Configure VPC Service Controls for Google SecOps
Google Cloud VPC Service Controls lets you set up a service perimeter to guard against data exfiltration. Configure Google Security Operations with VPC Service Controls so that Google SecOps can access resources and services outside its service perimeter.
Before you begin
- Make sure that you have the required roles to configure VPC Service Controls at the organization level.
Limitations
- VPC Service Controls supports only Google Cloud Identity authentication, third-party identity providers, and Workforce Identity Federation.
- Google SecOps feature RBAC must be enabled to use VPC Service Controls.
- VPC Service Controls supports only the Google SecOps chronicle.googleapis.com and chronicleservicemanager.googleapis.com APIs. You can continue to use other Google SecOps APIs, but you might need to configure special rules to continue to use them, and the data and services using those other APIs aren't protected by VPC Service Controls perimeter restrictions.
- VPC Service Controls supports export of Google SecOps Unified Data Model (UDM) data only to a self-managed BigQuery project or using Advanced BigQuery Export. You can continue to use other Google SecOps export methods, but you might need to configure special rules to continue to use them, and exporting data using those methods isn't protected by VPC Service Controls perimeter restrictions. For more information, reach out to your Google SecOps representative.
- VPC Service Controls doesn't support Cloud Monitoring. However, to prevent non-compliant access, you can revoke permissions to view Cloud Monitoring data. You can continue to use Cloud Monitoring, but you might need to configure special rules to continue to use it, and the data transmission isn't protected by the VPC Service Controls perimeter restrictions. For more information, reach out to your Google SecOps representative.
- VPC Service Controls doesn't support Looker dashboards. VPC Service Controls supports only Google SecOps Dashboards. You can continue to use Looker dashboards, but you might need to configure special rules to continue to use them, and Looker dashboards aren't protected by VPC Service Controls perimeter restrictions.
- VPC Service Controls doesn't support legacy cloud bucket and third-party API feed connectors. You need to create Cloud Storage feeds with the GOOGLE_CLOUD_STORAGE_V2 source type using v2 connectors. You can continue to use feeds created with legacy cloud bucket and third-party API feed connectors, but you might need to configure special rules to continue to use them, and the use of feeds created with them isn't protected by VPC Service Controls perimeter restrictions.
- VPC Service Controls doesn't support Google SecOps Security Validation to test your security by simulating attacks in your Google Cloud environment. You can continue to use Security Validation, but you might need to configure special rules to continue to use it, and the use of Security Validation isn't protected by VPC Service Controls perimeter restrictions.
- VPC Service Controls doesn't support DataTap.
- In projects restricted within a perimeter, VPC Service Controls doesn't support creating a Pub/Sub subscription that uses the Chronicle API endpoints to ingest logs—because of a Pub/Sub limitation. However, you can continue to use existing Pub/Sub subscriptions (created before moving your Google Cloud project inside the VPC Service Controls perimeter), which will continue to ingest logs as expected. To create new Pub/Sub subscriptions when Google SecOps is restricted within a VPC Service Controls perimeter, Google recommends that you write logs to Cloud Storage and use GOOGLE_CLOUD_STORAGE_V2 or GOOGLE_CLOUD_STORAGE_EVENT_DRIVEN instead of your CLOUD_PUB_SUB feeds.
- The Chronicle API ImportPushLogs endpoint doesn't enforce the VPC Service Controls perimeter restrictions. However, this limitation doesn't pose a data-exfiltration risk because the ImportPushLogs endpoint is only used for pushing data to a Google SecOps instance, not for accessing data.
- If you use customer-managed encryption keys (CMEK), Google strongly recommends that you either keep your Cloud Key Management Service project in the same perimeter as your Google Cloud project or keep your keys inside the Google Cloud project itself. If you have a requirement to keep CMEKs and your Google Cloud project in different VPC Service Controls perimeters, reach out to your Google SecOps representative.
Configure the ingress and egress rules
Configure ingress and egress rules based on the service perimeter configuration. For more information, see Service perimeter overview.
If you encounter issues with VPC Service Controls, use the VPC Service Controls violation analyzer to debug and analyze the issue. For more information, see Diagnose an access denial in violation analyzer.
Configure the rules for SOAR
This section describes how to configure VPC Service Controls for the SOAR side of the platform.
Configure the following ingress rules for the Google Cloud user account that you specified when you set up Google SecOps:
- ingressFrom:
    identityType: ANY_SERVICE_ACCOUNT
    sources:
    - accessLevel: "*"
  ingressTo:
    operations:
    - serviceName: secretmanager.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - projects/PROJECT_NUMBER
- ingressFrom:
    identities:
    - user:malachite-data-plane-api@prod.google.com
    sources:
    - accessLevel: "*"
  ingressTo:
    operations:
    - serviceName: trafficdirector.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - projects/PROJECT_NUMBER
Replace PROJECT_NUMBER with your Google Cloud bring your own project (BYOP) project number.
The first rule admits any service account, from any access level, to Secret Manager in this project. VPC Service Controls only decides whether the perimeter lets the call through; IAM on the secrets still determines which service accounts can read them, so keep those IAM bindings tight.
Configure the rules for SIEM
This section describes how to configure VPC Service Controls for the SIEM side of the platform.
Configure the following rules for the Google Cloud user account that you specified when you set up Google SecOps:
Configure the following ingress rule:
- ingressFrom:
    identities:
    - serviceAccount:malachite-atlas@system.gserviceaccount.com
    sources:
    - accessLevel: "*"
  ingressTo:
    operations:
    - serviceName: pubsub.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - projects/PROJECT_NUMBER
Replace PROJECT_NUMBER with your Google SecOps-linked Google Cloud project number.
If you're streaming data with Advanced BigQuery Export, configure the following ingress rule:
- ingressFrom:
    identities:
    - serviceAccount:malachite-advanced-bq-exporter@system.gserviceaccount.com
    - serviceAccount:malachite-data-export-service@system.gserviceaccount.com
    sources:
    - accessLevel: "*"
  ingressTo:
    operations:
    - serviceName: analyticshub.googleapis.com
      methodSelectors:
      - method: "*"
    - serviceName: bigquery.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - projects/PROJECT_NUMBER
Replace PROJECT_NUMBER with your Google SecOps-linked Google Cloud project number.
If you're using data tables, configure the following ingress rule:
- ingressFrom:
    identities:
    - user:malachite-data-plane-api@prod.google.com
    sources:
    - accessLevel: "*"
  ingressTo:
    operations:
    - serviceName: storage.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - projects/PROJECT_NUMBER
Replace PROJECT_NUMBER with your Google SecOps-linked Google Cloud project number.
Configure the following egress rule:
- egressTo:
    operations:
    - serviceName: pubsub.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - projects/389186463911
  egressFrom:
    identities:
    - user: "*"
    sources:
    - resource: projects/PROJECT_NUMBER
Replace PROJECT_NUMBER with your Google SecOps-linked Google Cloud project number. The project number 389186463911 in egressTo is part of the rule as given; don't replace it.
Configure the rules for Google SecOps with Security Command Center
This section describes how to configure VPC Service Controls for Google SecOps with Security Command Center.
The service accounts in the following rules are created only during Google SecOps provisioning. Configure the Security Command Center rules after provisioning has completed, but before you start using Security Command Center.
Complete the following tasks for the Google Cloud user account that you specified when you set up Google SecOps:
Configure the following ingress rules:
- ingressFrom:
    identities:
    - serviceAccount:service-org-GOOGLE_ORGANIZATION_NUMBER@gcp-sa-chronicle-soar.iam.gserviceaccount.com
    sources:
    - accessLevel: "*"
  ingressTo:
    operations:
    - serviceName: chronicle.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - projects/PROJECT_NUMBER
- ingressFrom:
    identities:
    - serviceAccount:service-org-GOOGLE_ORGANIZATION_NUMBER@security-center-api.iam.gserviceaccount.com
    sources:
    - accessLevel: "*"
  ingressTo:
    operations:
    - serviceName: compute.googleapis.com
      methodSelectors:
      - method: "*"
    - serviceName: cloudasset.googleapis.com
      methodSelectors:
      - method: "*"
    - serviceName: monitoring.googleapis.com
      methodSelectors:
      - method: "*"
    - serviceName: iam.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - projects/PROJECT_NUMBER
- ingressFrom:
    identities:
    - serviceAccount:service-org-GOOGLE_ORGANIZATION_NUMBER@gcp-sa-csc-hpsa.iam.gserviceaccount.com
    sources:
    - accessLevel: "*"
  ingressTo:
    operations:
    - serviceName: orgpolicy.googleapis.com
      methodSelectors:
      - method: "*"
    - serviceName: cloudasset.googleapis.com
      methodSelectors:
      - method: "*"
    - serviceName: dns.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - projects/PROJECT_NUMBER
Replace PROJECT_NUMBER with your Google SecOps-linked Google Cloud project number.
Configure the following egress rules:
- egressTo:
    operations:
    - serviceName: pubsub.googleapis.com
      methodSelectors:
      - method: "*"
    - serviceName: securitycenter.googleapis.com
      methodSelectors:
      - method: "*"
    - serviceName: cloudasset.googleapis.com
      methodSelectors:
      - method: "*"
    - serviceName: iam.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - "*"
  egressFrom:
    identities:
    - serviceAccount:service-org-GOOGLE_ORGANIZATION_NUMBER@gcp-sa-chronicle-soar.iam.gserviceaccount.com
    sources:
    - resource: projects/PROJECT_NUMBER
- egressTo:
    operations:
    - serviceName: compute.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - "*"
  egressFrom:
    identities:
    - serviceAccount:service-org-GOOGLE_ORGANIZATION_NUMBER@security-center-api.iam.gserviceaccount.com
    sources:
    - resource: projects/PROJECT_NUMBER
Replace the following:
GOOGLE_ORGANIZATION_NUMBER: your Google Cloud organization number
PROJECT_NUMBER: your Google SecOps-linked Google Cloud project number
These egress rules allow access to any resource ("*") outside the perimeter, so the identity is what scopes them: only the two Google-managed service accounts named in egressFrom may leave the perimeter, and only for the listed APIs. Don't widen the identities to an identityType such as ANY_IDENTITY.
Configure the rule for customer-managed encryption keys (CMEKs)
This section describes how to configure VPC Service Controls for Google SecOps with customer-managed encryption keys (CMEKs). CMEKs are encryption keys that you own, manage, and store in Cloud Key Management Service.
Configure the following ingress rule:
- ingressFrom:
    identities:
    - serviceAccount:service-SECRET_MANAGER_PROJECT_NUMBER@gcp-sa-secretmanager.iam.gserviceaccount.com
    sources:
    - accessLevel: "*"
  ingressTo:
    operations:
    - serviceName: secretmanager.googleapis.com
      methodSelectors:
      - method: "*"
    - serviceName: cloudkms.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - projects/CMEK_PROJECT_NUMBER
Replace the following:
SECRET_MANAGER_PROJECT_NUMBER: the number of the project that Google uses to store secrets for some ingestion features, which you can get from your Google SecOps representative
CMEK_PROJECT_NUMBER: the number of the project that stores the CMEKs
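Rendering the rules on this page with real project and organization numbers, and checking them before they reach gcloud, as an added example that is not part of this page or of Google's tooling. It builds the SOAR and Security Command Center rules from the sections above with two helpers of this example's own (`ingress`, `egress`), lints the result for unreplaced placeholders and for the broad settings a reviewer should consciously accept (an identityType that admits a whole class of identities, egress to any resource), and writes JSON files for `--set-ingress-policies` and `--set-egress-policies` (JSON parses as YAML). The project and organization numbers in `main()` are constructed samples; the SIEM and CMEK rules are built the same way with `ingress()` and `egress()`.

```python
"""Render the VPC Service Controls rules from this page with real project and
organization numbers, lint them, and emit files for gcloud.

Added example, not Google's code. Rule shapes follow this page; helper names,
lint checks and the sample numbers in main() are this example's own.
"""
import json
import re

PLACEHOLDER = re.compile(r"\b[A-Z][A-Z_]*_NUMBER\b")  # PROJECT_NUMBER etc.


def _ops(services):
    # Every rule on this page allows all methods ("*") of each listed API.
    return [{"serviceName": s, "methodSelectors": [{"method": "*"}]} for s in services]


def ingress(project, services, identities=None, identity_type=None):
    """Ingress rule: the listed identities (or any identity of identity_type)
    may reach `services` in `project` from any access level, as on this page."""
    src = {"sources": [{"accessLevel": "*"}]}
    if identity_type:
        src["identityType"] = identity_type
    else:
        src["identities"] = list(identities)  # caller supplies one or the other
    return {"ingressFrom": src,
            "ingressTo": {"operations": _ops(services), "resources": [f"projects/{project}"]}}


def egress(project, identities, services, resources):
    """Egress rule: `identities` inside `project` may call `services` on `resources`."""
    return {"egressFrom": {"identities": list(identities),
                           "sources": [{"resource": f"projects/{project}"}]},
            "egressTo": {"operations": _ops(services), "resources": list(resources)}}


def soar_rules(project):
    """The two SOAR ingress rules from this page (Secret Manager, Traffic Director)."""
    return [
        ingress(project, ["secretmanager.googleapis.com"], identity_type="ANY_SERVICE_ACCOUNT"),
        ingress(project, ["trafficdirector.googleapis.com"],
                ["user:malachite-data-plane-api@prod.google.com"]),
    ]


def scc_rules(project, org):
    """The Security Command Center ingress and egress rules from this page."""
    soar_sa = f"serviceAccount:service-org-{org}@gcp-sa-chronicle-soar.iam.gserviceaccount.com"
    scc_sa = f"serviceAccount:service-org-{org}@security-center-api.iam.gserviceaccount.com"
    hpsa_sa = f"serviceAccount:service-org-{org}@gcp-sa-csc-hpsa.iam.gserviceaccount.com"
    ingress_rules = [
        ingress(project, ["chronicle.googleapis.com"], [soar_sa]),
        ingress(project, ["compute.googleapis.com", "cloudasset.googleapis.com",
                          "monitoring.googleapis.com", "iam.googleapis.com"], [scc_sa]),
        ingress(project, ["orgpolicy.googleapis.com", "cloudasset.googleapis.com",
                          "dns.googleapis.com"], [hpsa_sa]),
    ]
    egress_rules = [
        egress(project, [soar_sa], ["pubsub.googleapis.com", "securitycenter.googleapis.com",
                                    "cloudasset.googleapis.com", "iam.googleapis.com"], ["*"]),
        egress(project, [scc_sa], ["compute.googleapis.com"], ["*"]),
    ]
    return ingress_rules, egress_rules


def lint(rules):
    """Findings a reviewer should sign off on before the rules are enforced:
    unreplaced *_NUMBER placeholders, ingress open to a whole identity class,
    and egress allowed to any resource. The thresholds are this example's own;
    VPC Service Controls accepts all of these without warning."""
    findings = []
    for ph in sorted(set(PLACEHOLDER.findall(json.dumps(rules)))):
        findings.append(f"unreplaced placeholder {ph}")
    for i, r in enumerate(rules):
        identity_type = r.get("ingressFrom", {}).get("identityType")
        if identity_type:
            findings.append(f"rule {i}: ingress open to {identity_type}")
        if "*" in r.get("egressTo", {}).get("resources", []):
            findings.append(f"rule {i}: egress to any resource")
    return findings


def render(rules):
    """JSON is valid YAML, so the output can be passed unchanged to
    --set-ingress-policies / --set-egress-policies."""
    return json.dumps(rules, indent=2)


if __name__ == "__main__":
    project, org = "123456789012", "987654321"  # constructed sample numbers
    scc_ingress, egress_rules = scc_rules(project, org)
    ingress_rules = soar_rules(project) + scc_ingress
    for name, rules in (("ingress.json", ingress_rules), ("egress.json", egress_rules)):
        with open(name, "w") as f:
            f.write(render(rules))
        print(name, *lint(rules), sep="\n  ")
```

Apply the generated files to the perimeter's dry-run configuration first and watch for dry-run denials in the violation analyzer before enforcing: `gcloud access-context-manager perimeters dry-run update PERIMETER --policy=POLICY_ID --set-ingress-policies=ingress.json --set-egress-policies=egress.json`, then `gcloud access-context-manager perimeters dry-run enforce PERIMETER --policy=POLICY_ID`. The `--set-*` flags replace the perimeter's whole ingress or egress list, so merge any rules already on the perimeter into the generated files rather than applying these alone.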
What's next
- Learn more about VPC Service Controls.
- See the Google Security Operations entry in the VPC Service Controls supported products table.