This page describes how to set up and use the VPC Service Controls violation dashboard to view the details about access denials by service perimeters in your organization.
Cost
When you use the VPC Service Controls violation dashboard, consider the cost that you incur for the following billable components of Google Cloud:
- Cloud Logging resources: setting up the violation dashboard deploys Cloud Logging resources (a log bucket and a Log Router sink) in your organization, and you incur cost for using them.
- Log bucket storage: because the violation dashboard uses an organization-level Log Router sink, VPC Service Controls copies the audit logs that the sink routes into the configured log bucket, in addition to wherever those logs already land. You incur cost for using that log bucket. To estimate the potential cost, query your existing audit logs and calculate their volume. For more information about querying your existing logs, see View logs.
For information about the Cloud Logging and Cloud Monitoring pricing, see Google Cloud Observability pricing.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Google Cloud project.
- Enable the Service Usage API.
Required roles
- To get the permissions that you need to set up the violation dashboard, ask your administrator to grant you the Logging Admin (roles/logging.admin) IAM role on the project in which you configure a log bucket during the violation dashboard setup. For more information about granting roles, see Manage access to projects, folders, and organizations.

  This predefined role contains the permissions required to set up the violation dashboard. To see the exact permissions that are required, expand the Required permissions section:

  Required permissions

  The following permissions are required to set up the violation dashboard:
  - To list the log buckets from the selected project: logging.buckets.list
  - To create a new log bucket: logging.buckets.create
  - To enable Log Analytics in the selected log bucket: logging.buckets.update
  - To create a new Log Router sink: logging.sinks.create

  You might also be able to get these permissions with custom roles or other predefined roles.
- To get the permissions that you need to view the violation dashboard, ask your administrator to grant you the following IAM roles on the project in which you configure a log bucket during the violation dashboard setup:
  - Logs View Accessor (roles/logging.viewAccessor)
  - VPC Service Controls Troubleshooter Viewer (roles/accesscontextmanager.vpcScTroubleshooterViewer)

  For more information about granting roles, see Manage access to projects, folders, and organizations.

  These predefined roles contain the permissions required to view the violation dashboard. To see the exact permissions that are required, expand the Required permissions section:

  Required permissions

  The following permissions are required to view the violation dashboard:
  - To display the access policy names: accesscontextmanager.policies.list
  - To display the project names: resourcemanager.projects.get

  You might also be able to get these permissions with custom roles or other predefined roles.
Set up the dashboard
To set up the violation dashboard, you need to configure a log bucket to aggregate the VPC Service Controls audit logs and create an organization-level Log Router sink that will route all the VPC Service Controls audit logs to the log bucket.
To set up the violation dashboard for your organization, do the following one time:
1. In the Google Cloud console, go to the VPC Service Controls page.
2. If you are prompted, select your organization. You can access the VPC Service Controls page only at the organization level.
3. On the VPC Service Controls page, click Violation dashboard.
4. On the Violation dashboard setup page, in the Project field, select the project that contains the log bucket in which you want to aggregate the audit logs.
5. In the Log bucket field, select an existing log bucket or select Create new log bucket to create a new log bucket. If you create a new log bucket, in the Log bucket name field, enter a name for your log bucket.
6. Click Create log router sink. VPC Service Controls creates a new Log Router sink named reserved_vpc_sc_dashboard_log_router in the selected project. This operation takes about a minute to complete.
View access denials in the dashboard
After you set up the violation dashboard, you can use the dashboard to view the details about access denials by service perimeters in your organization.
1. In the Google Cloud console, go to the VPC Service Controls page.
2. If you are prompted, select your organization. You can access the VPC Service Controls page only at the organization level.
3. On the VPC Service Controls page, click Violation dashboard. The Violation dashboard page appears.
On the Violation dashboard page, you can do the following:
- Filtering: Use the filters available on the page, such as access policy and resource, to narrow the data to what you want to see.
- Time intervals: To select the time range for the data, click one of the predefined time intervals. To define a custom time range, click Custom.
- Tables: Scroll the Violation dashboard page to view the data categorized under different tables. The violation dashboard displays the following tables:
  - Violations
  - Top violations by principal
  - Top violations by principal IP
  - Top violations by service
  - Top violations by method
  - Top violations by resource
  - Top violations by service perimeter
- Troubleshoot access denials: Click the troubleshooting token of an access denial listed in the Violations table to diagnose the access denial using the violation analyzer. VPC Service Controls opens the violation analyzer and displays the troubleshooting result of the access denial. For information about using the violation analyzer, see Diagnose an access denial event using the VPC Service Controls violation analyzer (Preview).
- Pagination: The violation dashboard paginates the data displayed in all tables. Use the previous-page and next-page controls to navigate the paginated data.
- Modify Log Router sink: To modify the configured Log Router sink, click Edit log sink. For information about modifying a Log Router sink, see Manage sinks.
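The dashboard tables above are aggregations over the VPC Service Controls audit log entries that the sink routes into the log bucket. The following added example (not Google's dashboard code) rebuilds those tables from raw entries so you can reproduce the view offline, for example over entries exported with gcloud logging read, or sanity-check what a new log bucket will contain. It also sums the serialized size of the denial entries, which is a rough input to the cost estimate from the Cost section. The entries in SAMPLE_ENTRIES are constructed to mirror the shape of Cloud Audit Logs entries carrying VpcServiceControlAuditMetadata; the perimeter name, principals, IPs and tokens are placeholders, and real entries carry many more fields.

```python
"""Aggregate VPC Service Controls denial audit logs into the dashboard's tables.

Added example, not Google's dashboard code. SAMPLE_ENTRIES are constructed to
mirror the shape of Cloud Audit Logs entries that carry
VpcServiceControlAuditMetadata; real entries have many more fields.
"""
import json
from collections import Counter

# Metadata type that marks an audit log entry as a VPC Service Controls event.
VPC_SC_METADATA_TYPE = (
    "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
)
# Constructed perimeter name (placeholder policy and perimeter IDs).
PERIMETER = "accessPolicies/123456789/servicePerimeters/prod_perimeter"


def _denial(token, principal, ip, service, method, resource, reason):
    """Build one constructed denial entry in audit-log shape."""
    return {
        "timestamp": "2024-05-01T10:00:00Z",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": service,
            "methodName": method,
            "resourceName": resource,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip},
            "metadata": {
                "@type": VPC_SC_METADATA_TYPE,
                "violationReason": reason,
                "vpcServiceControlsUniqueId": token,  # troubleshooting token
                "securityPolicyInfo": {"servicePerimeterName": PERIMETER},
            },
        },
    }


# Constructed sample: three denials plus one ordinary audit entry that is not
# a VPC Service Controls event and must be ignored by the aggregation.
SAMPLE_ENTRIES = [
    _denial("tok-0001", "alice@example.com", "203.0.113.10",
            "storage.googleapis.com", "google.storage.objects.get",
            "projects/_/buckets/example-bucket/objects/report.csv",
            "NO_MATCHING_ACCESS_LEVEL"),
    _denial("tok-0002", "alice@example.com", "203.0.113.10",
            "storage.googleapis.com", "google.storage.objects.list",
            "projects/_/buckets/example-bucket", "NO_MATCHING_ACCESS_LEVEL"),
    _denial("tok-0003", "etl-sa@example-prj.iam.gserviceaccount.com",
            "198.51.100.7", "bigquery.googleapis.com",
            "google.cloud.bigquery.v2.TableService.GetTable",
            "projects/example-prj/datasets/ds/tables/t",
            "RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER"),
    {
        "timestamp": "2024-05-01T10:01:00Z",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "storage.googleapis.com",
            "methodName": "google.storage.buckets.get",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
        },
    },
]


def is_vpc_sc_denial(entry):
    """True if the entry carries VPC SC metadata with a violation reason."""
    meta = entry.get("protoPayload", {}).get("metadata", {})
    return meta.get("@type") == VPC_SC_METADATA_TYPE and "violationReason" in meta


def violation_row(entry):
    """Flatten one denial into the columns the Violations table shows."""
    payload = entry["protoPayload"]
    meta = payload["metadata"]
    return {
        "timestamp": entry.get("timestamp"),
        "token": meta.get("vpcServiceControlsUniqueId"),
        "reason": meta.get("violationReason"),
        "principal": payload.get("authenticationInfo", {}).get("principalEmail", "(unknown)"),
        "caller_ip": payload.get("requestMetadata", {}).get("callerIp", "(unknown)"),
        "service": payload.get("serviceName"),
        "method": payload.get("methodName"),
        "resource": payload.get("resourceName"),
        "perimeter": meta.get("securityPolicyInfo", {}).get("servicePerimeterName"),
    }


TOP_TABLES = ("principal", "caller_ip", "service", "method", "resource", "perimeter")


def build_dashboard(entries):
    """Return the Violations table plus one 'top violations by X' table per column."""
    rows = [violation_row(e) for e in entries if is_vpc_sc_denial(e)]
    tables = {"violations": rows}
    for column in TOP_TABLES:
        tables["top_by_" + column] = Counter(r[column] for r in rows).most_common()
    return tables


def estimate_denial_bytes(entries):
    """Rough routed volume of the denial entries (their serialized JSON size)."""
    return sum(len(json.dumps(e).encode("utf-8")) for e in entries if is_vpc_sc_denial(e))


if __name__ == "__main__":
    dashboard = build_dashboard(SAMPLE_ENTRIES)
    for row in dashboard["violations"]:
        print(row["token"], row["principal"], row["service"], row["reason"])
    for column in TOP_TABLES:
        print("top by", column, dashboard["top_by_" + column])
    print("approximate bytes routed:", estimate_denial_bytes(SAMPLE_ENTRIES))
```

The is_vpc_sc_denial check is the important filter: only entries whose metadata carries the VPC Service Controls type and a violationReason are denials, so ordinary audit entries (the fourth sample) never inflate the tables. The token column is the vpcServiceControlsUniqueId, the same value the dashboard exposes as the troubleshooting token for the violation analyzer.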
Troubleshoot
If you encounter issues while using the violation dashboard, then try troubleshooting and resolving the issues as described in the following sections.
A service perimeter denied access to your user account
If you encounter an error due to insufficient permissions, check if any service perimeter within your organization is denying access to the Cloud Logging API. To resolve this issue, create an ingress rule that lets you access the Cloud Logging API:
1. In the Google Cloud console, go to the VPC Service Controls page.
2. If you are prompted, select your organization.
3. On the VPC Service Controls page, click the service perimeter that protects the project containing your log bucket.
4. Create an ingress rule that lets you access the Cloud Logging API in the project.
A service perimeter denied access to the log bucket
If VPC Service Controls doesn't route your audit logs to the configured log bucket, you might have to create an ingress rule that allows the Log Router sink's service account to access the Cloud Logging API in your service perimeter:
1. In the Google Cloud console, go to the Log Router page.
2. On the Log Router page, open the menu for the configured Log Router sink, and then select View sink details.
3. In the Sink details dialog, copy the service account shown in the Writer identity field. This is the service account that the Log Router sink uses.
4. In the Google Cloud console, go to the VPC Service Controls page.
5. If you are prompted, select your organization.
6. On the VPC Service Controls page, click the service perimeter that protects the project containing your log bucket.
7. Create an ingress rule that allows the Log Router sink's service account to access the Cloud Logging API in the project.
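Both troubleshooting cases above end with the same kind of ingress rule: one identity (your user account in the first case, the sink's writer identity in the second) allowed to reach logging.googleapis.com in the project that holds the log bucket, and nothing else. The following added example (not the page's or Google's code) builds that rule scoped to exactly those three things, so you do not open the perimeter more widely than the fix needs. It emits the ingress-policy document in the shape that gcloud access-context-manager perimeters update accepts through --set-ingress-policies; the writer identity and project number below are constructed placeholders, and you must copy the real writer identity from the sink details and use the project number (not the project ID).

```python
"""Build a least-privilege ingress rule that lets one identity reach the
Cloud Logging API in the project that holds the dashboard's log bucket.

Added example, not the page's or Google's code. Output is a list of ingress
policies in the YAML/JSON shape accepted by
`gcloud access-context-manager perimeters update --set-ingress-policies=FILE`.
The identity and project number used at the bottom are constructed placeholders.
"""
import json

# Identity prefixes this helper accepts: a user (first troubleshooting case)
# or the sink's writer identity (second case).
ALLOWED_PREFIXES = ("user:", "serviceAccount:")


def build_logging_ingress_rule(identity, project_number, methods=("*",)):
    """Return one ingress policy: `identity`, from any source, may call
    logging.googleapis.com on projects/<project_number> only.

    Ingress rule resources are addressed by project number, so a project ID
    such as "my-project" is rejected rather than silently producing a rule
    that never matches.
    """
    if not identity.startswith(ALLOWED_PREFIXES):
        raise ValueError(f"identity must start with one of {ALLOWED_PREFIXES}: {identity!r}")
    if not str(project_number).isdigit():
        raise ValueError(f"project_number must be numeric, got {project_number!r}")
    return {
        "ingressFrom": {
            "identities": [identity],
            # accessLevel "*" allows any source; narrow it to a specific access
            # level if your policy already defines one for this caller.
            "sources": [{"accessLevel": "*"}],
        },
        "ingressTo": {
            "operations": [{
                "serviceName": "logging.googleapis.com",
                "methodSelectors": [{"method": m} for m in methods],
            }],
            "resources": [f"projects/{project_number}"],
        },
    }


def ingress_policy_file(rules):
    """Serialize rules as the document passed via --set-ingress-policies.

    JSON is valid YAML, so the output can be written straight to the file.
    """
    return json.dumps(rules, indent=2)


if __name__ == "__main__":
    # Constructed placeholders: copy the real writer identity from the sink
    # details dialog and use the log bucket project's number.
    writer = "serviceAccount:o123456789012-345678@gcp-sa-logging.iam.gserviceaccount.com"
    rules = [
        build_logging_ingress_rule("user:alice@example.com", "987654321098"),
        build_logging_ingress_rule(writer, "987654321098"),
    ]
    print(ingress_policy_file(rules))
```

Keeping the rule to a single identity and a single service is the point: a broader rule (all identities, or all services) would let anything outside the perimeter reach every protected API in the project, which defeats the perimeter the dashboard is meant to monitor.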
Limitations
VPC Service Controls doesn't backfill the audit logs from other project-level buckets:
If you create a new log bucket while setting up the violation dashboard, VPC Service Controls doesn't backfill the existing logs from other projects within your organization into the newly created log bucket. The dashboard appears empty until VPC Service Controls logs new violations and routes these logs to the new log bucket.
If you select an existing log bucket while setting up the violation dashboard, the dashboard displays information of all existing logs from the selected log bucket. The dashboard doesn't display logs from other projects within your organization because VPC Service Controls doesn't backfill these logs into the selected log bucket.
What's next
- VPC Service Controls audit logging
- Diagnose issues by using the VPC Service Controls troubleshooter
- Diagnose an access denial event using the VPC Service Controls violation analyzer (Preview)
- Troubleshoot common VPC Service Controls issues with Google Cloud services