Skip to content

Latest commit

 

History

History
122 lines (98 loc) · 3.72 KB

1.10.md

File metadata and controls

122 lines (98 loc) · 3.72 KB
Raw

1.10 - Access attempts violating VPC Service Controls

Access attempt blocked by VPC Service Controls, indicating potential malicious activity like data exfiltration attempt and/or access from unauthorized networks using stolen credentials. To learn more about the security benefits of VPC Service Controls, see this VPC Service Controls overview.

Category: Login & Access Patterns
Use Cases: Detect, Audit
Data Sources: Audit Logs - Policy

Queries or Rules

BigQuery Log Analytics Google SecOps
SQL SQL Contribute rule

Event Generation

Copy Cloud Storage file from private storage bucket in a protected projected over to local workstation (i.e. outside the perimeter)

Test Prerequisites

  1. Install gcloud
  2. Create a service perimeter around test GCP project
  3. Create a Cloud Storage bucket in GCP project with private.txt file

Test Input

Name Description Type Default Value
protected-bucket Name of Cloud Storage bucket located in a protected GCP project within service perimeter String test-protected-bucket

Test Commands

gsutil cp gs://#{protected-bucket}/private.txt .

Sample Event

google.storage.objects.get-notInSameVPC

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "status": {
      "code": 7,
      "message": "PERMISSION_DENIED",
      "details": [
        {
          "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
          "violations": [
            {
              "type": "VPC_SERVICE_CONTROLS",
              "description": "HnoEeMFGeXlDeZykdkzUQbt4VJ7oyxjJWLsS93mFiXnJJHIS1ZbhmQ"
            }
          ]
        }
      ]
    },
    "authenticationInfo": {
    },
    "requestMetadata": {
      "callerIp": "203.0.113.255",
      "requestAttributes": {
      },
      "destinationAttributes": {
      }
    },
    "serviceName": "storage.googleapis.com",
    "methodName": "google.storage.objects.get",
    "resourceName": "projects/1234",
    "metadata": {
      "resourceNames": [
        "projects/123/buckets/protected-bucket/objects/private.txt"
      ],
      "vpcServiceControlsUniqueId": "HnoEeMFGeXlDeZykdkzUQbt4VJ7oyxjAbLsS93mFiXnJJHIS1ZbhmQ",
      "violationReason": "NO_MATCHING_ACCESS_LEVEL",
      "ingressViolations": [
        {
          "targetResource": "projects/1234",
          "servicePerimeter": "accessPolicies/123456789/servicePerimeters/test-perimeter"
        }
      ],
      "securityPolicyInfo": {
        "servicePerimeterName": "accessPolicies/123456789/servicePerimeters/test-perimeter",
        "organizationId": "123"
      },
      "@type": "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
    }
  },
  "insertId": "1lpqk13d1fdt",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "storage.googleapis.com",
      "method": "google.storage.objects.get",
      "project_id": "1234"
    }
  },
  "timestamp": "2022-02-15T21:51:50.071173943Z",
  "severity": "ERROR",
  "logName": "projects/1234/logs/cloudaudit.googleapis.com%2Fpolicy",
  "receiveTimestamp": "2022-02-15T21:51:50.900622321Z"
}

References