Predefined posture for secure by default, extended

This page describes the preventative policies that are included in the v1.0 version of the predefined posture for secure by default, extended. This predefined posture helps prevent common misconfigurations and common security issues caused by default settings.

You can use this predefined posture to configure a security posture that helps protect Google Cloud resources. If you want to deploy this predefined posture, you must customize some of the policies so that they apply to your environment.

Policy	Description	Compliance standards
`iam.disableServiceAccountKeyCreation`	This constraint prevents users from creating persistent keys for service accounts to decrease the risk of exposed service account credentials. The value is `true` to disable service account key creation.	NIST SP 800-53 control: AC-2
`iam.automaticIamGrantsForDefaultServiceAccounts`	This constraint prevents default service accounts from receiving the overly-permissive Identity and Access Management (IAM) role Editor at creation. The value is `false` to disable automatic IAM grants for default service accounts.	NIST SP 800-53 control: AC-3
`iam.disableServiceAccountKeyUpload`	This constraint avoids the risk of leaked and reused custom key material in service account keys. The value is `true` to disable service account key uploads.	NIST SP 800-53 control: AC-6
`storage.publicAccessPrevention`	This policy prevents Cloud Storage buckets from being open to unauthenticated public access. The value is `true` to prevent public access to buckets.	NIST SP 800-53 control: AC-3 and AC-6
`iam.allowedPolicyMemberDomains`	This policy limits IAM policies to only allow managed user identities in selected domains to access resources inside this organization. The value is `directoryCustomerId` to restrict sharing between domains.	NIST SP 800-53 control: AC-3, AC-6, and IA-2
`essentialcontacts.allowedContactDomains`	This policy limits Essential Contacts to only allow managed user identities in selected domains to receive platform notifications. The value is `@google.com`. You must change the value to match your domain.	NIST SP 800-53 control: AC-3, AC-6, and IA-2
`storage.uniformBucketLevelAccess`	This policy prevents Cloud Storage buckets from using per-object ACL (a separate system from IAM policies) to provide access, enforcing consistency for access management and auditing. The value is `true` to enforce uniform bucket-level access.	NIST SP 800-53 control: AC-3 and AC-6
`compute.requireOsLogin`	This policy requires OS Login on newly created VMs to more easily manage SSH keys, provide resource-level permission with IAM policies, and log user access. The value is `true` to require OS Login.	NIST SP 800-53 control: AC-3 and AU-12
`compute.disableSerialPortAccess`	This policy prevents users from accessing the VM serial port which can be used for backdoor access from the Compute Engine API control plane. The value is `true` to disable VM serial port access.	NIST SP 800-53 control: AC-3 and AC-6
`compute.restrictXpnProjectLienRemoval`	This policy prevents the accidental deletion of Shared VPC host projects by restricting the removal of project liens. The value is `true` to restrict Shared VPC project lien removal.	NIST SP 800-53 control: AC-3 and AC-6
`compute.vmExternalIpAccess`	This policy prevents the creation of Compute Engine instances with a public IP address, which can expose them to incoming internet traffic and outgoing internet traffic. The value is `denyAll` to turn off all access from public IP addresses.	NIST SP 800-53 control: AC-3 and AC-6
`compute.skipDefaultNetworkCreation`	This policy disables the automatic creation of a default VPC network and default firewall rules in each new project, ensuring that network and firewall rules are intentionally created. The value is `true` to avoid creating the default VPC network.	NIST SP 800-53 control: AC-3 and AC-6
`compute.setNewProjectDefaultToZonalDNSOnly`	This policy restricts application developers from choosing legacy DNS settings for Compute Engine instances that have lower service reliability than modern DNS settings. The value is `Zonal DNS only` for new projects.	NIST SP 800-53 control: AC-3 and AC-6
`sql.restrictPublicIp`	This policy prevents the creation of Cloud SQL instances with public IP addresses, which can expose them to incoming internet traffic and outgoing internet traffic. The value is `true` to restrict access to Cloud SQL instances by public IP addresses.	NIST SP 800-53 control: AC-3 and AC-6
`sql.restrictAuthorizedNetworks`	This policy prevents public or non-RFC 1918 network ranges from accessing Cloud SQL databases. The value is `true` to restrict authorized networks on Cloud SQL instances.	NIST SP 800-53 control: AC-3 and AC-6
`compute.restrictProtocolForwardingCreationForTypes`	This policy allows VM protocol forwarding for internal IP addresses only. The value is `INTERNAL` to restrict protocol forwarding based on the type of IP address.	NIST SP 800-53 control: AC-3 and AC-6
`compute.disableVpcExternalIpv6`	This policy prevents the creation of external IPv6 subnets, which can be exposed to incoming and outgoing internet traffic. The value is `true` to disable external IPv6 subnets.	NIST SP 800-53 control: AC-3 and AC-6
`compute.disableNestedVirtualization`	This policy disables nested virtualization to decrease security risk due to unmonitored nested instances. The value is `true` to turn off VM nested virtualization.	NIST SP 800-53 control: AC-3 and AC-6

YAML definition

The following is the YAML definition for the predefined posture for default settings.

