Predefined posture for secure AI, essentials

This page describes the preventative and detective policies that are included in the v1.0.0 version of the predefined posture for secure AI, essentials. This posture includes two policy sets:

A policy set that includes organization policies that apply to Vertex AI workloads.
A policy set that includes custom Security Health Analytics detectors that apply to Vertex AI workloads.

You can use this posture to configure a security posture that helps protect Gemini and Vertex AI resources. You can deploy this predefined posture without making any changes.

Policy	Description	Compliance standards
`ainotebooks.disableFileDownloads`	This constraint prevents the creation of Vertex AI Workbench instances with the file download option enabled. By default, the file download option can be enabled on any Vertex AI Workbench instance. The value is `true` to turn off file downloads on new Vertex AI Workbench instances.	NIST SP 800-53 control: AC-3(1)
`ainotebooks.disableRootAccess`	This constraint prevents newly created Vertex AI Workbench user-managed notebooks and instances from enabling root access. By default, Vertex AI Workbench user-managed notebooks and instances can have root access enabled. The value is `true` to disable root access on new Vertex AI Workbench user-managed notebooks and instances.	NIST SP 800-53 control: AC-3 and AC-6(2)
`ainotebooks.disableTerminal`	This constraint prevents the creation of Vertex AI Workbench instances with the terminal enabled. By default, the terminal can be enabled on Vertex AI Workbench instances. The value is `true` to disable the terminal on new Vertex AI Workbench instances.	NIST SP 800-53 control: AC-3, AC-6, and CM-2
`ainotebooks.requireAutoUpgradeSchedule`	This constraint requires that newly created Vertex AI Workbench user-managed notebooks and instances have an automatic upgrade schedule set. The value is `true` to require automatic scheduled upgrades on new Vertex AI Workbench user-managed notebooks and instances.	NIST SP 800-53 control: AU-9, CM-2, and CM-6
`ainotebooks.restrictPublicIp`	This constraint restricts public IP access to newly created Vertex AI Workbench notebooks and instances. By default, public IP addresses can access Vertex AI Workbench notebooks and instances. The value is `true` to restrict public IP access on new Vertex AI Workbench notebooks and instances.	NIST SP 800-53 control: AC-3, AC-4, and SC-7

Security Health Analytics detectors

The following table describes the custom modules for Security Health Analytics that are included in the predefined posture.

Detector name	Applicable resource	Description	Compliance standards
vertexAIDataSetCMEKDisabled	`aiplatform.googleapis.com/Dataset`	This detector checks whether any dataset isn't encrypted using a customer-managed encryption key (CMEK). To resolve this finding, verify that you created the key and key ring, set up permissions, and provided the key when you created your dataset. For instructions, see Configure CMEK for your resources	NIST SP 800-53 control: SC12 and SC13
vertexAIModelCMEKDisabled	`aiplatform.googleapis.com/Model`	This detector checks whether a model isn't encrypted using a CMEK. To resolve this finding, verify that you created the key and key ring, set up permissions, and provided the key when you created your model. For instructions, see Configure CMEK for your resources.	NIST SP 800-53 control: SC12 and SC13
vertexAIEndpointCMEKDisabled	`aiplatform.googleapis.com/Endpoint`	This detector checks whether an endpoint isn't encrypted using a CMEK. To resolve this finding, verify that you created the key and key ring, set up permissions, and provided the key when you created your endpoint. For instructions, see Configure CMEK for your resources.	NIST SP 800-53 control: SC12 and SC13
vertexAITrainingPipelineCMEKDisabled	`aiplatform.googleapis.com/TrainingPipeline`	This detector checks whether a training pipeline isn't encrypted using a CMEK. To resolve this finding, verify that you created the key and key ring, set up permissions, and provided the key when you created your training pipeline. For instructions, see Configure CMEK for your resources.	NIST SP 800-53 control: SC12 and SC13
vertexAIDataLabelingJobCMEKDisabled	`aiplatform.googleapis.com/DataLabelingJob`	This detector checks if a data label isn't encrypted using a CMEK. To resolve this finding, verify that you created the key and key ring, set up permissions, and provided the key when you created your data label. For instructions, see Configure CMEK for your resources.	NIST SP 800-53 control: SC12 and SC13
vertexAICustomJobCMEKDisabled	`aiplatform.googleapis.com/CustomJob`	This detector checks whether a job that runs a custom workload isn't encrypted using a CMEK. To resolve this finding, verify that you created the key and key ring, set up permissions, and provided the key when you created your custom job. For instructions, see Configure CMEK for your resources.	NIST SP 800-53 control: SC12 and SC13
vertexAIDataLabelingJobHyperparameterTuningJobCMEKDisabled	`aiplatform.googleapis.com/HyperparameterTuningJob`	This detector checks whether a hyperparameter tuning job isn't encrypted using a CMEK. To resolve this finding, verify that you created the key and key ring, set up permissions, and provided the key when you created your hyperparameter tuning job. For instructions, see Configure CMEK for your resources.	NIST SP 800-53 control: SC12 and SC13

