This page describes the preventative and detective policies that are included in the v1.0 version of the predefined posture for VPC Service Controls, extended. This posture includes two policy sets:
A policy set that includes organization policies that apply to VPC Service Controls.
A policy set that includes custom Security Health Analytics detectors that apply to VPC Service Controls.
You can use this predefined posture to configure a security posture that helps protect VPC Service Controls. If you want to deploy this predefined posture, you must customize some of the policies so that they apply to your environment.
Organization policy constraints
The following table describes the organization policies that are included in this posture.
Policy | Description | Compliance standard |
---|---|---|
compute.skipDefaultNetworkCreation |
This policy disables the automatic creation of a default VPC network and default firewall rules in each new project, ensuring that network and firewall rules are intentionally created. The value is |
NIST SP 800-53 control: SC-7 and SC-8 |
ainotebooks.restrictPublicIp |
This constraint restricts public IP access to newly created Vertex AI Workbench notebooks and instances. By default, public IP addresses can access Vertex AI Workbench notebooks and instances. The value is |
NIST SP 800-53 control: SC-7 and SC-8 |
compute.disableNestedVirtualization |
This policy disables nested virtualization for all Compute Engine VMs to decrease the security risk related to unmonitored nested instances. The value is |
NIST SP 800-53 control: SC-7 and SC-8 |
compute.vmExternalIpAccess |
This constraint defines the Compute Engine VM instances that are allowed to use external IP addresses. By default, all VM instances are allowed to use external IP addresses. The constraint uses the format You must configure this value when you adopt this predefined posture. |
NIST SP 800-53 control: SC-7 and SC-8 |
ainotebooks.restrictVpcNetworks |
This list defines the VPC networks a user can select when creating new Vertex AI Workbench instances where this constraint is enforced. You must configure this value when you adopt this predefined posture. |
NIST SP 800-53 control: SC-7 and SC-8 |
compute.vmCanIpForward |
This constraint defines the VPC networks that a user can select when creating new Vertex AI Workbench instances. By default, you can create a Vertex AI Workbench instance with any VPC network. You must configure this value when you adopt this predefined posture. |
NIST SP 800-53 control: SC-7 and SC-8 |
Security Health Analytics detectors
The following table describes the Security Health Analytics detectors that are included in the predefined posture. For more information about these detectors, see Vulnerability findings.
Detector name | Description |
---|---|
FIREWALL_NOT_MONITORED |
This detector checks whether log metrics and alerts aren't configured to monitor VPC firewall rule changes. |
NETWORK_NOT_MONITORED |
This detector checks whether log metrics and alerts aren't configured to monitor VPC network changes. |
ROUTE_NOT_MONITORED |
This detector checks whether log metrics and alerts aren't configured to monitor VPC network route changes. |
DNS_LOGGING_DISABLED |
This detector checks whether DNS logging is enabled on the VPC network. |
FLOW_LOGS_DISABLED |
This detector checks whether flow logs are enabled on the VPC subnetwork. |
VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED |
This detector checks whether the |
YAML definition
The following is the YAML definition for the predefined posture for VPC Service Controls.
name: organizations/123/locations/global/postureTemplates/vpcsc_extended
description: VPCSC Posture Template
revision_id: v.1.0
state: ACTIVE
policy_sets:
- policy_set_id: VPCSC preventative policy set
description: 6 org policies that new customers can automatically enable.
policies:
- policy_id: Skip default network creation
compliance_standards:
- standard: NIST SP 800-53
control: SC-7
- standard: NIST SP 800-53
control: SC-8
constraint:
org_policy_constraint:
canned_constraint_id: compute.skipDefaultNetworkCreation
policy_rules:
- enforce: true
description: This boolean constraint skips the creation of the default network and related resources during Google Cloud Platform Project resource creation where this constraint is set to True. By default, a default network and supporting resources are automatically created when creating a Project resource.