name: organizations/123/locations/global/postureTemplates/secure_by_default
description: Posture Template to make your cloud environment more secure.
revision_id: v.1.0
state: ACTIVE
policy_sets:
- policy_set_id: Secure-By-Default policy_set
  description: 18 org policies that new customers can automatically enable.
  policies:
  - policy_id: Disable service account key creation
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-2
    constraint:
      org_policy_constraint:
        canned_constraint_id: iam.disableServiceAccountKeyCreation
        policy_rules:
        - enforce: true
    description: Prevent users from creating persistent keys for service accounts to decrease the risk of exposed service account credentials.
  - policy_id: Disable Automatic IAM Grants for Default Service Accounts
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    constraint:
      org_policy_constraint:
        canned_constraint_id: iam.automaticIamGrantsForDefaultServiceAccounts
        policy_rules:
        - enforce: true
    description: Prevent default service accounts from receiving the overly-permissive IAM role Editor at creation.
  - policy_id: Disable Service Account Key Upload
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-6
    constraint:
      org_policy_constraint:
        canned_constraint_id: iam.disableServiceAccountKeyUpload
        policy_rules:
        - enforce: true
    description: Avoid the risk of leaked and reused custom key material in service account keys.
  - policy_id: Enforce Public Access Prevention
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    constraint:
      org_policy_constraint:
        canned_constraint_id: storage.publicAccessPrevention
        policy_rules:
        - enforce: true
    description: Enforce that Storage Buckets cannot be configured as open to unauthenticated public access.
  - policy_id: Domain restricted sharing
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    - standard: NIST SP 800-53
      control: IA-2
    constraint:
      org_policy_constraint:
        canned_constraint_id: iam.allowedPolicyMemberDomains
        policy_rules:
        - values:
            allowed_values:
            - directoryCustomerId
    description: Limit IAM policies to only allow managed user identities in my selected domain(s) to access resources inside this organization.
  - policy_id: Domain restricted contacts
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    - standard: NIST SP 800-53
      control: IA-2
    constraint:
      org_policy_constraint:
        canned_constraint_id: essentialcontacts.allowedContactDomains
        policy_rules:
        - values:
            allowed_values:
            - "@google.com"
    description: Limit Essential Contacts to only allow managed user identities in my selected domain(s) to receive platform notifications.
  - policy_id: Enforce uniform bucket-level access
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    constraint:
      org_policy_constraint:
        canned_constraint_id: storage.uniformBucketLevelAccess
        policy_rules:
        - enforce: true
    description: Prevent GCS buckets from using per-object ACL (a separate system from IAM policies) to provide access, enforcing a consistency for access management and auditing.
  - policy_id: Require OS Login
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AU-12
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.requireOsLogin
        policy_rules:
        - enforce: true
    description: Require OS Login on newly created VMs to more easily manage SSH keys, provide resource-level permission with IAM policies, and log user access.
  - policy_id: Disable VM serial port access
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.disableSerialPortAccess
        policy_rules:
        - enforce: true
    description: Prevent users from accessing the VM serial port which can be used for backdoor access from the Compute Engine API control plane
  - policy_id: Restrict shared VPC project lien removal
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.restrictXpnProjectLienRemoval
        policy_rules:
        - enforce: true
    description: Prevent the accidental deletion of Shared VPC host projects by restricting the removal of project liens.
  - policy_id: Define allowed external IPs for VM instances
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.vmExternalIpAccess
        policy_rules:
        - deny_all: true
    description: Prevent the creation of Compute instances with a public IP, which can expose them to internet ingress and egress.
  - policy_id: Skip default network creation
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.skipDefaultNetworkCreation
        policy_rules:
        - enforce: true
    description: Disable the automatic creation of a default VPC network and default firewall rules in each new project, ensuring that my network and firewall rules are intentionally created.
  - policy_id: Sets the internal DNS setting for new projects to Zonal DNS Only
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.setNewProjectDefaultToZonalDNSOnly
        policy_rules:
        - enforce: true
    description: Set guardrails that application developers cannot choose legacy DNS settings for compute instances that have lower service reliability than modern DNS settings.
  - policy_id: Restrict Public IP access on Cloud SQL instances
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    constraint:
      org_policy_constraint:
        canned_constraint_id: sql.restrictPublicIp
        policy_rules:
        - enforce: true
    description: Prevent the creation of Cloud SQL instances with a public IP, which can expose them to internet ingress and egress.
  - policy_id: Restrict Authorized Networks on Cloud SQL instances
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    constraint:
      org_policy_constraint:
        canned_constraint_id: sql.restrictAuthorizedNetworks
        policy_rules:
        - enforce: true
    description: Prevent public or non-RFC 1918 network ranges from accessing my Cloud SQL databases.
  - policy_id: Restrict Protocol Forwarding Based on type of IP Address
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.restrictProtocolForwardingCreationForTypes
        policy_rules:
        - values:
            allowed_values:
            - INTERNAL
    description: Allow VM protocol forwarding for internal IP addresses only.
  - policy_id: Disable VPC External IPv6 usage
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.disableVpcExternalIpv6
        policy_rules:
        - enforce: true
    description: Prevent the creation of external IPv6 subnets, which can be exposed to internet ingress and egress.
  - policy_id: Disable VM nested virtualization
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.disableNestedVirtualization
        policy_rules:
        - enforce: true
    description: Disable nested virtualization to decrease my security risk due to unmonitored nested instances.

What's next

Create a security posture using this predefined posture.