GCP VPC subnets have VPC Flow Logs enabled at the subnet scope. Flow Logs record sampled connection metadata (5-tuple, bytes, packets, timestamps and optional resource annotations) for traffic to and from VM network interfaces; they are not packet captures, so payloads are never recorded.
Risk
Without VPC Flow Logs there is no record of which workloads talked to which endpoints, which weakens both detection and response. The blind spot lets data leave the network unnoticed (C), hides lateral movement and firewall or policy bypass (I), and slows containment and recovery because responders cannot scope what a compromised host reached (A). Forensic reconstruction and network cost analysis are degraded for the same reason.
prowler gcp --checks compute_subnet_flow_logs_enabled
Recommendation
Enable VPC Flow Logs on all production subnets. Tune the aggregation interval, sampling rate, and metadata annotations to balance visibility against Cloud Logging cost: a lower sampling rate reduces volume but also the chance of observing a short-lived connection, so keep sampling high on subnets that host sensitive workloads.
Export the logs to a centralized sink for analytics and alerting, restrict read access to the log bucket to the teams that need it, and enforce consistent coverage with the organization policy constraint for VPC Flow Logs (constraints/compute.requireVpcFlowLogs, documented in the references) so that a newly created subnet cannot silently drop out of scope. Treat this as one layer of defense in depth alongside firewall logging and host telemetry.
Remediation
gcloud compute networks subnets update <SUBNET_NAME> --region <REGION> --enable-flow-logs
- In the Google Cloud console, go to Networking > VPC networks
- Open the Subnets tab and click the target subnet
- Click Edit
- Set Flow logs to On
- Click Save
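The following script is an added example, not Prowler's own check implementation or Google's tooling. It covers both the recommendation above (enable logging with tuned aggregation, sampling and metadata) and the remediation steps: it reads the JSON that `gcloud compute networks subnets list --format=json` prints (the Compute API Subnetwork resource, using the documented `enableFlowLogs` and `logConfig` fields), flags every subnet without flow logs, and prints a ready-to-run `gcloud ... update` command for each. The subnet list embedded below is constructed sample data, the project name `example-project` is fictitious, and the baseline settings in `BASELINE` are an assumed starting point, not a Google or Prowler recommendation.

```python
"""Audit GCP subnets for VPC Flow Logs and emit remediation commands.

Added example, not Prowler's or Google's code. Input is the JSON printed by
`gcloud compute networks subnets list --format=json`; the sample below is
constructed and does not come from a real project.
"""
import json
import shlex

# Constructed sample: only "prod-web" has flow logs on. "legacy-batch" has no
# logging fields at all, which the API treats as logging disabled.
SAMPLE_SUBNETS_JSON = """
[
  {"name": "prod-web",
   "region": "https://www.googleapis.com/compute/v1/projects/example-project/regions/us-central1",
   "enableFlowLogs": true,
   "logConfig": {"enable": true, "aggregationInterval": "INTERVAL_5_SEC",
                 "flowSampling": 0.5, "metadata": "INCLUDE_ALL_METADATA"}},
  {"name": "prod-db",
   "region": "https://www.googleapis.com/compute/v1/projects/example-project/regions/us-central1",
   "enableFlowLogs": false,
   "logConfig": {"enable": false}},
  {"name": "legacy-batch",
   "region": "https://www.googleapis.com/compute/v1/projects/example-project/regions/europe-west1"}
]
"""

# Assumed baseline for production subnets (an assumption for this example):
# 5-second aggregation, 50% sampling, all metadata annotations.
BASELINE = {
    "aggregation_interval": "interval-5-sec",
    "flow_sampling": "0.5",
    "metadata": "include-all-metadata",
}


def flow_logs_enabled(subnet: dict) -> bool:
    """True only if the subnet reports flow logging as on.

    Both `enableFlowLogs` and `logConfig.enable` are consulted because either
    may be absent from a listing; an absent field means logging is off.
    """
    log_config = subnet.get("logConfig") or {}
    return bool(subnet.get("enableFlowLogs", False) or log_config.get("enable", False))


def region_name(subnet: dict) -> str:
    """The API returns the region as a resource URL; gcloud wants the short name."""
    return subnet["region"].rstrip("/").rsplit("/", 1)[-1]


def remediation_command(subnet: dict, baseline: dict = BASELINE) -> str:
    """Build the gcloud command that enables flow logs with the baseline settings."""
    return " ".join([
        "gcloud compute networks subnets update", shlex.quote(subnet["name"]),
        "--region", shlex.quote(region_name(subnet)),
        "--enable-flow-logs",
        "--logging-aggregation-interval", baseline["aggregation_interval"],
        "--logging-flow-sampling", baseline["flow_sampling"],
        "--logging-metadata", baseline["metadata"],
    ])


def audit(subnets_json: str) -> dict:
    """Return {'pass': [subnet names], 'fail': {subnet name: remediation command}}."""
    result = {"pass": [], "fail": {}}
    for subnet in json.loads(subnets_json):
        if flow_logs_enabled(subnet):
            result["pass"].append(subnet["name"])
        else:
            result["fail"][subnet["name"]] = remediation_command(subnet)
    return result


if __name__ == "__main__":
    report = audit(SAMPLE_SUBNETS_JSON)
    for name in report["pass"]:
        print(f"PASS {name}")
    for name, cmd in report["fail"].items():
        print(f"FAIL {name}\n  remediate: {cmd}")
```

To run it against a real project, replace `SAMPLE_SUBNETS_JSON` with the output of `gcloud compute networks subnets list --format=json` and review the generated commands before executing them; the script deliberately prints rather than runs them so that sampling and metadata choices can be adjusted per subnet.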
Source Code
Resource Type
compute.googleapis.com/Subnetwork
References
- https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging
- https://docs.cloud.google.com/vpc/docs/flow-logs
- https://docs.cloud.google.com/vpc/docs/org-policy-flow-logs
- https://docs.cloud.google.com/vpc/docs/access-flow-logs
- https://cloud.google.com/blog/products/networking/how-to-use-vpc-flow-logs-in-gcp-for-network-traffic-analysis
- https://docs.cloud.google.com/vpc/docs/using-flow-logs
- https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudVPC/enable-vpc-flow-logs.html