Políticas e tipos de recursos compatíveis com a validação de IaC

Este documento descreve os tipos de recursos e as políticas com suporte no recurso de validação de infraestrutura como código (IaC) no Security Command Center.

Tipos de recursos compatíveis

Confira a lista de tipos de recursos compatíveis com o Google Cloud:

  • artifactregistry.googleapis.com/Repository
  • bigquery.googleapis.com/Dataset
  • bigquery.googleapis.com/Table
  • cloudfunctions.googleapis.com/CloudFunction
  • cloudkms.googleapis.com/ImportJob
  • cloudkms.googleapis.com/KeyRing
  • cloudresourcemanager.googleapis.com/Folder
  • cloudresourcemanager.googleapis.com/Project
  • composer.googleapis.com/Environment
  • compute.googleapis.com/Autoscaler
  • compute.googleapis.com/BackendService
  • compute.googleapis.com/Disk
  • compute.googleapis.com/Firewall
  • compute.googleapis.com/ForwardingRule
  • compute.googleapis.com/GlobalForwardingRule
  • compute.googleapis.com/HealthCheck
  • compute.googleapis.com/Instance
  • compute.googleapis.com/InstanceGroup
  • compute.googleapis.com/Network
  • compute.googleapis.com/NodeGroup
  • compute.googleapis.com/NodeTemplate
  • compute.googleapis.com/ResourcePolicy
  • compute.googleapis.com/Route
  • compute.googleapis.com/Router
  • compute.googleapis.com/Snapshot
  • compute.googleapis.com/SslCertificate
  • compute.googleapis.com/SslPolicy
  • compute.googleapis.com/Subnetwork
  • compute.googleapis.com/TargetHttpProxy
  • compute.googleapis.com/TargetHttpsProxy
  • compute.googleapis.com/TargetPool
  • compute.googleapis.com/TargetSslProxy
  • compute.googleapis.com/UrlMap
  • compute.googleapis.com/VpnTunnel
  • container.googleapis.com/Cluster
  • container.googleapis.com/NodePool
  • dataflow.googleapis.com/Job
  • datastream.googleapis.com/ConnectionProfile
  • datastream.googleapis.com/PrivateConnection
  • datastream.googleapis.com/Stream
  • dns.googleapis.com/ManagedZone
  • dns.googleapis.com/Policy
  • file.googleapis.com/Instance
  • gkehub.googleapis.com/Membership
  • pubsub.googleapis.com/Subscription
  • pubsub.googleapis.com/Topic
  • run.googleapis.com/DomainMapping
  • run.googleapis.com/Job
  • run.googleapis.com/Service
  • serviceusage.googleapis.com/Service
  • spanner.googleapis.com/Database
  • spanner.googleapis.com/Instance
  • sqladmin.googleapis.com/Instance
  • storage.googleapis.com/Bucket
  • vpcaccess.googleapis.com/Connector

Não há suporte para validações no campo disks[].initializeParams.sourceImage de compute.googleapis.com/Instance.

Políticas compatíveis

Esta seção descreve as políticas com suporte à validação de IaC.

Políticas da organização

Confira a seguir a lista de políticas da organização com suporte:

  • Allowed VPC egress settings (constraints/run.allowedVPCEgress)
  • Disable Guest Attributes of Compute Engine metadata (constraints/compute.disableGuestAttributesAccess)
  • Disable VM serial port access (constraints/compute.disableSerialPortAccess)
  • Disable VM serial port logging to Stackdriver (constraints/compute.disableSerialPortLogging)
  • Disable VPC External IPv6 usage (constraints/compute.disableVpcExternalIpv6)
  • Require OS Login (constraints/compute.requireOsLogin)
  • Restrict Authorized Networks on Cloud SQL instances (constraints/sql.restrictAuthorizedNetworks)
  • Require VPC Connector (Cloud Functions) (constraints/cloudfunctions.requireVPCConnector)
  • Disable VPC Internal IPv6 usage (constraints/compute.disableVpcInternalIpv6)
  • Allowed ingress settings (Cloud Run) (constraints/run.allowedIngress)
  • Enforce uniform bucket-level access (constraints/storage.uniformBucketLevelAccess)
  • Skip creation of default Compute Network (constraints/compute.skipDefaultNetworkCreation)

Restrição personalizada da política da organização

Todas as restrições personalizadas de políticas da organização são compatíveis. No entanto, não é possível validar políticas da organização que incluem tags.

Módulos personalizados da Análise de integridade da segurança

Todos os módulos personalizados do Security Health Analytics são compatíveis.