- policy_id: Restrict public IP access on new Vertex AI Workbench notebooks and instances
compliance_standards:
- standard: NIST SP 800-53
control: SC-7
- standard: NIST SP 800-53
control: SC-8
constraint:
org_policy_constraint:
canned_constraint_id: ainotebooks.restrictPublicIp
policy_rules:
- enforce: true
description: This boolean constraint, when enforced, restricts public IP access to newly created Vertex AI Workbench notebooks and instances. By default, public IPs can access Vertex AI Workbench notebooks and instances.
- policy_id: Disable VM nested virtualization
compliance_standards:
- standard: NIST SP 800-53
control: SC-7
- standard: NIST SP 800-53
control: SC-8
constraint:
org_policy_constraint:
canned_constraint_id: compute.disableNestedVirtualization
policy_rules:
- enforce: true
description: This boolean constraint disables hardware-accelerated nested virtualization for all Compute Engine VMs belonging to the organization, project, or folder where this constraint is set to True. By default, hardware-accelerated nested virtualization is allowed for all Compute Engine VMs running on Intel Haswell or newer CPU platforms.
- policy_id: Define allowed external IPs for VM instances
compliance_standards:
- standard: NIST SP 800-53
control: SC-7
- standard: NIST SP 800-53
control: SC-8
constraint:
org_policy_constraint:
canned_constraint_id: compute.vmExternalIpAccess
policy_rules:
- values:
allowed_values:
- is:projects/PROJECT_ID/zones/ZONE/instances/INSTANCE
description: This list constraint defines the set of Compute Engine VM instances that are allowed to use external IP addresses. By default, all VM instances are allowed to use external IP addresses. The allowed/denied list of VM instances must be identified by the VM instance name, in the form of projects/PROJECT_ID/zones/ZONE/instances/INSTANCE
- policy_id: Restrict VPC networks on new Vertex AI Workbench instances
compliance_standards:
- standard: NIST SP 800-53
control: SC-7
- standard: NIST SP 800-53
control: SC-8
constraint:
org_policy_constraint:
canned_constraint_id: ainotebooks.restrictVpcNetworks
policy_rules:
- values:
allowed_values:
- is:organizations/ORGANIZATION_ID
- is:folders/FOLDER_ID
- is:projects/PROJECT_ID
- is:projects/PROJECT_ID/global/networks/NETWORK_NAME
description: This list constraint defines the VPC networks a user can select when creating new Vertex AI Workbench instances where this constraint is enforced. By default, a Vertex AI Workbench instance can be created with any VPC networks. The allowed or denied list of networks must be identified in the form of under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, under:projects/PROJECT_ID, or projects/PROJECT_ID/global/networks/NETWORK_NAME.
- policy_id: Restrict VM IP Forwarding
compliance_standards:
- standard: NIST SP 800-53
control: SC-7
- standard: NIST SP 800-53
control: SC-8
constraint:
org_policy_constraint:
canned_constraint_id: compute.vmCanIpForward
policy_rules:
- values:
allowed_values:
- is:organizations/ORGANIZATION_ID
- is:folders/FOLDER_ID
- is:projects/PROJECT_ID
- is:projects/PROJECT_ID/zones/ZONE/instances/INSTANCE-NAME.
description: This list constraint defines the set of VM instances that can enable IP forwarding. By default, any VM can enable IP forwarding in any virtual network. VM instances must be specified in the form of under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, under:projects/PROJECT_ID, or projects/PROJECT_ID/zones/ZONE/instances/INSTANCE-NAME. This constraint is not retroactive.
- policy_set_id: VPCSC detective policy set
description: 6 SHA modules that new customers can automatically enable.
policies:
- policy_id: Firewall not monitored
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: FIREWALL_NOT_MONITORED
- policy_id: Network not monitored
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: NETWORK_NOT_MONITORED
- policy_id: Route not monitored
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: ROUTE_NOT_MONITORED
- policy_id: DNS logging disabled
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: DNS_LOGGING_DISABLED
- policy_id: Flow logs disabled
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: FLOW_LOGS_DISABLED
- policy_id: Flow logs settings not recommended
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED