Se usó la API de Cloud Translation para traducir esta página.

Tipos de elementos y políticas admitidos para la validación de la IaC

En este documento, se describen las políticas y los tipos de activos admitidos en el de validación de infraestructura como código (IaC) en Security Command Center.

Tipos de elementos admitidos

A continuación, se muestra una lista de los tipos de recursos de Google Cloud admitidos:

bigquery.googleapis.com/Dataset
bigquery.googleapis.com/Table
cloudkms.googleapis.com/KeyRing
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project
compute.googleapis.com/BackendService
compute.googleapis.com/Disk
compute.googleapis.com/Firewall
compute.googleapis.com/ForwardingRule
compute.googleapis.com/GlobalForwardingRule
compute.googleapis.com/Instance
compute.googleapis.com/Network
compute.googleapis.com/Snapshot
compute.googleapis.com/SslPolicy
compute.googleapis.com/Subnetwork
compute.googleapis.com/TargetHttpsProxy
compute.googleapis.com/TargetSslProxy
container.googleapis.com/Cluster
container.googleapis.com/NodePool
dns.googleapis.com/ManagedZone
dns.googleapis.com/Policy
file.googleapis.com/Instance
pubsub.googleapis.com/Subscription
pubsub.googleapis.com/Topic
run.googleapis.com/DomainMapping
run.googleapis.com/Service
serviceusage.googleapis.com/Service
spanner.googleapis.com/Database
spanner.googleapis.com/Instance
sqladmin.googleapis.com/Instance
storage.googleapis.com/Bucket
vpcaccess.googleapis.com/Connector

Validaciones en el campo disks[].initializeParams.sourceImage de No se admiten compute.googleapis.com/Instance.

Políticas admitidas

En esta sección, se describen las políticas compatibles con la validación de la IaC.

Políticas de la organización

La siguiente es la lista de políticas de la organización admitidas:

Allowed VPC egress settings (constraints/run.allowedVPCEgress)
Disable Guest Attributes of Compute Engine metadata (constraints/compute.disableGuestAttributesAccess)
Disable VM serial port access (constraints/compute.disableSerialPortAccess)
Disable VM serial port logging to Stackdriver (constraints/compute.disableSerialPortLogging)
Disable VPC External IPv6 usage (constraints/compute.disableVpcExternalIpv6)
Require OS Login (constraints/compute.requireOsLogin)
Restrict Authorized Networks on Cloud SQL instances (constraints/sql.restrictAuthorizedNetworks)
Require VPC Connector (Cloud Functions) (constraints/cloudfunctions.requireVPCConnector)
Disable VPC External IPv6 usage (constraints/compute.disableVpcExternalIpv6)
Allowed ingress settings (Cloud Run) (constraints/run.allowedIngress)
Enforce uniform bucket-level access (constraints/storage.uniformBucketLevelAccess)

Restricción personalizada de la política de la organización

Se admiten todas las restricciones personalizadas de las políticas de la organización. Sin embargo, no puedes y validar políticas de la organización que incluyan etiquetas.

Módulos personalizados de Security Health Analytics

Se admiten todos los módulos personalizados de Security Health Analytics.

Detectores integrados de Security Health Analytics

La siguiente es la lista de detectores integrados compatibles:

AUTO_BACKUP_DISABLED
AUTO_REPAIR_DISABLED
AUTO_UPGRADE_DISABLED
BIGQUERY_TABLE_CMEK_DISABLED
BUCKET_CMEK_DISABLED
BUCKET_LOGGING_DISABLED
BUCKET_POLICY_ONLY_DISABLED
CLUSTER_LOGGING_DISABLED
CLUSTER_MONITORING_DISABLED
CLUSTER_SECRETS_ENCRYPTION_DISABLED
CLUSTER_SHIELDED_NODES_DISABLED
COS_NOT_USED
FIREWALL_RULE_LOGGING_DISABLED
FLOW_LOGS_DISABLED
VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED
INTEGRITY_MONITORING_DISABLED
INTRANODE_VISIBILITY_DISABLED
KMS_KEY_NOT_ROTATED
KMS_PUBLIC_KEY
LEGACY_AUTHORIZATION_ENABLED
LEGACY_METADATA_ENABLED
MASTER_AUTHORIZED_NETWORKS_DISABLED
NETWORK_POLICY_DISABLED
NODEPOOL_BOOT_CMEK_DISABLED
NODEPOOL_SECURE_BOOT_DISABLED
OPEN_CASSANDRA_PORT
OPEN_CISCOSECURE_WEBSM_PORT
OPEN_DIRECTORY_SERVICES_PORT
OPEN_DNS_PORT
OPEN_ELASTICSEARCH_PORT
OPEN_FIREWALL
OPEN_FTP_PORT
OPEN_HTTP_PORT
OPEN_LDAP_PORT
OPEN_MEMCACHED_PORT
OPEN_MONGODB_PORT
OPEN_MYSQL_PORT
OPEN_NETBIOS_PORT
OPEN_ORACLEDB_PORT
OPEN_POP3_PORT
OPEN_POSTGRESQL_PORT
OPEN_RDP_PORT
OPEN_REDIS_PORT
OPEN_SMTP_PORT
OPEN_SSH_PORT
OPEN_TELNET_PORT
OVER_PRIVILEGED_ACCOUNT
OVER_PRIVILEGED_SCOPES
PRIVATE_GOOGLE_ACCESS_DISABLED
PUBLIC_BUCKET_ACL
PUBLIC_DATASET
PUBLIC_SQL_INSTANCE
RELEASE_CHANNEL_DISABLED
RSASHA1_FOR_SIGNING
SQL_CMEK_DISABLED
SQL_CONTAINED_DATABASE_AUTHENTICATION
SQL_CROSS_DB_OWNERSHIP_CHAINING
SQL_EXTERNAL_SCRIPTS_ENABLED
SQL_LOCAL_INFILE
SQL_LOG_CHECKPOINTS_DISABLED
SQL_LOG_CONNECTIONS_DISABLED
SQL_LOG_DISCONNECTIONS_DISABLED
SQL_LOG_DURATION_DISABLED
SQL_LOG_ERROR_VERBOSITY
SQL_LOG_EXECUTOR_STATS_ENABLED
SQL_LOG_HOSTNAME_ENABLED
SQL_LOG_LOCK_WAITS_DISABLED
SQL_LOG_MIN_DURATION_STATEMENT_ENABLED
SQL_LOG_MIN_ERROR_STATEMENT
SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY
SQL_LOG_MIN_MESSAGES
SQL_LOG_PARSER_STATS_ENABLED
SQL_LOG_PLANNER_STATS_ENABLED
SQL_LOG_STATEMENT
SQL_LOG_STATEMENT_STATS_ENABLED
SQL_LOG_TEMP_FILES
SQL_PUBLIC_IP
SQL_REMOTE_ACCESS_ENABLED
SQL_SKIP_SHOW_DATABASE_DISABLED
SQL_TRACE_FLAG_3625
SQL_USER_CONNECTIONS_CONFIGURED
SQL_USER_OPTIONS_CONFIGURED
WEB_UI_ENABLED
WORKLOAD_IDENTITY_DISABLED

¿Qué sigue?

Valida la IaC en función de tu postura de seguridad.