This page describes version 1.0 of the Cloud Storage essentials predefined posture in Google Cloud. This posture contains two policy sets:
- A set of policies containing those that are applied to Cloud Storage
- A set of policies containing those that apply to Cloud Storage
You can use this predefined posture to configure a posture that helps protect Cloud Storage. You can deploy this predefined posture without making any changes.
Organization policy constraints
The following table describes the organization policy constraints in this posture.
| Policy | Description | Compliance standards |
|---|---|---|
| storage.publicAccessPrevention | This policy prevents Cloud Storage buckets from being opened to unauthenticated public access. The value is shown in the YAML definition below. | NIST SP 800-53 controls: AC-3, AC-17, and AC-20 |
| storage.uniformBucketLevelAccess | This policy prevents Cloud Storage buckets from using object ACLs (a system separate from IAM policies) to grant access, which keeps access management and auditing consistent. The value is shown in the YAML definition below. | NIST SP 800-53 controls: AC-3, AC-17, and AC-20 |
Security Health Analytics detectors
The following table describes the Security Health Analytics detectors in this predefined posture. For more information about these detectors, see Vulnerability findings.
| Detector name | Description |
|---|---|
| BUCKET_LOGGING_DISABLED | This detector checks whether there are buckets without logging enabled. |
| LOCKED_RETENTION_POLICY_NOT_SET | This detector checks whether a locked retention policy is set for logs. |
| OBJECT_VERSIONING_DISABLED | This detector checks whether object versioning is enabled on buckets that have sinks. |
| BUCKET_CMEK_DISABLED | This detector checks whether buckets are encrypted with customer-managed encryption keys (CMEK). |
| BUCKET_POLICY_ONLY_DISABLED | This detector checks whether uniform bucket-level access is configured. |
| PUBLIC_BUCKET_ACL | This detector checks whether a bucket is publicly accessible. |
| PUBLIC_LOG_BUCKET | This detector checks whether a bucket with a log sink is publicly accessible. |
| ORG_POLICY_LOCATION_RESTRICTION | This detector checks whether Compute Engine resources are out of compliance with |
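To make the two tables above concrete, the following added example (not Google's code, and not how Security Health Analytics itself is implemented, whose evaluation logic is not public) re-creates the conditions behind the two organization policy constraints and the bucket-level detectors as a local check over a bucket resource. The field names (`iamConfiguration`, `logging`, `versioning`, `encryption`, `retentionPolicy`, `acl`) follow the Cloud Storage JSON API bucket resource; the IAM bindings and the "is this bucket a log sink destination" flag are assumed to be supplied by the caller, since the API serves them from separate calls. The sample buckets are constructed, and ORG_POLICY_LOCATION_RESTRICTION is left out because the page scopes it to Compute Engine resources.

```python
"""Local approximation of the checks in the Cloud Storage essentials posture.

Added example, not Google's code and not SHA's own logic. It evaluates a dict
shaped like the Cloud Storage JSON API bucket resource against the two org
policy constraints and the SHA modules named on this page. IAM bindings and the
log-sink flag are assumed inputs that a caller would fetch separately.
"""
from typing import Iterable, List

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def _is_public(bucket: dict, iam_bindings: Iterable[dict]) -> bool:
    """True if a legacy ACL entry or an IAM binding names a public principal."""
    acl_entities = {entry.get("entity") for entry in bucket.get("acl", [])}
    iam_members = {m for b in iam_bindings for m in b.get("members", [])}
    return bool((acl_entities | iam_members) & PUBLIC_PRINCIPALS)


def evaluate_bucket(bucket: dict, iam_bindings: Iterable[dict] = (),
                    is_log_sink_destination: bool = False) -> List[str]:
    """Return, sorted, the posture items a bucket would fail.

    SHA module names are the ones listed in the posture; the two preventive
    items are reported under their canned constraint ids. The location
    restriction detector concerns Compute Engine and is not modelled.
    """
    iam_cfg = bucket.get("iamConfiguration", {})
    findings = []

    # Preventive policies: the effective bucket settings the constraints drive.
    if iam_cfg.get("publicAccessPrevention") != "enforced":
        findings.append("storage.publicAccessPrevention")
    ubla = iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled", False)
    if not ubla:
        findings.append("storage.uniformBucketLevelAccess")
        findings.append("BUCKET_POLICY_ONLY_DISABLED")  # the detective twin

    # Detective checks that apply to every bucket.
    if not bucket.get("logging", {}).get("logBucket"):
        findings.append("BUCKET_LOGGING_DISABLED")
    if not bucket.get("encryption", {}).get("defaultKmsKeyName"):
        findings.append("BUCKET_CMEK_DISABLED")
    public = _is_public(bucket, iam_bindings)
    if public:
        findings.append("PUBLIC_BUCKET_ACL")

    # Detective checks the page scopes to buckets used as log sink destinations.
    if is_log_sink_destination:
        if not bucket.get("retentionPolicy", {}).get("isLocked", False):
            findings.append("LOCKED_RETENTION_POLICY_NOT_SET")
        if not bucket.get("versioning", {}).get("enabled", False):
            findings.append("OBJECT_VERSIONING_DISABLED")
        if public:
            findings.append("PUBLIC_LOG_BUCKET")
    return sorted(findings)


# Constructed sample buckets (not real resources).
WEAK_LOG_BUCKET = {
    "name": "example-audit-logs",
    "iamConfiguration": {"publicAccessPrevention": "inherited",
                         "uniformBucketLevelAccess": {"enabled": False}},
    "acl": [{"entity": "allUsers", "role": "READER"}],
}

HARDENED_LOG_BUCKET = {
    "name": "example-audit-logs",
    "iamConfiguration": {"publicAccessPrevention": "enforced",
                         "uniformBucketLevelAccess": {"enabled": True}},
    "logging": {"logBucket": "example-access-logs"},
    "versioning": {"enabled": True},
    "retentionPolicy": {"retentionPeriod": "31536000", "isLocked": True},
    "encryption": {"defaultKmsKeyName":
                   "projects/example/locations/us/keyRings/kr/cryptoKeys/k"},
}

if __name__ == "__main__":
    for label, b in (("weak", WEAK_LOG_BUCKET), ("hardened", HARDENED_LOG_BUCKET)):
        print(label, evaluate_bucket(b, is_log_sink_destination=True))
```

The weak bucket trips every item on both tables except the Compute Engine one, while the hardened bucket returns an empty list. Passing an IAM binding for `allUsers` against the hardened bucket shows why the public-access checks look at IAM as well as legacy ACLs: with uniform bucket-level access on, ACLs are gone, but a binding alone still makes the bucket public.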
YAML definition
The following is the YAML definition for the Cloud Storage predefined posture.
```yaml
name: organizations/123/locations/global/postureTemplates/cloud_storage_essential
description: Posture Template to make your Cloud storage workload secure.
revision_id: v.1.0
state: ACTIVE
policy_sets:
- policy_set_id: Cloud storage preventative policy set
  description: 2 org policies that new customers can automatically enable.
  policies:
  - policy_id: Enforce Public Access Prevention
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-17
    - standard: NIST SP 800-53
      control: AC-20
    constraint:
      org_policy_constraint:
        canned_constraint_id: storage.publicAccessPrevention
        policy_rules:
        - enforce: true
    description: This governance policy prevents access to existing and future resources via the public internet by disabling and blocking Access Control Lists (ACLs) and IAM permissions that grant access to allUsers and allAuthenticatedUsers.
  - policy_id: Enforce uniform bucket-level access
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-17
    - standard: NIST SP 800-53
      control: AC-20
    constraint:
      org_policy_constraint:
        canned_constraint_id: storage.uniformBucketLevelAccess
        policy_rules:
        - enforce: true
    description: This boolean constraint requires buckets to use uniform bucket-level access where this constraint is set to TRUE.
- policy_set_id: Cloud storage detective policy set
  description: 8 SHA modules that new customers can automatically enable.
  policies:
  - policy_id: Bucket logging disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: BUCKET_LOGGING_DISABLED
  - policy_id: Locked retention policy not set
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: LOCKED_RETENTION_POLICY_NOT_SET
  - policy_id: Object versioning disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OBJECT_VERSIONING_DISABLED
  - policy_id: Bucket CMEK disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: BUCKET_CMEK_DISABLED
  - policy_id: Bucket policy only disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: BUCKET_POLICY_ONLY_DISABLED
  - policy_id: Public bucket ACL
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: PUBLIC_BUCKET_ACL
  - policy_id: Public log bucket
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: PUBLIC_LOG_BUCKET
  - policy_id: Org policy location restriction
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: ORG_POLICY_LOCATION_RESTRICTION
```