PolicySet

A group of one or more Policy resources.

JSON representation
{
  "policySetId": string,
  "description": string,
  "policies": [
    {
      object (Policy)
    }
  ]
}
Fields
policySetId

string

Required. An identifier for the policy set.

description

string

Optional. A description of the policy set.

policies[]

object (Policy)

Required. The Policy resources in the policy set.

Each policy must have a policyId that's unique within the policy set.

Policy

The details of a policy, including the constraints that it includes.

JSON representation
{
  "policyId": string,
  "complianceStandards": [
    {
      object (ComplianceStandard)
    }
  ],
  "constraint": {
    object (Constraint)
  },
  "description": string
}
Fields
policyId

string

Required. A user-specified identifier for the policy.

In a PolicySet, each policy must have a unique identifier.

complianceStandards[]

object (ComplianceStandard)

Optional. The compliance standards that the policy helps enforce.

constraint

object (Constraint)

Required. The constraints that the policy includes.

description

string

Optional. A description of the policy.

ComplianceStandard

Information about a compliance standard that the policy helps enforce.

JSON representation
{
  "standard": string,
  "control": string
}
Fields
standard

string

Optional. The compliance standard that the policy helps enforce. For example, NIST SP 800-53.

control

string

Optional. The control in the compliance standard that the policy helps enforce. For example, AC-3.

Constraint

Metadata for a constraint in a Policy.

JSON representation
{

  // Union field implementation can be only one of the following:
  "securityHealthAnalyticsModule": {
    object (SecurityHealthAnalyticsModule)
  },
  "securityHealthAnalyticsCustomModule": {
    object (SecurityHealthAnalyticsCustomModule)
  },
  "orgPolicyConstraint": {
    object (OrgPolicyConstraint)
  },
  "orgPolicyConstraintCustom": {
    object (OrgPolicyConstraintCustom)
  }
  // End of list of possible types for union field implementation.
}
Fields
Union field implementation. The implementation of the constraint. implementation can be only one of the following:
securityHealthAnalyticsModule

object (SecurityHealthAnalyticsModule)

Optional. A built-in detector for Security Health Analytics.

securityHealthAnalyticsCustomModule

object (SecurityHealthAnalyticsCustomModule)

Optional. A custom module for Security Health Analytics.

orgPolicyConstraint

object (OrgPolicyConstraint)

Optional. A predefined organization policy constraint.

orgPolicyConstraintCustom

object (OrgPolicyConstraintCustom)

Optional. A custom organization policy constraint.

SecurityHealthAnalyticsModule

A built-in detector for Security Health Analytics.

JSON representation
{
  "moduleName": string,
  "moduleEnablementState": enum (EnablementState)
}
Fields
moduleName

string

Required. The name of the detector. For example, BIGQUERY_TABLE_CMEK_DISABLED.

moduleEnablementState

enum (EnablementState)

Whether the detector is enabled at a specified level of the resource hierarchy.

EnablementState

Whether a built-in detector or custom module is enabled at a specified level of the resource hierarchy.

Enums
ENABLEMENT_STATE_UNSPECIFIED Default value. This value is unused.
ENABLED The detector or custom module is enabled.
DISABLED The detector or custom module is disabled.

SecurityHealthAnalyticsCustomModule

A custom module for Security Health Analytics.

JSON representation
{
  "id": string,
  "displayName": string,
  "config": {
    object (CustomConfig)
  },
  "moduleEnablementState": enum (EnablementState)
}
Fields
id

string

Output only. Immutable. The unique identifier for the custom module. Contains 1 to 20 digits.

displayName

string

Optional. The display name of the custom module. This value is used as the finding category for all findings that the custom module returns. The display name must contain between 1 and 128 alphanumeric characters or underscores, and it must start with a lowercase letter.

config

object (CustomConfig)

Required. Configuration settings for the custom module.

moduleEnablementState

enum (EnablementState)

Whether the custom module is enabled at a specified level of the resource hierarchy.

CustomConfig

A custom module configuration for Security Health Analytics. Use CustomConfig to create custom detectors that generate custom findings for resources that you specify.

JSON representation
{
  "predicate": {
    object (Expr)
  },
  "customOutput": {
    object (CustomOutputSpec)
  },
  "resourceSelector": {
    object (ResourceSelector)
  },
  "severity": enum (Severity),
  "description": string,
  "recommendation": string
}
Fields
predicate

object (Expr)

Required. The Common Expression Language (CEL) expression to evaluate. When the expression evaluates to true for a resource, a finding is generated.

customOutput

object (CustomOutputSpec)

Optional. Definitions of custom source properties to include in findings.

resourceSelector

object (ResourceSelector)

Required. The resource types that the custom module operates on.

severity

enum (Severity)

Required. The severity of findings generated by the custom module.

description

string

Optional. A description of the vulnerability or misconfiguration that the custom module detects.

The description appears in each finding. Provide enough information to help an investigator understand the finding.

The value must be enclosed in quotation marks.

recommendation

string

Optional. An explanation of the steps that security teams can take to resolve the detected issue. The explanation appears in each finding.
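The field rules above (display-name format, 1 to 20 digit id, at most 5 resource types, required predicate and severity) are easy to get wrong when modules are authored as JSON. The following added example, not code from the reference, checks a SecurityHealthAnalyticsCustomModule dict against those documented limits; the sample module's CEL expression and resource type are illustrative (hypothetical), not values from the page.

```python
import re

# Limits taken from the SecurityHealthAnalyticsCustomModule and CustomConfig field descriptions above.
DISPLAY_NAME_RE = re.compile(r"^[a-z][A-Za-z0-9_]{0,127}$")  # 1-128 chars, lowercase start
MODULE_ID_RE = re.compile(r"^[0-9]{1,20}$")                   # output only, 1-20 digits
SEVERITIES = {"CRITICAL", "HIGH", "MEDIUM", "LOW"}
MAX_RESOURCE_TYPES = 5

def validate_custom_module(module: dict) -> list[str]:
    """Return the problems found; an empty list means the module passes these checks."""
    problems = []
    name = module.get("displayName", "")
    if not DISPLAY_NAME_RE.match(name):
        problems.append(f"displayName {name!r}: 1-128 alphanumerics/underscores, lowercase start")
    if "id" in module and not MODULE_ID_RE.match(str(module["id"])):
        problems.append("id must contain 1 to 20 digits")
    config = module.get("config")
    if not isinstance(config, dict):
        return problems + ["config is required"]
    if not config.get("predicate", {}).get("expression"):
        problems.append("config.predicate.expression is required")
    types = config.get("resourceSelector", {}).get("resourceTypes", [])
    if not types:
        problems.append("config.resourceSelector.resourceTypes is required")
    elif len(types) > MAX_RESOURCE_TYPES:
        problems.append(f"resourceTypes has {len(types)} entries; at most {MAX_RESOURCE_TYPES}")
    if config.get("severity") not in SEVERITIES:
        problems.append("severity must be one of CRITICAL, HIGH, MEDIUM, LOW")
    if module.get("moduleEnablementState") not in (None, "ENABLED", "DISABLED"):
        problems.append("moduleEnablementState must be ENABLED or DISABLED")
    return problems

# Constructed sample module; the CEL expression and resource type are illustrative
# (hypothetical), not values taken from the reference.
GOOD_MODULE = {
    "displayName": "bigquery_dataset_without_cmek",
    "config": {
        "predicate": {"expression": "!has(resource.defaultEncryptionConfiguration.kmsKeyName)"},
        "resourceSelector": {"resourceTypes": ["bigquery.googleapis.com/Dataset"]},
        "severity": "HIGH",
    },
    "moduleEnablementState": "ENABLED",
}
# Violates the display-name rule, id format, 5-type limit and severity enum; omits the predicate expression.
BAD_MODULE = {
    "displayName": "Bad-Name",
    "id": "abc",
    "config": {"predicate": {}, "resourceSelector": {"resourceTypes": ["t"] * 6}, "severity": "SEVERE"},
}
```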

Expr

Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec.

Example (Comparison):

title: "Summary size limit"
description: "Determines if a summary is less than 100 chars"
expression: "document.summary.size() < 100"

Example (Equality):

title: "Requestor is owner"
description: "Determines if requestor is the document owner"
expression: "document.owner == request.auth.claims.email"

Example (Logic):

title: "Public documents"
description: "Determine whether the document should be publicly visible"
expression: "document.type != 'private' && document.type != 'internal'"

Example (Data Manipulation):

title: "Notification string"
description: "Create a notification string with a timestamp."
expression: "'New message received at ' + string(document.create_time)"

The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.

JSON representation
{
  "expression": string,
  "title": string,
  "description": string,
  "location": string
}
Fields
expression

string

Textual representation of an expression in Common Expression Language syntax.

title

string

Optional. Title for the expression, i.e. a short string describing its purpose. This can be used, for example, in UIs that allow the expression to be entered.

description

string

Optional. Description of the expression. This is a longer text that describes the expression, e.g. when it is hovered over in a UI.

location

string

Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

CustomOutputSpec

Definitions of custom source properties that can appear in findings.

JSON representation
{
  "properties": [
    {
      object (Property)
    }
  ]
}
Fields
properties[]

object (Property)

Optional. The custom source properties that can appear in findings.

Property

A name-value pair used as a custom source property.

JSON representation
{
  "name": string,
  "valueExpression": {
    object (Expr)
  }
}
Fields
name

string

Required. The name of the custom source property.

valueExpression

object (Expr)

Optional. The CEL expression for the value of the custom source property. For resource properties, you can return the value of the property or a string enclosed in quotation marks.

ResourceSelector

A selector for the resource types to run the detector on.

JSON representation
{
  "resourceTypes": [
    string
  ]
}
Fields
resourceTypes[]

string

Required. The resource types to run the detector on. Each custom module can specify up to 5 resource types.

Severity

The severity of a finding.

Enums
SEVERITY_UNSPECIFIED Default value. This value is unused.
CRITICAL Critical severity.
HIGH High severity.
MEDIUM Medium severity.
LOW Low severity.

OrgPolicyConstraint

A predefined organization policy constraint.

JSON representation
{
  "cannedConstraintId": string,
  "policyRules": [
    {
      object (PolicyRule)
    }
  ]
}
Fields
cannedConstraintId

string

Required. A unique identifier for the constraint.

policyRules[]

object (PolicyRule)

Required. The rules enforced by the constraint.

PolicyRule

A rule that defines the allowed and denied values for an organization policy constraint.

JSON representation
{
  "condition": {
    object (Expr)
  },

  // Union field kind can be only one of the following:
  "values": {
    object (StringValues)
  },
  "allowAll": boolean,
  "denyAll": boolean,
  "enforce": boolean
  // End of list of possible types for union field kind.
}
Fields
condition

object (Expr)

A condition that determines whether this rule is used to evaluate the policy.

When set, the google.type.Expr.expression field must contain 1 to 10 subexpressions, joined by the || or && operators. Each subexpression must use the resource.matchTag() or resource.matchTagId() Common Expression Language (CEL) function.

The resource.matchTag() function takes the following arguments:

  • key_name: the namespaced name of the tag key, with the organization ID and a slash (/) as a prefix; for example, 123456789012/environment
  • value_name: the short name of the tag value

For example: resource.matchTag('123456789012/environment', 'prod')

The resource.matchTagId() function takes the following arguments:

  • key_id: the permanent ID of the tag key; for example, tagKeys/123456789012
  • value_id: the permanent ID of the tag value; for example, tagValues/567890123456

For example: resource.matchTagId('tagKeys/123456789012', 'tagValues/567890123456')

Union field kind. The type of rule that the PolicyRule defines. kind can be only one of the following:
values

object (StringValues)

The allowed and denied values for a list constraint. Valid only for list constraints.

allowAll

boolean

Whether to allow any value for a list constraint. Valid only for list constraints.

denyAll

boolean

Whether to deny all values for a list constraint. Valid only for list constraints.

enforce

boolean

Whether to enforce the constraint. Valid only for boolean constraints.
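A PolicyRule has two places where a malformed document is accepted by a JSON parser but rejected by the documented rules: the condition (1 to 10 subexpressions, each a resource.matchTag() or resource.matchTagId() call with the argument shapes listed above) and the kind union, which must carry exactly one member. The following added example, not code from the reference, checks both; the tag IDs in the sample rules are the placeholder values used in the reference, and the key-name pattern is an assumption based on the 123456789012/environment example.

```python
import re

MAX_SUBEXPRESSIONS = 10
# Argument shapes described for resource.matchTag() and resource.matchTagId() above.
TAG_CALL_RE = re.compile(r"^resource\.(matchTag|matchTagId)\(\s*'([^']*)'\s*,\s*'([^']*)'\s*\)$")
KEY_NAME_RE = re.compile(r"^\d+/[^/\s]+$")    # {organization_id}/{key_short_name}
KEY_ID_RE = re.compile(r"^tagKeys/\d+$")
VALUE_ID_RE = re.compile(r"^tagValues/\d+$")
KIND_FIELDS = ("values", "allowAll", "denyAll", "enforce")

def check_condition(expression: str) -> list[str]:
    """Validate a PolicyRule.condition expression against the rules documented above."""
    problems = []
    parts = [p.strip() for p in re.split(r"\|\||&&", expression)]  # only || and && may join
    if not 1 <= len(parts) <= MAX_SUBEXPRESSIONS:
        problems.append(f"{len(parts)} subexpressions; must be 1 to {MAX_SUBEXPRESSIONS}")
    for part in parts:
        m = TAG_CALL_RE.match(part)
        if not m:
            problems.append(f"not a resource.matchTag()/matchTagId() call: {part!r}")
            continue
        func, arg1, arg2 = m.groups()
        if func == "matchTag" and not KEY_NAME_RE.match(arg1):
            problems.append(f"matchTag key_name must be <org_id>/<key>, got {arg1!r}")
        if func == "matchTagId" and not (KEY_ID_RE.match(arg1) and VALUE_ID_RE.match(arg2)):
            problems.append(f"matchTagId needs tagKeys/<id>, tagValues/<id>; got {arg1!r}, {arg2!r}")
    return problems

def check_policy_rule(rule: dict) -> list[str]:
    """Check the 'kind' union has exactly one member, then validate any condition."""
    present = [f for f in KIND_FIELDS if f in rule]
    problems = [] if len(present) == 1 else [f"exactly one of {KIND_FIELDS} required, found {present}"]
    if "condition" in rule:
        problems += check_condition(rule["condition"].get("expression", ""))
    return problems

# Constructed sample rules; the tag and value IDs are the placeholders from the reference.
PROD_ONLY_RULE = {
    "condition": {"expression": "resource.matchTag('123456789012/environment', 'prod') || "
                                "resource.matchTagId('tagKeys/123456789012', 'tagValues/567890123456')"},
    "values": {"allowedValues": ["under:folders/1234567890123"], "deniedValues": []},
}
# A missing quote breaks the matchTag call, and two 'kind' members are set at once.
BAD_RULE = {
    "condition": {"expression": "resource.matchTag('environment, 'prod')"},
    "allowAll": True,
    "denyAll": True,
}
```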

StringValues

The allowed and denied values for a list constraint.

For all constraints, these fields can contain literal values. Optionally, you can add the is: prefix to these values. If the value contains a colon (:), then the is: prefix is required.

Some constraints allow you to specify a portion of the resource hierarchy, known as a hierarchy subtree, that the constraint applies to. To specify a hierarchy subtree, use the under: prefix, followed by a value with one of these formats:

  • projects/{projectId} (for example, projects/tokyo-rain-123)
  • folders/{folder_id} (for example, folders/1234567890123)
  • organizations/{organization_id} (for example, organizations/123456789012)

A constraint's supportsUnder field indicates whether you can specify a hierarchy subtree. To learn which predefined constraints let you specify a hierarchy subtree, see the constraints reference.

JSON representation
{
  "allowedValues": [
    string
  ],
  "deniedValues": [
    string
  ]
}
Fields
allowedValues[]

string

The allowed values for the constraint.

deniedValues[]

string

The denied values for the constraint.
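The is: and under: prefix rules above decide how each allowedValues or deniedValues entry is interpreted. The following added example, not code from the reference, parses entries accordingly: bare literals, is: literals (required when the literal contains a colon), and under: subtrees in the three documented formats, rejected when the constraint's supportsUnder is false. The project-ID pattern is deliberately loose, an assumption since the page gives only the projects/tokyo-rain-123 example, and the overlap report is a check added here rather than a documented rule.

```python
import re

# Hierarchy-subtree formats documented for the under: prefix. Project IDs are left
# loose ([^/\s]+) because the reference gives only the example projects/tokyo-rain-123.
SUBTREE_RE = re.compile(r"^(projects/[^/\s]+|folders/\d+|organizations/\d+)$")

def parse_value(value: str, supports_under: bool) -> tuple[str, str]:
    """Split one allowedValues/deniedValues entry into (prefix, payload).

    Raises ValueError for entries the documented rules reject. supports_under
    mirrors the constraint's supportsUnder field.
    """
    if value.startswith("is:"):
        return "is", value[len("is:"):]
    if value.startswith("under:"):
        if not supports_under:
            raise ValueError(f"{value!r}: this constraint does not support under:")
        subtree = value[len("under:"):]
        if not SUBTREE_RE.match(subtree):
            raise ValueError(f"{value!r}: under: needs projects/, folders/ or organizations/ form")
        return "under", subtree
    if ":" in value:
        raise ValueError(f"{value!r}: a literal containing ':' must carry the is: prefix")
    return "is", value  # a bare literal is equivalent to is:<value>

def rejects(value: str, supports_under: bool) -> bool:
    """True if parse_value refuses the entry."""
    try:
        parse_value(value, supports_under)
    except ValueError:
        return True
    return False

def normalise_string_values(values: dict, supports_under: bool) -> dict:
    """Parse both lists and report entries present in both (not a documented rule,
    but an ambiguity worth flagging before the policy is applied)."""
    parsed = {f: [parse_value(v, supports_under) for v in values.get(f, [])]
              for f in ("allowedValues", "deniedValues")}
    conflicts = sorted(set(parsed["allowedValues"]) & set(parsed["deniedValues"]))
    return {"parsed": parsed, "conflicts": conflicts}

# Constructed sample using the example formats from the reference.
SAMPLE_VALUES = {
    "allowedValues": ["under:folders/1234567890123", "is:projects/tokyo-rain-123", "us-east1"],
    "deniedValues": ["under:organizations/123456789012", "us-east1"],
}
```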

OrgPolicyConstraintCustom

A custom organization policy constraint.

JSON representation
{
  "customConstraint": {
    object (CustomConstraint)
  },
  "policyRules": [
    {
      object (PolicyRule)
    }
  ]
}
Fields
customConstraint

object (CustomConstraint)

Required. Metadata for the constraint.

policyRules[]

object (PolicyRule)

Required. The rules enforced by the constraint.

CustomConstraint

A custom, user-defined constraint. You can apply the constraint only to the resource types specified in the constraint, and only within the organization where the constraint is defined.

When you create a custom constraint, it is not enforced automatically. You must use an organization policy to enforce the constraint.

JSON representation
{
  "name": string,
  "resourceTypes": [
    string
  ],
  "methodTypes": [
    enum (MethodType)
  ],
  "condition": string,
  "actionType": enum (ActionType),
  "displayName": string,
  "description": string,
  "updateTime": string
}
Fields
name

string

Immutable. The name of the constraint, in the format organizations/{organization_id}/customConstraints/custom.{custom_constraint_id}. For example, organizations/123456789012/customConstraints/custom.createOnlyE2TypeVms.

Must contain 1 to 62 characters, not counting the prefix organizations/{organization_id}/customConstraints/custom. (the trailing period belongs to the prefix).

resourceTypes[]

string

Immutable. The resource type that the constraint applies to, in the format {canonical_service_name}/{resource_type_name}. For example, compute.googleapis.com/Instance.

methodTypes[]

enum (MethodType)

The types of operations that the constraint applies to.

condition

string

A Common Expression Language (CEL) condition expression that must evaluate to true for the constraint to be enforced. The maximum length is 1000 characters.

For example:

  • resource.instanceName.matches('(production|test)_(.+_)?[\d]+'): Evaluates to true if the resource's instanceName attribute contains the following:
    • The prefix production or test
    • An underscore (_)
    • Optional: One or more characters, followed by an underscore (_)
    • One or more digits
  • resource.management.auto_upgrade == true: Evaluates to true if the resource's management.auto_upgrade attribute is true.
actionType

enum (ActionType)

Whether to allow or deny the action.

displayName

string

A display name for the constraint. The maximum length is 200 characters.

description

string

A description of the constraint. The maximum length is 2000 characters.

updateTime

string (Timestamp format)

Output only. The last time at which the constraint was updated or created.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

MethodType

A type of operation that the constraint applies to.

If a constraint applies to MethodType.UPDATE operations, then it must also apply to MethodType.CREATE operations.

Enums
METHOD_TYPE_UNSPECIFIED Default value. This value is unused.
CREATE Constraint applied when creating the resource.
UPDATE Constraint applied when updating the resource.
DELETE Not supported. Constraint applied when deleting the resource.
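The CustomConstraint rules above (name format with a 1 to 62 character id, resourceTypes format, the UPDATE-requires-CREATE rule, DELETE unsupported, length limits, and a two-valued actionType) are the kind of constraints an organization-policy pipeline should check before submission. The following added example, not code from the reference, validates a CustomConstraint dict against them and also runs the reference's instanceName regex example against a few constructed names to show what it accepts. Requiring the .googleapis.com suffix in resource types is an assumption, and the sample constraint's condition expression is illustrative (hypothetical), not from the page.

```python
import re

# Name format and length limits from the CustomConstraint field descriptions above.
NAME_RE = re.compile(r"^organizations/\d+/customConstraints/custom\.(?P<id>.{1,62})$")
# {canonical_service_name}/{resource_type_name}; requiring .googleapis.com is an assumption.
RESOURCE_TYPE_RE = re.compile(r"^[a-z0-9.-]+\.googleapis\.com/[A-Za-z0-9]+$")
LIMITS = {"condition": 1000, "displayName": 200, "description": 2000}
METHOD_TYPES = {"CREATE", "UPDATE", "DELETE"}
ACTION_TYPES = {"ALLOW", "DENY"}

def validate_custom_constraint(c: dict) -> list[str]:
    """Return the documented-rule violations found in a CustomConstraint dict."""
    problems = []
    if not NAME_RE.match(c.get("name", "")):
        problems.append("name must be organizations/{org}/customConstraints/custom.{id}, id 1-62 chars")
    for rt in c.get("resourceTypes", []):
        if not RESOURCE_TYPE_RE.match(rt):
            problems.append(f"resourceTypes entry {rt!r} is not <service>/<ResourceType>")
    methods = set(c.get("methodTypes", []))
    if methods - METHOD_TYPES:
        problems.append(f"unknown methodTypes {sorted(methods - METHOD_TYPES)}")
    if "UPDATE" in methods and "CREATE" not in methods:
        problems.append("a constraint that applies to UPDATE must also apply to CREATE")
    if "DELETE" in methods:
        problems.append("DELETE is not supported")
    for field, limit in LIMITS.items():
        if len(c.get(field, "")) > limit:
            problems.append(f"{field} exceeds {limit} characters")
    if c.get("actionType") not in ACTION_TYPES:
        problems.append("actionType must be ALLOW or DENY")
    return problems

# The condition example from the reference, run through Python's regex engine. CEL's
# matches() is an unanchored RE2 search, so re.search is the closest equivalent here.
INSTANCE_NAME_RE = re.compile(r"(production|test)_(.+_)?[\d]+")

def instance_name_matches(name: str) -> bool:
    return INSTANCE_NAME_RE.search(name) is not None

# Constructed sample mirroring the createOnlyE2TypeVms name used in the reference;
# the condition expression is illustrative (hypothetical), not from the page.
CREATE_ONLY_E2 = {
    "name": "organizations/123456789012/customConstraints/custom.createOnlyE2TypeVms",
    "resourceTypes": ["compute.googleapis.com/Instance"],
    "methodTypes": ["CREATE"],
    "condition": "resource.machineType.contains('/e2-')",
    "actionType": "ALLOW",
    "displayName": "Create only E2 VMs",
    "description": "Constructed example.",
}
```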

ActionType

Whether to allow or deny the action.

Enums
ACTION_TYPE_UNSPECIFIED Default value. This value is unused.
ALLOW Allow the action.
DENY Deny the action.