Cloud Monitoring Not Enabled for Vertex AI Notebooks
ID: gcloud-vertexai-monitoring
Severity: medium
Author: princechaddha
Tags: cloud,devops,gcp,gcloud,vertexai,security,monitoring,gcp-cloud-config
Description
Section titled “Description”Ensure that Cloud Monitoring is enabled for your Vertex AI notebook instances in order to gain visibility into their health and performance. Cloud Monitoring reports system and application metrics such as disk, CPU, network, and processes. This allows you to identify issues like resource bottlenecks or errors proactively. To enable the monitoring feature, you must install the Cloud Monitoring agent when you create your notebook instance.
YAML Source
Section titled “YAML Source”id: gcloud-vertexai-monitoring
info: name: Cloud Monitoring Not Enabled for Vertex AI Notebooks author: princechaddha severity: medium description: | Ensure that Cloud Monitoring is enabled for your Vertex AI notebook instances in order to gain visibility into their health and performance. Cloud Monitoring reports system and application metrics such as disk, CPU, network, and processes. This allows you to identify issues like resource bottlenecks or errors proactively. To enable the monitoring feature, you must install the Cloud Monitoring agent when you create your notebook instance. impact: | Without Cloud Monitoring enabled, you lack visibility into the health and performance of your notebook instances, making it difficult to detect and troubleshoot issues proactively. This can lead to degraded performance or service disruptions. remediation: | Re-create Vertex AI notebook instances with Cloud Monitoring enabled by using the 'gcloud workbench instances create' command with metadata parameter 'install-monitoring-agent=true'. reference: - https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/VertexAI/enable-cloud-monitoring.html - https://cloud.google.com/vertex-ai/docs/workbench/user-managed/manage-instance tags: cloud,devops,gcp,gcloud,vertexai,security,monitoring,gcp-cloud-config
flow: | code(1) for(let projectId of iterate(template.projectIds)){ set("projectId", projectId) code(2) }
self-contained: true
code: - engine: - sh - bash source: | gcloud projects list --format="json(projectId)"
extractors: - type: json name: projectIds internal: true json: - '.[].projectId'
- engine: - sh - bash source: | gcloud workbench instances describe tm-vertex-ai-notebook-instance --location=us-central1-a --project=$projectId --format="yaml(gceSetup.metadata.install-monitoring-agent)"
matchers: - type: word words: - "null"
extractors: - type: dsl dsl: - '"Project " + projectId + " has Vertex AI notebook instances without Cloud Monitoring enabled"'# digest: 4a0a00473045022100c7bc99ba5cc3d543c53777ced4301fa9ece255d153202432c143fedcfab4955602206bc1d563f849b0db4fdcec3fc5d0fbf18372948eefe863ebdd7828364902ebe5:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/gcp/vertexai/gcloud-vertexai-monitoring.yaml"