Plugin Title | VPC Firewall Rule Logging |
Cloud | |
Category | Logging |
Description | Ensures that logging and log alerts exist for firewall rule changes |
More Info | Project ownership is the highest level of privilege on a project; any change to a firewall rule should be heavily monitored to prevent unauthorized changes. |
GOOGLE Link | https://cloud.google.com/logging/docs/logs-based-metrics/ |
Recommended Action | Ensure that log alerts exist for firewall rule changes. |
- Log in to the Google Cloud Platform Console.
- Navigate to "Logs-based metrics" under "Logging" (https://console.cloud.google.com/logs/metrics?walkthrough_id=panels--logging--query) and click on the "CREATE METRIC" button at the top.
- On the "Metric editor" tab, enter the "Name" as "VPCFirewall". For the required filter field, enter: (resource.type="gce_firewall_rule" AND protoPayload.methodName="v1.compute.firewalls.patch") OR (protoPayload.methodName="v1.compute.firewalls.insert")
- Click on the "Create metric" button at the bottom to create the logging metric.
- On the "Logs-based metrics" page, under "User-defined metrics", click on the 3 dots next to the newly created "VPC Firewall Rule Logging" metric and click on "create alert from metric".
- On the "Create alert" page, select the "Aggregator" as required and select the "Configuration" from the dropdown menu accordingly.
- Enter the "Condition", "Threshold" and "Minute" values for the above "Configuration" accordingly and click on the "Save" button to apply the changes.
- Once the settings are saved, enter the name of the alarm and select the "Policy triggers" condition from the dropdown menu.
- Click on the "Save" button at the bottom to apply the changes.
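As an added example (not part of this plugin or of the console steps above), the following Python restates the logs-based metric filter as a predicate, runs it over constructed audit-log entries, and applies a count-over-window threshold like the alert condition configured in the steps. The field layout follows Cloud Audit Log entries; the sample entries, the window and the thresholds are constructed and the delete entry is included to show an event the page's filter does not count.

```python
from datetime import datetime, timedelta, timezone

# Filter from the procedure above, restated as a predicate:
# (resource.type="gce_firewall_rule" AND protoPayload.methodName="v1.compute.firewalls.patch")
#   OR (protoPayload.methodName="v1.compute.firewalls.insert")
def matches_filter(entry: dict) -> bool:
    resource_type = entry.get("resource", {}).get("type")
    method = entry.get("protoPayload", {}).get("methodName")
    is_patch = resource_type == "gce_firewall_rule" and method == "v1.compute.firewalls.patch"
    is_insert = method == "v1.compute.firewalls.insert"
    return is_patch or is_insert


def parse_ts(ts: str) -> datetime:
    # Audit-log timestamps are RFC 3339 in UTC, e.g. 2024-05-01T10:00:00Z.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def metric_count(entries, window_minutes: int, now: datetime) -> int:
    """Value of the counter metric over the trailing window (the "Minute" setting)."""
    start = now - timedelta(minutes=window_minutes)
    return sum(1 for e in entries
               if matches_filter(e) and start <= parse_ts(e["timestamp"]) <= now)


def alert_fires(entries, threshold: int, window_minutes: int, now: datetime) -> bool:
    """Condition "is above" threshold: a count strictly greater than the threshold fires."""
    return metric_count(entries, window_minutes, now) > threshold


def unmatched_firewall_events(entries):
    """Firewall-rule audit events that the filter above does NOT count (e.g. deletes)."""
    return [e for e in entries
            if e.get("resource", {}).get("type") == "gce_firewall_rule" and not matches_filter(e)]


def _entry(ts, resource_type, method):
    return {"timestamp": ts, "resource": {"type": resource_type},
            "protoPayload": {"methodName": method}}

# Constructed sample entries (not real logs), trimmed to the fields the filter reads.
SAMPLE_ENTRIES = [
    _entry("2024-05-01T10:00:00Z", "gce_firewall_rule", "v1.compute.firewalls.patch"),
    _entry("2024-05-01T10:02:00Z", "gce_firewall_rule", "v1.compute.firewalls.insert"),
    _entry("2024-05-01T10:03:00Z", "gce_firewall_rule", "v1.compute.firewalls.delete"),
    _entry("2024-05-01T10:04:00Z", "gce_instance", "v1.compute.instances.insert"),
    _entry("2024-05-01T08:00:00Z", "gce_firewall_rule", "v1.compute.firewalls.patch"),
]
NOW = parse_ts("2024-05-01T10:05:00Z")  # constructed evaluation time

if __name__ == "__main__":
    print("matches in last 60 min:", metric_count(SAMPLE_ENTRIES, 60, NOW))  # 2
    print("alert fires (threshold 0):", alert_fires(SAMPLE_ENTRIES, 0, 60, NOW))  # True
    print("not counted:", [e["protoPayload"]["methodName"] for e in unmatched_firewall_events(SAMPLE_ENTRIES)])
```

The 08:00 patch matches the filter but falls outside the 60-minute window, so only two events count toward the metric at 10:05.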