🔷 CIS GCP 3.1 | Rule: GCP-NET-001 | Severity: medium

Ensure default VPC network is deleted

Description

The default VPC network has overly permissive firewall rules and should be deleted.

⚠️ Risk Impact

Default networks include allow-all firewall rules for internal traffic and SSH/RDP from any source. Resources accidentally deployed here are exposed.

🔍 How EchelonGraph Detects This

GCP-NET-001: Automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected Google Cloud accounts. Violations are flagged as medium-severity findings with remediation guidance.

🖥️ Manual Verification

List the default network in the current project (empty output means it is absent):
gcloud compute networks list --filter='name=default' --format='value(name)'

🔧 Remediation

Delete the default network:
gcloud compute networks delete default --project=PROJECT_ID
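The manual check and the remediation above are per project and one command each. As an added example (this script is not EchelonGraph's code), the script below runs the same audit across several projects, reports which of the default network's firewall rules admit traffic from 0.0.0.0/0 before anything is touched, and prints the deletion commands in the order they must run: the firewall rules reference the network, so they go first and the network goes last. It assumes an authenticated gcloud CLI, project IDs passed as arguments, and an organization ID for the org-policy command; the `network~/networks/default$` filter (a gcloud regex filter on the rule's network URL) and the `csv[no-heading](name,sourceRanges.list())` projection are the assumptions used to read the rules. Nothing is deleted unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not EchelonGraph's code: audit GCP projects for the default VPC,
# report its firewall rules open to 0.0.0.0/0, and print (or, with APPLY=1, run)
# the deletion commands in dependency order. Assumes an authenticated gcloud CLI.

# True if the output of `gcloud compute networks list --format='value(name)'`
# contains a network named exactly "default" (whole-line match, so a network
# called "default-vpc" is not a finding).
has_default_network() {
  printf '%s\n' "$1" | grep -qx 'default'
}

# Filter "name,sourceRanges" lines (the shape produced by
#   gcloud compute firewall-rules list --format='csv[no-heading](name,sourceRanges.list())')
# down to the rules reachable from any IPv4 address. grep exits 1 on no match,
# which is not an error here.
open_rules() {
  grep '0\.0\.0\.0/0' || true
}

# Emit the remediation commands for one project. Firewall rules reference the
# network, so they are deleted first; the network itself goes last.
remediation_plan() {
  project="$1"
  shift
  for rule in "$@"; do
    echo "gcloud compute firewall-rules delete $rule --project=$project --quiet"
  done
  echo "gcloud compute networks delete default --project=$project --quiet"
}

# Org-level prevention (audit question 3): enforce the
# compute.skipDefaultNetworkCreation constraint so new projects never get one.
prevention_command() {
  echo "gcloud resource-manager org-policies enable-enforce compute.skipDefaultNetworkCreation --organization=$1"
}

# Full audit of one project: detect, show exposure, then plan or apply.
audit_project() {
  project="$1"
  networks=$(gcloud compute networks list --project="$project" \
      --filter='name=default' --format='value(name)')
  if ! has_default_network "$networks"; then
    echo "$project: OK, no default network"
    return 0
  fi
  echo "$project: FINDING, default network present"
  rules=$(gcloud compute firewall-rules list --project="$project" \
      --filter='network~/networks/default$' \
      --format='csv[no-heading](name,sourceRanges.list())')
  printf '%s\n' "$rules" | open_rules | while IFS=, read -r name ranges; do
    echo "  open to the internet: $name ($ranges)"
  done
  # Rule names are plain identifiers, so unquoted expansion into arguments is safe.
  plan=$(remediation_plan "$project" $(printf '%s\n' "$rules" | cut -d, -f1))
  if [ "${APPLY:-0}" = "1" ]; then
    printf '%s\n' "$plan" | sh -e
  else
    echo "  remediation (dry run; set APPLY=1 to execute):"
    printf '%s\n' "$plan" | sed 's/^/    /'
  fi
}

# Usage: ./audit_default_vpc.sh PROJECT_ID [PROJECT_ID ...]
if [ "$#" -gt 0 ]; then
  for project_id in "$@"; do
    audit_project "$project_id"
  done
fi
```

The three helpers (`has_default_network`, `open_rules`, `remediation_plan`) are pure text filters, so they can be exercised on captured gcloud output without credentials; only `audit_project` calls gcloud. The dry run is the default on purpose: deleting the network in a project that still has workloads on it is the first pitfall listed further down, and the plan output is what you review before setting APPLY=1.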

💀 Real-World Attack Scenario

A new GCP project was created and an intern deployed a test VM into the default VPC. The default network's firewall rules allowed SSH from 0.0.0.0/0. Within hours, automated scanners found the VM, brute-forced the weak password, and installed a cryptominer that ran for 6 weeks undetected.

💰 Cost of Non-Compliance

Cryptomining on default VPC instances averages $8K-$25K/month in compute costs. GCP reports 86% of compromised instances involve default networks. Forensic investigation of default VPC incidents averages $45K.

📋 Audit Questions

  1. Does any project still have the default VPC network?
  2. What is your process for ensuring new projects have the default network deleted?
  3. Are there organization policies preventing default network creation?

🎯 MITRE ATT&CK Mapping

T1190 — Exploit Public-Facing Application
T1133 — External Remote Services

🏗️ Infrastructure as Code Fix

main.tf
# Create the project without the default network. auto_create_network = false is a
# project-level setting in the Terraform google provider (the provider lets the
# default network be created and then deletes it); it is not an organization policy.
# For org-wide prevention, enforce the compute.skipDefaultNetworkCreation constraint.
resource "google_project" "project" {
  name                = var.project_name
  project_id          = var.project_id
  org_id              = var.org_id
  auto_create_network = false
}

⚡ Common Pitfalls

  • Deleting the default network but not creating a custom VPC, leaving workloads without connectivity
  • Not applying the auto_create_network=false policy for new projects
  • Forgetting about the default network in sandbox/test projects

📈 Business Value

Eliminating default networks forces intentional network design. Every VPC is purpose-built with specific firewall rules, reducing accidental exposure to zero.

⏱️ Effort Estimate

Manual

30 minutes per project to audit and delete

With EchelonGraph

EchelonGraph detects default networks across all projects in <30 seconds

🔗 Cross-Framework References

SOC2-CC6.6
ISO27001-A.13.1.1

Automate CIS GCP 3.1 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