YAML definition

The following is the YAML definition for the predefined posture for secure AI.

name: organizations/123/locations/global/postureTemplates/secure_ai_essential
description: Posture Template to make your AI workload secure.
revision_id: v.1.0
state: ACTIVE
policy_sets:
- policy_set_id: Secure AI preventative policy set
  description: 5 org policies that new customers can automatically enable.
  policies:
  - policy_id: Disable file downloads on new Vertex AI Workbench instances
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3(1)
    constraint:
      org_policy_constraint:
        canned_constraint_id: ainotebooks.disableFileDownloads
        policy_rules:
        - enforce: true
    description: This boolean constraint, when enforced, prevents the creation of Vertex AI Workbench instances with the file download option enabled. By default, the file download option can be enabled on any Vertex AI Workbench instance.
  - policy_id: Disable root access on new Vertex AI Workbench user-managed notebooks and instances
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6(2)
    constraint:
      org_policy_constraint:
        canned_constraint_id: ainotebooks.disableRootAccess
        policy_rules:
        - enforce: true
    description: This boolean constraint, when enforced, prevents newly created Vertex AI Workbench user-managed notebooks and instances from enabling root access. By default, Vertex AI Workbench user-managed notebooks and instances can have root access enabled.
  - policy_id: Disable terminal on new Vertex AI Workbench instances
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    - standard: NIST SP 800-53
      control: CM-2
    constraint:
      org_policy_constraint:
        canned_constraint_id: ainotebooks.disableTerminal
        policy_rules:
        - enforce: true
    description: This boolean constraint, when enforced, prevents the creation of Vertex AI Workbench instances with the terminal enabled. By default, the terminal can be enabled on Vertex AI Workbench instances.
  - policy_id: Require automatic scheduled upgrades on new Vertex AI Workbench user-managed notebooks and instances
    compliance_standards:
    - standard: NIST SP 800-53
      control: AU-9
    - standard: NIST SP 800-53
      control: CM-2
    - standard: NIST SP 800-53
      control: CM-6
    constraint:
      org_policy_constraint:
        canned_constraint_id: ainotebooks.requireAutoUpgradeSchedule
        policy_rules:
        - enforce: true
    description: This boolean constraint, when enforced, requires that newly created Vertex AI Workbench user-managed notebooks and instances have an automatic upgrade schedule set. The automatic upgrade schedule can be defined by using the `notebook-upgrade-schedule` metadata flag to specify a cron schedule for the automatic upgrades.
  - policy_id: Restrict public IP access on new Vertex AI Workbench notebooks and instances
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-4
    - standard: NIST SP 800-53
      control: SC-7
    constraint:
      org_policy_constraint:
        canned_constraint_id: ainotebooks.restrictPublicIp
        policy_rules:
        - enforce: true
    description: This boolean constraint, when enforced, restricts public IP access to newly created Vertex AI Workbench notebooks and instances. By default, public IPs can access Vertex AI Workbench notebooks and instances.
- policy_set_id: Secure AI detective policy set
  description: 5 SHA modules that new customers can automatically enable.
  policies:
  - policy_id: CMEK key is use for Vertex AI DataSet
    compliance_standards:
    - standard: NIST SP 800-53
      control: SC-12
    - standard: NIST SP 800-53
      control: SC-13
    constraint:
      security_health_analytics_custom_module:
        display_name: "vertexAIDataSetCMEKDisabled"
        config:
          customOutput: {}
          predicate:
            expression: "!has(resource.encryptionSpec)"
          resource_selector:
            resource_types:
            - aiplatform.googleapis.com/Dataset
          severity: CRITICAL
          description: "When enforced, this detector finds if any Data Set is not encrypted using CMEK. CMEKs, managed via Cloud KMS, offer advanced control over key operations."
          recommendation: "Restore SHA module- Reset the SHA module to its intended state. Consult documentation- Refer to the comprehensive guidance provided at
https://cloud.google.com/security-command-center/docs/custom-modules-sha-overview"
        module_enablement_state: ENABLED
  - policy_id: CMEK key is use for Vertex AI Model
    compliance_standards:
    - standard: NIST SP 800-53
      control: SC-12
    - standard: NIST SP 800-53
      control: SC-13
    constraint:
      security_health_analytics_custom_module:
        display_name: "vertexAIModelCMEKDisabled"
        config:
          customOutput: {}
          predicate:
            expression: "!has(resource.encryptionSpec)"
          resource_selector:
            resource_types:
            - aiplatform.googleapis.com/Model
          severity: CRITICAL
          description: "When enforced, this detector finds if any Data Set is not encrypted using CMEK. CMEKs, managed via Cloud KMS, offer advanced control over key operations."
          recommendation: "Restore SHA module- Reset the SHA module to its intended state. Consult documentation- Refer to the comprehensive guidance provided at
