Stay organized with collections Save and categorize content based on your preferences.

Monitor an Assured Workloads folder for violations

Assured Workloads monitors a compliance regime's organization policy constraints, and highlights a violation if a change to a resource is non-compliant. You can then resolve these violations, or create exceptions for them where appropriate.

A violation can have one of three statuses:

Before you begin

Make sure you've been granted the following roles, or add the relevant permissions to a custom role before monitoring compliance violations.

Role Associated permissions
Assured Workloads Administrator (roles/assuredworkloads.admin)
  • assuredworkloads.violations.get
  • assuredworkloads.violations.list
  • assuredworkloads.violations.update
Assured Workloads Editor (roles/assuredworkloads.editor)
  • assuredworkloads.violations.get
  • assuredworkloads.violations.list
  • assuredworkloads.violations.update
Assured Workloads Reader (roles/assuredworkloads.reader)
  • assuredworkloads.violations.get
  • assuredworkloads.violations.list

Additionally, to remediate organization policy violations and to view audit logs, grant the following roles to your account:

  • Organization Policy Administrator (roles/orgpolicy.policyAdmin)
  • Logs Viewer (roles/logging.viewer)

Set up violation email notifications

When a compliance violation occurs, is resolved, or an exception is made, members of the Legal category in Essential Contacts are emailed. This is because your legal team needs to be kept up to date with regulatory compliance issues.

Your team who manages the violations, whether that be a security team or otherwise, should also be added to the Legal category as contacts. This means they also receive email notifications as changes occur.

View violations in your organization

You can view violations across your organization in both the Google Cloud console and the gcloud CLI.

Console

You can view how many violations there are across your organization at a glance from the Assured Workloads page in the Google Cloud console.

Go to Assured Workloads

Additionally, you can click a folder Name on the Assured Workloads page to view its details, which provides at-a-glance violation details for that particular folder.

gcloud CLI

To list the current compliance violations in your organization, run the following command:

gcloud assured workloads violations list --location=LOCATION --organization=ORGANIZATION_ID --workload=WORKLOAD_ID

Where:

The response includes the following information for each violation:

  • An audit log link for the violation.
  • The first time the violation occurred.
  • The type of violation.
  • A description of the violation.
  • The name of the violation, which can be used to retrieve more details.
  • The affected organization policy, and the related policy constraint.
  • The violation's current state. Valid values are unresolved, resolved, or exception.

For optional flags, see the Cloud SDK documentation.

View violation details

To view specific compliance violations and their details, complete the following steps:

Console

  1. In the Google Cloud console, go to the Monitoring page.

    Go to Monitoring

  2. Optional: To view a specific Assured Workloads folder, select it from the All folders list.

  3. By default, all violations in the selected workload environment are visible. To change this, select a filter in the Filter by Category section.

  4. Click a violation ID to see more detailed information.

From the Violation details page, you can perform the following tasks:

  • Copy the violation ID.

  • View the folder where the violation has happened, and what time it first
    occurred.

  • View the affected organization policy.

  • View the audit log, which includes:

  • When the violation happened.

  • Which policy was modified to cause the violation, and which user made that modification.

  • If an exception was granted, which user granted it.

  • Where applicable, view the specific resource the violation occurred on.

  • Add a compliance violation exception.

  • Follow the remediation steps to resolve the exception.

gcloud CLI

To view a compliance violation's details, run the following command:

gcloud assured workloads violations describe VIOLATION_PATH

Where VIOLATION_PATH is in the following format:

ORGANIZATION_ID/locations/LOCATION/workloads/WORKLOAD_ID/violations/VIOLATION_ID

The VIOLATION_PATH is returned in the list response's name field for each violation.

The response includes the following information:

  • An audit log link for the violation.

  • The first time the violation occurred.

  • The type of violation.

  • A description of the violation.

  • The affected organization policy, and the related policy constraint.

  • Remediation steps to resolve the violation.

  • The violation's current state. Valid values are unresolved, resolved, or exception.

For optional flags, see the Cloud SDK documentation.

Resolve violations

To remediate a violation, complete the following steps:

Console

  1. In the Google Cloud console, go to the Monitoring page.

    Go to Monitoring

  2. Click the violation ID to see more detailed information.

  3. In the Remediation section, follow the instructions for the Google Cloud console or CLI to address the issue.

gcloud CLI

  1. View the violation details using the gcloud CLI.

  2. Follow the remediation steps in the response to resolve the violation.

Add violation exceptions

Sometimes a violation might be valid for a particular situation. To add an exception for a violation, complete the following steps:

Console

  1. In the Google Cloud console, go to the Monitoring page.

    Go to Monitoring

  2. In the Exception section, click Add.

  3. Enter a business justification, click Submit, and then confirm the exception.

The violation status is now set to Exception.

gcloud CLI

To add an exception for a violation, run the following command:

gcloud assured workloads violations acknowledge VIOLATION_PATH --comment="BUSINESS_JUSTIFICATION"

Where BUSINESS_JUSTIFICATION is the reason for the exception, and VIOLATION_PATH is in the following format:

ORGANIZATION_ID/locations/LOCATION/workloads/WORKLOAD_ID/violations/VIOLATION_ID

The VIOLATION_PATH is returned in the list response's name field for each violation.

