Logging metric filter and alert for network route changes should be configured
Affecting: Google Cloud Platform service
Severity framework: Snyk CCSS
Rule category: Logging / Logging
Frameworks
CIS-Google
HIPAA
ISO-27001
NIST-800-53
PCI-DSS
SOC-2
- Snyk ID: SNYK-CC-00440
- Credit: Snyk Research Team
Description
Logging metric filter and alert for network route changes should be configured. Routes define the paths network traffic takes from a VM instance to another destination, either inside the same VPC network or outside it. Monitoring changes to route tables helps catch accidental or malicious modifications that could result in dropped packets or in traffic being redirected (network hijacking).
How to fix?
Create a log-based metric whose filter matches Compute Engine route insert and delete operations (resource.type "gce_route"), then create a Cloud Monitoring alert policy whose condition references that metric. The Terraform below shows both resources.
Example Configuration
# Log-based metric that counts audit-log entries for route insert and delete
# calls. The parentheses make the intended grouping explicit: only gce_route
# entries, with either method name.
resource "google_logging_metric" "logging_metric" {
  name   = "logging_metric"
  filter = "resource.type=\"gce_route\" AND (protoPayload.methodName:\"compute.routes.delete\" OR protoPayload.methodName:\"compute.routes.insert\")"
  metric_descriptor {
    value_type  = "INT64"
    metric_kind = "DELTA"
  }
}

# Alert policy bound to the metric above. With COMPARISON_GT and no explicit
# threshold_value, the condition fires as soon as the metric reports any route
# change within the 60s window. Add notification_channels to be paged.
resource "google_monitoring_alert_policy" "alert_policy" {
  depends_on   = [google_logging_metric.logging_metric]
  display_name = "Alert Policy"
  combiner     = "OR"
  conditions {
    display_name = "condition"
    condition_threshold {
      filter     = "resource.type=\"global\" metric.type=\"logging.googleapis.com/user/logging_metric\""
      duration   = "60s"
      comparison = "COMPARISON_GT"
    }
  }
}
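The rule above is easier to audit than to eyeball in the console. The following script is an added example (not part of the Snyk rule page or Snyk's scanner) that checks an existing project for the two halves of the control: a log-based metric scoped to gce_route that mentions both compute.routes.insert and compute.routes.delete, and an enabled alert policy whose condition references that metric. It reads JSON in the shape returned by `gcloud logging metrics list --format=json` and `gcloud alpha monitoring policies list --format=json`; the two documents embedded below are constructed samples standing in for that output. The field names and the substring matching are assumptions of this example, not a full Cloud Logging query parser.

```python
"""Audit a GCP project for route-change alerting (added example, not Snyk code).

Inputs are JSON documents in the shape of
  gcloud logging metrics list --format=json
  gcloud alpha monitoring policies list --format=json
The samples below are constructed for illustration.
"""
import json

# Constructed sample: two log-based metrics, one of them the route-change metric.
METRICS_JSON = json.dumps([
    {
        "name": "logging_metric",
        "filter": 'resource.type="gce_route" AND (protoPayload.methodName:"compute.routes.delete" '
                  'OR protoPayload.methodName:"compute.routes.insert")',
        "metricDescriptor": {"metricKind": "DELTA", "valueType": "INT64"},
    },
    {
        "name": "firewall_metric",
        "filter": 'resource.type="gce_firewall_rule" AND protoPayload.methodName:"compute.firewalls.patch"',
        "metricDescriptor": {"metricKind": "DELTA", "valueType": "INT64"},
    },
])

# Constructed sample: one enabled alert policy bound to the route-change metric,
# with no notification channels (as in the Terraform example above).
POLICIES_JSON = json.dumps([
    {
        "displayName": "Alert Policy",
        "enabled": True,
        "combiner": "OR",
        "notificationChannels": [],
        "conditions": [{
            "displayName": "condition",
            "conditionThreshold": {
                "filter": 'resource.type="global" metric.type="logging.googleapis.com/user/logging_metric"',
                "comparison": "COMPARISON_GT",
                "duration": "60s",
            },
        }],
    },
])

REQUIRED_METHODS = ("compute.routes.delete", "compute.routes.insert")


def route_change_metrics(metrics_json):
    """Names of metrics scoped to gce_route whose filter mentions both route
    insert and delete. Substring check only (assumption of this example)."""
    found = []
    for metric in json.loads(metrics_json):
        flt = metric.get("filter", "")
        if 'resource.type="gce_route"' in flt and all(m in flt for m in REQUIRED_METHODS):
            found.append(metric["name"])
    return found


def policies_for_metric(policies_json, metric_name):
    """Display names of enabled alert policies with a condition on the given
    user-defined log-based metric."""
    target = f"logging.googleapis.com/user/{metric_name}"
    matched = []
    for policy in json.loads(policies_json):
        if not policy.get("enabled", False):
            continue
        for cond in policy.get("conditions", []):
            if target in cond.get("conditionThreshold", {}).get("filter", ""):
                matched.append(policy["displayName"])
                break
    return matched


def check_route_change_alerting(metrics_json, policies_json):
    """Return (compliant, findings). Compliant means at least one route-change
    metric has an enabled alert policy; findings list gaps and caveats."""
    findings = []
    metrics = route_change_metrics(metrics_json)
    if not metrics:
        findings.append("no log-based metric covers compute.routes.insert/delete")
        return False, findings
    compliant = False
    policies = {p["displayName"]: p for p in json.loads(policies_json)}
    for name in metrics:
        bound = policies_for_metric(policies_json, name)
        if not bound:
            findings.append(f"metric {name} has no enabled alert policy")
            continue
        compliant = True
        for disp in bound:
            if not policies[disp].get("notificationChannels"):
                findings.append(f"policy {disp} has no notification channels; alerts stay in the console")
    return compliant, findings


if __name__ == "__main__":
    ok, notes = check_route_change_alerting(METRICS_JSON, POLICIES_JSON)
    print("compliant:", ok)
    for note in notes:
        print(" -", note)
```

Run it against real output by replacing the two constants with the files produced by the gcloud commands in the docstring. The notification-channel finding is deliberately non-blocking: the Snyk rule only requires the metric and the alert policy, but an alert nobody is paged for is a weak control.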