Predefined posture for VPC Service Controls (extended)

This page describes the extended preventative and detective policies in v1.0 of the predefined posture for VPC Service Controls. This posture includes two policy sets:

  • A policy set that contains organization policies that apply to VPC Service Controls.

  • A policy set that contains custom Security Health Analytics detectors that apply to VPC Service Controls.

You can use this predefined posture to configure a security posture that helps protect VPC Service Controls. If you want to deploy this predefined posture, you must customize some of the policies so that they apply to your environment.

Organization policy constraints

The following table describes the organization policies that are included in this posture.

Policy: compute.skipDefaultNetworkCreation
Description: This policy disables the automatic creation of a default VPC network and default firewall rules in each new project, ensuring that network and firewall rules are created intentionally.
  The value is true to avoid the creation of a default VPC network.
Compliance standards: NIST SP 800-53 controls: SC-7 and SC-8

Policy: ainotebooks.restrictPublicIp
Description: This constraint restricts public IP access to newly created Vertex AI Workbench notebooks and instances. By default, public IP addresses can access Vertex AI Workbench notebooks and instances.
  The value is true to restrict public IP access on new Vertex AI Workbench notebooks and instances.
Compliance standards: NIST SP 800-53 controls: SC-7 and SC-8

Policy: compute.disableNestedVirtualization
Description: This policy disables nested virtualization for all Compute Engine VMs to reduce the security risk associated with unmonitored nested instances.
  The value is true to disable nested virtualization on VMs.
Compliance standards: NIST SP 800-53 controls: SC-7 and SC-8

Policy: compute.vmExternalIpAccess
Description: This constraint defines the Compute Engine VM instances that can use external IP addresses. By default, all VM instances can use external IP addresses. The constraint uses the format projects/PROJECT_ID/zones/ZONE/instances/INSTANCE.
  You must configure this value when you adopt this predefined posture.
Compliance standards: NIST SP 800-53 controls: SC-7 and SC-8

Policy: ainotebooks.restrictVpcNetworks
Description: This list defines the VPC networks that a user can select when creating new Vertex AI Workbench instances where this constraint is enforced.
  You must configure this value when you adopt this predefined posture.
Compliance standards: NIST SP 800-53 controls: SC-7 and SC-8

Policy: compute.vmCanIpForward
Description: This list constraint defines the set of VM instances that can enable IP forwarding. By default, any VM can enable IP forwarding in any VPC network.
  You must configure this value when you adopt this predefined posture.
Compliance standards: NIST SP 800-53 controls: SC-7 and SC-8

Security Health Analytics detectors

The following table describes the Security Health Analytics detectors that are included in the predefined posture. For more information about these detectors, see Vulnerability findings.

  • FIREWALL_NOT_MONITORED: This detector checks whether log metrics and alerts are not configured to monitor VPC firewall rule changes.

  • NETWORK_NOT_MONITORED: This detector checks whether log metrics and alerts are not configured to monitor VPC network changes.

  • ROUTE_NOT_MONITORED: This detector checks whether log metrics and alerts are not configured to monitor VPC network route changes.

  • DNS_LOGGING_DISABLED: This detector checks whether DNS logging is enabled on a VPC network.

  • FLOW_LOGS_DISABLED: This detector checks whether flow logs are enabled on a VPC subnet.

  • VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED: This detector checks whether the enableFlowLogs property of a VPC subnet is missing or set to false.

YAML definition

The following is the YAML definition for the VPC Service Controls predefined posture.

name: organizations/123/locations/global/postureTemplates/vpcsc_extended
description: VPCSC Posture Template
revision_id: v.1.0
state: ACTIVE
policy_sets:
- policy_set_id: VPCSC preventative policy set
  description: 6 org policies that new customers can automatically enable.
  policies:
  - policy_id: Skip default network creation
    compliance_standards:
    - standard: NIST SP 800-53
      control: SC-7
    - standard: NIST SP 800-53
      control: SC-8
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.skipDefaultNetworkCreation
        policy_rules:
        - enforce: true
    description: This boolean constraint skips the creation of the default network and related resources during Google Cloud Platform Project resource creation where this constraint is set to True. By default, a default network and supporting resources are automatically created when creating a Project resource.
  - policy_id: Restrict public IP access on new Vertex AI Workbench notebooks and instances
    compliance_standards:
    - standard: NIST SP 800-53
      control: SC-7
    - standard: NIST SP 800-53
      control: SC-8
    constraint:
      org_policy_constraint:
        canned_constraint_id: ainotebooks.restrictPublicIp
        policy_rules:
        - enforce: true
    description: This boolean constraint, when enforced, restricts public IP access to newly created Vertex AI Workbench notebooks and instances. By default, public IPs can access Vertex AI Workbench notebooks and instances.
  - policy_id: Disable VM nested virtualization
    compliance_standards:
    - standard: NIST SP 800-53
      control: SC-7
    - standard: NIST SP 800-53
      control: SC-8
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.disableNestedVirtualization
        policy_rules:
        - enforce: true
    description: This boolean constraint disables hardware-accelerated nested virtualization for all Compute Engine VMs belonging to the organization, project, or folder where this constraint is set to True. By default, hardware-accelerated nested virtualization is allowed for all Compute Engine VMs running on Intel Haswell or newer CPU platforms.
  - policy_id: Define allowed external IPs for VM instances
    compliance_standards:
    - standard: NIST SP 800-53
      control: SC-7
    - standard: NIST SP 800-53
      control: SC-8
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.vmExternalIpAccess
        policy_rules:
        - values:
            allowed_values:
            - is:projects/PROJECT_ID/zones/ZONE/instances/INSTANCE
    description: This list constraint defines the set of Compute Engine VM instances that are allowed to use external IP addresses. By default, all VM instances are allowed to use external IP addresses. The allowed/denied list of VM instances must be identified by the VM instance name, in the form of projects/PROJECT_ID/zones/ZONE/instances/INSTANCE
  - policy_id: Restrict VPC networks on new Vertex AI Workbench instances
    compliance_standards:
    - standard: NIST SP 800-53
      control: SC-7
    - standard: NIST SP 800-53
      control: SC-8
    constraint:
      org_policy_constraint:
        canned_constraint_id: ainotebooks.restrictVpcNetworks
        policy_rules:
        - values:
            allowed_values:
            - is:organizations/ORGANIZATION_ID
            - is:folders/FOLDER_ID
            - is:projects/PROJECT_ID
            - is:projects/PROJECT_ID/global/networks/NETWORK_NAME
    description: This list constraint defines the VPC networks a user can select when creating new Vertex AI Workbench instances where this constraint is enforced. By default, a Vertex AI Workbench instance can be created with any VPC networks. The allowed or denied list of networks must be identified in the form of under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, under:projects/PROJECT_ID, or projects/PROJECT_ID/global/networks/NETWORK_NAME.
  - policy_id: Restrict VM IP Forwarding
    compliance_standards:
    - standard: NIST SP 800-53
      control: SC-7
    - standard: NIST SP 800-53
      control: SC-8
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.vmCanIpForward
        policy_rules:
        - values:
            allowed_values:
            - is:organizations/ORGANIZATION_ID
            - is:folders/FOLDER_ID
            - is:projects/PROJECT_ID
            - is:projects/PROJECT_ID/zones/ZONE/instances/INSTANCE-NAME
    description: This list constraint defines the set of VM instances that can enable IP forwarding. By default, any VM can enable IP forwarding in any virtual network. VM instances must be specified in the form of under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, under:projects/PROJECT_ID, or projects/PROJECT_ID/zones/ZONE/instances/INSTANCE-NAME. This constraint is not retroactive.
- policy_set_id: VPCSC detective policy set
  description: 6 SHA modules that new customers can automatically enable.
  policies:
  - policy_id: Firewall not monitored
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: FIREWALL_NOT_MONITORED
  - policy_id: Network not monitored
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: NETWORK_NOT_MONITORED
  - policy_id: Route not monitored
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: ROUTE_NOT_MONITORED
  - policy_id: DNS logging disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: DNS_LOGGING_DISABLED
  - policy_id: Flow logs disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: FLOW_LOGS_DISABLED
  - policy_id: Flow logs settings not recommended
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED

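The template above ships the three list constraints (compute.vmExternalIpAccess, ainotebooks.restrictVpcNetworks, compute.vmCanIpForward) with placeholder values that must be replaced before deployment. The following Python is an added check, not part of the posture template or of Google's tooling: it walks the org-policy list values and reports any that still hold a placeholder such as PROJECT_ID, or that do not match the resource-name forms given in the policy descriptions. The POSTURE dict is constructed from the page's YAML (trimmed to the fields the check reads), and its trailing-dot value is a constructed malformed sample.

```python
import re
from typing import Dict, List

# Constructed from the page's YAML template: only the fields this check reads.
# The second vmCanIpForward value is a deliberately malformed sample (trailing dot).
POSTURE = {"policy_sets": [{
    "policy_set_id": "VPCSC preventative policy set",
    "policies": [
        {"policy_id": "Skip default network creation",
         "constraint": {"org_policy_constraint": {
             "canned_constraint_id": "compute.skipDefaultNetworkCreation",
             "policy_rules": [{"enforce": True}]}}},
        {"policy_id": "Define allowed external IPs for VM instances",
         "constraint": {"org_policy_constraint": {
             "canned_constraint_id": "compute.vmExternalIpAccess",
             "policy_rules": [{"values": {"allowed_values": [
                 "is:projects/PROJECT_ID/zones/ZONE/instances/INSTANCE"]}}]}}},
        {"policy_id": "Restrict VM IP Forwarding",
         "constraint": {"org_policy_constraint": {
             "canned_constraint_id": "compute.vmCanIpForward",
             "policy_rules": [{"values": {"allowed_values": [
                 "under:projects/prod-net-1",
                 "is:projects/prod-net-1/zones/us-central1-a/instances/bastion."]}}]}}},
    ]}]}

# Resource-name shapes taken from the policy descriptions on this page. Assumes
# real IDs are lowercase, so an all-caps segment such as PROJECT_ID is a placeholder.
_NAME = r"[a-z0-9][a-z0-9-]*"
_VALUE = re.compile(
    r"^(?:is:|under:)?(?:"
    rf"organizations/\d+|folders/\d+|projects/{_NAME}"
    rf"|projects/{_NAME}/global/networks/{_NAME}"
    rf"|projects/{_NAME}/zones/{_NAME}/instances/{_NAME})$")
_PLACEHOLDER = re.compile(r"[A-Z][A-Z_-]+")


def check_list_values(posture: Dict) -> List[str]:
    """Return one finding per allowed_value that is still a placeholder or malformed."""
    findings = []
    for pset in posture.get("policy_sets", []):
        for policy in pset.get("policies", []):
            opc = policy.get("constraint", {}).get("org_policy_constraint")
            if not opc:
                continue  # SHA detector modules carry no list values to check
            cid = opc["canned_constraint_id"]
            for rule in opc.get("policy_rules", []):
                for value in rule.get("values", {}).get("allowed_values", []):
                    if _PLACEHOLDER.search(value):
                        findings.append(f"{cid}: placeholder not replaced: {value}")
                    elif not _VALUE.match(value):
                        findings.append(f"{cid}: malformed value: {value}")
    return findings
```

Boolean constraints (enforce: true) and the Security Health Analytics modules have no list values and are skipped; run the check against your customized template before applying it so that a forgotten placeholder does not silently allow nothing or the wrong resource.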
What's next