REST Resource: organizations.locations.cloudControls

Resource: CloudControl

A cloud control is a set of rules and associated metadata that you can use to define your organization's security or compliance intent.

JSON representation
{
  "name": string,
  "majorRevisionId": string,
  "description": string,
  "displayName": string,
  "supportedEnforcementModes": [
    enum (EnforcementMode)
  ],
  "parameterSpec": [
    {
      object (ParameterSpec)
    }
  ],
  "rules": [
    {
      object (Rule)
    }
  ],
  "severity": enum (Severity),
  "findingCategory": string,
  "supportedCloudProviders": [
    enum (CloudProvider)
  ],
  "relatedFrameworks": [
    string
  ],
  "remediationSteps": string,
  "categories": [
    enum (CloudControlCategory)
  ],
  "createTime": string,
  "supportedTargetResourceTypes": [
    enum (TargetResourceType)
  ]
}
Fields
name

string

Required. Identifier. The name of the cloud control, in the format organizations/{organization}/locations/{location}/cloudControls/{cloudControlId}. The only supported location is global.

majorRevisionId

string (int64 format)

Output only. The major version of the cloud control, which is incremented in ascending order.

description

string

Optional. A description of the cloud control. The maximum length is 2000 characters.

displayName

string

Optional. The friendly name of the cloud control. The maximum length is 200 characters.

supportedEnforcementModes[]

enum (EnforcementMode)

Output only. The supported enforcement modes for the cloud control.

parameterSpec[]

object (ParameterSpec)

Optional. The parameter specifications for the cloud control.

rules[]

object (Rule)

Optional. The rules that you can enforce to meet your security or compliance intent.

severity

enum (Severity)

Optional. The severity of the findings that are generated by the cloud control.

findingCategory

string

Optional. The finding category for the cloud control findings. The maximum length is 255 characters.

supportedCloudProviders[]

enum (CloudProvider)

Optional. The supported cloud providers.

relatedFrameworks[]

string

Output only. The frameworks that include this cloud control.

remediationSteps

string

Optional. The remediation steps for the cloud control findings. The maximum length is 400 characters.

categories[]

enum (CloudControlCategory)

Optional. The categories for the cloud control.

createTime

string (Timestamp format)

Output only. The time that the cloud control was last updated. createTime is used because a new cloud control is created whenever an existing cloud control is updated.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

supportedTargetResourceTypes[]

enum (TargetResourceType)

Optional. The target resource types that are supported by the cloud control.

ParameterSpec

The parameter specification for the cloud control.

JSON representation
{
  "name": string,
  "displayName": string,
  "description": string,
  "isRequired": boolean,
  "valueType": enum (ValueType),
  "defaultValue": {
    object (ParamValue)
  },
  "substitutionRules": [
    {
      object (ParameterSubstitutionRule)
    }
  ],
  "subParameters": [
    {
      object (ParameterSpec)
    }
  ],
  "validation": {
    object (Validation)
  }
}
Fields
name

string

Required. The name of the parameter.

displayName

string

Optional. The friendly name of the parameter. The maximum length is 200 characters.

description

string

Optional. The description of the parameter. The maximum length is 2000 characters.

isRequired

boolean

Required. Whether the parameter is required.

valueType

enum (ValueType)

Required. The parameter value type.

defaultValue

object (ParamValue)

Optional. The default value of the parameter.

substitutionRules[]

object (ParameterSubstitutionRule)

Optional. The list of parameter substitutions.

subParameters[]

object (ParameterSpec)

Optional. The parameter specification for oneOf attributes.

validation

object (Validation)

Optional. The permitted set of values for the parameter.

ValueType

The type of parameter value.

Enums
VALUE_TYPE_UNSPECIFIED Default value. This value is unused.
STRING A string value.
BOOLEAN A boolean value.
STRINGLIST A string list value.
NUMBER A numeric value.
ONEOF A oneOf value.

ParameterSubstitutionRule

The parameter substitution rules.

JSON representation
{

  // Union field substitution_type can be only one of the following:
  "placeholderSubstitutionRule": {
    object (PlaceholderSubstitutionRule)
  },
  "attributeSubstitutionRule": {
    object (AttributeSubstitutionRule)
  }
  // End of list of possible types for union field substitution_type.
}
Fields
Union field substitution_type. The type of substitution. substitution_type can be only one of the following:
placeholderSubstitutionRule

object (PlaceholderSubstitutionRule)

The placeholder substitution rule.

attributeSubstitutionRule

object (AttributeSubstitutionRule)

The attribute substitution rule.

PlaceholderSubstitutionRule

The placeholder that's substituted in the rendered string.

JSON representation
{
  "attribute": string
}
Fields
attribute

string

The fully qualified proto attribute path, in dot notation.

AttributeSubstitutionRule

The attribute at the given path that's substituted entirely.

JSON representation
{
  "attribute": string
}
Fields
attribute

string

The fully qualified proto attribute path, in dot notation. For example: rules[0].cel_expression.resource_types_values

Validation

The validation of the parameter.

JSON representation
{

  // Union field constraint can be only one of the following:
  "allowedValues": {
    object (AllowedValues)
  },
  "intRange": {
    object (IntRange)
  },
  "regexpPattern": {
    object (RegexpPattern)
  }
  // End of list of possible types for union field constraint.
}
Fields
Union field constraint. Defines validators for parameter values. constraint can be only one of the following:
allowedValues

object (AllowedValues)

The permitted set of values for the parameter.

intRange

object (IntRange)

The permitted range for numeric parameters.

regexpPattern

object (RegexpPattern)

The regular expression for string parameters.

AllowedValues

The allowed set of values for the parameter.

JSON representation
{
  "values": [
    {
      object (ParamValue)
    }
  ]
}
Fields
values[]

object (ParamValue)

Required. The list of allowed values for the parameter.

IntRange

The number range for number parameters.

JSON representation
{
  "min": string,
  "max": string
}
Fields
min

string (int64 format)

Required. The minimum permitted value for the numeric parameter (inclusive).

max

string (int64 format)

Required. The maximum permitted value for the numeric parameter (inclusive).

RegexpPattern

The regular expression (regex) validator for parameter values.

JSON representation
{
  "pattern": string
}
Fields
pattern

string

Required. The regex pattern to match the values of the parameter with.
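The ParameterSpec and Validation shapes above can be checked on the client before a cloud control is created or a parameter value is bound, which catches a bad range or pattern earlier than a rejected API call. The following is an added example, not code from the Compliance Manager API or its client libraries. It validates a value against the isRequired, valueType and validation fields documented here. ParamValue is not defined on this page, so its JSON shape used below (stringValue, boolValue, numberValue, stringListValue with a values list) is an assumption, the sample specs are constructed, ONEOF and subParameters are not handled, and matching the regex against the whole value (fullmatch) is a design choice the page does not state.

```python
"""Client-side validation of a ParamValue against a ParameterSpec (added example)."""
import re

# Assumed ParamValue JSON shape: one value key per ValueType (not stated on this page).
_VALUE_KEYS = {
    "STRING": "stringValue",
    "BOOLEAN": "boolValue",
    "NUMBER": "numberValue",
    "STRINGLIST": "stringListValue",
}


def _unwrap(value_type, param_value):
    """Return the plain Python value carried by a ParamValue for the given ValueType."""
    key = _VALUE_KEYS.get(value_type)
    if key is None or key not in param_value:
        raise ValueError(f"ParamValue does not carry a {value_type} value")
    raw = param_value[key]
    return raw["values"] if value_type == "STRINGLIST" else raw


def validate_parameter(spec, param_value):
    """Check param_value (or None when unset) against spec; return a list of problems."""
    problems = []
    if param_value is None:
        if spec.get("isRequired"):
            problems.append(f"{spec['name']}: required parameter is missing")
        return problems

    value_type = spec["valueType"]
    try:
        value = _unwrap(value_type, param_value)
    except ValueError as exc:
        return [f"{spec['name']}: {exc}"]

    constraint = spec.get("validation", {})

    if "allowedValues" in constraint:
        allowed = [_unwrap(value_type, v) for v in constraint["allowedValues"]["values"]]
        if value not in allowed:
            problems.append(f"{spec['name']}: {value!r} is not one of {allowed!r}")

    if "intRange" in constraint:
        # min and max are int64 values serialised as JSON strings. Compare as integers:
        # a string comparison would rank "9" above "65535".
        lo = int(constraint["intRange"]["min"])
        hi = int(constraint["intRange"]["max"])
        num = int(value) if isinstance(value, str) else value
        if not lo <= num <= hi:
            problems.append(f"{spec['name']}: {num} is outside [{lo}, {hi}]")

    if "regexpPattern" in constraint:
        pattern = constraint["regexpPattern"]["pattern"]
        # Each element of a string list is matched individually against the whole value.
        for item in (value if value_type == "STRINGLIST" else [value]):
            if not re.fullmatch(pattern, str(item)):
                problems.append(f"{spec['name']}: {item!r} does not match {pattern}")

    return problems


# Constructed sample specifications in the ParameterSpec shape documented above.
PORT_SPEC = {"name": "allowed_port", "isRequired": True, "valueType": "NUMBER",
             "validation": {"intRange": {"min": "1", "max": "65535"}}}
REGION_SPEC = {"name": "regions", "isRequired": True, "valueType": "STRINGLIST",
               "validation": {"regexpPattern": {"pattern": r"(us|europe)-[a-z]+[0-9]"}}}
ENV_SPEC = {"name": "environment", "isRequired": False, "valueType": "STRING",
            "validation": {"allowedValues": {"values": [{"stringValue": "prod"},
                                                        {"stringValue": "dev"}]}}}

if __name__ == "__main__":
    for spec, val in [(PORT_SPEC, {"numberValue": 70000}),
                      (REGION_SPEC, {"stringListValue": {"values": ["us-central1", "asia-east1"]}}),
                      (ENV_SPEC, {"stringValue": "staging"})]:
        print(validate_parameter(spec, val))
```

The int64-as-string detail matters in practice: min and max arrive as JSON strings, and a numeric value may too, so the comparison must convert before ordering or a port of "9" would be reported as larger than "65535".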

Rule

A rule in the cloud control.

JSON representation
{
  "description": string,
  "ruleActionTypes": [
    enum (RuleActionType)
  ],

  // Union field implementation can be only one of the following:
  "celExpression": {
    object (CELExpression)
  }
  // End of list of possible types for union field implementation.
}
Fields
description

string

Optional. The rule description. The maximum length is 2000 characters.

ruleActionTypes[]

enum (RuleActionType)

Required. The functionality that's enabled by the rule.

Union field implementation. The rule implementation. implementation can be only one of the following:
celExpression

object (CELExpression)

The rule's logic expression in Common Expression Language (CEL).

CELExpression

A Common Expression Language (CEL) expression that's used to create a rule.

JSON representation
{
  "expression": string,

  // Union field criteria can be only one of the following:
  "resourceTypesValues": {
    object (StringList)
  }
  // End of list of possible types for union field criteria.
}
Fields
expression

string

Required. The logical expression in CEL. The maximum length of the condition is 1000 characters. For more information, see CEL expression.

Union field criteria. The criteria of the CEL expression. criteria can be only one of the following:
resourceTypesValues

object (StringList)

The resource instance types on which this expression is defined. The format is <SERVICE_NAME>/<type>. For example: compute.googleapis.com/Instance
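Putting the Rule, CELExpression and ParameterSubstitutionRule sections together: a custom cloud control carries a CEL rule whose text and resource types can be filled in from parameters, a placeholder rule substituting into a rendered string and an attribute rule replacing the attribute at a proto path such as rules[0].cel_expression.resource_types_values entirely. The following is an added example, not code from the Compliance Manager API, that assembles a CloudControl body in the JSON shape documented on this page, resolves those dot-notation paths against the camelCase JSON body, applies both kinds of substitution, and checks the name format and length limits stated above before the body would be sent to create. Assumptions: the StringList object is {"values": [...]}, placeholders inside a string look like {{parameter_name}} (the page does not state the syntax), substituted values are rendered as CEL literals via their JSON encoding, and the CEL expression text is a constructed placeholder rather than a real check against any service's attributes.

```python
"""Render a custom CloudControl from its parameterSpec and check documented limits (added example)."""
import copy
import json
import re

# Limits and name format stated on this page.
LIMITS = {"description": 2000, "displayName": 200, "findingCategory": 255, "remediationSteps": 400}
NAME_RE = re.compile(r"^organizations/[^/]+/locations/global/cloudControls/[^/]+$")
CEL_MAX = 1000

# Constructed example body. The CEL text is illustrative only; the {{name}} placeholder
# syntax and the {"values": [...]} StringList shape are assumptions.
CONTROL = {
    "name": "organizations/123456789012/locations/global/cloudControls/restrict-instance-regions",
    "displayName": "Restrict Compute Engine instances to approved regions",
    "description": "Detects VM instances created outside the approved set of regions.",
    "severity": "MEDIUM",
    "findingCategory": "UNAPPROVED_REGION",
    "remediationSteps": "Recreate the instance in an approved region.",
    "categories": ["CC_CATEGORY_INFRASTRUCTURE"],
    "parameterSpec": [
        {"name": "approved_regions", "isRequired": True, "valueType": "STRINGLIST",
         "substitutionRules": [{"placeholderSubstitutionRule": {
             "attribute": "rules[0].cel_expression.expression"}}]},
        {"name": "resource_types", "isRequired": False, "valueType": "STRINGLIST",
         "substitutionRules": [{"attributeSubstitutionRule": {
             "attribute": "rules[0].cel_expression.resource_types_values"}}]},
    ],
    "rules": [{
        "description": "Flag instances whose region is not in the approved list.",
        "ruleActionTypes": ["RULE_ACTION_TYPE_DETECTIVE"],
        "celExpression": {
            "expression": "!({{approved_regions}}.exists(r, resource.region == r))",
            "resourceTypesValues": {"values": ["compute.googleapis.com/Instance"]},
        },
    }],
}

_SEG = re.compile(r"([a-z0-9_]+)(?:\[(\d+)\])?")


def _camel(snake):
    """Map a proto snake_case field name to its camelCase JSON key."""
    head, *rest = snake.split("_")
    return head + "".join(w.capitalize() for w in rest)


def _resolve(doc, path):
    """Walk a dot-notation proto path (optional [i] indexes) through the JSON body and
    return (container, key) of the final attribute so it can be read or replaced."""
    parent, key, node = None, None, doc
    for seg in path.split("."):
        m = _SEG.fullmatch(seg)
        if not m:
            raise ValueError(f"bad path segment {seg!r}")
        parent, key = node, _camel(m.group(1))
        node = node[key]
        if m.group(2) is not None:
            parent, key = node, int(m.group(2))
            node = node[key]
    return parent, key


def render(control, bindings):
    """Return a copy of control with every substitution rule applied from bindings
    (parameter name -> plain Python value). Unbound required parameters are an error."""
    out = copy.deepcopy(control)
    for spec in out.get("parameterSpec", []):
        name = spec["name"]
        if name not in bindings:
            if spec.get("isRequired"):
                raise ValueError(f"missing required parameter {name}")
            continue
        value = bindings[name]
        for rule in spec.get("substitutionRules", []):
            if "placeholderSubstitutionRule" in rule:
                parent, key = _resolve(out, rule["placeholderSubstitutionRule"]["attribute"])
                token = "{{" + name + "}}"
                if token not in parent[key]:
                    raise ValueError(f"placeholder {token} not found in {key}")
                # JSON encoding doubles as a CEL literal for strings, numbers, bools and lists.
                parent[key] = parent[key].replace(token, json.dumps(value))
            elif "attributeSubstitutionRule" in rule:
                parent, key = _resolve(out, rule["attributeSubstitutionRule"]["attribute"])
                parent[key] = {"values": list(value)} if isinstance(value, list) else value
    return out


def check_limits(control):
    """Return problems against the limits stated on this page (empty list = passes)."""
    problems = []
    if not NAME_RE.match(control.get("name", "")):
        problems.append("name: expected organizations/{org}/locations/global/cloudControls/{id}")
    for field, limit in LIMITS.items():
        if len(control.get(field, "")) > limit:
            problems.append(f"{field}: longer than {limit} characters")
    for i, rule in enumerate(control.get("rules", [])):
        if len(rule.get("description", "")) > 2000:
            problems.append(f"rules[{i}].description: longer than 2000 characters")
        if not rule.get("ruleActionTypes"):
            problems.append(f"rules[{i}].ruleActionTypes: required")
        expr = rule.get("celExpression", {}).get("expression", "")
        if len(expr) > CEL_MAX:
            problems.append(f"rules[{i}].celExpression.expression: longer than {CEL_MAX} characters")
        if "{{" in expr:
            problems.append(f"rules[{i}].celExpression.expression: unresolved placeholder")
    return problems
```

The unrendered template deliberately fails check_limits because of the unresolved placeholder; rendering with bindings for the required parameter produces a body that passes, and the optional resource_types parameter, when bound, replaces the whole resourceTypesValues object rather than text inside it, which is the difference between the two substitution rule types.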

RuleActionType

The action type of the rule.

Enums
RULE_ACTION_TYPE_UNSPECIFIED Default value. This value is unused.
RULE_ACTION_TYPE_PREVENTIVE The rule is intended to prevent non-compliance.
RULE_ACTION_TYPE_DETECTIVE The rule is intended to detect non-compliance.
RULE_ACTION_TYPE_AUDIT The rule is intended to audit non-compliance.

Severity

The severity of the finding.

Enums
SEVERITY_UNSPECIFIED Default value. This value is unused.
CRITICAL

A critical vulnerability is easily discoverable by an external actor, exploitable, and results in the direct ability to execute arbitrary code, exfiltrate data, and otherwise gain additional access and privileges to cloud resources and workloads. Examples include publicly accessible unprotected user data and public SSH access with weak or no passwords.

A critical threat is a threat that can access, modify, or delete data or execute unauthorized code within existing resources.

HIGH

A high-risk vulnerability can be easily discovered and exploited in combination with other vulnerabilities to gain direct access and the ability to execute arbitrary code, exfiltrate data, and otherwise gain additional access and privileges to cloud resources and workloads. An example is a database with weak or no passwords that is only accessible internally. This database could easily be compromised by an actor that had access to the internal network.

A high-risk threat is a threat that can create new computational resources in an environment but can't access data or execute code in existing resources.

MEDIUM

A medium-risk vulnerability can be used by an actor to gain access to resources or privileges that enable them to eventually (through multiple steps or a complex exploit) gain access and the ability to execute arbitrary code or exfiltrate data. An example is a service account with access to more projects than it should have. If an actor gains access to the service account, they could potentially use that access to manipulate a project the service account was not intended to.

A medium-risk threat can cause operational impact but might not access data or execute unauthorized code.

LOW

A low-risk vulnerability hampers a security organization's ability to detect vulnerabilities or active threats in their deployment, or prevents the root cause investigation of security issues. An example is monitoring and logs being disabled for resource configurations and access.

A low-risk threat is a threat that has obtained minimal access to an environment but can't access data, execute code, or create resources.

CloudControlCategory

The category for the cloud control.

Enums
CLOUD_CONTROL_CATEGORY_UNSPECIFIED Default value. This value is unused.
CC_CATEGORY_INFRASTRUCTURE The infrastructure security category.
CC_CATEGORY_ARTIFICIAL_INTELLIGENCE The artificial intelligence category.
CC_CATEGORY_PHYSICAL_SECURITY The physical security category.
CC_CATEGORY_DATA_SECURITY The data security category.
CC_CATEGORY_NETWORK_SECURITY The network security category.
CC_CATEGORY_INCIDENT_MANAGEMENT The incident management category.
CC_CATEGORY_IDENTITY_AND_ACCESS_MANAGEMENT The identity and access management category.
CC_CATEGORY_ENCRYPTION The encryption category.
CC_CATEGORY_LOGS_MANAGEMENT_AND_INFRASTRUCTURE The logs management and infrastructure category.
CC_CATEGORY_HR_ADMIN_AND_PROCESSES The HR, admin, and processes category.
CC_CATEGORY_THIRD_PARTY_AND_SUB_PROCESSOR_MANAGEMENT The third-party and sub-processor management category.
CC_CATEGORY_VULNERABILITY_MANAGEMENT The vulnerability management category.
CC_CATEGORY_PRIVACY The privacy category.
CC_CATEGORY_BCDR The business continuity and disaster recovery (BCDR) category.

Methods

create

Creates a custom cloud control in a given parent resource.

delete

Deletes a custom cloud control, including all its major and minor revisions.

get

Gets details about a cloud control.

list

Lists the cloud controls (both built-in and custom) that are available in a given parent resource.

patch

Updates a custom cloud control.