Posture YAML file

This page describes the key-value pairs in the posture.yaml file that you create to define a security posture policy. For how to create a posture YAML file and deploy it to your environment, see Manage security postures.

Posture YAML file structure

A posture is a YAML file with the following structure:

name: posture_name
state: posture_state
description: posture_description
policy_sets:
- policy_set_id: policy_set_ID
  description: policy_set_description
  policies:
  - policy_id: policy_id
    compliance_standards:
    - standard: policy_compliance_standard
      control: policy_compliance_control
      description: policy_compliance_description
    # Each policy carries exactly one of the following constraint definitions.
    # Definition for an organization policy
    constraint:
      org_policy_constraint:
        canned_constraint_id: constraint_ID
        policy_rules:
        - org_policy_kind: org_policy_kind_value
        - condition:
            expression: org_policy_expression
            title: org_policy_title
            description: org_policy_description
            location: org_policy_location
    # Definition for a custom organization policy constraint
    constraint:
      org_policy_constraint_custom:
        custom_constraint:
          name: custom_org_constraint_name
          resource_types:
          - custom_org_resource_type
          method_types:
          - custom_org_method_type
          condition: custom_org_condition
          action_type: custom_org_action_type
          display_name: custom_org_constraint_display_name
          description: custom_org_constraint_description
        policy_rules:
        - org_policy_kind: org_policy_kind_value
        - condition:
            expression: org_policy_expression
            title: org_policy_title
            description: org_policy_description
            location: org_policy_location
    # Definition for a Security Health Analytics detector
    constraint:
      security_health_analytics_module:
        module_name: sha_detector_name
        module_enablement_state: sha_detector_enabled
    # Definition for a custom Security Health Analytics detector
    constraint:
      security_health_analytics_custom_module:
        display_name: sha_custom_detector_name
        config:
          predicate:
            expression: sha_custom_detector_expression
            title: sha_custom_detector_predicate_title
            description: sha_custom_detector_predicate_description
            location: sha_custom_detector_predicate_location
          custom_output:
            property:
            - name: sha_custom_detector_output_name
              value_expression:
                expression: sha_custom_detector_output_expression
                title: sha_custom_detector_output_title
                description: sha_custom_detector_output_description
                location: sha_custom_detector_output_location
          resource_selector:
            resource_types:
            - sha_custom_detector_resource
          severity: sha_custom_severity_level
          description: sha_custom_detector_description
          recommendation: sha_custom_detector_recommendation
        module_enablement_state: sha_detector_enabled

Key-value pair descriptions

The following describes each key-value pair in the posture.yaml file; each key-value pair is followed by its description.

name: posture_name
    The name of the posture, starting with a letter. This value is optional because you specify the posture name when you run the gcloud scc postures create command.
state: posture_state
    An ENUM that can be set to ACTIVE, DRAFT, or DEPRECATED. For more information about posture states, see Change the posture state.
description: posture_description
    A description of the posture. This value is optional.
policy_set_id: policy_set_ID
    A unique identifier for the policy set within the posture file. A posture file can contain multiple policy sets.
description: policy_set_description
    A description of the policy set. This value is optional.
policy_id: policy_id
    A unique identifier for the policy within the policy set. A policy set can contain multiple policies.
standard: policy_compliance_standard
    The name of the compliance standard that this policy supports.
control: policy_compliance_control
    The specific control in the compliance standard that this policy supports.
description: policy_compliance_description
    A description of the compliance standard that this policy supports.
canned_constraint_id: constraint_ID
    The name of the organization policy constraint, for example cloudbuild.allowedWorkerPools. Don't include the constraints/ prefix in constraint_ID.
org_policy_kind
    For list organization policies, the value is allow_all, deny_all, allowed_values, or denied_values. For boolean organization policies, the value is enforce.
org_policy_kind_value
    For the allow_all, deny_all, and enforce kinds, the value is true or false. For the allowed_values and denied_values kinds, the value is a list of allowed or denied values, respectively.
condition:
    The condition that determines whether this rule is used when the policy is evaluated. When set, the expression field in Expr must contain 1 to 10 subexpressions joined by the || or && operators. Each subexpression must have the form resource.matchTag('ORG_ID/tag_key_short_name', 'tag_value_short_name') or resource.matchTagId('tagKeys/key_id', 'tagValues/value_id'), where key_name and value_name are the resource names of the tag key and tag value. These names are available from the Tag Manager service. Example expressions: resource.matchTag('123456789/environment', 'prod') and resource.matchTagId('tagKeys/123', 'tagValues/456').
expression: org_policy_expression
    The textual representation of an expression in Common Expression Language syntax. This value is optional.
title: org_policy_title
    A title that describes the purpose of the expression. This value is optional.
description: org_policy_description
    A description of the expression. This value is optional.
location: org_policy_location
    A string that indicates the location of the expression for error reporting, for example a file name and a position in the file. This value is optional.
name: custom_org_constraint_name
    The name of the custom constraint, in the format organizations/ORGANIZATION_ID/customConstraints/CONSTRAINT_NAME, for example organizations/3589215982/customConstraints/custom.disableGkeAutoUpgrade. CONSTRAINT_NAME can be at most 62 characters; the prefix organizations/{organization_id}/customConstraints/custom is not counted. Defining a custom constraint in the posture file creates a new custom constraint.
resource_types: custom_org_resource_type
    The fully qualified name of the Google Cloud REST resource that contains the object and field you want to restrict. Each resource type can have at most 20 custom constraints.
method_types: custom_org_method_type
    The list of RESTful methods for which the constraint is enforced.
condition: custom_org_condition
    A CEL condition that references a resource of a supported service. This field has a maximum length of 1000 characters.
action_type: custom_org_action_type
    The action to take when the condition is met.
display_name: custom_org_constraint_display_name
    A human-readable name for the constraint. This field has a maximum length of 200 characters.
description: custom_org_constraint_description
    A description of the constraint that is shown as an error message when the policy is violated. This field has a maximum length of 2000 characters.
module_name: sha_detector_name
    The name of the Security Health Analytics detector, for example BIGQUERY_TABLE_CMEK_DISABLED.
module_enablement_state: sha_detector_enabled
    Whether the Security Health Analytics detector is enabled: ENABLED or DISABLED.
display_name: sha_custom_detector_name
    The name of the Security Health Analytics custom module. The name must be between 1 and 128 characters, start with a lowercase letter, and contain only alphanumeric characters or underscores.
expression: sha_custom_detector_expression
    The CEL expression that checks the properties of the resource type to scan.
title: sha_custom_detector_predicate_title
    The name of the predicate property of the Security Health Analytics custom module.
description: sha_custom_detector_predicate_description
    A description of the predicate property of the Security Health Analytics custom module.
location: sha_custom_detector_predicate_location
    The location to which the predicate property applies.
name: sha_custom_detector_output_name
    The name of the custom_output property.
expression: sha_custom_detector_output_expression
    The expression to return in the output.
title: sha_custom_detector_output_title
    The title of the output.
description: sha_custom_detector_output_description
    A description of the output of the Security Health Analytics custom module.
location: sha_custom_detector_output_location
    The location to which the output applies.
resource_types: sha_custom_detector_resource
    The resource type that the custom module scans.
severity: sha_custom_severity_level
    The severity of the findings that this module creates.
description: sha_custom_detector_description
    The vulnerability or misconfiguration that the custom module detects.
recommendation: sha_custom_detector_recommendation
    Instructions for how to resolve the detected issue.
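As an added example (not part of this page and not Security Command Center's own tooling), the following Python checks an already-parsed posture against the limits and enum values described above: the posture name and state, the constraints/ prefix rule for canned_constraint_id, the value type each org_policy_kind takes, the custom constraint name format and its 62/1000/200/2000-character limits, and the Security Health Analytics module enablement state and custom module naming rule. It assumes the snake_case authoring format shown in the structure section, loaded into a dict (for example with yaml.safe_load); all function and variable names are the example's own.

```python
import re
# Limits and enum values below are the ones stated in the key-value descriptions above.
STATES, ENABLEMENT = {"ACTIVE", "DRAFT", "DEPRECATED"}, {"ENABLED", "DISABLED"}
BOOL_KINDS, LIST_KINDS = {"allow_all", "deny_all", "enforce"}, {"allowed_values", "denied_values"}
CUSTOM_NAME = re.compile(r"^organizations/\d+/customConstraints/custom(.*)$")  # group 1 counts against 62
SHA_NAME = re.compile(r"^[a-z][A-Za-z0-9_]{0,127}$")  # 1-128 chars, lowercase first character

def check_rules(pid, rules):
    """Each policy_rules item maps one org_policy_kind to its org_policy_kind_value."""
    errs = []
    for kind, val in (item for rule in rules for item in rule.items()):
        want = bool if kind in BOOL_KINDS else list if kind in LIST_KINDS else dict
        if kind not in BOOL_KINDS | LIST_KINDS | {"condition"} or not isinstance(val, want):
            errs.append(f"{pid}: org_policy_kind {kind} is unknown or its value is not a {want.__name__}")
    return errs

def check_constraint(pid, c):
    errs = []
    oc = c.get("org_policy_constraint") or c.get("org_policy_constraint_custom") or {}
    if oc.get("canned_constraint_id", "").startswith("constraints/"):
        errs.append(f"{pid}: canned_constraint_id must not carry the constraints/ prefix")
    if cc := oc.get("custom_constraint"):
        m = CUSTOM_NAME.match(cc.get("name", ""))
        if not m or len(m.group(1)) > 62:
            errs.append(f"{pid}: custom constraint name is malformed or CONSTRAINT_NAME exceeds 62 chars")
        for key, limit in (("condition", 1000), ("display_name", 200), ("description", 2000)):
            if len(cc.get(key, "")) > limit:
                errs.append(f"{pid}: {key} exceeds {limit} characters")
    errs += check_rules(pid, oc.get("policy_rules", []))
    sha = c.get("security_health_analytics_module") or c.get("security_health_analytics_custom_module")
    if sha is not None:
        if sha.get("module_enablement_state") not in ENABLEMENT:
            errs.append(f"{pid}: module_enablement_state must be ENABLED or DISABLED")
        if "display_name" in sha and not SHA_NAME.match(sha["display_name"]):
            errs.append(f"{pid}: custom module display_name breaks the 1-128 char naming rule")
    return errs

def validate_posture(posture):
    """Return every problem found in an already-parsed posture (for example yaml.safe_load output)."""
    errs = []
    if not posture.get("name", "x")[:1].isalpha():
        errs.append("name must start with a letter")
    if posture.get("state") not in STATES:
        errs.append("state must be ACTIVE, DRAFT or DEPRECATED")
    for ps in posture.get("policy_sets", []):
        for pol in ps.get("policies", []):
            errs += check_constraint(pol.get("policy_id", "?"), pol.get("constraint", {}))
    return errs
```

An empty list from validate_posture means the file passed these checks; run it before gcloud scc postures create so a malformed posture is caught locally rather than at deployment.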

Example posture.yaml

createTime: '2024-04-01T15:27:27.188366349Z'
etag: h5ulCqzUqOcaIjKjxHFrOrrZpmneG8A0K1mdO-uHsLM
name: organizations/123/locations/global/postures/mixedcasposture
policySets:
- policies:
  - constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: BIGQUERY_TABLE_CMEK_DISABLED
    description: enable BIGQUERY_TABLE_CMEK_DISABLED
    policyId: SHA module BIGQUERY_TABLE_CMEK_DISABLED
  - constraint:
      orgPolicyConstraint:
        cannedConstraintId: iam.allowServiceAccountCredentialLifetimeExtension
        policyRules:
        - allowAll: true
        - condition:
            expression: resource.matchTag("123/location", "us-east3")
            title: policy for us-east3
            description: apply policy to us-east3
    policyId: test/123/policies/iam.allowServiceAccountCredentialLifetimeExtension
  - constraint:
      orgPolicyConstraintCustom:
        customConstraint:
          actionType: ALLOW
          condition: resource.management.autoUpgrade == false
          description: Only allow GKE NodePool resource to be created or updated if
            AutoUpgrade is not enabled where this custom constraint is enforced.
          displayName: Disable GKE auto upgrade
          methodTypes:
          - CREATE
          name: organizations/123/customConstraints/custom.gke123
          resourceTypes:
          - container.googleapis.com/NodePool
        policyRules:
        - enforce: true
    policyId: orgPolicycustomconstraint
  - constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: DISABLED
        moduleName: PUBLIC_BUCKET_ACL
    description: PUBLIC_BUCKET_ACL disabled
    policyId: sha module PUBLIC_BUCKET_ACL
  - constraint:
      securityHealthAnalyticsCustomModule:
        config:
          customOutput: {}
          description: Test Custom Module
          predicate:
            expression: resource.rotationPeriod > duration('2592000s')
          recommendation: Testing custom modules
          resourceSelector:
            resourceTypes:
            - cloudkms.googleapis.com/CryptoKey
          severity: CRITICAL
        displayName: customSHA
        moduleEnablementState: ENABLED
    policyId: sha_custom_module
  - constraint:
      securityHealthAnalyticsCustomModule:
        config:
          customOutput: {}
          description: Test Custom Module
          predicate:
            expression: resource.rotationPeriod > duration('2592000s')
          recommendation: Testing custom modules
          resourceSelector:
            resourceTypes:
            - cloudkms.googleapis.com/CryptoKey
          severity: CRITICAL
        displayName: customSHA2
        moduleEnablementState: ENABLED
    policyId: sha_custom_module_2
  policySetId: PolicySetmix
- policy_set_id: BigQuery detective policy set
  description: SHA module that new customers can automatically enable.
  policies:
  - policy_id: Public dataset
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: PUBLIC_DATASET
state: ACTIVE

Examples

For examples, see Predefined posture templates.

The following is a posture file that includes Security Health Analytics detectors for both AWS and Google Cloud:

description: Posture to help make storage workloads more secure across Google Cloud and AWS.
state: ACTIVE
policy_sets:
- policy_set_id: Google Cloud policy set
  description: Policy set containing organization policies and Security Health Analytics modules for securing Cloud Storage.
  policies:
  - policy_id: Enforce Public Access Prevention
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-17
    - standard: NIST SP 800-53
      control: AC-20
    constraint:
      org_policy_constraint:
        canned_constraint_id: storage.publicAccessPrevention
        policy_rules:
        - enforce: true
    description: This policy prevents access to existing and future resources via the public internet by disabling and blocking access control lists (ACLs) and IAM permissions that grant access to allUsers and allAuthenticatedUsers.
  - policy_id: Bucket IAM not monitored
    compliance_standards:
    - standard: NIST 800-53 R5
      control: AC-12
    - standard: NIST 800-53 R5
      control: AC-2
    - standard: NIST 800-53 R5
      control: AC-7
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: BUCKET_IAM_NOT_MONITORED
    description: This detector logs metric filter and creates alerts for Cloud Storage IAM permission changes. By monitoring changes to Cloud Storage bucket permissions, this detector can help you identify over-privileged users or suspicious activity at early stages.

- policy_set_id: AWS policy set
  description:  Policy set containing AWS built-in Security Health Analytics modules for securing S3 buckets.
  policies:
  - policy_id: S3 bucket replication enabled
    compliance_standards:
    - standard: NIST 800-53 R5
      control: SI-13(5)
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: S3_BUCKET_REPLICATION_ENABLED
    description: This control checks whether an Amazon S3 bucket has cross-region replication enabled. The control fails if the bucket doesn't have cross-region replication enabled or if same-region replication is also enabled.

  - policy_id: S3 bucket logging enabled
    compliance_standards:
    - standard: NIST 800-53 R5
      control: SI-13(5)
    - standard: PCI DSS 3.2.1
      control: 10.3.1
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: S3_BUCKET_LOGGING_ENABLED
    description: AWS S3 Server Access Logging feature records access requests to storage buckets which is useful for security audits. By default, server access logging is not enabled for S3 buckets.

What's next