Configure VPC Service Controls for Google SecOps

This guide describes how to configure VPC Service Controls for Google Security Operations.

VPC Service Controls lets you set up a service perimeter to guard against data exfiltration. Configure Google Security Operations with VPC Service Controls so that Google SecOps can access resources and services outside its service perimeter.

To learn more about VPC Service Controls, see Overview of VPC Service Controls. You can also see the Google Security Operations entry in the VPC Service Controls supported products table.

Before you begin

  • Make sure that you have the required roles to configure VPC Service Controls at the organization level.
  • When you use Google SecOps with VPC Service Controls, only VPC Service Controls-compliant features are available. The following features and restrictions apply:

    • Google SecOps with VPC Service Controls supports only Google Cloud Identity authentication, third-party identity providers, and Workforce Identity Federation.
    • Google SecOps feature RBAC must be enabled to use VPC Service Controls with Google SecOps.
    • Google SecOps with VPC Service Controls supports only the following public-facing APIs:

      • chronicle.googleapis.com
      • chronicleservicemanager.googleapis.com

      To onboard to VPC Service Controls, you must migrate all corresponding endpoints onto the chronicle.googleapis.com API.

    • Google SecOps with VPC Service Controls supports export of Google SecOps Unified Data Model (UDM) data only to a self-managed BigQuery project or using Advanced BigQuery Export.

    • VPC Service Controls supports only Google SecOps Dashboards.

    • You can create Cloud Storage feeds only with the GOOGLE_CLOUD_STORAGE_V2 source type using v2 connectors.

    • If Google SecOps is restricted within a VPC Service Controls perimeter and you need to create new Pub/Sub subscriptions, Google SecOps requires that you write the logs to Cloud Storage and use GOOGLE_CLOUD_STORAGE_V2 or GOOGLE_CLOUD_STORAGE_EVENT_DRIVEN feeds instead of CLOUD_PUB_SUB feeds.

  • For a Google SecOps instance using customer-managed encryption keys (CMEK), Google strongly recommends that you either keep your Cloud Key Management Service project within the same perimeter as your Google SecOps-linked Google Cloud project or keep your keys inside the Google SecOps-linked Google Cloud project itself.

Limitations

  • The Google SecOps Chronicle API endpoint ImportPushLogs doesn't support VPC Service Controls. However, this limitation doesn't pose a data-exfiltration risk, because the ImportPushLogs endpoint is only used for pushing data to a Google SecOps instance, not for accessing data.

  • Google SecOps with VPC Service Controls doesn't support Looker dashboards.

  • Google Cloud Pub/Sub doesn't support creating a new Pub/Sub subscription that uses the Chronicle API endpoints to ingest logs (see the Pub/Sub entry in the VPC Service Controls supported products table). However, any existing Pub/Sub subscriptions (created before the Google Cloud project was moved inside the VPC Service Controls perimeter) continue to ingest logs as expected.

  • Google SecOps with VPC Service Controls doesn't support legacy cloud bucket and third-party API feed connectors.

Configure the ingress and egress rules

Configure ingress and egress rules based on the service perimeter configuration. For more information, see Service perimeter overview.

If you encounter issues with VPC Service Controls, use the VPC Service Controls violation analyzer to debug and analyze the issue. For more information, see Diagnose an access denial in violation analyzer.
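Every request that VPC Service Controls blocks is also recorded as a Cloud Audit Logs entry, and reading that entry is usually faster than guessing which rule is missing. The following is an added example, not code from the page or from Google: it pulls the fields a responder needs out of one such entry and derives the narrowest ingress rule that would cover the denial. The sample entry is constructed (made-up project number, access policy and unique ID) and follows the shape of VPC Service Controls audit metadata (VpcServiceControlAuditMetadata) as assumed here; mapping the principal email to a `user:` or `serviceAccount:` identity is a heuristic, not part of the log format.

```python
"""Triage one VPC Service Controls denial from a Cloud Audit Logs entry.

Hypothetical helper, not part of Google SecOps. SAMPLE_DENIAL is a constructed
entry shaped like a VPC Service Controls audit log record; its project number,
access policy and unique ID are made up.
"""
import json

VPC_SC_METADATA_TYPE = "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"

# Constructed sample denial: the SIEM data-plane identity from the page reading an
# object in Cloud Storage from outside any access level of the perimeter.
SAMPLE_DENIAL = json.loads(r"""
{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "status": {"code": 7, "message": "PERMISSION_DENIED",
               "details": [{"violations": [{"type": "VPC_SERVICE_CONTROLS"}]}]},
    "authenticationInfo": {"principalEmail": "malachite-data-plane-api@prod.google.com"},
    "serviceName": "storage.googleapis.com",
    "methodName": "google.storage.objects.get",
    "metadata": {
      "@type": "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata",
      "vpcServiceControlsUniqueId": "abc123example",
      "violationReason": "NO_MATCHING_ACCESS_LEVEL",
      "securityPolicyInfo": {
        "servicePerimeterName": "accessPolicies/111111111111/servicePerimeters/secops_perimeter"},
      "ingressViolations": [{
        "targetResource": "projects/123456789012",
        "servicePerimeter": "accessPolicies/111111111111/servicePerimeters/secops_perimeter"}]
    }
  },
  "severity": "ERROR",
  "timestamp": "2024-01-01T00:00:00Z"
}
""")


def is_vpc_sc_denial(entry):
    """True if the entry carries VPC Service Controls metadata or a VPC_SC violation."""
    payload = entry.get("protoPayload", {})
    if payload.get("metadata", {}).get("@type") == VPC_SC_METADATA_TYPE:
        return True
    for detail in payload.get("status", {}).get("details", []):
        if any(v.get("type") == "VPC_SERVICE_CONTROLS" for v in detail.get("violations", [])):
            return True
    return False


def triage_denial(entry):
    """Flatten the fields needed to understand one denial into a dict."""
    if not is_vpc_sc_denial(entry):
        raise ValueError("not a VPC Service Controls denial")
    payload = entry["protoPayload"]
    meta = payload.get("metadata", {})
    if meta.get("ingressViolations"):
        direction, violations = "ingress", meta["ingressViolations"]
    elif meta.get("egressViolations"):
        direction, violations = "egress", meta["egressViolations"]
    else:
        direction, violations = "unknown", []
    return {
        "unique_id": meta.get("vpcServiceControlsUniqueId"),  # paste into the violation analyzer
        "reason": meta.get("violationReason"),
        "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        "service": payload.get("serviceName"),
        "method": payload.get("methodName"),
        "direction": direction,
        "perimeter": meta.get("securityPolicyInfo", {}).get("servicePerimeterName"),
        "targets": sorted({v["targetResource"] for v in violations if v.get("targetResource")}),
    }


def identity_for(principal):
    # Heuristic (assumption): Google-managed service accounts end in gserviceaccount.com;
    # anything else is written as a user identity, which is how the page writes
    # malachite-data-plane-api@prod.google.com.
    kind = "serviceAccount" if principal.endswith(".gserviceaccount.com") else "user"
    return f"{kind}:{principal}"


def suggest_ingress_rule(triage):
    """Narrowest ingress rule covering this denial: one identity, one service, one
    method, only the denied project(s). Review it, and widen only deliberately."""
    if triage["direction"] != "ingress":
        raise ValueError("egress denials need an egressFrom/egressTo rule instead")
    return {
        "ingressFrom": {"identities": [identity_for(triage["principal"])],
                        "sources": [{"accessLevel": "*"}]},
        "ingressTo": {"operations": [{"serviceName": triage["service"],
                                      "methodSelectors": [{"method": triage["method"]}]}],
                      "resources": triage["targets"]},
    }


if __name__ == "__main__":
    summary = triage_denial(SAMPLE_DENIAL)
    print(json.dumps(summary, indent=2))
    print(json.dumps(suggest_ingress_rule(summary), indent=2))
```

The `unique_id` is the value to look up in the violation analyzer; the suggested rule is a starting point for the rule sections that follow, not something to apply unreviewed.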

Configure the rules for SOAR

This section describes how to configure VPC Service Controls for the SOAR side of the platform.

Configure the following ingress rules for the Google Cloud user account that you specified when you set up Google SecOps:

  - ingressFrom:
      identityType: ANY_SERVICE_ACCOUNT
      sources:
      - accessLevel: "*"
    ingressTo:
      operations:
      - serviceName: secretmanager.googleapis.com
        methodSelectors:
        - method: "*"
      resources:
      - projects/PROJECT_NUMBER
  - ingressFrom:
      identities:
      - user:malachite-data-plane-api@prod.google.com
      sources:
      - accessLevel: "*"
    ingressTo:
      operations:
      - serviceName: trafficdirector.googleapis.com
        methodSelectors:
        - method: "*"
      resources:
      - projects/PROJECT_NUMBER

Replace PROJECT_NUMBER with your Google SecOps-linked Google Cloud project number.

Configure the rule for SIEM

This section describes how to configure VPC Service Controls for the SIEM side of the platform.

If you're using data tables, configure the following rule for the Google Cloud user account that you specified when you set up Google SecOps:

  - ingressFrom:
      identities:
      - user:malachite-data-plane-api@prod.google.com
      sources:
      - accessLevel: "*"
    ingressTo:
      operations:
      - serviceName: storage.googleapis.com
        methodSelectors:
        - method: "*"
      resources:
      - projects/PROJECT_NUMBER

Replace PROJECT_NUMBER with your Google SecOps-linked Google Cloud project number.
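Before applying rule documents such as the SOAR and SIEM rules above, it is worth checking them for the mistakes that make a perimeter update fail or admit more than intended: placeholders left unreplaced, identities written as a YAML mapping rather than a `type:value` string, and very broad rules that deserve a second look. The linter below is an added example, not part of Google SecOps or the gcloud CLI; it transcribes the page's rules as Python literals (a real run would load the YAML first), and the project number 123456789012 and organization number 987654321 in the samples are constructed.

```python
"""Lint VPC Service Controls ingress/egress rule documents before applying them.

Hypothetical helper, not part of Google SecOps or the gcloud CLI. Rule documents
are transcribed as Python literals (the page shows them as YAML); a real run
would load them with a YAML parser first.
"""
import re

# Placeholders the page tells you to replace before applying a rule.
PLACEHOLDERS = ("PROJECT_NUMBER", "GOOGLE_ORGANIZATION_NUMBER",
                "SECRET_MANAGER_PROJECT_NUMBER", "CMEK_PROJECT_NUMBER")
# Identities are typed strings such as "user:EMAIL" or "serviceAccount:EMAIL".
IDENTITY_RE = re.compile(r"^(user|serviceAccount|group):\S+@\S+$")
RESOURCE_RE = re.compile(r"^projects/\d+$")

# Constructed sample: the two SOAR ingress rules and the Security Command Center
# egress rule from the page, with made-up project number 123456789012 and
# organization number 987654321 filled in.
FILLED_RULES = [
    {"ingressFrom": {"identityType": "ANY_SERVICE_ACCOUNT",
                     "sources": [{"accessLevel": "*"}]},
     "ingressTo": {"operations": [{"serviceName": "secretmanager.googleapis.com",
                                   "methodSelectors": [{"method": "*"}]}],
                   "resources": ["projects/123456789012"]}},
    {"ingressFrom": {"identities": ["user:malachite-data-plane-api@prod.google.com"],
                     "sources": [{"accessLevel": "*"}]},
     "ingressTo": {"operations": [{"serviceName": "trafficdirector.googleapis.com",
                                   "methodSelectors": [{"method": "*"}]}],
                   "resources": ["projects/123456789012"]}},
    {"egressFrom": {"identities": [
        "serviceAccount:service-org-987654321@gcp-sa-chronicle-soar.iam.gserviceaccount.com"],
                    "sources": [{"resource": "projects/123456789012"}]},
     "egressTo": {"operations": [{"serviceName": "pubsub.googleapis.com",
                                  "methodSelectors": [{"method": "*"}]}],
                  "resources": ["*"]}},
]

# Constructed sample: the SIEM storage rule with PROJECT_NUMBER left unreplaced
# and the identity mistakenly written as a YAML mapping instead of a string.
UNFILLED_RULES = [
    {"ingressFrom": {"identities": [{"user": "malachite-data-plane-api@prod.google.com"}],
                     "sources": [{"accessLevel": "*"}]},
     "ingressTo": {"operations": [{"serviceName": "storage.googleapis.com",
                                   "methodSelectors": [{"method": "*"}]}],
                   "resources": ["projects/PROJECT_NUMBER"]}},
]


def _strings(obj):
    """Yield every string leaf of a nested dict/list structure."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _strings(value)


def lint_rules(rules):
    """Return (rule_index, severity, message) findings; severity is "error" or "review"."""
    findings = []
    for i, rule in enumerate(rules):
        ingress = "ingressFrom" in rule or "ingressTo" in rule
        src_key, dst_key = ("ingressFrom", "ingressTo") if ingress else ("egressFrom", "egressTo")
        src, dst = rule.get(src_key), rule.get(dst_key)
        if src is None or dst is None:
            findings.append((i, "error", f"rule needs both {src_key} and {dst_key}"))
            continue
        for text in _strings(rule):
            for placeholder in PLACEHOLDERS:
                if placeholder in text:
                    findings.append((i, "error", f"placeholder {placeholder} not replaced in {text!r}"))
                    break
        for ident in src.get("identities", []):
            if not isinstance(ident, str) or not IDENTITY_RE.match(ident):
                findings.append((i, "error", f"malformed identity {ident!r}"))
        if "identities" not in src and "identityType" not in src:
            findings.append((i, "error", f"{src_key} names neither identities nor identityType"))
        for res in dst.get("resources", []):
            if res == "*" and ingress:
                findings.append((i, "error", "ingress resources must name a project, not '*'"))
            elif res != "*" and not RESOURCE_RE.match(res):
                findings.append((i, "error", f"resource {res!r} is not projects/<NUMBER>"))
        # Broad-rule checks: not errors, but a reviewer should confirm them on purpose.
        all_methods = all(sel.get("method") == "*" for op in dst.get("operations", [])
                          for sel in op.get("methodSelectors", []))
        any_source = any(s.get("accessLevel") == "*" for s in src.get("sources", []))
        if ingress and any_source and src.get("identityType") in ("ANY_SERVICE_ACCOUNT", "ANY_IDENTITY"):
            findings.append((i, "review", f"{src['identityType']} from any access level; confirm intended"))
        if not ingress and "*" in dst.get("resources", []) and all_methods:
            findings.append((i, "review", "egress to any resource with every method; confirm intended"))
    return findings


def errors(rules):
    """Only the findings that would make the document wrong to apply."""
    return [f for f in lint_rules(rules) if f[1] == "error"]


if __name__ == "__main__":
    for name, rules in (("filled", FILLED_RULES), ("unfilled", UNFILLED_RULES)):
        for index, severity, message in lint_rules(rules):
            print(f"{name}[{index}] {severity}: {message}")
```

On the page's own rules the linter reports no errors once the placeholders are filled in; the two "review" findings (any service account reaching Secret Manager, and the Security Command Center egress to any resource) are there so that the breadth of those rules is a conscious decision rather than an accident.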

Configure the rules for Google SecOps with Security Command Center

This section describes how to configure VPC Service Controls for Google SecOps with Security Command Center.

The service accounts in the following rules are created only during Google SecOps provisioning. Therefore, configure the Security Command Center rules after provisioning but before you start using Security Command Center.

Complete the following tasks for the Google Cloud user account that you specified when you set up Google SecOps:

  1. Configure the following ingress rule:

    - ingressFrom:
        identities:
        - serviceAccount:service-org-GOOGLE_ORGANIZATION_NUMBER@gcp-sa-chronicle-soar.iam.gserviceaccount.com
        - serviceAccount:service-org-GOOGLE_ORGANIZATION_NUMBER@security-center-api.iam.gserviceaccount.com
        - serviceAccount:service-org-GOOGLE_ORGANIZATION_NUMBER@gcp-sa-csc-hpsa.iam.gserviceaccount.com
        - serviceAccount:service-org-GOOGLE_ORGANIZATION_NUMBER@gcp-sa-asm-hpsa.iam.gserviceaccount.com
        sources:
        - accessLevel: "*"
      ingressTo:
        operations:
        - serviceName: chronicle.googleapis.com
          methodSelectors:
          - method: "*"
        - serviceName: securitycenter.googleapis.com
          methodSelectors:
          - method: "*"
        - serviceName: compute.googleapis.com
          methodSelectors:
          - method: "*"
        - serviceName: cloudasset.googleapis.com
          methodSelectors:
          - method: "*"
        - serviceName: monitoring.googleapis.com
          methodSelectors:
          - method: "*"
        - serviceName: iam.googleapis.com
          methodSelectors:
          - method: "*"
        - serviceName: orgpolicy.googleapis.com
          methodSelectors:
          - method: "*"
        - serviceName: serviceusage.googleapis.com
          methodSelectors:
          - method: "*"
        - serviceName: dns.googleapis.com
          methodSelectors:
          - method: "*"
        resources:
        - projects/PROJECT_NUMBER
    

    Replace the following:

    • GOOGLE_ORGANIZATION_NUMBER: your Google Cloud organization number
    • PROJECT_NUMBER: your Google SecOps-linked Google Cloud project number
  2. Configure the following egress rule:

    - egressTo:
        operations:
        - serviceName: pubsub.googleapis.com
          methodSelectors:
          - method: "*"
        - serviceName: securitycenter.googleapis.com
          methodSelectors:
          - method: "*"
        - serviceName: cloudasset.googleapis.com
          methodSelectors:
          - method: "*"
        - serviceName: iam.googleapis.com
          methodSelectors:
          - method: "*"
        - serviceName: compute.googleapis.com
          methodSelectors:
          - method: "*"
        resources:
        - "*"
      egressFrom:
        identities:
        - serviceAccount:service-org-GOOGLE_ORGANIZATION_NUMBER@gcp-sa-chronicle-soar.iam.gserviceaccount.com
        - serviceAccount:service-org-GOOGLE_ORGANIZATION_NUMBER@security-center-api.iam.gserviceaccount.com
        sources:
        - resource: projects/PROJECT_NUMBER
    

    Replace the following:

    • GOOGLE_ORGANIZATION_NUMBER: your Google Cloud organization number
    • PROJECT_NUMBER: your Google SecOps-linked Google Cloud project number

Configure the rule for customer-managed encryption keys (CMEKs)

This section describes how to configure VPC Service Controls for Google SecOps with customer-managed encryption keys (CMEKs). CMEKs are encryption keys that you own, manage, and store in Cloud Key Management Service.

Configure the following ingress rule:

  - ingressFrom:
      identities:
      - serviceAccount:service-SECRET_MANAGER_PROJECT_NUMBER@gcp-sa-secretmanager.iam.gserviceaccount.com
      sources:
      - accessLevel: "*"
    ingressTo:
      operations:
      - serviceName: secretmanager.googleapis.com
        methodSelectors:
        - method: "*"
      - serviceName: cloudkms.googleapis.com
        methodSelectors:
        - method: "*"
      resources:
      - projects/CMEK_PROJECT_NUMBER

Replace the following:

  • SECRET_MANAGER_PROJECT_NUMBER: the project that Google uses to store secrets for some ingestion features, which you can get from your Google SecOps representative
  • CMEK_PROJECT_NUMBER: the project number storing the CMEKs