Monitor an Assured Workloads folder for violations
Assured Workloads actively monitors your Assured Workloads folders for compliance violations by comparing the requirements of a folder's control package with the following details:
- Organization policy: Each Assured Workloads folder is configured with specific organization policy constraint settings that help to ensure compliance. When these settings are changed in a non-compliant manner, a violation occurs. See the Monitored organization policy violations section for more information.
- Resources: Depending on your Assured Workloads folder's organization policy settings, restrictions may apply to the resources beneath the folder, such as their type and location. See the Monitored resource violations section for more information. If any resources are non-compliant, a violation occurs.
When a violation occurs, you can resolve it or create an exception for it where appropriate. A violation can have one of three statuses:
- Unresolved: The violation hasn't been addressed, or was previously granted an exception before non-compliant changes were made on the folder or resource.
- Resolved: The violation has been addressed by following steps to remediate the issue.
- Exception: The violation has been granted an exception, and a business justification has been provided.
Assured Workloads monitoring is automatically enabled when you create an Assured Workloads folder.
Before you begin
Required IAM roles and permissions
To view organization policy violations or resource violations, you must be granted an IAM role on the Assured Workloads folder that contains the following permissions:
- assuredworkloads.violations.get
- assuredworkloads.violations.list
These permissions are included in the following Assured Workloads IAM roles:
- Assured Workloads Administrator (roles/assuredworkloads.admin)
- Assured Workloads Editor (roles/assuredworkloads.editor)
- Assured Workloads Reader (roles/assuredworkloads.reader)
To enable resource violation monitoring, you must be granted an IAM role on the Assured Workloads folder that contains the following permissions:
- assuredworkloads.workload.update: This permission is included in the following roles:
  - Assured Workloads Administrator (roles/assuredworkloads.admin)
  - Assured Workloads Editor (roles/assuredworkloads.editor)
- resourcemanager.folders.setIamPolicy: This permission is included in administrative roles, such as the following:
  - Organization Administrator (roles/resourcemanager.organizationAdmin)
  - Security Admin (roles/iam.securityAdmin)
To provide exceptions for compliance violations, you must be granted an IAM role on the Assured Workloads folder that contains the following permission:
- assuredworkloads.violations.update: This permission is included in the following roles:
  - Assured Workloads Administrator (roles/assuredworkloads.admin)
  - Assured Workloads Editor (roles/assuredworkloads.editor)
Additionally, to resolve organization policy violations and to view audit logs, the following IAM roles must be granted:
- Organization Policy Administrator (roles/orgpolicy.policyAdmin)
- Logs Viewer (roles/logging.viewer)
Set up violation email notifications
When an organization compliance violation occurs or is resolved, or when an exception is made, members of the Legal category in Essential Contacts are emailed by default. This behavior is necessary because your legal team needs to be kept up to date with any regulatory compliance issues.
Your team who manages the violations, whether that be a security team or otherwise, should also be added to the Legal category as contacts. This ensures that they are sent email notifications as changes occur.
Enable or disable notifications
To enable or disable notifications for a specific Assured Workloads folder:
Go to the Assured Workloads page in the Google Cloud console.
In the Name column, click the name of the Assured Workloads folder whose notification settings you want to change.
In the Assured Workloads Monitoring card, clear the Enable notifications checkbox to disable notifications, or select it to enable notifications for the folder.
On the Assured Workloads folders page, folders that have notifications disabled show Monitoring email notifications disabled.
View violations in your organization
You can view violations across your organization in both the Google Cloud console and the gcloud CLI.
Console
You can view how many violations there are across your organization on either the Assured Workloads page in the Compliance section of the Google Cloud console or the Monitoring page in the Compliance section.
Assured Workloads page
Go to the Assured Workloads page to view violations at a glance:
At the top of the page, a summary of organization policy violations and resource violations is shown. Click the View link to go to the Monitoring page.
For each Assured Workloads folder in the list, any violations are shown in the Org policy violations and Resource violations columns. Unresolved violations and exceptions are each marked with an active status icon. You can select a violation or exception to see more details.
If resource violation monitoring is not enabled on a folder, an icon is active in the Updates column with an Enable Resource violation monitoring link. Click the link to enable the feature. You can also enable it by clicking the Enable button on the Assured Workloads folder details page.
Monitoring page
Go to the Monitoring page to view violations in more detail:
Two tabs are shown: Organization Policy Violations and Resource Violations. If more than one unresolved violation exists, an icon is active on the tab.
In either tab, unresolved violations are shown by default. See the View violation details section below for more information.
gcloud CLI
To list the current compliance violations in your organization, run the following command:
gcloud assured workloads violations list --location=LOCATION --organization=ORGANIZATION_ID --workload=WORKLOAD_ID
Where:
- LOCATION is the location of the Assured Workloads folder.
- ORGANIZATION_ID is the organization ID to query.
- WORKLOAD_ID is the parent workload ID, which can be found by listing your workloads.
The response includes the following information for each violation:
- An audit log link for the violation.
- The first time the violation occurred.
- The type of violation.
- A description of the violation.
- The name of the violation, which can be used to retrieve more details.
- The affected organization policy, and the related policy constraint.
- The violation's current state. Valid values are unresolved, resolved, or exception.
For optional flags, see the Cloud SDK documentation.
View violation details
To view specific compliance violations and their details, complete the following steps:
Console
In the Google Cloud console, go to the Monitoring page.
On the Monitoring page, the Organization Policy Violations tab is selected by default. This tab displays all unresolved organization policy violations across Assured Workloads folders in the organization.
The Resource Violations tab displays all unresolved violations associated with the resource across all Assured Workloads folders in the organization.
For either tab, use the Quick filters options to filter by violation status, violation type, control package type, specific folders, specific organization policy constraints, or specific resource types.
For either tab, if there are existing violations, click a violation ID to see more detailed information.
From the Violation details page, you can perform the following tasks:
- Copy the violation ID.
- View the Assured Workloads folder where the violation has happened, and what time it first occurred.
- View the audit log, which includes:
  - When the violation happened.
  - Which policy was modified to cause the violation, and which user made that modification.
  - If an exception was granted, which user granted it.
- Where applicable, view the specific resource the violation occurred on.
- View the affected organization policy.
- View and add compliance violation exceptions. A list of previous exceptions for the folder or resource is shown, including the user that granted the exception and its user-provided justification.
- Follow the remediation steps to resolve the violation.
For organization policy violations, you can also see the following:
- Affected organization policy: To view the specific policy associated with the compliance violation, click View Policy.
- Child resource violations: Resource-based organization policy violations can cause child resource violations. To view or resolve child resource violations, click the Violation ID.
For resource violations, you can also see the following:
- Parent organization policy violations: When parent organization policy violations are the cause of a child resource violation, they need to be addressed at the parent level. To see the parent violation details, click View Violation.
- Any other violations on the specific resource that is causing the resource violation are also visible.
gcloud CLI
To view a compliance violation's details, run the following command:
gcloud assured workloads violations describe VIOLATION_PATH
Where VIOLATION_PATH is in the following format:
ORGANIZATION_ID/locations/LOCATION/workloads/WORKLOAD_ID/violations/VIOLATION_ID
The VIOLATION_PATH is returned in the list response's name field for each violation.
The response includes the following information:
- An audit log link for the violation.
- The first time the violation occurred.
- The type of violation.
- A description of the violation.
- The affected organization policy, and the related policy constraint.
- Remediation steps to resolve the violation.
- The violation's current state. Valid values are unresolved, resolved, or exception.
For optional flags, see the Cloud SDK documentation.
Resolve violations
To remediate a violation, complete the following steps:
Console
In the Google Cloud console, go to the Monitoring page.
Click the violation ID to see more detailed information.
In the Remediation section, follow the instructions for the Google Cloud console or CLI to address the issue.
gcloud CLI
Follow the remediation steps in the response to resolve the violation.
Add violation exceptions
Sometimes a violation might be valid for a particular situation. You can add one or more exceptions for a violation by completing the following steps.
Console
In the Google Cloud console, go to the Monitoring page.
In the Violation ID column, click the violation you want to add the exception to.
In the Exceptions section, click Add New.
Enter a business justification for the exception. If you want the exception to apply to all child resources, select the Apply to all existing child resource violations checkbox and click Submit.
You can add additional exceptions as necessary by repeating these steps and clicking Add New.
The violation status is now set to Exception.
gcloud CLI
To add an exception for a violation, run the following command:
gcloud assured workloads violations acknowledge VIOLATION_PATH --comment="BUSINESS_JUSTIFICATION"
Where BUSINESS_JUSTIFICATION is the reason for the exception, and VIOLATION_PATH is in the following format:
ORGANIZATION_ID/locations/LOCATION/workloads/WORKLOAD_ID/violations/VIOLATION_ID
The VIOLATION_PATH is returned in the list response's name field for each violation.
After successfully sending the command, the violation status is set to Exception.
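As an added example (not code from this page or from Google Cloud), the following Python script triages the JSON form of the violations list described above (`--format=json` is a standard gcloud output flag) into the three documented states, validates each name against the VIOLATION_PATH format used by the describe and acknowledge commands, and builds the acknowledge command with the justification safely quoted. The sample response is constructed; only the `name` and `state` fields are documented on this page, and `description` and `beginTime` are assumed field names.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample of `gcloud assured workloads violations list --format=json`
# output; not captured from a real organization. Only `name` and `state` are
# documented on this page; `description` and `beginTime` are assumed field names.
SAMPLE_LIST_JSON = """[
 {"name": "123456789012/locations/us-central1/workloads/wl-example/violations/11111",
  "state": "UNRESOLVED", "description": "Non-compliant resource locations", "beginTime": "2024-01-10T08:15:00Z"},
 {"name": "123456789012/locations/us-central1/workloads/wl-example/violations/22222",
  "state": "EXCEPTION", "description": "Non-compliant non-CMEK-enabled service", "beginTime": "2024-01-03T12:00:00Z"},
 {"name": "123456789012/locations/us-central1/workloads/wl-example/violations/33333",
  "state": "RESOLVED", "description": "Non-compliant services", "beginTime": "2023-12-20T09:30:00Z"}
]"""
SAMPLE_NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed "now" for the sample

# VIOLATION_PATH format from the page; an "organizations/" prefix is tolerated.
PATH_RE = re.compile(
    r"^(?:organizations/)?(?P<org>\d+)/locations/(?P<loc>[^/]+)"
    r"/workloads/(?P<wl>[^/]+)/violations/(?P<vid>[^/]+)$")
VALID_STATES = {"unresolved", "resolved", "exception"}

def parse_violation_path(name):
    """Split a violation name into its parts; reject anything off-format."""
    m = PATH_RE.match(name)
    if not m:
        raise ValueError(f"unexpected violation path: {name!r}")
    return m.groupdict()

def triage(list_json, now):
    """Bucket violations by state and record how long each has existed."""
    buckets = {s: [] for s in VALID_STATES}
    for v in json.loads(list_json):
        state = v["state"].lower()
        if state not in VALID_STATES:
            raise ValueError(f"unknown state {v['state']!r} for {v['name']}")
        parts = parse_violation_path(v["name"])
        begin = datetime.fromisoformat(v["beginTime"].replace("Z", "+00:00"))
        buckets[state].append({
            "path": v["name"], "violation_id": parts["vid"], "workload": parts["wl"],
            "description": v.get("description", ""), "age_days": (now - begin).days})
    for items in buckets.values():  # oldest first, so stale violations surface
        items.sort(key=lambda i: i["age_days"], reverse=True)
    return buckets

def acknowledge_command(path, justification):
    """Exception command from the page; double quotes in the justification are escaped."""
    safe = justification.replace('"', '\\"')
    return f'gcloud assured workloads violations acknowledge {path} --comment="{safe}"'

if __name__ == "__main__":
    for item in triage(SAMPLE_LIST_JSON, SAMPLE_NOW)["unresolved"]:
        print(f"[{item['age_days']}d open] {item['violation_id']}: {item['description']}")
        print("   gcloud assured workloads violations describe", item["path"])
```

Pipe real output in with `gcloud assured workloads violations list ... --format=json` in place of the constructed sample; the age ordering makes long-open unresolved violations the first thing a reviewer sees.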
Monitored organization policy violations
Assured Workloads monitors different organization policy constraint violations, depending on the control package applied to your Assured Workloads folder. Each violation in the following table is caused by changing the control package's compliant value for the affected organization policy constraint. Use the table to filter violations by their affected control package.
Organization policy constraint | Violation type | Description | Affected control packages
---|---|---|---
Non-compliant access to Cloud SQL data | Access | Occurs when non-compliant access to Cloud SQL diagnostic data is allowed. |
Non-compliant access to Compute Engine data | Access | Occurs when non-compliant access to Compute Engine instance data is allowed. |
Non-compliant Cloud Storage authentication types | Access | Occurs when non-compliant authentication types are allowed for use with Cloud Storage. |
Non-compliant access to Cloud Storage buckets | Access | Occurs when non-compliant non-uniform bucket-level access to Cloud Storage is allowed. |
Non-compliant access to GKE data | Access | Occurs when non-compliant access to GKE diagnostic data is allowed. |
Non-compliant Compute Engine diagnostic features | Configuration | Occurs when non-compliant Compute Engine diagnostic features have been enabled. |
Non-compliant Compute Engine global load balancing setting | Configuration | Occurs when a non-compliant value has been set for the global load balancing setting in Compute Engine. |
Non-compliant Compute Engine FIPS setting | Configuration | Occurs when a non-compliant value has been set for the FIPS setting in Compute Engine. |
Non-compliant Compute Engine SSL setting | Configuration | Occurs when a non-compliant value has been set for global self-managed certificates. |
Non-compliant Compute Engine SSH in browser setting | Configuration | Occurs when a non-compliant value has been set for the SSH in browser feature in Compute Engine. |
Non-compliant Cloud SQL resource creation | Configuration | Occurs when non-compliant Cloud SQL resource creation is allowed. |
Missing Cloud KMS key restriction | Encryption | Occurs when no projects are specified to provide encryption keys for CMEK. |
Non-compliant non-CMEK-enabled service | Encryption | Occurs when a service that does not support CMEK is enabled for the workload. |
Non-compliant Cloud KMS protection levels | Encryption | Occurs when non-compliant protection levels are specified for use with Cloud Key Management Service (Cloud KMS). See the Cloud KMS reference for more information. |
Non-compliant resource locations | Resource location | Occurs when resources of supported services for a given Assured Workloads control package are either created outside of the allowed region for the workload or moved from an allowed location to a disallowed location. |
Non-compliant services | Service usage | Occurs when a user enables a service that is not supported by a given Assured Workloads control package in an Assured Workloads folder. |
Monitored resource violations
Assured Workloads monitors different resource violations, depending on the control package applied to your Assured Workloads folder. To see which resource types are monitored, see Supported resource types in the Cloud Asset Inventory documentation. Use the following list to filter violations by their affected control package:
Organization policy constraint | Description | Affected control packages
---|---|---
Non-compliant resource location | Occurs when a resource's location is in a non-compliant region. This violation is caused by the associated organization policy constraint. |
Non-compliant resources in folder | Occurs when a resource for an unsupported service is created in the Assured Workloads folder. This violation is caused by the associated organization policy constraint. |
Unencrypted (non-CMEK) resources | Occurs when a resource is created without CMEK encryption for a service that requires CMEK encryption. This violation is caused by the associated organization policy constraint. |
What's next
- Understand the control packages for Assured Workloads.
- Learn which products are supported for each control package.