This document describes the asset types and policies that are supported in the infrastructure as code (IaC) validation feature in Security Command Center.
Supported asset types
The following is the list of supported Google Cloud asset types:
bigquery.googleapis.com/Datasetbigquery.googleapis.com/Tablecloudkms.googleapis.com/KeyRingcloudresourcemanager.googleapis.com/Foldercloudresourcemanager.googleapis.com/Projectcompute.googleapis.com/BackendServicecompute.googleapis.com/Diskcompute.googleapis.com/Firewallcompute.googleapis.com/ForwardingRulecompute.googleapis.com/GlobalForwardingRulecompute.googleapis.com/Instancecompute.googleapis.com/Networkcompute.googleapis.com/Snapshotcompute.googleapis.com/SslPolicycompute.googleapis.com/Subnetworkcompute.googleapis.com/TargetHttpsProxycompute.googleapis.com/TargetSslProxycontainer.googleapis.com/Clustercontainer.googleapis.com/NodePooldns.googleapis.com/ManagedZonedns.googleapis.com/Policyfile.googleapis.com/Instancepubsub.googleapis.com/Subscriptionpubsub.googleapis.com/Topicrun.googleapis.com/DomainMappingrun.googleapis.com/Serviceserviceusage.googleapis.com/Servicespanner.googleapis.com/Databasespanner.googleapis.com/Instancesqladmin.googleapis.com/Instancestorage.googleapis.com/Bucketvpcaccess.googleapis.com/Connector
Validations on the disks[].initializeParams.sourceImage field of
compute.googleapis.com/Instance are not supported.
Supported policies
This section describes the policies that are supported by IaC validation.
Organization policies
The following is the list of supported organization policies:
Disable Guest Attributes of Compute Engine metadata(constraints/compute.disableGuestAttributesAccess)Disable VM serial port logging to Stackdriver(constraints/compute.disableSerialPortLogging)Disable VPC External IPv6 usage(constraints/compute.disableVpcExternalIpv6)Require OS Login(constraints/compute.requireOsLogin)Shielded VMs(constraints/compute.requireShieldedVm)Restrict VM IP Forwarding(c constraints/compute.vmCanIpForward)Restrict Authorized Networks on Cloud SQL instances(constraints/sql.restrictAuthorizedNetworks)
Organization policy custom constraint
All organization policy custom constraints are supported. However, you can't validate organization policies that include tags.
Security Health Analytics custom modules
All Security Health Analytics custom modules are supported.
Security Health Analytics built-in detectors
The following is the list of supported built-in detectors:
AUTO_BACKUP_DISABLEDAUTO_REPAIR_DISABLEDAUTO_UPGRADE_DISABLEDBIGQUERY_TABLE_CMEK_DISABLEDBUCKET_CMEK_DISABLEDBUCKET_LOGGING_DISABLEDBUCKET_POLICY_ONLY_DISABLEDCLUSTER_LOGGING_DISABLEDCLUSTER_MONITORING_DISABLEDCLUSTER_SECRETS_ENCRYPTION_DISABLEDCLUSTER_SHIELDED_NODES_DISABLEDCOS_NOT_USEDFIREWALL_RULE_LOGGING_DISABLEDFLOW_LOGS_DISABLEDVPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDEDINTEGRITY_MONITORING_DISABLEDINTRANODE_VISIBILITY_DISABLEDKMS_KEY_NOT_ROTATEDKMS_PUBLIC_KEYLEGACY_AUTHORIZATION_ENABLEDLEGACY_METADATA_ENABLEDMASTER_AUTHORIZED_NETWORKS_DISABLEDNETWORK_POLICY_DISABLEDNODEPOOL_BOOT_CMEK_DISABLEDNODEPOOL_SECURE_BOOT_DISABLEDOVER_PRIVILEGED_ACCOUNTOVER_PRIVILEGED_SCOPESPRIVATE_GOOGLE_ACCESS_DISABLEDPUBLIC_BUCKET_ACLPUBLIC_DATASETPUBLIC_SQL_INSTANCERELEASE_CHANNEL_DISABLEDRSASHA1_FOR_SIGNINGSQL_CMEK_DISABLEDSQL_CONTAINED_DATABASE_AUTHENTICATIONSQL_CROSS_DB_OWNERSHIP_CHAININGSQL_EXTERNAL_SCRIPTS_ENABLEDSQL_LOCAL_INFILESQL_LOG_CHECKPOINTS_DISABLEDSQL_LOG_CONNECTIONS_DISABLEDSQL_LOG_DISCONNECTIONS_DISABLEDSQL_LOG_DURATION_DISABLEDSQL_LOG_ERROR_VERBOSITYSQL_LOG_EXECUTOR_STATS_ENABLEDSQL_LOG_HOSTNAME_ENABLEDSQL_LOG_LOCK_WAITS_DISABLEDSQL_LOG_MIN_DURATION_STATEMENT_ENABLEDSQL_LOG_MIN_ERROR_STATEMENTSQL_LOG_MIN_ERROR_STATEMENT_SEVERITYSQL_LOG_MIN_MESSAGESSQL_LOG_PARSER_STATS_ENABLEDSQL_LOG_PLANNER_STATS_ENABLEDSQL_LOG_STATEMENTSQL_LOG_STATEMENT_STATS_ENABLEDSQL_LOG_TEMP_FILESSQL_PUBLIC_IPSQL_REMOTE_ACCESS_ENABLEDSQL_SKIP_SHOW_DATABASE_DISABLEDSQL_TRACE_FLAG_3625SQL_USER_CONNECTIONS_CONFIGUREDSQL_USER_OPTIONS_CONFIGUREDWEB_UI_ENABLEDWORKLOAD_IDENTITY_DISABLED