# 1.10 - Access attempts violating VPC Service Controls Access attempt blocked by VPC Service Controls, indicating potential malicious activity like data exfiltration attempt and/or access from unauthorized networks using stolen credentials. To learn more about the security benefits of VPC Service Controls, see this [VPC Service Controls overview](https://cloud.google.com/vpc-service-controls/docs/overview#benefits). **Category:** Login & Access Patterns
**Use Cases:** Detect, Audit
**Data Sources:** Audit Logs - Policy
## Queries or Rules BigQuery | Log Analytics | Google SecOps --- | --- | --- [SQL](../../backends/bigquery/sql/1_10_access_attempts_blocked_by_VPC_SC.sql) | [SQL](../../backends/log_analytics/sql/1_10_access_attempts_blocked_by_VPC_SC.sql) | [Contribute rule](../../CONTRIBUTING.md) ## Event Generation Copy Cloud Storage file from private storage bucket in a protected projected over to local workstation (i.e. outside the perimeter) ### Test Prerequisites 1. [Install gcloud](https://cloud.google.com/sdk/docs/install) 1. [Create a service perimeter around test GCP project](https://cloud.google.com/vpc-service-controls/docs/create-service-perimeters) 1. Create a Cloud Storage bucket in GCP project with `private.txt` file ### Test Input | Name | Description | Type | Default Value | |------|-------------|------|---------------| | protected-bucket | Name of Cloud Storage bucket located in a protected GCP project within service perimeter | String | test-protected-bucket| ### Test Commands ``` gsutil cp gs://#{protected-bucket}/private.txt . ``` ## Sample Event ### google.storage.objects.get-notInSameVPC ``` { "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "status": { "code": 7, "message": "PERMISSION_DENIED", "details": [ { "@type": "type.googleapis.com/google.rpc.PreconditionFailure", "violations": [ { "type": "VPC_SERVICE_CONTROLS", "description": "HnoEeMFGeXlDeZykdkzUQbt4VJ7oyxjJWLsS93mFiXnJJHIS1ZbhmQ" } ] } ] }, "authenticationInfo": { }, "requestMetadata": { "callerIp": "203.0.113.255", "requestAttributes": { }, "destinationAttributes": { } }, "serviceName": "storage.googleapis.com", "methodName": "google.storage.objects.get", "resourceName": "projects/1234", "metadata": { "resourceNames": [ "projects/123/buckets/protected-bucket/objects/private.txt" ], "vpcServiceControlsUniqueId": "HnoEeMFGeXlDeZykdkzUQbt4VJ7oyxjAbLsS93mFiXnJJHIS1ZbhmQ", "violationReason": "NO_MATCHING_ACCESS_LEVEL", "ingressViolations": [ { "targetResource": "projects/1234", "servicePerimeter": "accessPolicies/123456789/servicePerimeters/test-perimeter" } ], "securityPolicyInfo": { "servicePerimeterName": "accessPolicies/123456789/servicePerimeters/test-perimeter", "organizationId": "123" }, "@type": "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata" } }, "insertId": "1lpqk13d1fdt", "resource": { "type": "audited_resource", "labels": { "service": "storage.googleapis.com", "method": "google.storage.objects.get", "project_id": "1234" } }, "timestamp": "2022-02-15T21:51:50.071173943Z", "severity": "ERROR", "logName": "projects/1234/logs/cloudaudit.googleapis.com%2Fpolicy", "receiveTimestamp": "2022-02-15T21:51:50.900622321Z" } ``` ### References - https://cloud.google.com/vpc-service-controls/docs/troubleshooting#gcs_vm_outside_perimeter - https://cloud.google.com/vpc-service-controls/docs/overview#benefits