After successfully sending the command, the violation status is set to Exception.

Monitored violations

Assured Workloads monitors different organization policy constraint violations, depending on the compliance regime applied to your Assured Workloads folder.

Organization policy constraint Violation type Description
Non-compliant access to Cloud SQL data Access

Occurs when non-compliant access to non-compliant Cloud SQL diagnostic data is allowed.

This violation is caused by changing the platform control's compliant value for the sql.restrictNoncompliantDiagnosticDataAccess constraint.

Non-compliant access to Compute Engine data Access

Occurs when non-compliant access to Compute Engine instance data is allowed.

This violation is caused by changing the platform control's compliant value for the compute.disableInstanceDataAccessApis constraint.

Non-compliant Cloud Storage authentication types Access

Occurs when non-compliant authentication types are allowed for use with Cloud Storage.

This violation is caused by changing the platform control's compliant value for the storage.restrictAuthTypes constraint.

Non-compliant access to Cloud Storage buckets Access

Occurs when non-compliant non-uniform bucket-level access to Cloud Storage is allowed.

This violation is caused by changing the platform control's compliant value for the storage.uniformBucketLevelAccess constraint.

Non-compliant global IAP web access Access

Occurs when non-compliant global IAP web access is allowed.

This violation is caused by changing the platform control's compliant value for the iap.requireGlobalIapWebDisabled constraint.

Non-compliant access to GKE data Access

Occurs when non-compliant access to non-compliant GKE diagnostic data is allowed.

This violation is caused by changing the platform control's compliant value for the container.restrictNoncompliantDiagnosticDataAccess constraint.

Non-compliant Compute Engine serial port logging Configuration

Occurs when non-compliant Compute Engine serial port logging has been enabled.

This violation is caused by changing the platform control's compliant value for the compute.disableSerialPortLogging constraint.

Non-compliant Compute Engine diagnostic features Configuration

Occurs when non-compliant Compute Engine diagnostic features have been enabled.

This violation is caused by changing the platform control's compliant value for the compute.enableComplianceMemoryProtection constraint.

Non-compliant Compute Engine SSL setting Configuration

Occurs when a non-compliant value has been set for global self-managed certificates.

This violation is caused by changing the platform control's compliant value for the compute.disableGlobalSelfManagedSslCertificate constraint.

Non-compliant Compute Engine SSH in browser setting Configuration

Occurs when a non-compliant value has been set for the SSH in browser feature in Compute Engine.

This violation is caused by changing the platform control's compliant value for the compute.disableSshInBrowser constraint.

Non-compliant Cloud SQL resource creation Configuration

Occurs when non-compliant Cloud SQL resource creation is allowed.

This violation is caused by changing the platform control's compliant value for the sql.restrictNoncompliantResourceCreation constraint.

Missing Cloud KMS key restriction Encryption

Occurs when no projects are specified to provide encryption keys for CMEK .

This violation is caused by changing the platform control's compliant value for the gcp.restrictCmekCryptoKeyProjects constraint, which helps to prevent unapproved folders or projects from providing encryption keys.

Non-compliant non-CMEK-enabled service Encryption

Occurs when a service that does not support CMEK is enabled for the workload.

This violation is caused by changing the platform control's compliant value for the gcp.restrictNonCmekServices constraint.

Non-compliant Cloud KMS protection levels Encryption

Occurs when non-compliant protection levels are specified for use with Cloud Key Management Service (Cloud KMS). See the Cloud KMS reference for more information.

This violation is caused by changing the platform control's compliant value for the cloudkms.allowedProtectionLevels constraint.

Non-compliant resource locations Resource location

Occurs when resources of supported services for a given Assured Workloads platform control are either created outside of the allowed region for the workload or moved from an allowed location to a disallowed location.

This violation is caused by changing the platform control's compliant value for the gcp.resourceLocations constraint.

Non-compliant services Service usage

Occurs when a user enables a service that is not supported by a given Assured Workloads platform control in an Assured Workloads folder.

This violation is caused by changing the platform control's compliant value for the gcp.restrictServiceUsage constraint.

What's next