Predefined posture for VPC networking, essentials

This page describes the preventative and detective policies that are included in the v.1.0 version of the predefined posture for Virtual Private Cloud (VPC) networking, essentials. This posture includes two policy sets:

A policy set that includes organization policy constraints that apply to VPC networking.
A policy set that includes Security Health Analytics detectors that apply to VPC networking.

You can use this predefined posture to configure a security posture that helps protect VPC networking. You can deploy this predefined posture without making any changes.

Organization policy constraints

The following table describes the organization policy constraints that are included in this posture.

Policy Description Compliance standard

Policy	Description	Compliance standard
`compute.skipDefaultNetworkCreation`	This boolean constraint disables the automatic creation of a default VPC network and default firewall rules in each new project, ensuring that network and firewall rules are intentionally created. The value is `true` to avoid creating the default VPC network.	NIST SP 800-53 control: SC-7 and SC-8
`ainotebooks.restrictPublicIp`	This boolean constraint restricts public IP access to newly created Vertex AI Workbench notebooks and instances. By default, public IP addresses can access Vertex AI Workbench notebooks and instances. The value is `true` to restrict public IP access on new Vertex AI Workbench notebooks and instances.	NIST SP 800-53 control: SC-7 and SC-8
`compute.disableNestedVirtualization`	This boolean constraint disables nested virtualization for all Compute Engine VMs to decrease the security risk related to unmonitored nested instances. The value is `true` to turn off VM nested virtualization.	NIST SP 800-53 control: SC-7 and SC-8

compute.skipDefaultNetworkCreation

This boolean constraint disables the automatic creation of a default VPC network and default firewall rules in each new project, ensuring that network and firewall rules are intentionally created.

The value is true to avoid creating the default VPC network.

NIST SP 800-53 control: SC-7 and SC-8

ainotebooks.restrictPublicIp

This boolean constraint restricts public IP access to newly created Vertex AI Workbench notebooks and instances. By default, public IP addresses can access Vertex AI Workbench notebooks and instances.

The value is true to restrict public IP access on new Vertex AI Workbench notebooks and instances.

NIST SP 800-53 control: SC-7 and SC-8

compute.disableNestedVirtualization

This boolean constraint disables nested virtualization for all Compute Engine VMs to decrease the security risk related to unmonitored nested instances.

The value is true to turn off VM nested virtualization.

NIST SP 800-53 control: SC-7 and SC-8

Security Health Analytics detectors

The following table describes the Security Health Analytics detectors that are included in the predefined posture. For more information about these detectors, see Vulnerability findings.

Detector name	Description
`FIREWALL_NOT_MONITORED`	This detector checks whether log metrics and alerts aren't configured to monitor VPC firewall rule changes.
`NETWORK_NOT_MONITORED`	This detector checks whether log metrics and alerts aren't configured to monitor VPC network changes.
`ROUTE_NOT_MONITORED`	This detector checks whether log metrics and alerts aren't configured to monitor VPC network route changes.
`DNS_LOGGING_DISABLED`	This detector checks whether DNS logging is enabled on the VPC network.
`FLOW_LOGS_DISABLED`	This detector checks whether flow logs are enabled on the VPC subnetwork.

View the posture template

To view the posture template for VPC networking, essentials, do the following:

gcloud

Before using any of the command data below, make the following replacements:

ORGANIZATION_ID: the numeric ID of the organization

Execute the gcloud scc posture-templates describe command:

Linux, macOS, or Cloud Shell

gcloud scc posture-templates describe \
    organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_essential

Windows (PowerShell)

gcloud scc posture-templates describe `
    organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_essential

Windows (cmd.exe)

gcloud scc posture-templates describe ^
    organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_essential

The response contains the posture template.

REST

Before using any of the request data, make the following replacements:

ORGANIZATION_ID: the numeric ID of the organization

HTTP method and URL:

GET https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_essential

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.

Execute the following command:

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_essential"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_essential" | Select-Object -Expand Content

The response contains the posture template.

What's next

Create a security posture using this predefined posture.