Secure And Audit The Google Cloud Platform Perimeter

Audit

Ferris Argyle
Google Cloud - Community
2 min readSep 3, 2018


This article describes how Google Cloud Platform addresses the following traditional perimeter security question described in the concepts article: how do you audit traffic and data access, i.e. how do you know the controls worked as intended?

Google Cloud Platform provides a number of audit services corresponding to the solution components described in the prior articles…

Load Balancing logs (alpha)

HTTP(S) Load Balancing logs contain the general information shown in most GCP logs as well as HttpRequest log fields.

Limitations:

  • This product is in alpha.
  • HttpRequest.protocol is not populated.

App Engine HTTP request logs

App Engine HTTP request logs record requests sent to all App Engine Standard and Flexible apps, and are provided by default. You can supplement these with app logs in the App Engine Flexible environment.

If using a reverse proxy such as NGINX, add an HTTP header for the end user IP to be able to surface it in the App Engine request logs.
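
The two sections above describe request logs that carry `httpRequest` fields and an end-user IP surfaced through a reverse-proxy header. The script below is an added example, not code from the article or from Google, showing how an auditor would summarise such entries offline: it counts statuses, resolves the end-user IP, and counts entries where the alpha-stage `HttpRequest.protocol` field is absent. The entries are constructed, the `jsonPayload.forwarded_for` field standing in for the proxy-added header and the trusted-proxy range `10.0.0.0/8` are assumptions for illustration.

```python
"""Summarise HTTP(S) Load Balancing style request log entries.

Added example for this article, not code from the original page or from
Google. The entries below are constructed to mirror the Cloud Logging
LogEntry shape with `httpRequest` fields; `jsonPayload.forwarded_for`
(the reverse-proxy-added end-user IP header) and the trusted proxy range
are assumptions for illustration.
"""
import json
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample entries (not real log data).
SAMPLE_ENTRIES = [
    {
        "resource": {"type": "http_load_balancer"},
        "httpRequest": {
            "requestMethod": "GET",
            "requestUrl": "https://www.example.com/",
            "status": 200,
            "remoteIp": "203.0.113.10",
            "protocol": "HTTP/2",
        },
    },
    {   # alpha limitation from the article: protocol not populated
        "resource": {"type": "http_load_balancer"},
        "httpRequest": {
            "requestMethod": "POST",
            "requestUrl": "https://www.example.com/login",
            "status": 401,
            "remoteIp": "203.0.113.10",
        },
    },
    {   # request relayed by an assumed reverse proxy at 10.0.0.5
        "resource": {"type": "http_load_balancer"},
        "httpRequest": {
            "requestMethod": "GET",
            "requestUrl": "https://www.example.com/admin",
            "status": 403,
            "remoteIp": "10.0.0.5",
        },
        "jsonPayload": {"forwarded_for": "198.51.100.7, 10.0.0.5"},
    },
]

# Assumed address range of our own reverse proxies.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


def is_trusted_proxy(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(entry):
    """Return the end-user IP for one entry.

    The forwarded-for value is only trusted when the connecting address is
    one of our own proxies, and the list is walked from the right so that a
    value the client itself prepended on the left cannot spoof the result.
    """
    remote = entry["httpRequest"]["remoteIp"]
    forwarded = entry.get("jsonPayload", {}).get("forwarded_for")
    if not forwarded or not is_trusted_proxy(remote):
        return remote
    hops = [h.strip() for h in forwarded.split(",")]
    for hop in reversed(hops):
        if not is_trusted_proxy(hop):
            return hop
    return remote


def audit(entries):
    """Count statuses and client IPs, and entries missing `protocol`."""
    status_counts = Counter()
    client_counts = Counter()
    missing_protocol = 0
    for entry in entries:
        req = entry["httpRequest"]
        status_counts[req["status"]] += 1
        client_counts[client_ip(entry)] += 1
        if "protocol" not in req:
            missing_protocol += 1
    return {
        "status_counts": dict(status_counts),
        "client_counts": dict(client_counts),
        "missing_protocol": missing_protocol,
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ENTRIES), indent=2))
```

The point of `client_ip` is that a forwarded-for header is only as trustworthy as the hop that appended it: if the value were read from the left, a client could put any address there and have it land in the audit trail.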

VPC flow logs

VPC flow logs record a sample of TCP and UDP network flows sent from and received by VM instances. This includes RDP traffic, since it’s TCP (and sometimes UDP).

Limitations:

  • VPC flow logs are downstream from the VM only.
  • They provide limited insight into access to managed data services (e.g. Google Cloud Storage).
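
As an added example of working with the sampled TCP/UDP flow records described above (not code from the article or from Google), the script below reads constructed VPC flow log entries, lists RDP flows by their destination port on either transport, reports which of them come from outside an assumed internal range, and scales byte counts by an assumed sampling rate. The entry layout mirrors the `jsonPayload.connection` 5-tuple with IANA protocol numbers; the `10.128.0.0/20` range and the sampling rate are assumptions.

```python
"""Flag RDP flows and estimate traffic volume from VPC flow log entries.

Added example for this article, not code from the original page or from
Google. Entries are constructed to mirror the `jsonPayload` of VPC flow
log records (connection 5-tuple, bytes_sent, packets_sent, reporter);
the internal range and sampling rate are assumptions for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# IANA protocol numbers as they appear in connection.protocol.
PROTO_NAMES = {6: "TCP", 17: "UDP"}
RDP_PORT = 3389

# Constructed sample flows (not real log data).
SAMPLE_FLOWS = [
    {"jsonPayload": {
        "connection": {"src_ip": "203.0.113.44", "dest_ip": "10.128.0.3",
                       "src_port": 51234, "dest_port": 3389, "protocol": 6},
        "bytes_sent": 8200, "packets_sent": 40, "reporter": "DEST"}},
    {"jsonPayload": {   # return direction of the flow above
        "connection": {"src_ip": "10.128.0.3", "dest_ip": "203.0.113.44",
                       "src_port": 3389, "dest_port": 51234, "protocol": 6},
        "bytes_sent": 140000, "packets_sent": 130, "reporter": "SRC"}},
    {"jsonPayload": {   # RDP over UDP between two internal VMs
        "connection": {"src_ip": "10.128.0.7", "dest_ip": "10.128.0.3",
                       "src_port": 40000, "dest_port": 3389, "protocol": 17},
        "bytes_sent": 900, "packets_sent": 5, "reporter": "SRC"}},
    {"jsonPayload": {
        "connection": {"src_ip": "10.128.0.7", "dest_ip": "10.128.0.9",
                       "src_port": 40001, "dest_port": 443, "protocol": 6},
        "bytes_sent": 3000, "packets_sent": 12, "reporter": "SRC"}},
]


def rdp_flows(entries):
    """Client-to-server RDP flows: destination port 3389 over TCP or UDP."""
    found = []
    for entry in entries:
        conn = entry["jsonPayload"]["connection"]
        if conn["dest_port"] == RDP_PORT and conn["protocol"] in PROTO_NAMES:
            found.append({
                "src_ip": conn["src_ip"],
                "dest_ip": conn["dest_ip"],
                "proto": PROTO_NAMES[conn["protocol"]],
                "reporter": entry["jsonPayload"]["reporter"],
            })
    return found


def external_rdp_sources(entries, internal_cidr):
    """Source addresses of RDP flows that originate outside internal_cidr."""
    net = ip_network(internal_cidr)
    return sorted({f["src_ip"] for f in rdp_flows(entries)
                   if ip_address(f["src_ip"]) not in net})


def estimated_bytes_by_src(entries, sample_rate):
    """Bytes per source, scaled up because flow logs are sampled.

    The result is an estimate, not a measurement: dividing by the sampling
    rate assumes the sampled flows are representative of the rest.
    """
    totals = defaultdict(int)
    for entry in entries:
        payload = entry["jsonPayload"]
        totals[payload["connection"]["src_ip"]] += payload["bytes_sent"]
    return {ip: round(total / sample_rate) for ip, total in totals.items()}


if __name__ == "__main__":
    for flow in rdp_flows(SAMPLE_FLOWS):
        print("RDP", flow)
    print("external RDP sources:",
          external_rdp_sources(SAMPLE_FLOWS, "10.128.0.0/20"))
    print("estimated bytes:", estimated_bytes_by_src(SAMPLE_FLOWS, 0.5))
```

Matching on the destination port alone is deliberately coarse: it catches RDP on both transports, as the article notes, but it also means a service that happens to listen on 3389 is reported, so the list is a starting point for review rather than a verdict.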

What’s next

Read the following to learn more about the concepts and solution components described in this article:

Read the following to learn about:


These are my personal writings; the views expressed in these pages are mine alone and not those of my employer, Google.