Using Secured Landing Zone service

This topic describes how to enforce security policies using the Secured Landing Zone service. The Secured Landing Zone service lets you keep track of the resources in a secured landing zone, identify policy violations made to these resources, and invoke appropriate remediation actions.

The Secured Landing Zone service uses input signals coming from a range of native Google Cloud services including Cloud Asset Inventory, Security Command Center findings, VPC service perimeters, and audit logs. These signals are validated against the security policies configured for the blueprint.

If an event or a group of events is found to violate a policy, the Secured Landing Zone service treats it as a policy violation. Every policy violation it identifies is reported as a finding in Security Command Center. For a subset of these policy violations, the Secured Landing Zone service also determines corrective and response actions based on the actual use case and context.

Premium tier requirements

The Secured Landing Zone service can be enabled only in the Security Command Center Premium tier. When enabled, this service displays findings if there are policy violations in the resources of the deployed blueprint, generates corresponding alerts, and selectively takes automatic remediation actions. With the help of audit log entries, you can view information about who caused the policy violation and when it occurred. For more information on the list of findings and remediations, see How to remediate Secured Landing Zone findings.

Before you begin

For the Secured Landing Zone service to identify which resources it must monitor, you must generate and configure the Terraform plan file. The Secured Landing Zone service requires the plan file to be in JSON format. For more information on how to generate the Terraform plan file, see Terraform plan.
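An added example, not code from the Secured Landing Zone service or the blueprint, that reads a plan in that JSON form (the output of `terraform show -json`), lists the managed resources the service would be asked to monitor, and pre-checks them against the two policies exercised later on this page: uniform bucket-level access on Cloud Storage buckets and enforcement of the detailed audit logging organization policy. It goes slightly beyond the page by also accepting folder- and organization-level policy resources. The sample plan, resource names and addresses are constructed for this example.

```python
"""Inventory and pre-check a Terraform plan exported with `terraform show -json`.

Added example: it only walks the documented plan-JSON layout
(planned_values.root_module.resources and nested child_modules).
"""
from __future__ import annotations

import json
from typing import Iterator

ORG_POLICY_TYPES = (
    "google_project_organization_policy",
    "google_folder_organization_policy",
    "google_organization_policy",
)

# Constructed sample: what `terraform plan -out=tfplan && terraform show -json
# tfplan > plan.json` might produce for a blueprint with two buckets, a data
# source, and a project-level org policy declared inside a child module.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "google_storage_bucket.data", "mode": "managed",
                 "type": "google_storage_bucket", "name": "data",
                 "values": {"name": "example-data",
                            "uniform_bucket_level_access": True}},
                {"address": "google_storage_bucket.scratch", "mode": "managed",
                 "type": "google_storage_bucket", "name": "scratch",
                 "values": {"name": "example-scratch",
                            "uniform_bucket_level_access": False}},
                {"address": "data.google_project.current", "mode": "data",
                 "type": "google_project", "name": "current", "values": {}},
            ],
            "child_modules": [
                {"address": "module.audit",
                 "resources": [
                     {"address": "module.audit.google_project_organization_policy.detailed",
                      "mode": "managed",
                      "type": "google_project_organization_policy",
                      "name": "detailed",
                      "values": {"constraint": "gcp.detailedAuditLoggingMode",
                                 "boolean_policy": [{"enforced": True}]}},
                 ]},
            ],
        }
    },
}


def load_plan(path: str) -> dict:
    """Read a plan file exported with `terraform show -json`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def iter_managed_resources(plan: dict) -> Iterator[dict]:
    """Yield every managed resource in the root module and all child modules.
    Data sources (mode == "data") are not infrastructure and are skipped."""
    def walk(module: dict) -> Iterator[dict]:
        for res in module.get("resources", []):
            if res.get("mode") == "managed":
                yield res
        for child in module.get("child_modules", []):
            yield from walk(child)
    return walk(plan["planned_values"]["root_module"])


def inventory(plan: dict) -> list[tuple[str, str]]:
    """(address, type) of each resource the plan would create or keep."""
    return [(r["address"], r["type"]) for r in iter_managed_resources(plan)]


def precheck(plan: dict) -> list[str]:
    """Flag planned settings that would violate the two policies this page tests:
    a bucket without uniform bucket-level access, or a detailed-audit-logging
    org policy that is declared but not enforced."""
    issues: list[str] = []
    for res in iter_managed_resources(plan):
        values = res.get("values") or {}
        if (res["type"] == "google_storage_bucket"
                and not values.get("uniform_bucket_level_access")):
            issues.append(f"{res['address']}: uniform_bucket_level_access is not true")
        if (res["type"] in ORG_POLICY_TYPES
                and values.get("constraint") == "gcp.detailedAuditLoggingMode"):
            rules = values.get("boolean_policy") or [{}]   # block appears as a list
            if not rules[0].get("enforced"):
                issues.append(f"{res['address']}: gcp.detailedAuditLoggingMode is not enforced")
    return issues


if __name__ == "__main__":
    for address, rtype in inventory(SAMPLE_PLAN):
        print(f"{rtype:45} {address}")
    for issue in precheck(SAMPLE_PLAN):
        print("ISSUE:", issue)
```

Run it against a real export with `precheck(load_plan("plan.json"))` before you hand the plan to the service; anything it flags would show up as a finding immediately after deployment rather than as a deliberate test.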

Required IAM permissions

You must have the following roles and permissions at the organization level to be able to use the Secured Landing Zone service:

Role: securedlandingzone.googleapis.com/overwatchViewer
  Description: Lets you view all properties of a Secured Landing Zone service instance.
  Permissions:
    cloudresourcemanager.googleapis.com/projects.get
    cloudresourcemanager.googleapis.com/projects.list
    securedlandingzone.googleapis.com/overwatches.get
    securedlandingzone.googleapis.com/overwatches.list
    securedlandingzone.googleapis.com/operations.get
    securedlandingzone.googleapis.com/operations.list

Role: securedlandingzone.googleapis.com/overwatchActivator
  Description: Lets you activate or suspend a Secured Landing Zone service instance.
  Permissions:
    cloudresourcemanager.googleapis.com/projects.get
    cloudresourcemanager.googleapis.com/projects.list
    securedlandingzone.googleapis.com/overwatches.activate
    securedlandingzone.googleapis.com/overwatches.suspend

Role: securedlandingzone.googleapis.com/overwatchAdmin
  Description: Provides full access to a Secured Landing Zone service instance.
  Permissions:
    securedlandingzone.googleapis.com/overwatches.create
    securedlandingzone.googleapis.com/overwatches.update
    securedlandingzone.googleapis.com/overwatches.delete

View the resources that are monitored by the Secured Landing Zone service

After you create a Secured Landing Zone service instance, security marks are added to the resources that are being monitored. To view the resources in Security Command Center, you can use these security marks.

To view the list of resources, do the following:

  1. Go to Security Command Center's Assets page in the Google Cloud console.

    Go to Assets.

  2. Place your cursor in the Filter field at the top of the list of assets. A menu opens.

  3. Scroll to the bottom of the menu and select Security marks. Security marks: is added to the Filter field and a list of existing security marks is displayed.

  4. In the displayed list of security marks, scroll to find the security mark that was created for your instance of the Secured Landing Zone service and select it. The security mark appears in the format securitymarks.marks.SLZ_SERVICE_INSTANCE_NAME, where SLZ_SERVICE_INSTANCE_NAME corresponds to the name of the Secured Landing Zone service instance.

    If the security mark you need isn't listed, type the name of your Secured Landing Zone service instance in the Filter field, directly after Security marks:.

The list displays all resources that are tied to a Secured Landing Zone service instance.

Test the Secured Landing Zone service instance

After you create a Secured Landing Zone service instance, you can run a sample test to verify that it's working as expected. To do this, you manually create a policy violation.

Here are some examples of how to create a policy violation and test the Secured Landing Zone service instance.

Change the access control of the Cloud Storage bucket

Here's an example of creating an access control violation. The security policy in the deployed blueprint requires uniform bucket-level access, so access to a bucket is controlled only through IAM permissions at the bucket level. Switching the bucket to fine-grained access control violates the deployed policy because ACLs can then grant access to individual objects, which increases the risk of data exfiltration from the Cloud Storage bucket. To create an access control violation, do the following:

  1. In the Google Cloud console, go to the Cloud Storage Browser page.

    Go to Browser

    Buckets that are part of the currently selected project appear in the browser list.
  2. In the list of buckets, click the bucket of your choice.
  3. Click the Permissions tab.
  4. In the Access control field, click the Switch to link. The link disappears 90 days after you enable uniform bucket-level access, after which the setting can no longer be changed.
  5. In the dialog that appears, select Fine-grained.
  6. Click Save.

To view the findings generated, see View the findings in Security Command Center.

Disable detailed audit log mode at the project level

Here's an example of disabling the detailed audit log mode at the project level. The security policy in the deployed blueprint enforces detailed request and response information for Cloud Storage operations. Disabling this enforcement limits the completeness of the data captured and can affect the regulatory compliance of the storage resource. To disable the detailed audit log mode at the project level, do the following:

  1. In the Google Cloud console, go to the Organizational Policies page.

    Go to Organization Policies

  2. Select the required project from the project drop-down menu.
  3. Filter the list for the policy name titled Detailed audit logging mode.
  4. Click the policy.
  5. In the Policy details page, click Edit.
  6. If there's an existing enforcement rule, delete the rule.
  7. Click Add rule.
  8. Click Off to disable the detailed audit logging mode.
  9. Save your changes.

To view the findings generated, see View the findings in Security Command Center.
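An added example that covers both tests above (the bucket access control change and the detailed audit logging change). It is not the Secured Landing Zone service's detection or remediation logic; it evaluates the same two policies against resource snapshots and produces the request bodies that restore compliance. The field names follow the Cloud Storage JSON API bucket resource (iamConfiguration.uniformBucketLevelAccess.enabled and .lockedTime) and the Organization Policy v1 representation (constraint, booleanPolicy.enforced). The finding categories, the sample resources and the timestamps are constructed for this example.

```python
"""Evaluate the two tested policies against resource snapshots and build the
patches that undo the violations.

Added example: field names follow the Cloud Storage JSON API and Organization
Policy v1 representations; category labels and sample data are constructed.
"""
from __future__ import annotations

from datetime import datetime, timezone

DETAILED_AUDIT = "constraints/gcp.detailedAuditLoggingMode"

# Constructed snapshots, shaped like buckets.get / projects.getOrgPolicy output.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
BUCKET_COMPLIANT = {
    "name": "example-data",
    "iamConfiguration": {"uniformBucketLevelAccess": {
        "enabled": True, "lockedTime": "2024-03-01T00:00:00Z"}},
}
BUCKET_VIOLATING = {  # switched to fine-grained access: object ACLs allowed
    "name": "example-scratch",
    "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False}},
}
POLICY_ENFORCED = {"constraint": DETAILED_AUDIT, "booleanPolicy": {"enforced": True}}
POLICY_DISABLED = {"constraint": DETAILED_AUDIT, "booleanPolicy": {"enforced": False}}


def _parse_rfc3339(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def remediate_bucket() -> dict:
    """PATCH body for buckets.patch that re-enables uniform bucket-level access."""
    return {"iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True}}}


def remediate_org_policy() -> dict:
    """Policy body for projects.setOrgPolicy that re-enforces the constraint."""
    return {"constraint": DETAILED_AUDIT, "booleanPolicy": {"enforced": True}}


def check_bucket(bucket: dict) -> dict | None:
    """Return a finding-like dict when the bucket allows fine-grained (ACL)
    access, i.e. uniform bucket-level access is off."""
    ubla = bucket.get("iamConfiguration", {}).get("uniformBucketLevelAccess", {})
    if ubla.get("enabled"):
        return None
    return {
        "category": "BUCKET_FINE_GRAINED_ACCESS",           # constructed label
        "resource": f"//storage.googleapis.com/projects/_/buckets/{bucket['name']}",
        "remediation": remediate_bucket(),
    }


def revert_window_open(bucket: dict, now: datetime = NOW) -> bool:
    """True while uniform bucket-level access could still be switched off.
    The console shows the Switch to link only until lockedTime (90 days after
    enabling); after that the test above can no longer be performed."""
    ubla = bucket.get("iamConfiguration", {}).get("uniformBucketLevelAccess", {})
    locked = ubla.get("lockedTime")
    return bool(ubla.get("enabled")) and bool(locked) and _parse_rfc3339(locked) > now


def check_org_policy(policy: dict | None) -> dict | None:
    """Return a finding-like dict when detailed audit logging is set at this
    level but not enforced. A missing policy means the project inherits from
    its parent, which a local check cannot resolve, so it is reported as such."""
    if policy is None:
        return {"category": "DETAILED_AUDIT_LOGGING_UNRESOLVED", "remediation": None}
    if policy.get("constraint") != DETAILED_AUDIT:
        return None
    if policy.get("booleanPolicy", {}).get("enforced"):
        return None
    return {
        "category": "DETAILED_AUDIT_LOGGING_DISABLED",      # constructed label
        "resource": "project-level org policy",
        "remediation": remediate_org_policy(),
    }


if __name__ == "__main__":
    for b in (BUCKET_COMPLIANT, BUCKET_VIOLATING):
        print(b["name"], check_bucket(b), "revertible:", revert_window_open(b))
    for p in (POLICY_ENFORCED, POLICY_DISABLED, None):
        print(check_org_policy(p))
```

If you prefer to script the tests rather than click through the console, the gcloud equivalents of the steps above are `gcloud storage buckets update gs://BUCKET --no-uniform-bucket-level-access` and `gcloud resource-manager org-policies disable-enforce gcp.detailedAuditLoggingMode --project=PROJECT_ID`; the `remediate_*` bodies above are what reversing those changes looks like through the JSON APIs.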

View the findings in Security Command Center

  1. In the Google Cloud console, go to the Security Command Center Findings page.

    Go to Findings

  2. If necessary, select your Google Cloud project or organization.

    Project selector

  3. On the Findings page, next to View by, click Source type.

  4. Select Secured Landing Zone. An active finding associated with the policy violation you created is displayed.

  5. To view details for a specific finding, click the finding name under Category in the table.

  6. To view the audit log information, click the Source Properties tab. The audit log entries provide information about who caused the policy violation and when it occurred.

  7. Refresh the page.

  8. On the Findings page, next to View by, click Source type. The finding is no longer active because the Secured Landing Zone service remediated it, and its audit log entries are updated with information about who remediated the policy violation and when it was fixed. Findings for violations that the service does not remediate automatically remain active until you fix them.

View Secured Landing Zone service findings in Security Command Center

Every time the Secured Landing Zone service identifies a violation of the security policies of a deployed blueprint, it displays the finding in Security Command Center. For more information on how to build a findings query, see Build a findings query in the Google Cloud console.

To view Secured Landing Zone service findings for a specific asset type, do the following:

  1. Go to the Security Command Center Findings page in the Google Cloud console.

    Go to Findings

  2. In the Quick filters panel, select the following:

    • In the Source display name section, select Secured Landing Zone.
    • Optional: In the Project ID section, select the ID of the project in which to view assets.
    • In the Resource type section, select the resource type that you need to see.

The list of findings in the Findings query results panel updates to display only those findings that match your selections.
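An added example, not Security Command Center or Secured Landing Zone code, that applies the same selections as the quick filters above (source display name, resource type, active state) to findings fetched outside the console, emits the equivalent findings-API filter expression, and reproduces the refresh-and-compare step of the earlier procedure by reporting which findings stopped being active between two listings. The dict keys mirror the Security Command Center v1 Finding resource (name, parent, category, state, resourceName, eventTime, sourceProperties); the source IDs, categories, resource names and timestamps are constructed. Resource type is approximated by the service in the full resource name, since that is what the name itself carries.

```python
"""Filter Security Command Center findings the way the console quick filters
do, and detect findings remediated between two refreshes.

Added example: keys follow the SCC v1 Finding resource; all sample data is
constructed.
"""
from __future__ import annotations

ORG = "organizations/123456789012"
SLZ_SOURCE = f"{ORG}/sources/1111"                      # constructed source IDs
SHA_SOURCE = f"{ORG}/sources/2222"
# Source resources of the organization, keyed by the finding's parent so a
# display name can be resolved (constructed).
SOURCES = {SLZ_SOURCE: "Secured Landing Zone", SHA_SOURCE: "Security Health Analytics"}

BUCKET = "//storage.googleapis.com/projects/_/buckets/example-scratch"
PROJECT = "//cloudresourcemanager.googleapis.com/projects/123456789012"
FIREWALL = "//compute.googleapis.com/projects/example-proj/global/firewalls/allow-all"


def _finding(source: str, fid: str, category: str, resource: str,
             state: str, when: str) -> dict:
    return {"name": f"{source}/findings/{fid}", "parent": source,
            "category": category, "resourceName": resource,
            "state": state, "eventTime": when, "sourceProperties": {}}


# Two listings: before and after the service remediated the bucket finding.
FIRST_REFRESH = [
    _finding(SLZ_SOURCE, "f1", "BUCKET_FINE_GRAINED_ACCESS", BUCKET, "ACTIVE", "2024-01-15T10:00:00Z"),
    _finding(SLZ_SOURCE, "f2", "DETAILED_AUDIT_LOGGING_DISABLED", PROJECT, "ACTIVE", "2024-01-15T10:01:00Z"),
    _finding(SHA_SOURCE, "f3", "OPEN_FIREWALL", FIREWALL, "ACTIVE", "2024-01-15T09:00:00Z"),
]
SECOND_REFRESH = [
    _finding(SLZ_SOURCE, "f1", "BUCKET_FINE_GRAINED_ACCESS", BUCKET, "INACTIVE", "2024-01-15T10:03:00Z"),
    FIRST_REFRESH[1],
    FIRST_REFRESH[2],
]


def service_of(resource_name: str) -> str:
    """'//storage.googleapis.com/projects/...' -> 'storage.googleapis.com'."""
    return resource_name.removeprefix("//").split("/", 1)[0]


def quick_filter(findings: list[dict], source_display_name: str | None = None,
                 service: str | None = None, state: str | None = "ACTIVE") -> list[dict]:
    """Local equivalent of the console's Source display name / Resource type
    quick filters, restricted to one state (ACTIVE by default)."""
    out = []
    for f in findings:
        if state and f["state"] != state:
            continue
        if source_display_name and SOURCES.get(f["parent"]) != source_display_name:
            continue
        if service and service_of(f["resourceName"]) != service:
            continue
        out.append(f)
    return out


def api_filter(source_name: str | None = None, service: str | None = None,
               state: str | None = "ACTIVE") -> str:
    """The same selection as a findings-API filter string (usable with
    `gcloud scc findings list --filter`)."""
    parts = []
    if state:
        parts.append(f'state="{state}"')
    if source_name:
        parts.append(f'parent="{source_name}"')
    if service:
        parts.append(f'resource_name:"//{service}/"')    # ':' is substring match
    return " AND ".join(parts)


def remediated_between(before: list[dict], after: list[dict]) -> dict[str, str]:
    """Findings ACTIVE in the first listing that are no longer active in the
    second, mapped to the eventTime at which the state changed."""
    latest = {f["name"]: f for f in after}
    changed: dict[str, str] = {}
    for f in before:
        if f["state"] != "ACTIVE":
            continue
        now = latest.get(f["name"])
        if now is not None and now["state"] != "ACTIVE":
            changed[f["name"]] = now["eventTime"]
    return changed


if __name__ == "__main__":
    print(api_filter(SLZ_SOURCE, "storage.googleapis.com"))
    for f in quick_filter(FIRST_REFRESH, "Secured Landing Zone"):
        print("active:", f["category"], f["resourceName"])
    print("remediated:", remediated_between(FIRST_REFRESH, SECOND_REFRESH))
```

The actor and time of the remediation live in the finding's source properties, as the earlier procedure notes; their key names are not shown on this page, so the example reports only the finding's own eventTime.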