Detectores integrados da Análise de integridade da segurança

Confira a lista de detectores integrados compatíveis:

  • ALPHA_CLUSTER_ENABLED
  • AUTO_BACKUP_DISABLED
  • AUTO_REPAIR_DISABLED
  • AUTO_UPGRADE_DISABLED
  • BIGQUERY_TABLE_CMEK_DISABLED
  • BUCKET_CMEK_DISABLED
  • BUCKET_LOGGING_DISABLED
  • BUCKET_POLICY_ONLY_DISABLED
  • CLUSTER_LOGGING_DISABLED
  • CLUSTER_MONITORING_DISABLED
  • CLUSTER_SECRETS_ENCRYPTION_DISABLED
  • CLUSTER_SHIELDED_NODES_DISABLED
  • COMPUTE_SECURE_BOOT_DISABLED
  • COMPUTE_SERIAL_PORTS_ENABLED
  • CONFIDENTIAL_COMPUTING_DISABLED
  • COS_NOT_USED
  • DATAPROC_CMEK_DISABLED
  • DATAPROC_IMAGE_OUTDATED
  • DEFAULT_SERVICE_ACCOUNT_USED
  • DISK_CMEK_DISABLED
  • DISK_CSEK_DISABLED
  • FIREWALL_RULE_LOGGING_DISABLED
  • FLOW_LOGS_DISABLED
  • FULL_API_ACCESS
  • VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED
  • INTEGRITY_MONITORING_DISABLED
  • INTRANODE_VISIBILITY_DISABLED
  • IP_ALIAS_DISABLED
  • IP_FORWARDING_ENABLED
  • KMS_KEY_NOT_ROTATED
  • KMS_PUBLIC_KEY
  • LEGACY_AUTHORIZATION_ENABLED
  • LEGACY_METADATA_ENABLED
  • LOAD_BALANCER_LOGGING_DISABLED
  • MASTER_AUTHORIZED_NETWORKS_DISABLED
  • NETWORK_POLICY_DISABLED
  • NODEPOOL_BOOT_CMEK_DISABLED
  • NODEPOOL_SECURE_BOOT_DISABLED
  • OPEN_CASSANDRA_PORT
  • OPEN_CISCOSECURE_WEBSM_PORT
  • OPEN_DIRECTORY_SERVICES_PORT
  • OPEN_DNS_PORT
  • OPEN_ELASTICSEARCH_PORT
  • OPEN_FIREWALL
  • OPEN_FTP_PORT
  • OPEN_HTTP_PORT
  • OPEN_LDAP_PORT
  • OPEN_MEMCACHED_PORT
  • OPEN_MONGODB_PORT
  • OPEN_MYSQL_PORT
  • OPEN_NETBIOS_PORT
  • OPEN_ORACLEDB_PORT
  • OPEN_POP3_PORT
  • OPEN_POSTGRESQL_PORT
  • OPEN_RDP_PORT
  • OPEN_REDIS_PORT
  • OPEN_SMTP_PORT
  • OPEN_SSH_PORT
  • OPEN_TELNET_PORT
  • OVER_PRIVILEGED_ACCOUNT
  • OVER_PRIVILEGED_SCOPES
  • OVER_PRIVILEGED_SERVICE_ACCOUNT_USER
  • PRIMITIVE_ROLES_USED
  • PRIVATE_CLUSTER_DISABLED
  • PRIVATE_GOOGLE_ACCESS_DISABLED
  • PUBLIC_BUCKET_ACL
  • PUBLIC_COMPUTE_IMAGE
  • PUBLIC_DATASET
  • PUBLIC_IP_ADDRESS
  • PUBLIC_SQL_INSTANCE
  • PUBSUB_CMEK_DISABLED
  • REDIS_ROLE_USED_ON_ORG
  • RELEASE_CHANNEL_DISABLED
  • RSASHA1_FOR_SIGNING
  • SERVICE_ACCOUNT_KEY_NOT_ROTATED
  • SHIELDED_VM_DISABLED
  • SSL_NOT_ENFORCED
  • SQL_CMEK_DISABLED
  • SQL_CONTAINED_DATABASE_AUTHENTICATION
  • SQL_CROSS_DB_OWNERSHIP_CHAINING
  • SQL_EXTERNAL_SCRIPTS_ENABLED
  • SQL_LOCAL_INFILE
  • SQL_LOG_CHECKPOINTS_DISABLED
  • SQL_LOG_CONNECTIONS_DISABLED
  • SQL_LOG_DISCONNECTIONS_DISABLED
  • SQL_LOG_DURATION_DISABLED
  • SQL_LOG_ERROR_VERBOSITY
  • SQL_LOG_EXECUTOR_STATS_ENABLED
  • SQL_LOG_HOSTNAME_ENABLED
  • SQL_LOG_LOCK_WAITS_DISABLED
  • SQL_LOG_MIN_DURATION_STATEMENT_ENABLED
  • SQL_LOG_MIN_ERROR_STATEMENT
  • SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY
  • SQL_LOG_MIN_MESSAGES
  • SQL_LOG_PARSER_STATS_ENABLED
  • SQL_LOG_PLANNER_STATS_ENABLED
  • SQL_LOG_STATEMENT
  • SQL_LOG_STATEMENT_STATS_ENABLED
  • SQL_LOG_TEMP_FILES
  • SQL_PUBLIC_IP
  • SQL_REMOTE_ACCESS_ENABLED
  • SQL_SKIP_SHOW_DATABASE_DISABLED
  • SQL_TRACE_FLAG_3625
  • SQL_USER_CONNECTIONS_CONFIGURED
  • SQL_USER_OPTIONS_CONFIGURED
  • USER_MANAGED_SERVICE_ACCOUNT_KEY
  • WEB_UI_ENABLED
  • WORKLOAD_IDENTITY_DISABLED

A seguir