- JSON representation
- SecurityHealthAnalyticsModule
- SecurityHealthAnalyticsCustomModule
- CustomConfig
- CustomOutputSpec
- Property
- ResourceSelector
- OrgPolicyConstraint
- PolicyRule
- StringValues
- OrgPolicyConstraintCustom
- CustomConstraint
Metadata for a constraint in a Policy
.
JSON representation |
---|
{ // Union field |
Fields | |
---|---|
Union field implementation . The implementation of the constraint. implementation can be only one of the following: |
|
securityHealthAnalyticsModule |
Optional. A built-in detector for Security Health Analytics. |
securityHealthAnalyticsCustomModule |
Optional. A custom module for Security Health Analytics. |
orgPolicyConstraint |
Optional. A predefined organization policy constraint. |
orgPolicyConstraintCustom |
Optional. A custom organization policy constraint. |
SecurityHealthAnalyticsModule
A built-in detector for Security Health Analytics.
JSON representation |
---|
{
"moduleName": string,
"moduleEnablementState": enum ( |
Fields | |
---|---|
moduleName |
Required. The name of the detector. For example, |
moduleEnablementState |
Whether the detector is enabled at a specified level of the resource hierarchy. |
SecurityHealthAnalyticsCustomModule
A custom module for Security Health Analytics.
JSON representation |
---|
{ "id": string, "displayName": string, "config": { object ( |
Fields | |
---|---|
id |
Output only. Immutable. The unique identifier for the custom module. Contains 1 to 20 digits. |
displayName |
Optional. The display name of the custom module. This value is used as the finding category for all findings that the custom module returns. The display name must contain between 1 and 128 alphanumeric characters or underscores, and it must start with a lowercase letter. |
config |
Required. Configuration settings for the custom module. |
moduleEnablementState |
Whether the custom module is enabled at a specified level of the resource hierarchy. |
CustomConfig
A custom module configuration for Security Health Analytics. Use CustomConfig
to create custom detectors that generate custom findings for resources that you specify.
JSON representation |
---|
{ "predicate": { object ( |
Fields | |
---|---|
predicate |
Required. The Common Expression Language (CEL) expression to evaluate. When the expression evaluates to |
customOutput |
Optional. Definitions of custom source properties to include in findings. |
resourceSelector |
Required. The resource types that the custom module operates on. |
severity |
Required. The severity of findings generated by the custom module. |
description |
Optional. A description of the vulnerability or misconfiguration that the custom module detects. The description appears in each finding. Provide enough information to help an investigator understand the finding. The value must be enclosed in quotation marks. |
recommendation |
Optional. An explanation of the steps that security teams can take to resolve the detected issue. The explanation appears in each finding. |
CustomOutputSpec
Definitions of custom source properties that can appear in findings.
JSON representation |
---|
{
"properties": [
{
object ( |
Fields | |
---|---|
properties[] |
Optional. The custom source properties that can appear in findings. |
Property
A name-value pair used as a custom source property.
JSON representation |
---|
{
"name": string,
"valueExpression": {
object ( |
Fields | |
---|---|
name |
Required. The name of the custom source property. |
valueExpression |
Optional. The CEL expression for the value of the custom source property. For resource properties, you can return the value of the property or a string enclosed in quotation marks. |
ResourceSelector
A selector for the resource types to run the detector on.
JSON representation |
---|
{ "resourceTypes": [ string ] } |
Fields | |
---|---|
resourceTypes[] |
Required. The resource types to run the detector on. Each custom module can specify up to 5 resource types. |
OrgPolicyConstraint
A predefined organization policy constraint.
JSON representation |
---|
{
"cannedConstraintId": string,
"policyRules": [
{
object ( |
Fields | |
---|---|
cannedConstraintId |
Required. A unique identifier for the constraint. |
policyRules[] |
Required. The rules enforced by the constraint. |
PolicyRule
A rule that defines the allowed and denied values for an organization policy constraint.
JSON representation |
---|
{ "condition": { object ( |
Fields | |
---|---|
condition |
A condition that determines whether this rule is used to evaluate the policy. When set, the The
For example: The
For example: |
Union field kind . The type of rule that the PolicyRule defines. kind can be only one of the following: |
|
values |
The allowed and denied values for a list constraint. Valid only for list constraints. |
allowAll |
Whether to allow any value for a list constraint. Valid only for list constraints. |
denyAll |
Whether to deny all values for a list constraint. Valid only for list constraints. |
enforce |
Whether to enforce the constraint. Valid only for boolean constraints. |
StringValues
The allowed and denied values for a list constraint.
For all constraints, these fields can contain literal values. Optionally, you can add the is:
prefix to these values. If the value contains a colon (:
), then the is:
prefix is required.
Some constraints allow you to specify a portion of the resource hierarchy, known as a hierarchy subtree, that the constraint applies to. To specify a hierarchy subtree, use the under:
prefix, followed by a value with one of these formats:
projects/{projectId}
(for example,projects/tokyo-rain-123
)folders/{folder_id}
(for example,folders/1234567890123
)organizations/{organization_id}
(for example,organizations/123456789012
)
A constraint's supportsUnder
field indicates whether you can specify a hierarchy subtree. To learn which predefined constraints let you specify a hierarchy subtree, see the constraints reference.
JSON representation |
---|
{ "allowedValues": [ string ], "deniedValues": [ string ] } |
Fields | |
---|---|
allowedValues[] |
The allowed values for the constraint. |
deniedValues[] |
The denied values for the constraint. |
OrgPolicyConstraintCustom
A custom organization policy constraint.
JSON representation |
---|
{ "customConstraint": { object ( |
Fields | |
---|---|
customConstraint |
Required. Metadata for the constraint. |
policyRules[] |
Required. The rules enforced by the constraint. |
CustomConstraint
A custom, user-defined constraint. You can apply the constraint only to the resource types specified in the constraint, and only within the organization where the constraint is defined.
When you create a custom constraint, it is not enforced automatically. You must use an organization policy to enforce the constraint.
JSON representation |
---|
{ "name": string, "resourceTypes": [ string ], "methodTypes": [ enum ( |
Fields | |
---|---|
name |
Immutable. The name of the constraint, in the format Must contain 1 to 62 characters, excluding the prefix |
resourceTypes[] |
Immutable. The resource type that the constraint applies to, in the format |
methodTypes[] |
The types of operations that the constraint applies to. |
condition |
A Common Expression Language (CEL) condition expression that must evaluate to For example:
|
actionType |
Whether to allow or deny the action. |
displayName |
A display name for the constraint. The maximum length is 200 characters. |
description |
A description of the constraint. The maximum length is 2000 characters. |
updateTime |
Output only. The last time at which the constraint was updated or created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |