VPC flow logs for VPC network subnets are disabled Affecting Compute Engine service in Google

Snyk CCSS

Logging / Configuration

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Controls CIS-Google HIPAA ISO-27001 NIST-800-53 SOC-2

Snyk ID SNYK-CC-00386
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Flow logs should be enabled for every business-critical VPC subnet, as they provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or insight during security workflows.

How to fix?

Define a log_config field with aggregation_interval, flow_sampling and metadata subfields.

Example Configuration

resource "google_compute_subnetwork" "test" {
  name          = "test-subnetwork"
  ip_cidr_range = "10.2.0.0/16"
  region        = "us-east1"
  network       = google_compute_network.test.id
  log_config {
    aggregation_interval = "INTERVAL_10_MIN"
    flow_sampling        = 0.5
    metadata = "INCLUDE_ALL_METADATA"
  }
}

Terraform

Resource: google_compute_subnetwork

References

Using VPC Flow Logs