Monitor an Assured Workloads folder for violations

Assured Workloads actively monitors your Assured Workloads folders for compliance violations by comparing the requirements of a folder's compliance program with the following details:

  • Organization policy: Each Assured Workloads folder is configured with specific organization policy constraint settings that help to ensure compliance. When these settings are changed in a non-compliant manner, a violation occurs. See the Monitored organization policy violations section for more information.
  • Resources: Depending on your Assured Workloads folder's organization policy settings, the type and location of the resources beneath the folder may be restricted. If any resources are non-compliant, a violation occurs. See the Monitored resource violations section for more information.

When a violation occurs, you can resolve it or, where appropriate, create an exception for it. A violation has one of three statuses:

  • Unresolved: the violation has been detected and has not yet been remediated or excepted.
  • Resolved: the non-compliant organization policy setting or resource has been remediated.
  • Exception: an exception with a business justification has been recorded for the violation.

Assured Workloads monitoring is automatically enabled when you create an Assured Workloads folder.

Before you begin

Required IAM roles and permissions

To view organization policy violations or resource violations, you must be granted an IAM role on the Assured Workloads folder that contains the following permissions:

  • assuredworkloads.violations.get
  • assuredworkloads.violations.list

These permissions are included in the following Assured Workloads IAM roles:

  • Assured Workloads Administrator (roles/assuredworkloads.admin)
  • Assured Workloads Editor (roles/assuredworkloads.editor)
  • Assured Workloads Reader (roles/assuredworkloads.reader)

To enable resource violation monitoring, you must be granted an IAM role on the Assured Workloads folder that contains the following permissions:

  • assuredworkloads.workload.update: This permission is included in the following roles:

    • Assured Workloads Administrator (roles/assuredworkloads.admin)
    • Assured Workloads Editor (roles/assuredworkloads.editor)
  • resourcemanager.folders.setIamPolicy: This permission is included in administrative roles, such as the following:

    • Organization Administrator (roles/resourcemanager.organizationAdmin)
    • Security Admin (roles/iam.securityAdmin)

To provide exceptions for compliance violations, you must be granted an IAM role on the Assured Workloads folder that contains the following permission:

  • assuredworkloads.violations.update: This permission is included in the following roles:

    • Assured Workloads Administrator (roles/assuredworkloads.admin)
    • Assured Workloads Editor (roles/assuredworkloads.editor)

Additionally, to resolve organization policy violations and to view audit logs, the following IAM roles must be granted:

  • Organization Policy Administrator (roles/orgpolicy.policyAdmin)
  • Logs Viewer (roles/logging.viewer)

Set up violation email notifications

When an organization compliance violation occurs or is resolved or when an exception is made, members of the Legal category in Essential Contacts are emailed by default. This behavior is necessary because your legal team needs to be kept up to date with any regulatory compliance issues.

The team that manages violations, whether a security team or another group, should also be added as contacts in the Legal category so that they receive email notifications as changes occur.

Enable or disable notifications

To enable or disable notifications for a specific Assured Workloads folder:

  1. Go to the Assured Workloads page in the Google Cloud console:

    Go to Assured Workloads

  2. In the Name column, click the name of the Assured Workloads folder whose notification settings you want to change.

  3. In the Assured Workloads Monitoring card, clear the Enable notifications checkbox to disable notifications, or select it to enable notifications for the folder.

On the Assured Workloads folders page, folders that have notifications disabled show Monitoring email notifications disabled.

View violations in your organization

You can view violations across your organization in both the Google Cloud console and the gcloud CLI.

Console

You can view how many violations there are across your organization on either the Assured Workloads page in the Compliance section of the Google Cloud console or the Monitoring page in the Compliance section.

Assured Workloads page

Go to the Assured Workloads page to view violations at a glance:

Go to Assured Workloads

At the top of the page, a summary of organization policy violations and resource violations is shown. Click the View link to go to the Monitoring page.

For each Assured Workloads folder in the list, any violations are shown in the Org policy violations and Resource violations columns. Unresolved violations and exceptions are each marked with their own icon. You can select a violation or exception to see more details.

If resource violation monitoring is not enabled on a folder, an icon is shown in the Updates column with an Enable Resource violation monitoring link. Click the link to enable the feature. You can also enable it by clicking the Enable button on the Assured Workloads folder details page.

Monitoring page

Go to the Monitoring page to view violations in more detail:

Go to Monitoring

Two tabs are shown: Organization Policy Violations and Resource Violations. If unresolved violations exist, an icon is shown on the corresponding tab.

In either tab, unresolved violations are shown by default. See the View violation details section below for more information.

gcloud CLI

To list the current compliance violations for an Assured Workloads folder in your organization, run the following command:

gcloud assured workloads violations list --location=LOCATION --organization=ORGANIZATION_ID --workload=WORKLOAD_ID

Where:

  • LOCATION is the location in which the Assured Workloads folder was created.
  • ORGANIZATION_ID is the ID of your organization.
  • WORKLOAD_ID is the ID of the workload that corresponds to the Assured Workloads folder.

The response includes the following information for each violation:

  • An audit log link for the violation.
  • The first time the violation occurred.
  • The type of violation.
  • A description of the violation.
  • The name of the violation, which can be used to retrieve more details.
  • The affected organization policy, and the related policy constraint.
  • The violation's current state. Valid values are unresolved, resolved, or exception.

For optional flags, see the Cloud SDK documentation.

View violation details

To view specific compliance violations and their details, complete the following steps:

Console

  1. In the Google Cloud console, go to the Monitoring page.

    Go to Monitoring

    On the Monitoring page, the Organization Policy Violations tab is selected by default. This tab displays all unresolved organization policy violations across the Assured Workloads folders in the organization.

    The Resource Violations tab displays all unresolved resource violations across the Assured Workloads folders in the organization.

  2. For either tab, use the Quick filters options to filter by violation status, violation type, compliance program type, specific folders, specific organization policy constraints, or specific resource types.

  3. For either tab, if there are existing violations, click a violation ID to see more detailed information.

From the Violation details page, you can perform the following tasks:

  • Copy the violation ID.

  • View the Assured Workloads folder where the violation has happened, and what time it first occurred.

  • View the audit log, which includes:

    • When the violation happened.

    • Which policy was modified to cause the violation, and which user made that modification.

    • If an exception was granted, which user granted it.

    • Where applicable, view the specific resource the violation occurred on.

  • View the affected organization policy.

  • View and add compliance violation exceptions.

  • Follow the remediation steps to resolve the violation.

For organization policy violations, you can also see the following:

  • Affected organization policy: To view the specific policy associated with the compliance violation, click View Policy.
  • Child resource violations: Resource-based organization policy violations can cause child resource violations. To view or resolve child resource violations, click the Violation ID.

For resource violations, you can also see the following:

  • Parent organization policy violations: When parent organization policy violations are the cause of a child resource violation, they need to be addressed at the parent level. To see the parent violation details, click View Violation.
  • Other violations on the same resource: Any other violations on the resource that is currently causing the resource violation are also shown.

gcloud CLI

To view a compliance violation's details, run the following command:

gcloud assured workloads violations describe VIOLATION_PATH

Where VIOLATION_PATH is in the following format:

ORGANIZATION_ID/locations/LOCATION/workloads/WORKLOAD_ID/violations/VIOLATION_ID

The VIOLATION_PATH is returned in the list response's name field for each violation.

The response includes the following information:

  • An audit log link for the violation.

  • The first time the violation occurred.

  • The type of violation.

  • A description of the violation.

  • The affected organization policy, and the related policy constraint.

  • Remediation steps to resolve the violation.

  • The violation's current state. Valid values are unresolved, resolved, or exception.

For optional flags, see the Cloud SDK documentation.

Resolve violations

To remediate a violation, complete the following steps:

Console

  1. In the Google Cloud console, go to the Monitoring page.

    Go to Monitoring

  2. Click the violation ID to see more detailed information.

  3. In the Remediation section, follow the instructions for the Google Cloud console or CLI to address the issue.

gcloud CLI

  1. View the violation details using the gcloud CLI.

  2. Follow the remediation steps in the response to resolve the violation.

Add violation exceptions

Sometimes a non-compliant setting is intentional for a particular situation, and the violation should be documented rather than remediated. You can add one or more exceptions for a violation by completing the following steps:

Console

  1. In the Google Cloud console, go to the Monitoring page.

    Go to Monitoring

  2. In the Violation ID column, click the violation you want to add the exception to.

  3. In the Exceptions section, click Add New.

  4. Enter a business justification for the exception. If you want the exception to also cover the child resource violations that already exist, select the Apply to all existing child resource violations checkbox. Click Submit.

  5. You can add additional exceptions as necessary by repeating these steps and clicking Add New.

The violation status is now set to Exception.

gcloud CLI

To add an exception for a violation, run the following command:

gcloud assured workloads violations acknowledge VIOLATION_PATH --comment="BUSINESS_JUSTIFICATION"

Where BUSINESS_JUSTIFICATION is the reason for the exception, and VIOLATION_PATH is in the following format:

ORGANIZATION_ID/locations/LOCATION/workloads/WORKLOAD_ID/violations/VIOLATION_ID

The VIOLATION_PATH is returned in the list response's name field for each violation.

After successfully sending the command, the violation status is set to Exception.
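The list, describe and acknowledge commands above are easiest to work with through their JSON output. The following script is an added example for this page, not code from the Assured Workloads documentation or product: it triages the output of `gcloud assured workloads violations list --format=json`, validates each resource name against the documented VIOLATION_PATH shape before splicing it into a shell command, groups unresolved violations by constraint, and builds the describe and acknowledge commands with proper shell quoting of the business justification. The field names (name, state, category, orgPolicyConstraint, beginTime, description, auditLogLink) follow the Assured Workloads API Violation resource and are assumptions to confirm against your own `--format=json` output; the sample data is constructed.

```python
"""Triage the JSON output of `gcloud assured workloads violations list`.

Added example for this page, not code from the Assured Workloads
documentation or product. Field names (name, state, category,
orgPolicyConstraint, beginTime, description, auditLogLink) follow the
Assured Workloads API Violation resource; treat them as assumptions and
confirm them against `--format=json` output from your own organization.
"""
import json
import re
import shlex
from collections import Counter, defaultdict

# Documented VIOLATION_PATH shape, with or without the `organizations/`
# prefix that appears in the API resource name.
_VIOLATION_PATH_RE = re.compile(
    r"^(?:organizations/)?\d+/locations/[^/]+/workloads/[^/]+/violations/[^/]+$"
)

# Constructed sample standing in for real `--format=json` output.
SAMPLE_LIST_OUTPUT = json.dumps([
    {
        "name": "organizations/123456789012/locations/us/workloads/9001/violations/v-001",
        "state": "UNRESOLVED",
        "category": "RESOURCE_LOCATION",
        "orgPolicyConstraint": "constraints/gcp.resourceLocations",
        "description": "A resource was created outside the allowed locations.",
        "beginTime": "2024-05-01T10:00:00Z",
        "auditLogLink": "https://example.invalid/audit-log/v-001",
    },
    {
        "name": "organizations/123456789012/locations/us/workloads/9001/violations/v-002",
        "state": "UNRESOLVED",
        "category": "SERVICE_USAGE",
        "orgPolicyConstraint": "constraints/gcp.restrictServiceUsage",
        "description": "An unsupported service was enabled in the folder.",
        "beginTime": "2024-04-28T08:30:00Z",
        "auditLogLink": "https://example.invalid/audit-log/v-002",
    },
    {
        "name": "organizations/123456789012/locations/us/workloads/9001/violations/v-003",
        "state": "EXCEPTION",
        "category": "ENCRYPTION",
        "orgPolicyConstraint": "constraints/gcp.restrictNonCmekServices",
        "description": "A service that does not support CMEK was enabled.",
        "beginTime": "2024-03-15T12:00:00Z",
        "auditLogLink": "https://example.invalid/audit-log/v-003",
    },
    {
        "name": "organizations/123456789012/locations/us/workloads/9001/violations/v-004",
        "state": "RESOLVED",
        "category": "RESOURCE_LOCATION",
        "orgPolicyConstraint": "constraints/gcp.resourceLocations",
        "description": "A resource was moved to a disallowed location.",
        "beginTime": "2024-02-01T09:00:00Z",
        "auditLogLink": "https://example.invalid/audit-log/v-004",
    },
])


def is_valid_violation_path(path):
    """True when `path` has the documented VIOLATION_PATH structure."""
    return bool(_VIOLATION_PATH_RE.match(path))


def parse_violations(raw_json):
    """Load list output and reject entries whose name is not a violation path.

    A malformed name would otherwise be spliced into a shell command below,
    so it is validated before anything is built from it.
    """
    violations = json.loads(raw_json)
    for v in violations:
        if not is_valid_violation_path(v.get("name", "")):
            raise ValueError(f"unexpected violation name: {v.get('name')!r}")
    return violations


def summarize(violations):
    """Counts per state, plus unresolved paths grouped by constraint, oldest first."""
    by_state = Counter(v["state"] for v in violations)
    unresolved = defaultdict(list)
    # RFC 3339 timestamps in UTC sort correctly as strings.
    for v in sorted(violations, key=lambda v: v["beginTime"]):
        if v["state"] == "UNRESOLVED":
            unresolved[v["orgPolicyConstraint"]].append(v["name"])
    return {"by_state": dict(by_state), "unresolved_by_constraint": dict(unresolved)}


def describe_command(violation_path):
    """Shell command that fetches the remediation steps for one violation."""
    if not is_valid_violation_path(violation_path):
        raise ValueError("not a violation path")
    return f"gcloud assured workloads violations describe {shlex.quote(violation_path)}"


def acknowledge_command(violation_path, justification):
    """Shell command that records an exception; a non-empty justification is required."""
    if not is_valid_violation_path(violation_path):
        raise ValueError("not a violation path")
    if not justification.strip():
        raise ValueError("an exception requires a business justification")
    return ("gcloud assured workloads violations acknowledge "
            f"{shlex.quote(violation_path)} --comment={shlex.quote(justification)}")


if __name__ == "__main__":
    report = summarize(parse_violations(SAMPLE_LIST_OUTPUT))
    print("Violations by state:", report["by_state"])
    for constraint, paths in report["unresolved_by_constraint"].items():
        print(f"\n{constraint}: {len(paths)} unresolved")
        for path in paths:
            print("  ", describe_command(path))
```

In practice, pipe the real list output into `parse_violations` and review each generated describe command's remediation steps before running any acknowledge command; the script deliberately only prints commands rather than executing them, so granting an exception remains an explicit, reviewed action by someone holding assuredworkloads.violations.update.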

Monitored organization policy violations

Assured Workloads monitors different organization policy constraint violations, depending on the compliance program applied to your Assured Workloads folder. Use the following list to filter violations by their affected compliance program.

Each of the following violations is caused by changing the compliance program's compliant value for the listed organization policy constraint.

Non-compliant access to Cloud SQL data
  • Violation type: Access
  • Description: Occurs when non-compliant access to Cloud SQL diagnostic data is allowed.
  • Constraint: sql.restrictNoncompliantDiagnosticDataAccess
  • Affected compliance programs: EU Regions and Support with Sovereignty Controls

Non-compliant access to Compute Engine data
  • Violation type: Access
  • Description: Occurs when non-compliant access to Compute Engine instance data is allowed.
  • Constraint: compute.disableInstanceDataAccessApis
  • Affected compliance programs: CJIS, EU Regions and Support with Sovereignty Controls, ITAR

Non-compliant Cloud Storage authentication types
  • Violation type: Access
  • Description: Occurs when non-compliant authentication types are allowed for use with Cloud Storage.
  • Constraint: storage.restrictAuthTypes
  • Affected compliance programs: EU Regions and Support with Sovereignty Controls

Non-compliant access to Cloud Storage buckets
  • Violation type: Access
  • Description: Occurs when non-uniform bucket-level access to Cloud Storage buckets is allowed.
  • Constraint: storage.uniformBucketLevelAccess
  • Affected compliance programs: EU Regions and Support with Sovereignty Controls

Non-compliant access to GKE data
  • Violation type: Access
  • Description: Occurs when non-compliant access to GKE diagnostic data is allowed.
  • Constraint: container.restrictNoncompliantDiagnosticDataAccess
  • Affected compliance programs: EU Regions and Support with Sovereignty Controls, IL4, IL5, ITAR

Non-compliant Compute Engine diagnostic features
  • Violation type: Configuration
  • Description: Occurs when non-compliant Compute Engine diagnostic features have been enabled.
  • Constraint: compute.enableComplianceMemoryProtection
  • Affected compliance programs: EU Regions and Support with Sovereignty Controls, ITAR

Non-compliant Compute Engine global load balancing setting
  • Violation type: Configuration
  • Description: Occurs when a non-compliant value has been set for the global load balancing setting in Compute Engine.
  • Constraint: compute.disableGlobalLoadBalancing
  • Affected compliance programs: ITAR

Non-compliant Compute Engine FIPS setting
  • Violation type: Configuration
  • Description: Occurs when a non-compliant value has been set for the FIPS setting in Compute Engine.
  • Constraint: compute.disableNonFIPSMachineTypes
  • Affected compliance programs: ITAR

Non-compliant Compute Engine SSL setting
  • Violation type: Configuration
  • Description: Occurs when a non-compliant value has been set for global self-managed certificates.
  • Constraint: compute.disableGlobalSelfManagedSslCertificate
  • Affected compliance programs: ITAR

Non-compliant Compute Engine SSH in browser setting
  • Violation type: Configuration
  • Description: Occurs when a non-compliant value has been set for the SSH in browser feature in Compute Engine.
  • Constraint: compute.disableSshInBrowser
  • Affected compliance programs: EU Regions and Support with Sovereignty Controls

Non-compliant Cloud SQL resource creation
  • Violation type: Configuration
  • Description: Occurs when non-compliant Cloud SQL resource creation is allowed.
  • Constraint: sql.restrictNoncompliantResourceCreation
  • Affected compliance programs: EU Regions and Support with Sovereignty Controls

Missing Cloud KMS key restriction
  • Violation type: Encryption
  • Description: Occurs when no projects are specified to provide encryption keys for CMEK. The constraint helps to prevent unapproved folders or projects from providing encryption keys.
  • Constraint: gcp.restrictCmekCryptoKeyProjects
  • Affected compliance programs: CJIS, EU Regions and Support with Sovereignty Controls, ITAR

Non-compliant non-CMEK-enabled service
  • Violation type: Encryption
  • Description: Occurs when a service that does not support CMEK is enabled for the workload.
  • Constraint: gcp.restrictNonCmekServices
  • Affected compliance programs: CJIS, EU Regions and Support with Sovereignty Controls, ITAR

Non-compliant Cloud KMS protection levels
  • Violation type: Encryption
  • Description: Occurs when non-compliant protection levels are specified for use with Cloud Key Management Service (Cloud KMS). See the Cloud KMS reference for more information.
  • Constraint: cloudkms.allowedProtectionLevels
  • Affected compliance programs: EU Regions and Support with Sovereignty Controls

Non-compliant resource locations
  • Violation type: Resource location
  • Description: Occurs when resources of supported services for a given Assured Workloads compliance program are either created outside of the allowed region for the workload or moved from an allowed location to a disallowed location.
  • Constraint: gcp.resourceLocations
  • Affected compliance programs: Australian Regions with Assured Support, Canada Protected B, Canada Regions and Support, CJIS, EU Regions and Support, EU Regions and Support with Sovereignty Controls, FedRAMP Moderate, FedRAMP High, HIPAA (Preview), HITRUST (Preview), IL4, IL5, Israel Regions and Support, ITAR, Japan Regions, US Regions and Support

Non-compliant services
  • Violation type: Service usage
  • Description: Occurs when a user enables a service that is not supported by a given Assured Workloads compliance program in an Assured Workloads folder.
  • Constraint: gcp.restrictServiceUsage
  • Affected compliance programs: Australian Regions with Assured Support, Canada Protected B, Canada Regions and Support, CJIS, EU Regions and Support, EU Regions and Support with Sovereignty Controls, FedRAMP Moderate, FedRAMP High, HIPAA (Preview), HITRUST (Preview), IL4, IL5, Israel Regions and Support, ITAR, Japan Regions, US Regions and Support

Monitored resource violations

Assured Workloads monitors different resource violations, depending on the compliance program applied to your Assured Workloads folder. Use the following list to filter violations by their affected compliance program:

Each of the following resource violations is evaluated against the listed organization policy constraint.

Non-compliant resource location
  • Description: Occurs when a resource's location is in a non-compliant region.
  • Constraint: gcp.resourceLocations
  • Affected compliance programs: Australian Regions with Assured Support, Canada Protected B, Canada Regions and Support, CJIS, EU Regions and Support, EU Regions and Support with Sovereignty Controls, FedRAMP Moderate, FedRAMP High, HIPAA (Preview), HITRUST (Preview), IL4, IL5, Israel Regions and Support, ITAR, Japan Regions, US Regions and Support

Non-compliant resources in folder
  • Description: Occurs when a resource for an unsupported service is created in the Assured Workloads folder.
  • Constraint: gcp.restrictServiceUsage
  • Affected compliance programs: Australian Regions with Assured Support, Canada Protected B, Canada Regions and Support, CJIS, EU Regions and Support, EU Regions and Support with Sovereignty Controls, FedRAMP Moderate, FedRAMP High, HIPAA (Preview), HITRUST (Preview), IL4, IL5, Israel Regions and Support, ITAR, Japan Regions, US Regions and Support

What's next