Remediating Secured Landing Zone service findings

When security policies of the deployed blueprints are violated, the Secured Landing Zone service detects the violations and generates findings. Based on the security posture identified, the Secured Landing Zone service triggers automatic responses that perform full or partial remediations, or raises an alert that requires a manual fix for the violation.

When the Secured Landing Zone service is enabled for the Secured Data Warehouse blueprint, it checks for any security violation of the deployed blueprint. When a security policy is found to be violated, the Secured Landing Zone service displays a finding. As a response to the finding, the Secured Landing Zone service does the following:

  • For full remediations, a remediation playbook is triggered to restore the violated policy setting. The corresponding Security Command Center finding is then updated to log details about the response.
  • For some violations, a finding is generated. The finding requires manual remediation steps to resolve the policy violation. To generate automatic alerts for these findings, see Enable finding notifications for Pub/Sub.

Stateful findings

These findings correspond to the configuration and vulnerability state of constituent resources, services, and data within the deployment.
Table 1. Secured Landing Zone service - Stateful findings

Category: Domain restricted sharing (DRS) organization policy changed at project level
Finding description: A change occurred in the organization policy that restricts the modification of IAM allow policies on resources to only members of the domains specified in the blueprint.
Next steps: Full remediation. The original DRS setting is automatically restored at the project level.

Category: Project containing buckets must enforce uniform bucket-level access
Finding description: An increase occurred in the risk of data exfiltration for buckets in this project. Due to this violation, access to objects might now be granted at an individual object level rather than being controlled through bucket-level IAM permissions.
Next steps: Full remediation. The original uniform bucket-level access setting is automatically restored at the project level.

Category: Fine grained access control enabled on bucket
Finding description: An increase occurred in the risk of data exfiltration for buckets in this project. Due to this violation, access to objects might now be granted at an individual object level rather than being controlled through bucket-level IAM permissions.
Next steps: Full remediation. The original uniform bucket-level access setting is automatically restored at the project level.

Category: Detailed audit log mode disabled at project level
Finding description: Detailed request and response information for Cloud Storage operations has been disabled. This could limit the completeness of the data captured and could affect the regulatory compliance of the storage resource.
Next steps: Full remediation. The original detailed audit log mode policy is automatically restored at the project level.

Category: Public bucket exposure
Finding description: Anyone with internet access can find, modify, and exfiltrate data from the bucket and/or individual objects, as well as control the IAM policies for this resource.
Next steps: Full remediation. The AllUsers and AllAuthenticatedUsers permissions are automatically removed from the bucket.

Category: Public resource exposure
Finding description: Anyone with internet access can find, modify, and exfiltrate data from the resources specified in the blueprint (such as BigQuery, Pub/Sub, Cloud Storage, Cloud Key Management Service, and Data Catalog resources).
Next steps: Full remediation. The AllUsers and AllAuthenticatedUsers permissions are automatically removed from the resource.

Category: Cloud Storage bucket Public Access Prevention (PAP) not enforced
Finding description: The organization policy that prevents existing and future storage resources from being accessed through the public internet is not enforced. When enforced, this policy disables and blocks access control lists and IAM permissions that grant access to AllUsers and AllAuthenticatedUsers.
Next steps: Full remediation. The original PAP setting is restored at the project level.

Category: CMEK disabled or not in use for service that stores data
Finding description: CMEK must be enabled and used for each service in the blueprint deployment that stores data, such as BigQuery, Pub/Sub, and Cloud Storage.
Next steps: A finding is generated. You must review the differences between the expected policy configuration and the violation detected. Manual remediation: see the manual remediation steps for this finding later on this page.
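
The bucket rows of Table 1 can be evaluated mechanically. The following is an added example, not part of this page or of the Secured Landing Zone service, that checks a bucket's metadata and IAM policy (shaped like the Cloud Storage JSON API bucket resource and IAM policy) against those rows and computes the remediated IAM policy. The sample bucket, policy and etag are constructed, and the PAP check is made on the bucket's own setting rather than on the project-level organization policy the finding describes.

```python
import copy

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}  # the IAM public principals


def public_bindings(policy):
    """Return (role, member) pairs that grant a role to a public principal."""
    return [(b["role"], m) for b in policy.get("bindings", [])
            for m in b.get("members", []) if m in PUBLIC_PRINCIPALS]


def evaluate_bucket(bucket, policy):
    """Return the Table 1 finding categories this bucket violates. The PAP check
    is made on the bucket's own iamConfiguration (an assumption, see lead-in)."""
    findings = []
    iam_cfg = bucket.get("iamConfiguration", {})
    if not iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled", False):
        findings.append("Fine grained access control enabled on bucket")
    if iam_cfg.get("publicAccessPrevention") != "enforced":
        findings.append("Cloud Storage bucket Public Access Prevention (PAP) not enforced")
    if public_bindings(policy):
        findings.append("Public bucket exposure")
    return findings


def remove_public_members(policy):
    """Full remediation for 'Public bucket exposure': strip the public principals from
    every binding, drop bindings left empty, keep the etag for a conditional write-back."""
    fixed = copy.deepcopy(policy)  # never mutate the policy that was read
    kept = []
    for binding in fixed.get("bindings", []):
        binding["members"] = [m for m in binding["members"] if m not in PUBLIC_PRINCIPALS]
        if binding["members"]:
            kept.append(binding)
    fixed["bindings"] = kept
    return fixed


# Constructed sample: fine-grained ACLs, PAP inherited, and two public grants.
SAMPLE_BUCKET = {"name": "example-landing-zone-bucket", "iamConfiguration": {
    "uniformBucketLevelAccess": {"enabled": False}, "publicAccessPrevention": "inherited"}}
SAMPLE_POLICY = {"etag": "CAE=", "bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers", "group:analysts@example.com"]},
    {"role": "roles/storage.admin", "members": ["allAuthenticatedUsers"]}]}

if __name__ == "__main__":
    for finding in evaluate_bucket(SAMPLE_BUCKET, SAMPLE_POLICY):
        print("finding:", finding)
    print("remediated bindings:", remove_public_members(SAMPLE_POLICY)["bindings"])
```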

Behavioural findings

These findings correspond to constraints on the events (such as actions or threats) that occur at, on, and within the deployed resources, services and data.
Table 2. Secured Landing Zone service - Behavioural findings

Category: Suspicious behavior: Public bucket exposure and bucket logging have been disabled
Finding description: A suspicious combination of events occurred where a bucket has been made public and logging has been disabled.
Next steps: Full remediation. The AllUsers and AllAuthenticatedUsers permissions are automatically removed from the bucket. The bucket logging policy is automatically restored at the project level.

Category: Deletion of any resource in a blueprinted deployment
Finding description: Detects a deletion of an original blueprinted resource.
Next steps: A finding is generated. You must review the differences between the expected constraints and the violation detected. Manual remediation: you must redeploy the original Terraform blueprint.

Category: Suspicious behavior: Resource exposed publicly and the resource data access logging has been disabled
Finding description: A suspicious combination of events was detected where a resource (such as a Pub/Sub or Cloud Key Management Service resource) has been made public by granting AllUsers and AllAuthenticatedUsers permissions on the resource, and its data access logging has been disabled.
Next steps: Partial remediation. The AllUsers and AllAuthenticatedUsers permissions are automatically removed from the resource. You must review the differences between the expected policy configuration and the violation detected. Manual remediation: see the manual remediation steps for this finding later on this page.

Category: Event Threat Detection: Possible data exfiltration from BigQuery
Finding description: An anomalous query attempt on a BigQuery table.
Next steps: A finding is generated.

Category: Event Threat Detection: Possible data exfiltration from BigQuery
Finding description: A BigQuery table has been copied to an external destination.
Next steps: A finding is generated.
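
The first row of Table 2 is a correlation of two events rather than a single state. As an added example that is not part of this page, the following correlates a Cloud Audit Log style `storage.setIamPermissions` entry that adds allUsers or allAuthenticatedUsers with a bucket-logging change on the same bucket inside a one-hour window, in either order. The window, the `_entry` and `_grant` helpers, and the `loggingDisabled` marker on the `storage.buckets.update` record are assumptions (the page does not show how that change appears in the log), and every record is constructed.

```python
from datetime import datetime, timedelta

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

def normalize(entry):
    """Map one audit-log-like record to (time, bucket, kind), or None if irrelevant."""
    ts = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
    payload = entry["protoPayload"]
    bucket = payload["resourceName"]
    if payload["methodName"] == "storage.setIamPermissions":
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        if any(d["action"] == "ADD" and d["member"] in PUBLIC_PRINCIPALS for d in deltas):
            return ts, bucket, "made_public"
    elif payload["methodName"] == "storage.buckets.update" and payload.get("loggingDisabled"):
        return ts, bucket, "logging_disabled"  # 'loggingDisabled' is a constructed marker
    return None

def correlate(entries, window=timedelta(hours=1)):
    """Return buckets with both events inside `window` (either order); a lone event is
    not this finding. The one-hour default is an assumption, not from the page."""
    events = [e for e in map(normalize, entries) if e]
    hits = set()
    for t1, b1, k1 in events:
        for t2, b2, k2 in events:
            if b1 == b2 and (k1, k2) == ("made_public", "logging_disabled") and abs(t2 - t1) <= window:
                hits.add(b1)
    return sorted(hits)

def _entry(ts, bucket, method, **payload):
    """Build a constructed Cloud Audit Log style record."""
    payload.update(methodName=method, resourceName=bucket)
    return {"timestamp": ts, "protoPayload": payload}

def _grant(member):
    """serviceData for an IAM change that adds one member to objectViewer."""
    return {"policyDelta": {"bindingDeltas": [
        {"action": "ADD", "role": "roles/storage.objectViewer", "member": member}]}}

# Constructed sample: bucket-a has both events 20 minutes apart; bucket-b only goes
# public; bucket-c's grant is to a group (not public) although its logging is disabled.
SAMPLE_LOG = [
    _entry("2024-01-01T10:00:00Z", "projects/_/buckets/bucket-a", "storage.buckets.update", loggingDisabled=True),
    _entry("2024-01-01T10:20:00Z", "projects/_/buckets/bucket-a", "storage.setIamPermissions", serviceData=_grant("allUsers")),
    _entry("2024-01-01T11:00:00Z", "projects/_/buckets/bucket-b", "storage.setIamPermissions", serviceData=_grant("allAuthenticatedUsers")),
    _entry("2024-01-01T11:05:00Z", "projects/_/buckets/bucket-c", "storage.setIamPermissions", serviceData=_grant("group:ops@example.com")),
    _entry("2024-01-01T11:10:00Z", "projects/_/buckets/bucket-c", "storage.buckets.update", loggingDisabled=True),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))  # ['projects/_/buckets/bucket-a']
```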

Environmental findings

These findings correspond to the constraints and associated state and behavior of the environment surrounding the resources and data and interacting with the deployment.
Table 3. Secured Landing Zone service - Environmental findings

Category: VPC service perimeter configuration has changed - Deleted projects
Finding description: One of the projects configured in the blueprint deployment that must be protected by a specific VPC service perimeter is no longer protected by that perimeter.
Next steps: A finding is generated. You must review the differences between the expected constraints and the violation detected. Manual remediation: see the manual remediation steps for this finding later on this page.

Category: VPC service perimeter configuration has been changed. Access to a VPC perimeter for one of the original allowed services (GCS) enabled in the blueprint has been removed
Finding description: The Cloud Storage resource configured in the blueprint deployment for access to the service perimeter has been removed from the list of allowed services.
Next steps: Full remediation. The removed service is automatically restored. The list of restricted services for the specific VPC Service Controls perimeter is automatically updated.

Category: VPC service perimeter configuration has been changed. Access to a VPC perimeter for one of the original allowed services (BQ) enabled in the blueprint has been removed
Finding description: The BigQuery resource configured in the blueprint deployment for access to the service perimeter has been removed from the list of allowed services.
Next steps: Full remediation. The removed service is automatically restored. The list of restricted services for the specific VPC Service Controls perimeter is automatically updated.

Category: VPC service perimeter configuration has been changed. Access to a VPC perimeter for one of the original allowed services (Cloud KMS) enabled in the blueprint has been removed
Finding description: The Cloud Key Management Service resource configured in the blueprint deployment for access to the service perimeter has been removed from the list of allowed services.
Next steps: Full remediation. The removed service is automatically restored. The list of restricted services for the specific VPC Service Controls perimeter is automatically updated.

Category: VPC service perimeter configuration has been changed. Access to a VPC perimeter for one of the original allowed services (Pub/Sub) enabled in the blueprint has been removed
Finding description: The Pub/Sub resource configured in the blueprint deployment for access to the service perimeter has been removed from the list of allowed services.
Next steps: Full remediation. The removed service is automatically restored. The list of restricted services for the specific VPC Service Controls perimeter is automatically updated.

Category: VPC service perimeter configuration has been changed. Access to a VPC perimeter for one of the original allowed services (Dataflow) enabled in the blueprint has been removed
Finding description: The Dataflow resource configured in the blueprint deployment for access to the service perimeter has been removed from the list of allowed services.
Next steps: Full remediation. The removed service is automatically restored. The list of restricted services for the specific VPC Service Controls perimeter is automatically updated.

Category: VPC service perimeter configuration has been changed. Access to a VPC perimeter for one of the original allowed services (Data Catalog) enabled in the blueprint has been removed
Finding description: The Data Catalog resource configured in the blueprint deployment for access to the service perimeter has been removed from the list of allowed services.
Next steps: Full remediation. The removed service is automatically restored. The list of restricted services for the specific VPC Service Controls perimeter is automatically updated.

Category: VPC service perimeter configuration has been changed. Access to a VPC perimeter for one of the original allowed services (Sensitive Data Protection) enabled in the blueprint has been removed
Finding description: The Sensitive Data Protection resource configured in the blueprint deployment for access to the service perimeter has been removed from the list of allowed services.
Next steps: Full remediation. The removed service is automatically restored. The list of restricted services for the specific VPC Service Controls perimeter is automatically updated.

Category: Customer specified label has been removed from a blueprint deployed resource
Finding description: Customer-specified labels attached at the time of blueprint deployment should be enforced and not be changed at runtime.
Next steps: Full remediation. The original labels on the actual resource are automatically restored.

Manual remediation steps

This section includes instructions for Secured Landing Zone service findings that require manual remediation steps.

CMEK disabled or not in use for service that stores data

With CMEK, keys that you create and manage in Cloud KMS wrap the keys that Google Cloud uses to encrypt your data, giving you more control over access to your data. For more information, see Protecting data with Cloud KMS keys.

CMEK not in use for service that stores data

A BigQuery table is not configured to use a customer-managed encryption key (CMEK).

To remediate this finding, do the following:

  1. Create a table protected by Cloud Key Management Service.
  2. Copy your table to the new CMEK-enabled table.
  3. Delete the original table.

To set a default CMEK key that encrypts all new tables in a dataset, see Set a dataset default key.

CMEK disabled

A BigQuery dataset is not configured to use a default customer-managed encryption key (CMEK).

To remediate this finding, set a default CMEK key on the dataset.

You can't switch a table in place between default encryption and CMEK encryption. To set a default CMEK key with which to encrypt all new tables in the dataset, follow the instructions in Set a dataset default key.

Setting a default key doesn't retroactively re-encrypt the tables already in the dataset with the new key. To use CMEK for existing data, do the following:

  1. Create a new dataset.
  2. Set a default CMEK key on the dataset you created.
  3. To copy tables to your CMEK-enabled dataset, follow the instructions for Copying a table.
  4. After copying data successfully, delete the original datasets.
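
The two procedures above (copy tables into CMEK-protected storage, then delete the originals) can be driven from dataset and table metadata. The following added example, not from this page, reports which of the two findings apply using the BigQuery REST API field names `defaultEncryptionConfiguration.kmsKeyName` and `encryptionConfiguration.kmsKeyName`, and emits the bq commands in the order the steps require. The bq flags (`--default_kms_key`, `--destination_kms_key`) are assumed to match the installed SDK, the project and key names are placeholders, and the sample metadata is constructed.

```python
def cmek_findings(dataset, tables):
    """Return the finding names from the table above that apply to this dataset.
    Field names follow the BigQuery REST API (Dataset, Table resources)."""
    findings = []
    if not dataset.get("defaultEncryptionConfiguration", {}).get("kmsKeyName"):
        findings.append("CMEK disabled")
    for table in tables:
        if not table.get("encryptionConfiguration", {}).get("kmsKeyName"):
            findings.append("CMEK not in use: " + table["tableReference"]["tableId"])
    return findings


def migration_plan(project, dataset, tables, new_dataset_id, kms_key, location):
    """Ordered bq commands for the manual remediation: a new dataset with a default
    key, a copy of every table into it, and deletion of the original dataset only
    after every copy. Tables cannot be switched to CMEK in place, hence the copies.
    The bq flags are assumed to match the installed SDK (see lead-in)."""
    src = dataset["datasetReference"]["datasetId"]
    cmds = [f"bq --location={location} mk --dataset --default_kms_key={kms_key} "
            f"{project}:{new_dataset_id}"]
    for table in tables:
        tid = table["tableReference"]["tableId"]
        cmds.append(f"bq cp --destination_kms_key={kms_key} "
                    f"{project}:{src}.{tid} {project}:{new_dataset_id}.{tid}")
    cmds.append(f"bq rm -r -f --dataset {project}:{src}")  # destructive step stays last
    return cmds


# Constructed sample: a dataset without a default key; one table already CMEK-protected.
KMS_KEY = "projects/example-kms/locations/us/keyRings/bq/cryptoKeys/warehouse"  # placeholder
SAMPLE_DATASET = {"datasetReference": {"projectId": "example-dwh", "datasetId": "raw"}}
SAMPLE_TABLES = [
    {"tableReference": {"datasetId": "raw", "tableId": "orders"}},
    {"tableReference": {"datasetId": "raw", "tableId": "customers"},
     "encryptionConfiguration": {"kmsKeyName": KMS_KEY}},
]

if __name__ == "__main__":
    print(cmek_findings(SAMPLE_DATASET, SAMPLE_TABLES))
    for cmd in migration_plan("example-dwh", SAMPLE_DATASET, SAMPLE_TABLES, "raw_cmek", KMS_KEY, "US"):
        print(cmd)
```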

Suspicious behavior: Resource exposed publicly and the resource data access logging has been disabled

Audit logging has been disabled for this resource.

Enable Cloud Logging for all services to track all admin activities, read access, and write access to user data. Depending on the quantity of information, Cloud Logging costs can be significant. To understand your usage of the service and its cost, see Cost optimization for Google Cloud Observability.

To remediate this finding, do the following:

  1. Go to the Default audit configuration page in the Google Cloud console.

  2. Under the Log Type tab, select Admin Read, Data Read, and Data Write.

  3. Click Save.

  4. Under the Exempted Users tab, remove all listed users by clicking Delete next to each name.

  5. Click Save.

VPC service perimeter configuration has changed - deleted projects

If a project was deleted from a service perimeter, do the following to restore the deleted project:

  1. In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.

  2. If you are prompted, select your organization.

  3. On the Security Command Center page, in the table, click the name of the service perimeter that you want to modify.

  4. On the Edit VPC Service Perimeter page, update the service perimeter.

  5. To restore the projects that were deleted from the service perimeter, do the following:

    1. Click Projects.
    2. In the Projects pane, click Add projects.
    3. Add the deleted project back to the list of projects.

  6. Click Save.