Predefined posture for VPC Service Controls (essentials)

This page describes version 1.0 of the predefined posture for VPC Service Controls, essentials, in Google Cloud. This posture contains two policy sets:

  • A policy set that contains organization policy constraints that apply to VPC Service Controls.

  • A policy set that contains Security Health Analytics detectors that apply to VPC Service Controls.

You can use this predefined posture to configure a posture that helps protect VPC Service Controls. You can deploy this predefined posture without making any changes.

Organization policy constraints

The following table describes the organization policy constraints that are defined in this posture.

Policy: compute.skipDefaultNetworkCreation
Description: This policy disables the automatic creation of the default VPC network and its default firewall rules in new projects, so that networks and firewall rules are created deliberately.
Value: true, to avoid creating the default VPC network.
Compliance standard: NIST SP 800-53 controls SC-7 and SC-8

Policy: ainotebooks.restrictPublicIp
Description: This constraint restricts public IP access to newly created Vertex AI Workbench notebooks and instances. By default, public IP addresses can access Vertex AI Workbench notebooks and instances.
Value: true, to restrict public IP access to new Vertex AI Workbench notebooks and instances.
Compliance standard: NIST SP 800-53 controls SC-7 and SC-8

Policy: compute.disableNestedVirtualization
Description: This policy disables nested virtualization for all Compute Engine VMs, to reduce the risk associated with unmonitored nested instances.
Value: true, to disable nested virtualization on VMs.
Compliance standard: NIST SP 800-53 controls SC-7 and SC-8

Security Health Analytics detectors

The following table describes the Security Health Analytics detectors that are included in this predefined posture. For more information about these detectors, see Vulnerability findings.

Detector name: FIREWALL_NOT_MONITORED
Description: This detector checks whether log metrics and alerts are not configured to monitor VPC firewall rule changes.

Detector name: NETWORK_NOT_MONITORED
Description: This detector checks whether log metrics and alerts are not configured to monitor VPC network changes.

Detector name: ROUTE_NOT_MONITORED
Description: This detector checks whether log metrics and alerts are not configured to monitor VPC network route changes.

Detector name: DNS_LOGGING_DISABLED
Description: This detector checks whether DNS logging is enabled for VPC networks.

Detector name: FLOW_LOGS_DISABLED
Description: This detector checks whether flow logs are enabled for VPC subnets.

YAML definition

The following is the YAML definition for the VPC Service Controls predefined posture.

name: organizations/123/locations/global/postureTemplates/vpcsc_essential
description: VPCSC Posture Template
revision_id: v.1.0
state: ACTIVE
policy_sets:
- policy_set_id: VPCSC preventative policy set
  description: 3 org policies that new customers can automatically enable.
  policies:
  - policy_id: Skip default network creation
    compliance_standards:
    - standard: NIST SP 800-53
      control: SC-7
    - standard: NIST SP 800-53
      control: SC-8
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.skipDefaultNetworkCreation
        policy_rules:
        - enforce: true
    description: This boolean constraint skips the creation of the default network and related resources during Google Cloud Platform Project resource creation where this constraint is set to True. By default, a default network and supporting resources are automatically created when creating a Project resource.
  - policy_id: Restrict public IP access on new Vertex AI Workbench notebooks and instances
    compliance_standards:
    - standard: NIST SP 800-53
      control: SC-7
    - standard: NIST SP 800-53
      control: SC-8
    constraint:
      org_policy_constraint:
        canned_constraint_id: ainotebooks.restrictPublicIp
        policy_rules:
        - enforce: true
    description: This boolean constraint, when enforced, restricts public IP access to newly created Vertex AI Workbench notebooks and instances. By default, public IPs can access Vertex AI Workbench notebooks and instances.
  - policy_id: Disable VM nested virtualization
    compliance_standards:
    - standard: NIST SP 800-53
      control: SC-7
    - standard: NIST SP 800-53
      control: SC-8
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.disableNestedVirtualization
        policy_rules:
        - enforce: true
    description: This boolean constraint disables hardware-accelerated nested virtualization for all Compute Engine VMs belonging to the organization, project, or folder where this constraint is set to True. By default, hardware-accelerated nested virtualization is allowed for all Compute Engine VMs running on Intel Haswell or newer CPU platforms.
- policy_set_id: VPCSC detective policy set
  description: 5 SHA modules that new customers can automatically enable.
  policies:
  - policy_id: Firewall not monitored
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: FIREWALL_NOT_MONITORED
  - policy_id: Network not monitored
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: NETWORK_NOT_MONITORED
  - policy_id: Route not monitored
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: ROUTE_NOT_MONITORED
  - policy_id: DNS logging disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: DNS_LOGGING_DISABLED
  - policy_id: Flow logs disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: FLOW_LOGS_DISABLED
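As an added example that is not part of this page or of Google Cloud's own tooling, the following Python script flattens the posture above into the constraints and detector modules it expects and reports drift against an inventory of observed state. The posture is re-expressed as Python dicts that mirror the YAML (descriptions and compliance standards omitted) so that no YAML library is needed, and the observed inventories passed to `find_drift` are hypothetical, constructed sample data rather than real API output.

```python
def org_policy(policy_id, constraint_id, enforce=True):
    """One org-policy entry, in the shape the posture template uses."""
    return {"policy_id": policy_id, "constraint": {"org_policy_constraint": {
        "canned_constraint_id": constraint_id, "policy_rules": [{"enforce": enforce}]}}}

def sha_module(policy_id, module_name, state="ENABLED"):
    """One Security Health Analytics module entry, in the same shape."""
    return {"policy_id": policy_id, "constraint": {"securityHealthAnalyticsModule": {
        "moduleEnablementState": state, "moduleName": module_name}}}

# Constructed Python rendering of the page's YAML; descriptions and
# compliance_standards are omitted because they do not affect enforcement.
POSTURE = {"policy_sets": [
    {"policy_set_id": "VPCSC preventative policy set", "policies": [
        org_policy("Skip default network creation", "compute.skipDefaultNetworkCreation"),
        org_policy("Restrict public IP access on new Vertex AI Workbench notebooks and instances",
                   "ainotebooks.restrictPublicIp"),
        org_policy("Disable VM nested virtualization", "compute.disableNestedVirtualization")]},
    {"policy_set_id": "VPCSC detective policy set", "policies": [
        sha_module("Firewall not monitored", "FIREWALL_NOT_MONITORED"),
        sha_module("Network not monitored", "NETWORK_NOT_MONITORED"),
        sha_module("Route not monitored", "ROUTE_NOT_MONITORED"),
        sha_module("DNS logging disabled", "DNS_LOGGING_DISABLED"),
        sha_module("Flow logs disabled", "FLOW_LOGS_DISABLED")]}]}

def expected_state(posture):
    """Flatten a posture into {constraint_id: enforce?} and {module_name: state}."""
    constraints, modules = {}, {}
    for pset in posture["policy_sets"]:
        for pol in pset["policies"]:
            c = pol["constraint"]
            if "org_policy_constraint" in c:
                opc = c["org_policy_constraint"]
                constraints[opc["canned_constraint_id"]] = any(r.get("enforce") for r in opc["policy_rules"])
            elif "securityHealthAnalyticsModule" in c:
                m = c["securityHealthAnalyticsModule"]
                modules[m["moduleName"]] = m["moduleEnablementState"]
    return constraints, modules

def find_drift(posture, observed_constraints, observed_modules):
    """Return (kind, name, expected, observed) for each posture item the observed state fails.
    Both observed dicts are hypothetical inventories; a missing key means unset/disabled."""
    constraints, modules = expected_state(posture)
    drift = [("org_policy", cid, want, observed_constraints.get(cid, False))
             for cid, want in constraints.items() if observed_constraints.get(cid, False) != want]
    drift += [("sha_module", name, want, observed_modules.get(name, "DISABLED"))
              for name, want in modules.items() if observed_modules.get(name, "DISABLED") != want]
    return drift
```

Feed `find_drift` the constraint enforcement and module enablement you actually observe in an organization; an empty result means every policy in the posture is satisfied.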

What's next