Google Compute Subnetwork Logging | Vulnerability Database

Google Compute Subnetwork Logging Disabled

Flow logs for subnets should be enabled to capture network traffic details for security analysis.

Impact

Recommended Actions

Follow the appropriate remediation steps below to resolve the issue.

Enable VPC Flow Logs for subnets.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
resource "google_compute_subnetwork" "good_example_with_log_config" {
  name          = "test-subnetwork"
  ip_cidr_range = "10.2.0.0/16"
  region        = "us-central1"
  network       = google_compute_network.custom-test.id
  log_config {
    aggregation_interval = "INTERVAL_10_MIN"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}
resource "google_compute_network" "custom-test" {
  name                    = "test-network"
  auto_create_subnetworks = false
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
resource "google_compute_subnetwork" "good_example_with_log_config" {
  name          = "test-subnetwork"
  ip_cidr_range = "10.2.0.0/16"
  region        = "us-central1"
  network       = google_compute_network.custom-test.id
  purpose       = "REGIONAL_MANAGED_PROXY"
}
resource "google_compute_network" "custom-test" {
  name                    = "test-network"
  auto_create_subnetworks = false
}

Remediation Links

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork#enable_flow_logs