VPC Service Controls is a powerful tool to help mitigate the risk of cloud data breaches stemming from stolen credentials, compromised clients, malicious insiders, and misconfigured IAM policies. It allows admins to define policies and enforce security perimeters that segment and isolate resources of multi-tenant services such as Cloud Storage, BigQuery, and Stackdriver Logging. VPC Service Controls secures communication across three network interfaces of such resources: internet, VPC networks, and service backend paths.
Managing a powerful and centrally configured policy requires admins to understand the impact of the policy on specific service interactions. Today, we are making it easier to understand and debug denials caused by VPC Service Controls with the VPC Service Controls Unique Identifier. This feature allows Google Cloud users to easily communicate errors that arise from VPC Service Controls denials to security admins, and lets admins quickly correlate the denied requests to corresponding Cloud Audit Log entries. This helps admins resolve access issues quickly while controls to mitigate exfiltration risks remain in place.
Configuring and troubleshooting VPC Service Controls
When you use VPC Service Controls, you define service perimeters that protect the Google Cloud services used in specific projects under your organization. Service perimeter configurations include:
1. Protected services (i.e. BigQuery, Cloud Storage, etc.)
2. Protected projects including the network projects identifying authorized networks
3. Access Levels that define the IP ranges and identities of clients outside the perimeter that can access resources within the perimeter.
When VPC Service Controls denies an incoming data access request, a 403 error message is shown and a Cloud Audit Log entry is generated. Now, with Unique Identifier, we are making it easier to connect the 403 error message to the relevant Cloud Audit Log entry to help customers troubleshoot VPC Service Controls faster.
Here’s how it works:
1. When users are denied access by VPC Service Controls, the 403 error messages now include a unique identifier (UID) that does not expose the underlying policy details to the potentially unauthorized or compromised client.