GCP Network
Analyzes GCP networking infrastructure, including VPC firewall rules, subnets, Cloud DNS, and Cloud Logging. Identifies overly permissive firewall rules, missing VPC Flow Logs, disabled logging, and use of the default VPC network.
Required Blueprints: GCP
Sightlines
| Sightline | Description |
|---|---|
| Firewall Rules | Highlights VPC firewall rules that allow unrestricted ingress from the internet (0.0.0.0/0). |
| Subnets | Focuses on VPC subnet flow log enablement for security monitoring and forensics. |
| Cloud DNS | Monitors Cloud DNS managed zone configuration and query logging status. |
| Cloud Logging | Monitors Cloud Logging sink configuration and identifies disabled sinks. |
Explorer Node Types
Use these node types in Explorer or KAI to query resources surfaced by this analyzer:
gcp.vpc.FirewallRule, gcp.vpc.Network, gcp.vpc.Subnetwork, gcp.dns.ManagedZone, gcp.cloudarmor.SecurityPolicy, gcp.cloudarmor.SecurityPolicyRule
Related Analyzers
- GCP IAM — Network access controlled by IAM bindings
- GCP Compute — Compute instances connected via VPC networks
- GCP Database — Database private IP and firewall configuration
- GCP Storage — Bucket access endpoint configurations
Insight Feed Alerts
- Firewall Rule Allowing All Ingress -- Rules allowing ingress from 0.0.0.0/0 (CIS GCP 3.6).
- Subnet Without Flow Logs -- Subnets without VPC Flow Logs enabled (CIS GCP 3.8).
- DNS Zone Without Logging -- DNS zones with query logging disabled.
- Disabled Log Sink -- Logging sinks that are disabled, so the log entries they would route are no longer exported, creating compliance gaps.
- Firewall Rule Allowing SSH from Internet -- SSH (port 22) open to 0.0.0.0/0 (CIS GCP 3.6).
- Firewall Rule Allowing RDP from Internet -- RDP (port 3389) open to 0.0.0.0/0 (CIS GCP 3.7).
- Default VPC Network In Use -- Projects using the default VPC with permissive pre-configured rules (CIS GCP 3.1).
- Subnets Without Private Google Access -- Subnets with Private Google Access disabled, so instances with only internal IPs cannot reach Google APIs and must be given external IPs (CIS GCP 3.8).
- Firewall Rule Without Logging -- Firewall rules with logging disabled (CIS GCP 3.12).
- Audit Logging Not Configured for All Services -- Cloud Audit Logging not set for allServices (CIS GCP 2.1).
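The following is an added example, not the analyzer's own code, showing how the firewall and subnet checks from the Sightlines table and the alert list above can be evaluated against resources exported with `gcloud compute firewall-rules list --format=json` and `gcloud compute networks subnets list --format=json`. The field names follow those two JSON shapes; the sample resources, project name and alert titles are constructed for illustration. Two interpretations are the example's own: "Firewall Rule Allowing All Ingress" is raised only when an internet-sourced rule opens every port of some protocol (an `allowed` entry with no `ports` list, or `IPProtocol: all`), and the SSH/RDP findings honour port ranges such as `20-25` that cover the port without naming it.

```python
"""Evaluate exported GCP firewall rules and subnets against the alerts listed above.

Added example for this page; it is not the analyzer's own code. Input shapes follow
the JSON returned by `gcloud compute firewall-rules list --format=json` and
`gcloud compute networks subnets list --format=json`. The resources at the bottom
are constructed samples, not real project data.
"""
from __future__ import annotations

INTERNET = {"0.0.0.0/0", "::/0"}  # unrestricted IPv4 / IPv6 source ranges
REMOTE_ADMIN = {22: "Firewall Rule Allowing SSH from Internet",
                3389: "Firewall Rule Allowing RDP from Internet"}


def _opened(entry: dict) -> tuple[str, set[int] | None]:
    """Protocol and port set of one `allowed` entry.

    The port set is None when the entry carries no `ports` list, which in the
    Compute API means every port of that protocol.
    """
    proto = entry.get("IPProtocol", "all").lower()
    if "ports" not in entry:
        return proto, None
    ports: set[int] = set()
    for spec in entry["ports"]:  # "22" or a range such as "20-25"
        lo, _, hi = spec.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return proto, ports


def _add(findings: list[str], title: str) -> None:
    if title not in findings:
        findings.append(title)


def is_default_network(resource: dict) -> bool:
    """True when the resource's `network` URL points at the auto-created default VPC."""
    return resource.get("network", "").rsplit("/", 1)[-1] == "default"


def firewall_findings(rule: dict) -> list[str]:
    """Alert titles that apply to one firewall rule (empty list means clean)."""
    findings: list[str] = []
    if rule.get("disabled", False):
        return findings  # a disabled rule allows nothing
    if not rule.get("logConfig", {}).get("enable", False):
        _add(findings, "Firewall Rule Without Logging")
    if is_default_network(rule):
        _add(findings, "Default VPC Network In Use")
    if rule.get("direction", "INGRESS") != "INGRESS" or "allowed" not in rule:
        return findings  # egress and deny rules do not expose ports
    if not INTERNET & set(rule.get("sourceRanges", [])):
        return findings  # sourced from tags, service accounts or private ranges only
    for entry in rule["allowed"]:
        proto, ports = _opened(entry)
        if ports is None:
            _add(findings, "Firewall Rule Allowing All Ingress")
        if proto not in ("tcp", "all"):
            continue  # SSH and RDP are TCP services
        for port, title in REMOTE_ADMIN.items():
            if ports is None or port in ports:
                _add(findings, title)
    return findings


def subnet_findings(subnet: dict) -> list[str]:
    """Alert titles that apply to one subnetwork."""
    findings: list[str] = []
    if not subnet.get("logConfig", {}).get("enable", False):
        _add(findings, "Subnet Without Flow Logs")
    if not subnet.get("privateIpGoogleAccess", False):
        _add(findings, "Subnets Without Private Google Access")
    if is_default_network(subnet):
        _add(findings, "Default VPC Network In Use")
    return findings


def scan(rules: list[dict], subnets: list[dict]) -> dict[str, list[str]]:
    """Map 'kind/name' of every non-clean resource to its findings."""
    report: dict[str, list[str]] = {}
    for rule in rules:
        if (found := firewall_findings(rule)):
            report[f"firewall/{rule['name']}"] = found
    for subnet in subnets:
        if (found := subnet_findings(subnet)):
            report[f"subnet/{subnet['name']}"] = found
    return report


# Constructed sample export (hypothetical project "example-proj").
NET = "https://www.googleapis.com/compute/v1/projects/example-proj/global/networks/"
SAMPLE_RULES = [
    {"name": "default-allow-ssh", "network": NET + "default", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-everything", "network": NET + "prod", "direction": "INGRESS",
     "sourceRanges": ["::/0"], "allowed": [{"IPProtocol": "all"}],
     "logConfig": {"enable": True}},
    {"name": "allow-admin-range", "network": NET + "prod", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3380-3400"]}],
     "logConfig": {"enable": True}},
    {"name": "allow-rdp-internal", "network": NET + "prod", "direction": "INGRESS",
     "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}],
     "logConfig": {"enable": True}},
    {"name": "egress-any", "network": NET + "prod", "direction": "EGRESS",
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}],
     "logConfig": {"enable": True}},
]
SAMPLE_SUBNETS = [
    {"name": "default", "network": NET + "default", "privateIpGoogleAccess": False},
    {"name": "prod-eu", "network": NET + "prod", "privateIpGoogleAccess": True,
     "logConfig": {"enable": True}},
]

if __name__ == "__main__":
    for resource, titles in scan(SAMPLE_RULES, SAMPLE_SUBNETS).items():
        print(resource, "->", "; ".join(titles))
```

Running the block reports the SSH rule on the default network, the protocol-`all` rule, the `3380-3400` range (which silently includes RDP), and the default subnet; the internal RDP rule and the egress rule produce nothing, since only internet-sourced ingress allow rules expose ports.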