 800-53
      control: SC-7
    - standard: NIST SP 800-53
      control: SC-8
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.disableNestedVirtualization
        policy_rules:
        - enforce: true
    description: This boolean constraint disables hardware-accelerated nested virtualization for all Compute Engine VMs belonging to the organization, project, or folder where this constraint is set to True. By default, hardware-accelerated nested virtualization is allowed for all Compute Engine VMs running on Intel Haswell or newer CPU platforms.
- policy_set_id: VPCSC detective policy set
  description: 5 SHA modules that new customers can automatically enable.
  policies:
  - policy_id: Firewall not monitored
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: FIREWALL_NOT_MONITORED
  - policy_id: Network not monitored
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: NETWORK_NOT_MONITORED
  - policy_id: Route not monitored
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: ROUTE_NOT_MONITORED
  - policy_id: DNS logging disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: DNS_LOGGING_DISABLED
  - policy_id: Flow logs disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: FLOW_LOGS_DISABLED
```