Predefined posture for VPC Service Controls, extended

This page describes the preventative and detective policies that are included in the v1.0 version of the predefined posture for VPC Service Controls, extended. This posture includes two policy sets:

  • A policy set that includes organization policies that apply to VPC Service Controls.

  • A policy set that includes custom Security Health Analytics detectors that apply to VPC Service Controls.

You can use this predefined posture to configure a security posture that helps protect VPC Service Controls. Before you deploy it, you must customize the three list constraints whose values are placeholders (compute.vmExternalIpAccess, ainotebooks.restrictVpcNetworks, and compute.vmCanIpForward) so that they apply to your environment; the boolean constraints and the detectors can be enabled as they are.

Organization policy constraints

The following table describes the organization policy constraints that are included in this posture. Each entry gives the constraint ID, what the constraint does, the value that this posture sets (or that you must set), and the NIST SP 800-53 controls that it supports.
compute.skipDefaultNetworkCreation

This policy disables the automatic creation of a default VPC network and default firewall rules in each new project, ensuring that network and firewall rules are intentionally created.

The value is true to avoid creating the default VPC network.

NIST SP 800-53 control: SC-7 and SC-8
ainotebooks.restrictPublicIp

This constraint restricts public IP access to newly created Vertex AI Workbench notebooks and instances. By default, public IP addresses can access Vertex AI Workbench notebooks and instances.

The value is true to restrict public IP access on new Vertex AI Workbench notebooks and instances.

NIST SP 800-53 control: SC-7 and SC-8
compute.disableNestedVirtualization

This policy disables nested virtualization for all Compute Engine VMs to decrease the security risk related to unmonitored nested instances.

The value is true to turn off VM nested virtualization.

NIST SP 800-53 control: SC-7 and SC-8
compute.vmExternalIpAccess

This constraint defines the Compute Engine VM instances that are allowed to use external IP addresses. By default, all VM instances are allowed to use external IP addresses. The constraint uses the format projects/PROJECT_ID/zones/ZONE/instances/INSTANCE.

You must configure this value when you adopt this predefined posture.

NIST SP 800-53 control: SC-7 and SC-8
ainotebooks.restrictVpcNetworks

This constraint defines the VPC networks that a user can select when creating new Vertex AI Workbench instances where the constraint is enforced. By default, a Vertex AI Workbench instance can be created with any VPC network. Allowed values use the format under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, under:projects/PROJECT_ID, or projects/PROJECT_ID/global/networks/NETWORK_NAME.

You must configure this value when you adopt this predefined posture.

NIST SP 800-53 control: SC-7 and SC-8
compute.vmCanIpForward

This constraint defines the set of Compute Engine VM instances that are allowed to enable IP forwarding. By default, any VM can enable IP forwarding in any VPC network. Allowed values use the format under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, under:projects/PROJECT_ID, or projects/PROJECT_ID/zones/ZONE/instances/INSTANCE-NAME. The constraint is not retroactive: VMs that already have IP forwarding enabled aren't affected.

You must configure this value when you adopt this predefined posture.

NIST SP 800-53 control: SC-7 and SC-8

Security Health Analytics detectors

The following table describes the Security Health Analytics detectors that are included in the predefined posture, by detector name. For more information about these detectors, see Vulnerability findings.
FIREWALL_NOT_MONITORED

This detector checks whether log metrics and alerts aren't configured to monitor VPC firewall rule changes.

NETWORK_NOT_MONITORED

This detector checks whether log metrics and alerts aren't configured to monitor VPC network changes.

ROUTE_NOT_MONITORED

This detector checks whether log metrics and alerts aren't configured to monitor VPC network route changes.

DNS_LOGGING_DISABLED

This detector checks whether DNS logging is disabled on a VPC network.

FLOW_LOGS_DISABLED

This detector checks whether flow logs are disabled on a VPC subnetwork.

VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED

This detector checks whether the enableFlowLogs property of VPC subnetworks is missing or set to false.
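The three *_NOT_MONITORED detectors are satisfied by log-based metrics, each with an alert policy, whose filters cover the Compute Engine audit-log methods that change firewall rules, routes and networks. The following Python is an added example, not Google's code and not the detectors' own logic: it holds one filter per detector, modelled on the CIS Google Cloud Foundation Benchmark recommendations for firewall, route and network change monitoring, renders each as the query string you would pass to a log-based metric, evaluates it over a few constructed audit log entries, and reports which detectors would still fire for a given set of existing metric filters. The metric names and the sample entries are assumptions, and the method lists should be checked against the benchmark version you follow.

```python
"""Filters behind the FIREWALL/NETWORK/ROUTE_NOT_MONITORED detectors (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeFilter:
    name: str            # proposed log-based metric name (an assumption, pick your own)
    resource_type: str   # Cloud Logging resource.type of the changed resource
    methods: tuple       # protoPayload.methodName substrings that count as a change

    def render(self) -> str:
        """Cloud Logging query string, usable as the filter of a log-based metric."""
        clauses = " OR ".join(f'protoPayload.methodName:"{m}"' for m in self.methods)
        return f'resource.type="{self.resource_type}" AND ({clauses})'

    def matches(self, entry: dict) -> bool:
        """Same semantics as the query: exact resource.type, substring match on methodName."""
        if entry.get("resource", {}).get("type") != self.resource_type:
            return False
        method = entry.get("protoPayload", {}).get("methodName", "")
        return any(m in method for m in self.methods)


# Modelled on the CIS benchmark filters for firewall, route and network changes.
FILTERS = {
    "FIREWALL_NOT_MONITORED": ChangeFilter(
        "vpc-firewall-changes", "gce_firewall_rule",
        ("compute.firewalls.patch", "compute.firewalls.insert", "compute.firewalls.delete")),
    "ROUTE_NOT_MONITORED": ChangeFilter(
        "vpc-route-changes", "gce_route",
        ("compute.routes.delete", "compute.routes.insert")),
    "NETWORK_NOT_MONITORED": ChangeFilter(
        "vpc-network-changes", "gce_network",
        ("compute.networks.insert", "compute.networks.patch", "compute.networks.delete",
         "compute.networks.removePeering", "compute.networks.addPeering")),
}


def _entry(resource_type, method, principal):
    """Constructed audit log entry with the fields the filters look at."""
    return {"resource": {"type": resource_type},
            "protoPayload": {"methodName": method,
                             "authenticationInfo": {"principalEmail": principal}}}


# Constructed sample: one real change per class, plus a read and a subnet change
# that no filter should count.
SAMPLE_ENTRIES = [
    _entry("gce_firewall_rule", "v1.compute.firewalls.insert", "dev@example.com"),
    _entry("gce_firewall_rule", "v1.compute.firewalls.get", "auditor@example.com"),
    _entry("gce_network", "v1.compute.networks.addPeering", "netops@example.com"),
    _entry("gce_route", "v1.compute.routes.insert", "netops@example.com"),
    _entry("gce_subnetwork", "v1.compute.subnetworks.patch", "netops@example.com"),
]


def count_matches(entries):
    """Number of entries each metric would count, keyed by detector name."""
    return {d: sum(f.matches(e) for e in entries) for d, f in FILTERS.items()}


def unmonitored(existing_metric_filters):
    """Detectors that would still fire for the given metric filters.

    Simplified coverage check, not the detectors' implementation: a change class
    counts as monitored only if one existing filter names its resource type and
    every method. The detectors additionally require an alert policy on the
    metric, which this function cannot see.
    """
    missing = []
    for detector, f in FILTERS.items():
        covered = any(f.resource_type in flt and all(m in flt for m in f.methods)
                      for flt in existing_metric_filters)
        if not covered:
            missing.append(detector)
    return missing


if __name__ == "__main__":
    for detector, f in FILTERS.items():
        print(f"{f.name}: {f.render()}")
    print(count_matches(SAMPLE_ENTRIES))
    # Only the firewall metric exists: the route and network detectors still fire.
    print(unmonitored([FILTERS["FIREWALL_NOT_MONITORED"].render()]))
```

The rendered strings are what you would supply as the filter when creating each log-based metric; the alert policy on top of the metric is what turns a counted change into a notification, and the detectors look for both.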

YAML definition

The following is the YAML definition for the predefined posture for VPC Service Controls, extended. Replace the uppercase placeholders in the three list constraints with your own resource names before you deploy it.

name: organizations/123/locations/global/postureTemplates/vpcsc_extended
description: VPCSC Posture Template
revision_id: v.1.0
state: ACTIVE
policy_sets:
- policy_set_id: VPCSC preventative policy set
  description: 6 org policies that new customers can automatically enable.
  policies:
  - policy_id: Skip default network creation
    compliance_standards:
    - standard: NIST SP 800-53
      control: SC-7
    - standard: NIST SP 800-53
      control: SC-8
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.skipDefaultNetworkCreation
        policy_rules:
        - enforce: true
    description: This boolean constraint skips the creation of the default network and related resources during Google Cloud Platform Project resource creation where this constraint is set to True. By default, a default network and supporting resources are automatically created when creating a Project resource.
  - policy_id: Restrict public IP access on new Vertex AI Workbench notebooks and instances
    compliance_standards:
    - standard: NIST SP 800-53
      control: SC-7
    - standard: NIST SP 800-53
      control: SC-8
    constraint:
      org_policy_constraint:
        canned_constraint_id: ainotebooks.restrictPublicIp
        policy_rules:
        - enforce: true
    description: This boolean constraint, when enforced, restricts public IP access to newly created Vertex AI Workbench notebooks and instances. By default, public IPs can access Vertex AI Workbench notebooks and instances.
  - policy_id: Disable VM nested virtualization
    compliance_standards:
    - standard: NIST SP 800-53
      control: SC-7
    - standard: NIST SP 800-53
      control: SC-8
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.disableNestedVirtualization
        policy_rules:
        - enforce: true
    description: This boolean constraint disables hardware-accelerated nested virtualization for all Compute Engine VMs belonging to the organization, project, or folder where this constraint is set to True. By default, hardware-accelerated nested virtualization is allowed for all Compute Engine VMs running on Intel Haswell or newer CPU platforms.
  - policy_id: Define allowed external IPs for VM instances
    compliance_standards:
    - standard: NIST SP 800-53
      control: SC-7
    - standard: NIST SP 800-53
      control: SC-8
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.vmExternalIpAccess
        policy_rules:
        - values:
            allowed_values:
            - is:projects/PROJECT_ID/zones/ZONE/instances/INSTANCE
    description: This list constraint defines the set of Compute Engine VM instances that are allowed to use external IP addresses. By default, all VM instances are allowed to use external IP addresses. The allowed/denied list of VM instances must be identified by the VM instance name, in the form of projects/PROJECT_ID/zones/ZONE/instances/INSTANCE
  - policy_id: Restrict VPC networks on new Vertex AI Workbench instances
    compliance_standards:
    - standard: NIST SP 800-53
      control: SC-7
    - standard: NIST SP 800-53
      control: SC-8
    constraint:
      org_policy_constraint:
        canned_constraint_id: ainotebooks.restrictVpcNetworks
        policy_rules:
        - values:
            allowed_values:
            - under:organizations/ORGANIZATION_ID
            - under:folders/FOLDER_ID
            - under:projects/PROJECT_ID
            - is:projects/PROJECT_ID/global/networks/NETWORK_NAME
    description: This list constraint defines the VPC networks a user can select when creating new Vertex AI Workbench instances where this constraint is enforced. By default, a Vertex AI Workbench instance can be created with any VPC networks. The allowed or denied list of networks must be identified in the form of under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, under:projects/PROJECT_ID, or projects/PROJECT_ID/global/networks/NETWORK_NAME.
  - policy_id: Restrict VM IP Forwarding
    compliance_standards:
    - standard: NIST SP 800-53
      control: SC-7
    - standard: NIST SP 800-53
      control: SC-8
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.vmCanIpForward
        policy_rules:
        - values:
            allowed_values:
            - under:organizations/ORGANIZATION_ID
            - under:folders/FOLDER_ID
            - under:projects/PROJECT_ID
            - is:projects/PROJECT_ID/zones/ZONE/instances/INSTANCE-NAME
    description: This list constraint defines the set of VM instances that can enable IP forwarding. By default, any VM can enable IP forwarding in any virtual network. VM instances must be specified in the form of under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, under:projects/PROJECT_ID, or projects/PROJECT_ID/zones/ZONE/instances/INSTANCE-NAME. This constraint is not retroactive.
- policy_set_id: VPCSC detective policy set
  description: 6 SHA modules that new customers can automatically enable.
  policies:
  - policy_id: Firewall not monitored
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: FIREWALL_NOT_MONITORED
  - policy_id: Network not monitored
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: NETWORK_NOT_MONITORED
  - policy_id: Route not monitored
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: ROUTE_NOT_MONITORED
  - policy_id: DNS logging disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: DNS_LOGGING_DISABLED
  - policy_id: Flow logs disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: FLOW_LOGS_DISABLED
  - policy_id: Flow logs settings not recommended
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED
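Before a copy of this template is deployed, the placeholder values in the three list constraints have to be replaced, and each value's prefix has to fit the resource it names as the policy descriptions state (under: for an organization, folder or project subtree; is: for an individual instance or network). The following Python is an added example, not part of the template or of any Google tool: it runs those checks on the posture after it has been loaded into plain dicts and lists (for example with yaml.safe_load) and shows how to substitute real values. TEMPLATE_EXCERPT is a constructed subset of the YAML above with the same structure; the project, folder and instance names in the __main__ block are made up.

```python
"""Pre-deployment checks for a customized copy of the posture (added example)."""
import re
from copy import deepcopy

# Placeholder tokens as they appear in the template's list constraints.
PLACEHOLDER_RE = re.compile(
    r"ORGANIZATION_ID|FOLDER_ID|PROJECT_ID|ZONE|INSTANCE-NAME|INSTANCE|NETWORK_NAME")
# A bare hierarchy node: organizations/<id>, folders/<id> or projects/<id>.
HIERARCHY_RE = re.compile(r"^(organizations|folders|projects)/[^/]+$")

# Constructed subset of the template's preventative policy set.
TEMPLATE_EXCERPT = {
    "name": "organizations/123/locations/global/postureTemplates/vpcsc_extended",
    "policy_sets": [{
        "policy_set_id": "VPCSC preventative policy set",
        "policies": [
            {"policy_id": "Skip default network creation",
             "constraint": {"org_policy_constraint": {
                 "canned_constraint_id": "compute.skipDefaultNetworkCreation",
                 "policy_rules": [{"enforce": True}]}}},
            {"policy_id": "Define allowed external IPs for VM instances",
             "constraint": {"org_policy_constraint": {
                 "canned_constraint_id": "compute.vmExternalIpAccess",
                 "policy_rules": [{"values": {"allowed_values": [
                     "is:projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"]}}]}}},
            {"policy_id": "Restrict VPC networks on new Vertex AI Workbench instances",
             "constraint": {"org_policy_constraint": {
                 "canned_constraint_id": "ainotebooks.restrictVpcNetworks",
                 "policy_rules": [{"values": {"allowed_values": [
                     "under:projects/PROJECT_ID",
                     "is:projects/PROJECT_ID/global/networks/NETWORK_NAME"]}}]}}},
            {"policy_id": "Restrict VM IP Forwarding",
             "constraint": {"org_policy_constraint": {
                 "canned_constraint_id": "compute.vmCanIpForward",
                 "policy_rules": [{"values": {"allowed_values": [
                     "under:folders/FOLDER_ID",
                     "is:projects/PROJECT_ID/zones/ZONE/instances/INSTANCE-NAME"]}}]}}},
        ],
    }],
}


def iter_list_values(posture):
    """Yield (policy_id, canned_constraint_id, value) for every allowed or denied value."""
    for pset in posture.get("policy_sets", []):
        for policy in pset.get("policies", []):
            opc = policy.get("constraint", {}).get("org_policy_constraint")
            if not opc:
                continue  # detector policies carry no org policy values
            for rule in opc.get("policy_rules", []):
                values = rule.get("values") or {}  # boolean rules have no values
                for key in ("allowed_values", "denied_values"):
                    for v in values.get(key, []):
                        yield policy["policy_id"], opc["canned_constraint_id"], v


def unresolved_placeholders(posture):
    """Values that still contain template placeholders."""
    return [(p, c, v) for p, c, v in iter_list_values(posture) if PLACEHOLDER_RE.search(v)]


def malformed_values(posture):
    """Values whose prefix does not fit the resource they name, or that carry stray text."""
    problems = []
    for pid, _, v in iter_list_values(posture):
        # A value without a prefix is treated as an exact match here (assumption).
        prefix, _, resource = v.partition(":") if ":" in v else ("is", "", v)
        if resource.endswith("."):
            problems.append((pid, v, "trailing period"))
        if prefix == "is" and HIERARCHY_RE.match(resource):
            problems.append((pid, v, "hierarchy node needs under:"))
        elif prefix == "under" and not HIERARCHY_RE.match(resource):
            problems.append((pid, v, "under: only fits organizations/folders/projects"))
        elif prefix not in ("is", "under"):
            problems.append((pid, v, "unknown prefix"))
    return problems


def set_allowed_values(posture, canned_constraint_id, values):
    """Return a copy of the posture with that constraint's allowed_values replaced."""
    out = deepcopy(posture)
    for pset in out["policy_sets"]:
        for policy in pset["policies"]:
            opc = policy.get("constraint", {}).get("org_policy_constraint")
            if opc and opc["canned_constraint_id"] == canned_constraint_id:
                opc["policy_rules"] = [{"values": {"allowed_values": list(values)}}]
                return out
    raise KeyError(canned_constraint_id)


def ready_to_deploy(posture):
    return not unresolved_placeholders(posture) and not malformed_values(posture)


if __name__ == "__main__":
    for _, cid, v in unresolved_placeholders(TEMPLATE_EXCERPT):
        print(f"placeholder in {cid}: {v}")
    # Hypothetical resource names; substitute your own.
    p = set_allowed_values(TEMPLATE_EXCERPT, "compute.vmExternalIpAccess",
                           ["is:projects/example-prod/zones/us-central1-a/instances/bastion-1"])
    p = set_allowed_values(p, "ainotebooks.restrictVpcNetworks",
                           ["is:projects/example-prod/global/networks/restricted-vpc"])
    p = set_allowed_values(p, "compute.vmCanIpForward", ["under:folders/111111111111"])
    print("ready:", ready_to_deploy(p), malformed_values(p))
```

Run the checks on the customized posture file before creating the posture from it; a value that keeps a placeholder or uses is: on a project or folder either fails at deployment or, worse, deploys as a rule that matches nothing.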

What's next