Monitor an Assured Workloads folder for violations
Assured Workloads monitors a compliance regime's organization policy constraints, and highlights a violation if a change to a resource is non-compliant. You can then resolve these violations, or create exceptions for them where appropriate.
A violation can have one of three statuses:
Unresolved: The violation hasn't been addressed.
Resolved: The violation has been addressed by following steps to remediate the issue.
Exception: The violation has been granted an exception, and a business justification has been provided.
Before you begin
Make sure you've been granted the following roles, or add the relevant permissions to a custom role before monitoring compliance violations.
Role | Associated permissions |
---|---|
Assured Workloads Administrator (roles/assuredworkloads.admin) | |
Assured Workloads Editor (roles/assuredworkloads.editor) | |
Assured Workloads Reader (roles/assuredworkloads.reader) | |
Additionally, to remediate organization policy violations and to view audit logs, grant the following roles to your account:
- Organization Policy Administrator (roles/orgpolicy.policyAdmin)
- Logs Viewer (roles/logging.viewer)
Set up violation email notifications
When a compliance violation occurs, is resolved, or an exception is made, members of the Legal category in Essential Contacts are emailed. This is because your legal team needs to be kept up to date with regulatory compliance issues.
The team that manages violations, whether a security team or another group, should also be added to the Legal category as contacts so that its members receive the same email notifications as changes occur.
View violations in your organization
You can view violations across your organization in both the Google Cloud console and the gcloud CLI.
Console
You can view how many violations there are across your organization at a glance from the Assured Workloads page in the Google Cloud console.
Additionally, you can click a folder Name on the Assured Workloads page to view its details, which provides at-a-glance violation details for that particular folder.
gcloud CLI
To list the current compliance violations in your organization, run the following command:
gcloud assured workloads violations list --location=LOCATION --organization=ORGANIZATION_ID --workload=WORKLOAD_ID
Where:
LOCATION is the location of the Assured Workload environment.
ORGANIZATION_ID is the organization ID to query.
WORKLOAD_ID is the parent workload ID, which can be found by listing your workloads.
The response includes the following information for each violation:
- An audit log link for the violation.
- The first time the violation occurred.
- The type of violation.
- A description of the violation.
- The name of the violation, which can be used to retrieve more details.
- The affected organization policy, and the related policy constraint.
- The violation's current state. Valid values are unresolved, resolved, or exception.
For optional flags, see the Cloud SDK documentation.
View violation details
To view specific compliance violations and their details, complete the following steps:
Console
In the Google Cloud console, go to the Monitoring page.
Optional: To view a specific Assured Workloads folder, select it from the All folders list.
By default, all violations in the selected workload environment are visible. To change this, select a filter in the Filter by Category section.
Click a violation ID to see more detailed information.
From the Violation details page, you can perform the following tasks:
Copy the violation ID.
View the folder where the violation has happened, and what time it first occurred.
View the affected organization policy.
View the audit log, which includes:
When the violation happened.
Which policy was modified to cause the violation, and which user made that modification.
If an exception was granted, which user granted it.
Where applicable, view the specific resource the violation occurred on.
Follow the remediation steps to resolve the violation.
gcloud CLI
To view a compliance violation's details, run the following command:
gcloud assured workloads violations describe VIOLATION_PATH
Where VIOLATION_PATH is in the following format:
ORGANIZATION_ID/locations/LOCATION/workloads/WORKLOAD_ID/violations/VIOLATION_ID
The VIOLATION_PATH is returned in the list response's name field for each violation.
The response includes the following information:
An audit log link for the violation.
The first time the violation occurred.
The type of violation.
A description of the violation.
The affected organization policy, and the related policy constraint.
Remediation steps to resolve the violation.
The violation's current state. Valid values are unresolved, resolved, or exception.
For optional flags, see the Cloud SDK documentation.
Resolve violations
To remediate a violation, complete the following steps:
Console
In the Google Cloud console, go to the Monitoring page.
Click the violation ID to see more detailed information.
In the Remediation section, follow the instructions for the Google Cloud console or CLI to address the issue.
gcloud CLI
Follow the remediation steps included in the describe command's response to resolve the violation.
Add violation exceptions
Sometimes a violation might be valid for a particular situation. To add an exception for a violation, complete the following steps:
Console
In the Google Cloud console, go to the Monitoring page.
Click the violation ID to open its details.
In the Exception section, click Add.
Enter a business justification, click Submit, and then confirm the exception.
The violation status is now set to Exception.
gcloud CLI
To add an exception for a violation, run the following command:
gcloud assured workloads violations acknowledge VIOLATION_PATH --comment="BUSINESS_JUSTIFICATION"
Where BUSINESS_JUSTIFICATION is the reason for the exception, and VIOLATION_PATH is in the following format:
ORGANIZATION_ID/locations/LOCATION/workloads/WORKLOAD_ID/violations/VIOLATION_ID
The VIOLATION_PATH is returned in the list response's name field for each violation.
After successfully sending the command, the violation status is set to Exception.
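The list, describe and acknowledge commands above lend themselves to a small triage script. The following Python is an added example, not part of this page or of Google's own tooling: it parses a constructed sample of `gcloud assured workloads violations list ... --format=json` output, validates each violation's resource name, counts violations by state, flags unresolved violations older than a threshold, and builds the describe and acknowledge command lines (refusing to build an acknowledge command for a violation that is not unresolved or that has no business justification). The JSON field names (name, state, category, beginTime, orgPolicyConstraint, auditLogLink, description), the `organizations/` prefix on the resource name, and every ID and constraint value in the sample are assumptions; check them against your own list output before relying on the script.

```python
"""Triage helper for Assured Workloads violation listings (added example).

Assumption: the JSON emitted by
  gcloud assured workloads violations list --location=LOCATION \
      --organization=ORGANIZATION_ID --workload=WORKLOAD_ID --format=json
is a list of objects with the field names used in SAMPLE_LIST_JSON below.
Verify against real output; the sample is constructed, not captured.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample response. Organization, workload and violation IDs are
# placeholders, not real resources.
SAMPLE_LIST_JSON = json.dumps([
    {
        "name": "organizations/123456789012/locations/us-central1"
                "/workloads/wl-example/violations/v-001",
        "state": "UNRESOLVED",
        "category": "RESOURCE_LOCATION",
        "beginTime": "2024-03-01T10:15:00Z",
        "orgPolicyConstraint": "constraints/gcp.resourceLocations",
        "auditLogLink": "https://console.cloud.google.com/logs/query;query=EXAMPLE",
        "description": "Non-compliant resource locations",
    },
    {
        "name": "organizations/123456789012/locations/us-central1"
                "/workloads/wl-example/violations/v-002",
        "state": "EXCEPTION",
        "category": "SERVICE_USAGE",
        "beginTime": "2024-03-20T08:00:00Z",
        "orgPolicyConstraint": "constraints/gcp.restrictServiceUsage",
        "auditLogLink": "https://console.cloud.google.com/logs/query;query=EXAMPLE",
        "description": "Non-compliant services",
    },
    {
        "name": "organizations/123456789012/locations/us-central1"
                "/workloads/wl-example/violations/v-003",
        "state": "UNRESOLVED",
        "category": "ENCRYPTION",
        "beginTime": "2024-03-28T12:00:00Z",
        "orgPolicyConstraint": "constraints/gcp.restrictCmekCryptoKeyProjects",
        "auditLogLink": "https://console.cloud.google.com/logs/query;query=EXAMPLE",
        "description": "Missing Cloud KMS key restriction",
    },
])

# Accept the name with or without the leading "organizations/" segment
# (assumption: both forms name the same resource).
VIOLATION_NAME_RE = re.compile(
    r"^(?:organizations/)?(?P<org>\d+)/locations/(?P<loc>[^/]+)"
    r"/workloads/(?P<wl>[^/]+)/violations/(?P<vid>[^/]+)$"
)


def parse_violation_name(name):
    """Split a violation resource name into org/loc/wl/vid, or raise."""
    match = VIOLATION_NAME_RE.match(name)
    if not match:
        raise ValueError(f"not a violation resource name: {name!r}")
    return match.groupdict()


def load_violations(raw_json):
    """Parse list output and fail fast on any malformed resource name."""
    violations = json.loads(raw_json)
    for violation in violations:
        parse_violation_name(violation["name"])
    return violations


def summarize_by_state(violations):
    """Count violations per state; all three states are always present."""
    counts = {"UNRESOLVED": 0, "RESOLVED": 0, "EXCEPTION": 0}
    for violation in violations:
        counts[violation["state"]] = counts.get(violation["state"], 0) + 1
    return counts


def stale_unresolved(violations, now_iso, max_age_days):
    """Return IDs of unresolved violations that began more than max_age_days ago."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    limit = timedelta(days=max_age_days)
    stale = []
    for violation in violations:
        if violation["state"] != "UNRESOLVED":
            continue
        began = datetime.fromisoformat(violation["beginTime"].replace("Z", "+00:00"))
        if now - began > limit:
            stale.append(parse_violation_name(violation["name"])["vid"])
    return stale


def describe_command(violation):
    """Command line to fetch the violation's details and remediation steps."""
    return f"gcloud assured workloads violations describe {violation['name']} --format=json"


def acknowledge_command(violation, justification):
    """Command line to grant an exception; only for unresolved violations."""
    if violation["state"] != "UNRESOLVED":
        raise ValueError(f"violation is already {violation['state']}; nothing to acknowledge")
    if not justification.strip():
        raise ValueError("a business justification is required for an exception")
    comment = justification.replace('"', '\\"')
    return (f"gcloud assured workloads violations acknowledge {violation['name']} "
            f'--comment="{comment}"')


if __name__ == "__main__":
    found = load_violations(SAMPLE_LIST_JSON)
    print("by state:", summarize_by_state(found))
    today = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    print("stale unresolved:", stale_unresolved(found, today, 14))
    for v in found:
        print(describe_command(v))
```

Pipe real output into `load_violations` instead of the sample, and keep the acknowledge path behind a human approval step: granting an exception is a privileged, audited action, and the script deliberately only prints the command rather than running it.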
Monitored violations
Assured Workloads monitors different organization policy constraint violations, depending on the compliance regime applied to your Assured Workloads folder.
Organization policy constraint | Violation type | Description | Affected compliance regimes |
---|---|---|---|
Non-compliant access to Cloud SQL data | Access | Occurs when non-compliant access to non-compliant Cloud SQL diagnostic data is allowed. This violation is caused by changing the platform control's compliant value for the | EU Regions and Support |
Non-compliant access to Compute Engine data | Access | Occurs when non-compliant access to Compute Engine instance data is allowed. This violation is caused by changing the platform control's compliant value for the | EU Regions and Support |
Non-compliant Cloud Storage authentication types | Access | Occurs when non-compliant authentication types are allowed for use with Cloud Storage. This violation is caused by changing the platform control's compliant value for the | EU Regions and Support |
Non-compliant access to Cloud Storage buckets | Access | Occurs when non-compliant non-uniform bucket-level access to Cloud Storage is allowed. This violation is caused by changing the platform control's compliant value for the | EU Regions and Support |
Non-compliant global IAP web access | Access | Occurs when non-compliant global IAP web access is allowed. This violation is caused by changing the platform control's compliant value for the | EU Regions and Support |
Non-compliant access to GKE data | Access | Occurs when non-compliant access to non-compliant GKE diagnostic data is allowed. This violation is caused by changing the platform control's compliant value for the | EU Regions and Support |
Non-compliant Compute Engine serial port logging | Configuration | Occurs when non-compliant Compute Engine serial port logging has been enabled. This violation is caused by changing the platform control's compliant value for the | EU Regions and Support |
Non-compliant Compute Engine diagnostic features | Configuration | Occurs when non-compliant Compute Engine diagnostic features have been enabled. This violation is caused by changing the platform control's compliant value for the | EU Regions and Support |
Non-compliant Compute Engine SSL setting | Configuration | Occurs when a non-compliant value has been set for global self-managed certificates. This violation is caused by changing the platform control's compliant value for the | EU Regions and Support, ITAR |
Non-compliant Compute Engine SSH in browser setting | Configuration | Occurs when a non-compliant value has been set for the SSH in browser feature in Compute Engine. This violation is caused by changing the platform control's compliant value for the | EU Regions and Support with Sovereignty Controls |
Non-compliant Cloud SQL resource creation | Configuration | Occurs when non-compliant Cloud SQL resource creation is allowed. This violation is caused by changing the platform control's compliant value for the | EU Regions and Support |
Missing Cloud KMS key restriction | Encryption | Occurs when no projects are specified to provide encryption keys for CMEK. This violation is caused by changing the platform control's compliant value for the | EU Regions and Support |
Non-compliant non-CMEK-enabled service | Encryption | Occurs when a service that does not support CMEK is enabled for the workload. This violation is caused by changing the platform control's compliant value for the | EU Regions and Support |
Non-compliant Cloud KMS protection levels | Encryption | Occurs when non-compliant protection levels are specified for use with Cloud Key Management Service (Cloud KMS). See the Cloud KMS reference for more information. This violation is caused by changing the platform control's compliant value for the | EU Regions and Support with Sovereignty Controls, IL4/IL5 |
Non-compliant resource locations | Resource location | Occurs when resources of supported services for a given Assured Workloads platform control are either created outside of the allowed region for the workload or moved from an allowed location to a disallowed location. This violation is caused by changing the platform control's compliant value for the | FedRAMP Moderate, FedRAMP High, CJIS, IL4/IL5, US Regions and Support, HIPAA/HITRUST, EU Regions and Support |
Non-compliant services | Service usage | Occurs when a user enables a service that is not supported by a given Assured Workloads platform control in an Assured Workloads folder. This violation is caused by changing the platform control's compliant value for the | FedRAMP Moderate, FedRAMP High, CJIS, IL4/IL5, US Regions and Support, HIPAA/HITRUST, EU Regions and Support |
What's next
- Understand the platform controls for Assured Workloads.