Cloud VPN Deleted

This alert occurs when Lacework detects that an existing VPN connection was deleted in your Google Cloud environment.

Related policy: LW_AT_RESOURCE_171: Cloud VPN Deleted

Why this alert is important

When a Cloud VPN connection is deleted, a user or application has removed, intentionally or unintentionally, a critical component of your network infrastructure. This can lead to network downtime or to unauthorized access to your resources, especially if the VPN was used to reach critical resources or sensitive data.

Detecting this event lets you act to mitigate the resulting security risks and keep your network infrastructure secure.

Investigation

Follow these steps to investigate the alert:

  1. Review the Cloud Audit Logs to identify who deleted the Cloud VPN and when. Look for unusual activity, such as access from unknown IP addresses or abnormal user behavior.
  2. Review your Google Cloud logs and look for any other suspicious activity, such as failed login attempts, access to sensitive data, or unusual network traffic.
  3. Check the IAM permissions of the user who deleted the cloud VPN. Ensure that the user had the appropriate permissions to perform this action and that their account was not compromised.
  4. Review your firewall rules to ensure they are properly configured to avoid unauthorized access.
  5. Review your network policies to ensure they are properly configured to avoid unauthorized access.
  6. Check your systems for malware or other malicious software that may have been used to gain access to your Google Cloud environment.
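The first investigation step, identifying who deleted the VPN, when, and from where, is worth scripting when many audit-log entries have to be triaged. The following Python script is an added example and is not part of the Lacework documentation or the policy itself; it walks Cloud Audit Log entries in the JSON shape that `gcloud logging read --format=json` emits, keeps the Compute Engine delete calls for VPN resources (vpnTunnels, vpnGateways, targetVpnGateways, externalVpnGateways), and flags any caller whose source IP is outside a list of expected admin ranges. The method-name convention it matches on, the trusted ranges, and the log entries are all assumptions or constructed sample data, not values from this page.

```python
"""Triage Cloud Audit Log entries for Cloud VPN deletions (added example).

Input: a list of audit-log entries in the JSON shape `gcloud logging read
--format=json` produces. Output: one finding per VPN delete call, with the
caller flagged when it did not come from an expected admin source range.
"""
import json
from ipaddress import ip_address, ip_network

# Assumption: Compute Engine audit logs name delete operations as
# "<api version>.compute.<resource>.delete". Matching on the parts rather than a
# fixed string means v1 and beta calls are both caught.
VPN_RESOURCES = ("vpnTunnels", "vpnGateways", "targetVpnGateways", "externalVpnGateways")

# Source ranges from which VPN administration is expected (constructed sample values).
TRUSTED_RANGES = [ip_network("203.0.113.0/24")]


def is_vpn_delete(method_name: str) -> bool:
    """True for method names such as 'v1.compute.vpnTunnels.delete'."""
    parts = method_name.split(".")
    return (
        len(parts) == 4
        and parts[1] == "compute"
        and parts[2] in VPN_RESOURCES
        and parts[3] == "delete"
    )


def caller_is_trusted(caller_ip) -> bool:
    """A missing or non-parseable caller IP is treated as untrusted so it gets reviewed."""
    if not caller_ip:
        return False
    try:
        addr = ip_address(caller_ip)
    except ValueError:  # placeholders such as "private" appear in some entries
        return False
    return any(addr in net for net in TRUSTED_RANGES)


def triage(entries):
    """Return one finding dict per VPN deletion, oldest first."""
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        method = payload.get("methodName", "")
        if not is_vpn_delete(method):
            continue
        caller_ip = payload.get("requestMetadata", {}).get("callerIp")
        findings.append({
            "timestamp": entry.get("timestamp"),
            "principal": payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
            "caller_ip": caller_ip,
            "resource": payload.get("resourceName"),
            "method": method,
            "suspicious_source": not caller_is_trusted(caller_ip),
        })
    # RFC 3339 timestamps in UTC sort correctly as strings.
    findings.sort(key=lambda f: f["timestamp"] or "")
    return findings


# Constructed sample entries (not real log data) in Cloud Audit Log JSON shape.
SAMPLE_ENTRIES = json.loads("""[
  {"timestamp": "2024-05-01T09:15:02Z",
   "protoPayload": {"methodName": "v1.compute.vpnTunnels.delete",
     "authenticationInfo": {"principalEmail": "netadmin@example.com"},
     "requestMetadata": {"callerIp": "203.0.113.40"},
     "resourceName": "projects/example-proj/regions/us-central1/vpnTunnels/tunnel-hq"}},
  {"timestamp": "2024-05-01T08:57:44Z",
   "protoPayload": {"methodName": "v1.compute.instances.insert",
     "authenticationInfo": {"principalEmail": "netadmin@example.com"},
     "requestMetadata": {"callerIp": "203.0.113.40"},
     "resourceName": "projects/example-proj/zones/us-central1-a/instances/web-1"}},
  {"timestamp": "2024-05-01T03:02:19Z",
   "protoPayload": {"methodName": "beta.compute.vpnGateways.delete",
     "authenticationInfo": {"principalEmail": "ci-deployer@example-proj.iam.gserviceaccount.com"},
     "requestMetadata": {"callerIp": "198.51.100.7"},
     "resourceName": "projects/example-proj/regions/us-central1/vpnGateways/gw-hq"}}
]""")


if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES):
        flag = "REVIEW" if f["suspicious_source"] else "ok"
        print(f"{f['timestamp']} {flag:6} {f['principal']} {f['caller_ip']} {f['method']} {f['resource']}")
```

On the sample data the script reports two deletions and marks the 03:02 gateway deletion by a service account from 198.51.100.7 for review, which is exactly the kind of entry that should drive steps 3 through 6 above (checking that principal's IAM permissions and whether the account or the host it ran from was compromised). To feed real data, export entries with `gcloud logging read` using a filter on `protoPayload.methodName` and `--format=json`, then load that JSON in place of `SAMPLE_ENTRIES`.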

Resolution

Use the following steps to resolve an unauthorized cloud VPN deletion:

  1. If you have a backup of your VPN configuration, you can use it to restore the connection. If not, you may need to create a new VPN connection and reconfigure your network settings.
  2. If the VPN was deleted due to unauthorized access, take steps to remove the access immediately. This may involve revoking user permissions, resetting passwords, and implementing additional security measures to prevent further unauthorized access.
  3. Implement best practices for Google Cloud security, such as two-factor authentication, regular password changes, and restricting access to sensitive resources.
  4. Monitor your Google Cloud environment for further unauthorized access or suspicious activity. This may involve implementing additional monitoring tools and regularly reviewing logs and other data.
  5. If necessary, consider working with a Google Cloud security expert or consultant to help identify any other potential security risks and recommend additional security measures to prevent future incidents.