Predefined posture for VPC networking, extended

Premium and Enterprise service tiers (requires organization-level activation)

This page describes the preventative and detective policies that are included in the v.1.0 version of the predefined posture for Virtual Private Cloud (VPC) networking, extended. This posture includes two policy sets:

  • A policy set that includes organization policy constraints that apply to VPC networking.

  • A policy set that includes Security Health Analytics detectors that apply to VPC networking.

You can use this predefined posture to configure a security posture that helps protect VPC networking. If you want to deploy this predefined posture, you must customize some of the policies so that they apply to your environment.

Organization policy constraints

The following table describes the organization policy constraints that are included in this posture. Each entry lists the policy, its description, and the compliance standard it maps to.

Policy: compute.skipDefaultNetworkCreation

Description: This boolean constraint disables the automatic creation of a default VPC network and default firewall rules in each new project, ensuring that network and firewall rules are intentionally created.

The value is true to avoid creating the default VPC network.

Compliance standard: NIST SP 800-53 control: SC-7 and SC-8

Policy: ainotebooks.restrictPublicIp

Description: This boolean constraint restricts public IP access to newly created Vertex AI Workbench notebooks and instances. By default, public IP addresses can access Vertex AI Workbench notebooks and instances.

The value is true to restrict public IP access on new Vertex AI Workbench notebooks and instances.

Compliance standard: NIST SP 800-53 control: SC-7 and SC-8

Policy: compute.disableNestedVirtualization

Description: This boolean constraint disables nested virtualization for all Compute Engine VMs to decrease the security risk related to unmonitored nested instances.

The value is true to turn off VM nested virtualization.

Compliance standard: NIST SP 800-53 control: SC-7 and SC-8

Policy: compute.vmExternalIpAccess

Description: This list constraint defines the Compute Engine VM instances that are allowed to use external IP addresses. By default, all VM instances are allowed to use external IP addresses. The constraint uses the format projects/PROJECT_ID/zones/ZONE/instances/INSTANCE.

You must configure this value when you adopt this predefined posture.

Compliance standard: NIST SP 800-53 control: SC-7 and SC-8

Policy: ainotebooks.restrictVpcNetworks

Description: This list constraint defines the VPC networks a user can select when creating new Vertex AI Workbench instances where this constraint is enforced.

You must configure this value when you adopt this predefined posture.

Compliance standard: NIST SP 800-53 control: SC-7 and SC-8

Policy: compute.vmCanIpForward

Description: This list constraint defines the VPC networks that a user can select when creating new Vertex AI Workbench instances. By default, you can create a Vertex AI Workbench instance with any VPC network.

You must configure this value when you adopt this predefined posture.

Compliance standard: NIST SP 800-53 control: SC-7 and SC-8

Security Health Analytics detectors

The following table describes the Security Health Analytics detectors that are included in the predefined posture. For more information about these detectors, see Vulnerability findings.

Detector: FIREWALL_NOT_MONITORED

Description: This detector checks whether log metrics and alerts aren't configured to monitor VPC firewall rule changes.

Detector: NETWORK_NOT_MONITORED

Description: This detector checks whether log metrics and alerts aren't configured to monitor VPC network changes.

Detector: ROUTE_NOT_MONITORED

Description: This detector checks whether log metrics and alerts aren't configured to monitor VPC network route changes.

Detector: DNS_LOGGING_DISABLED

Description: This detector checks whether DNS logging is enabled on the VPC network.

Detector: FLOW_LOGS_DISABLED

Description: This detector checks whether flow logs are enabled on the VPC subnetwork.

Detector: VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED

Description: This detector checks whether the enableFlowLogs property of VPC subnetworks is missing or set to false.
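Two of the items above require you to supply or verify values before deploying the posture: the compute.vmExternalIpAccess allowlist must use the projects/PROJECT_ID/zones/ZONE/instances/INSTANCE format, and the flow-log detectors flag any subnetwork whose enableFlowLogs property is missing or false. The following Python is an added example, not code from this page or from Google Cloud: it runs both checks offline against constructed sample data, and the resource-name regular expression is an approximation written for this example, not an official grammar.

```python
"""Offline checks that mirror two items from the VPC networking, extended posture."""
import re

# Constructed sample data (not from any real project), shaped like the JSON that
# `gcloud compute networks subnets describe --format=json` returns.
SUBNETS = [
    {"name": "sub-logged", "region": "us-central1", "enableFlowLogs": True},
    {"name": "sub-missing", "region": "us-central1"},
    {"name": "sub-off", "region": "europe-west1", "enableFlowLogs": False},
]

# Constructed allowlist for compute.vmExternalIpAccess: the second entry names a
# region instead of a zone, the third omits the zone segment entirely.
EXTERNAL_IP_ALLOWLIST = [
    "projects/example-prod-123/zones/us-central1-a/instances/bastion-1",
    "projects/example-prod-123/regions/us-central1/instances/bastion-2",
    "projects/example-prod-123/instances/bastion-3",
]

# Approximation of the resource-name grammar (assumption, not an official spec):
# project ID of 6-30 chars starting with a letter and not ending in a hyphen,
# a zone such as us-central1-a, then an RFC 1035 instance name.
INSTANCE_RE = re.compile(
    r"^projects/[a-z][a-z0-9-]{4,28}[a-z0-9]"
    r"/zones/[a-z]+-[a-z]+[0-9]+-[a-z]"
    r"/instances/[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?$"
)


def flow_log_findings(subnets):
    """Subnetworks that FLOW_LOGS_DISABLED and
    VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED would flag: enableFlowLogs is
    missing or false. A missing key is deliberately treated like false."""
    return [f"{s['region']}/{s['name']}" for s in subnets
            if s.get("enableFlowLogs") is not True]


def invalid_allowlist_entries(values):
    """Entries that do not follow projects/PROJECT_ID/zones/ZONE/instances/INSTANCE,
    the format compute.vmExternalIpAccess requires. Catching them before the
    posture is deployed avoids a list that silently fails to allow the VM."""
    return [v for v in values if not INSTANCE_RE.match(v)]


if __name__ == "__main__":
    print("flow log findings:", flow_log_findings(SUBNETS))
    print("malformed allowlist entries:",
          invalid_allowlist_entries(EXTERNAL_IP_ALLOWLIST))
```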

View the posture template

To view the posture template for VPC networking, extended, do the following:

gcloud

Before using any of the command data below, make the following replacements:

  • ORGANIZATION_ID: the numeric ID of the organization

Execute the gcloud scc posture-templates describe command:

Linux, macOS, or Cloud Shell

gcloud scc posture-templates describe \
    organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_extended

Windows (PowerShell)

gcloud scc posture-templates describe `
    organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_extended

Windows (cmd.exe)

gcloud scc posture-templates describe ^
    organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_extended

The response contains the posture template.

REST

Before using any of the request data, make the following replacements:

  • ORGANIZATION_ID: the numeric ID of the organization

HTTP method and URL:

GET https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_extended

To send your request, use one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Execute the following command:

curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_extended"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_extended" | Select-Object -Expand Content

The response contains the posture template.


Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-20 UTC.