This page describes the preventative and detective policies that are included in the v1.0 version of the predefined posture for Virtual Private Cloud (VPC) networking, extended. This posture includes two policy sets:

- A policy set that includes organization policy constraints that apply to VPC networking.
- A policy set that includes Security Health Analytics detectors that apply to VPC networking.

You can use this predefined posture to configure a security posture that helps protect VPC networking. If you want to deploy this predefined posture, you must customize some of the policies so that they apply to your environment.
Organization policy constraints
The following table describes the organization policy constraints that are included in this posture.
Policy | Description | Compliance standard |
---|---|---|
compute.skipDefaultNetworkCreation | This boolean constraint disables the automatic creation of a default VPC network and default firewall rules in each new project, ensuring that network and firewall rules are intentionally created. The value is | NIST SP 800-53 control: SC-7 and SC-8 |
ainotebooks.restrictPublicIp | This boolean constraint restricts public IP access to newly created Vertex AI Workbench notebooks and instances. By default, public IP addresses can access Vertex AI Workbench notebooks and instances. The value is | NIST SP 800-53 control: SC-7 and SC-8 |
compute.disableNestedVirtualization | This boolean constraint disables nested virtualization for all Compute Engine VMs to decrease the security risk related to unmonitored nested instances. The value is | NIST SP 800-53 control: SC-7 and SC-8 |
compute.vmExternalIpAccess | This list constraint defines the Compute Engine VM instances that are allowed to use external IP addresses. By default, all VM instances are allowed to use external IP addresses. The constraint uses the format You must configure this value when you adopt this predefined posture. | NIST SP 800-53 control: SC-7 and SC-8 |
ainotebooks.restrictVpcNetworks | This list constraint defines the VPC networks a user can select when creating new Vertex AI Workbench instances where this constraint is enforced. You must configure this value when you adopt this predefined posture. | NIST SP 800-53 control: SC-7 and SC-8 |
compute.vmCanIpForward | This list constraint defines the VPC networks that a user can select when creating new Vertex AI Workbench instances. By default, you can create a Vertex AI Workbench instance with any VPC network. You must configure this value when you adopt this predefined posture. | NIST SP 800-53 control: SC-7 and SC-8 |
Security Health Analytics detectors
The following table describes the Security Health Analytics detectors that are included in the predefined posture. For more information about these detectors, see Vulnerability findings.
Detector name | Description |
---|---|
FIREWALL_NOT_MONITORED | This detector checks whether log metrics and alerts aren't configured to monitor VPC firewall rule changes. |
NETWORK_NOT_MONITORED | This detector checks whether log metrics and alerts aren't configured to monitor VPC network changes. |
ROUTE_NOT_MONITORED | This detector checks whether log metrics and alerts aren't configured to monitor VPC network route changes. |
DNS_LOGGING_DISABLED | This detector checks whether DNS logging is enabled on the VPC network. |
FLOW_LOGS_DISABLED | This detector checks whether flow logs are enabled on the VPC subnetwork. |
VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED | This detector checks whether the |
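The three *_NOT_MONITORED detectors above report when no log-based metric and alert cover VPC firewall, network and route changes. As an added example (not code from this page or from Security Health Analytics), the following Python applies the same kind of substring filter a log-based metric would use to Cloud Audit Log entries; the resource types and method names are assumed to be the ones those metrics should match, and the log entries are constructed samples.

```python
import json

# Substring filters for the change events that FIREWALL_NOT_MONITORED,
# NETWORK_NOT_MONITORED and ROUTE_NOT_MONITORED expect a log-based metric
# to cover (assumption: these resource types and method names). Audit-log
# methodName values carry an API version prefix, e.g.
# "v1.compute.firewalls.insert", so each filter matches a substring.
CHANGE_FILTERS = {
    "firewall": ("gce_firewall_rule", ("compute.firewalls.insert",
                                       "compute.firewalls.patch",
                                       "compute.firewalls.delete")),
    "network": ("gce_network", ("compute.networks.insert",
                                "compute.networks.patch",
                                "compute.networks.delete",
                                "compute.networks.addPeering",
                                "compute.networks.removePeering")),
    "route": ("gce_route", ("compute.routes.insert",
                            "compute.routes.delete")),
}

def classify(entry):
    """Return the change category an audit-log entry matches, or None."""
    resource_type = entry.get("resource", {}).get("type")
    method = entry.get("protoPayload", {}).get("methodName", "")
    for category, (rtype, methods) in CHANGE_FILTERS.items():
        if resource_type == rtype and any(m in method for m in methods):
            return category
    return None

def summarize(raw_lines):
    """Count matching changes per category over newline-delimited JSON."""
    counts = {category: 0 for category in CHANGE_FILTERS}
    for line in raw_lines:
        category = classify(json.loads(line))
        if category is not None:
            counts[category] += 1
    return counts

# Constructed sample entries, trimmed to the fields the filters inspect.
SAMPLE_LOG = [
    '{"resource":{"type":"gce_firewall_rule"},"protoPayload":{"methodName":"v1.compute.firewalls.insert"}}',
    '{"resource":{"type":"gce_firewall_rule"},"protoPayload":{"methodName":"v1.compute.firewalls.get"}}',
    '{"resource":{"type":"gce_network"},"protoPayload":{"methodName":"beta.compute.networks.addPeering"}}',
    '{"resource":{"type":"gce_route"},"protoPayload":{"methodName":"v1.compute.routes.delete"}}',
    '{"resource":{"type":"gce_instance"},"protoPayload":{"methodName":"v1.compute.instances.insert"}}',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))  # {'firewall': 1, 'network': 1, 'route': 1}
```

A read-only call such as firewalls.get and a change to a resource type outside the three filters are both left uncounted, which is the same boundary the corresponding log-based metrics draw.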
View the posture template
To view the posture template for VPC networking, extended, do the following:
gcloud
Before using any of the command data below, make the following replacements:

- ORGANIZATION_ID: the numeric ID of the organization

Execute the gcloud scc posture-templates describe command:

Linux, macOS, or Cloud Shell

```sh
gcloud scc posture-templates describe \
    organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_extended
```

Windows (PowerShell)

```powershell
gcloud scc posture-templates describe `
    organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_extended
```

Windows (cmd.exe)

```
gcloud scc posture-templates describe ^
    organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_extended
```
The response contains the posture template.
REST
Before using any of the request data, make the following replacements:

- ORGANIZATION_ID: the numeric ID of the organization

HTTP method and URL:

```
GET https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_extended
```
The response contains the posture template.