https://cloud.google.com/security-command-center/docs/custom-modules-sha-overview"
        module_enablement_state: ENABLED
  - policy_id: CMEK key is use for Vertex AI Endpoint
    compliance_standards:
    - standard: NIST SP 800-53
      control: SC-12
    - standard: NIST SP 800-53
      control: SC-13
    constraint:
      security_health_analytics_custom_module:
        display_name: "vertexAIEndpointCMEKDisabled"
        config:
          customOutput: {}
          predicate:
            expression: "!has(resource.encryptionSpec)"
          resource_selector:
            resource_types:
            - aiplatform.googleapis.com/Endpoint
          severity: CRITICAL
          description: "When enforced, this detector finds if any Data Set is not encrypted using CMEK. CMEKs, managed via Cloud KMS, offer advanced control over key operations."
          recommendation: "Restore SHA module- Reset the SHA module to its intended state. Consult documentation- Refer to the comprehensive guidance provided at
https://cloud.google.com/security-command-center/docs/custom-modules-sha-overview"
        module_enablement_state: ENABLED
  - policy_id: CMEK key is use for Vertex AI TrainingPipeline
    compliance_standards:
    - standard: NIST SP 800-53
      control: SC-12
    - standard: NIST SP 800-53
      control: SC-13
    constraint:
      security_health_analytics_custom_module:
        display_name: "vertexAITrainingPipelineCMEKDisabled"
        config:
          customOutput: {}
          predicate:
            expression: "!has(resource.encryptionSpec)"
          resource_selector:
            resource_types:
            - aiplatform.googleapis.com/TrainingPipeline
          severity: CRITICAL
          description: "When enforced, this detector finds if any Data Set is not encrypted using CMEK. CMEKs, managed via Cloud KMS, offer advanced control over key operations."
          recommendation: "Restore SHA module- Reset the SHA module to its intended state. Consult documentation- Refer to the comprehensive guidance provided at
https://cloud.google.com/security-command-center/docs/custom-modules-sha-overview"
        module_enablement_state: ENABLED
  - policy_id: CMEK key is use for Vertex AI DataLabelingJob
    compliance_standards:
    - standard: NIST SP 800-53
      control: SC-12
    - standard: NIST SP 800-53
      control: SC-13
    constraint:
      security_health_analytics_custom_module:
        display_name: "vertexAIDataLabelingJobCMEKDisabled"
        config:
          customOutput: {}
          predicate:
            expression: "!has(resource.encryptionSpec)"
          resource_selector:
            resource_types:
            - aiplatform.googleapis.com/DataLabelingJob
          severity: CRITICAL
          description: "When enforced, this detector finds if any Data Set is not encrypted using CMEK. CMEKs, managed via Cloud KMS, offer advanced control over key operations."
          recommendation: "Restore SHA module- Reset the SHA module to its intended state. Consult documentation- Refer to the comprehensive guidance provided at
https://cloud.google.com/security-command-center/docs/custom-modules-sha-overview"
        module_enablement_state: ENABLED
  - policy_id: CMEK key is use for Vertex AI CustomJob
    compliance_standards:
    - standard: NIST SP 800-53
      control: SC-12
    - standard: NIST SP 800-53
      control: SC-13
    constraint:
      security_health_analytics_custom_module:
        display_name: "vertexAICustomJobCMEKDisabled"
        config:
          customOutput: {}
          predicate:
            expression: "!has(resource.encryptionSpec)"
          resource_selector:
            resource_types:
            - aiplatform.googleapis.com/CustomJob
          severity: CRITICAL
          description: "When enforced, this detector finds if any Data Set is not encrypted using CMEK. CMEKs, managed via Cloud KMS, offer advanced control over key operations."
          recommendation: "Restore SHA module- Reset the SHA module to its intended state. Consult documentation- Refer to the comprehensive guidance provided at
https://cloud.google.com/security-command-center/docs/custom-modules-sha-overview"
        module_enablement_state: ENABLED
  - policy_id: CMEK key is use for Vertex AI HyperparameterTuningJob
    compliance_standards:
    - standard: NIST SP 800-53
      control: SC-12
    - standard: NIST SP 800-53
      control: SC-13
    constraint:
      security_health_analytics_custom_module:
        display_name: "vertexAIDataLabelingJobHyperparameterTuningJobCMEKDisabled"
        config:
          customOutput: {}
          predicate:
            expression: "!has(resource.encryptionSpec)"
          resource_selector:
            resource_types:
            - aiplatform.googleapis.com/HyperparameterTuningJob
          severity: CRITICAL
          description: "When enforced, this detector finds if any Data Set is not encrypted using CMEK. CMEKs, managed via Cloud KMS, offer advanced control over key operations."
          recommendation: "Restore SHA module- Reset the SHA module to its intended state. Consult documentation- Refer to the comprehensive guidance provided at
https://cloud.google.com/security-command-center/docs/custom-modules-sha-overview"
        module_enablement_state: ENABLED

What's next

Create a security posture using this predefined posture.