In diesem Dokument werden die Asset-Typen und Richtlinien beschrieben, die in der IaC-Validierungsfunktion (Infrastructure as Code) im Security Command Center unterstützt werden.
Unterstützte Asset-Typen
Die folgende Liste enthält die unterstützten Google Cloud-Assettypen:
artifactregistry.googleapis.com/Repositorybigquery.googleapis.com/Datasetbigquery.googleapis.com/Tablecloudfunctions.googleapis.com/CloudFunctioncloudkms.googleapis.com/ImportJobcloudkms.googleapis.com/KeyRingcloudresourcemanager.googleapis.com/Foldercloudresourcemanager.googleapis.com/Projectcomposer.googleapis.com/Environmentcompute.googleapis.com/Autoscalercompute.googleapis.com/BackendServicecompute.googleapis.com/Diskcompute.googleapis.com/Firewallcompute.googleapis.com/ForwardingRulecompute.googleapis.com/GlobalForwardingRulecompute.googleapis.com/HealthCheckcompute.googleapis.com/Instancecompute.googleapis.com/InstanceGroupcompute.googleapis.com/Networkcompute.googleapis.com/NodeGroupcompute.googleapis.com/NodeTemplatecompute.googleapis.com/ResourcePolicycompute.googleapis.com/Routecompute.googleapis.com/Routercompute.googleapis.com/Snapshotcompute.googleapis.com/SslCertificatecompute.googleapis.com/SslPolicycompute.googleapis.com/Subnetworkcompute.googleapis.com/TargetHttpProxycompute.googleapis.com/TargetHttpsProxycompute.googleapis.com/TargetPoolcompute.googleapis.com/TargetSslProxycompute.googleapis.com/UrlMapcompute.googleapis.com/VpnTunnelcontainer.googleapis.com/Clustercontainer.googleapis.com/NodePooldataflow.googleapis.com/Jobdatastream.googleapis.com/ConnectionProfiledatastream.googleapis.com/PrivateConnectiondatastream.googleapis.com/Streamdns.googleapis.com/ManagedZonedns.googleapis.com/Policyfile.googleapis.com/Instancegkehub.googleapis.com/Membershippubsub.googleapis.com/Subscriptionpubsub.googleapis.com/Topicrun.googleapis.com/DomainMappingrun.googleapis.com/Jobrun.googleapis.com/Serviceserviceusage.googleapis.com/Servicespanner.googleapis.com/Databasespanner.googleapis.com/Instancesqladmin.googleapis.com/Instancestorage.googleapis.com/Bucketvpcaccess.googleapis.com/Connector
Validierungen für das Feld disks[].initializeParams.sourceImage von compute.googleapis.com/Instance werden nicht unterstützt.
Unterstützte Richtlinien
In diesem Abschnitt werden die Richtlinien beschrieben, die von der IaC-Validierung unterstützt werden.
Organisationsrichtlinien
Die folgende Liste enthält die unterstützten Organisationsrichtlinien:
Allowed VPC egress settings(constraints/run.allowedVPCEgress)Disable Guest Attributes of Compute Engine metadata(constraints/compute.disableGuestAttributesAccess)Disable VM serial port access(constraints/compute.disableSerialPortAccess)Disable VM serial port logging to Stackdriver(constraints/compute.disableSerialPortLogging)Disable VPC External IPv6 usage(constraints/compute.disableVpcExternalIpv6)Require OS Login(constraints/compute.requireOsLogin)Restrict Authorized Networks on Cloud SQL instances(constraints/sql.restrictAuthorizedNetworks)Require VPC Connector (Cloud Functions)(constraints/cloudfunctions.requireVPCConnector)Disable VPC Internal IPv6 usage(constraints/compute.disableVpcInternalIpv6)Allowed ingress settings (Cloud Run)(constraints/run.allowedIngress)Enforce uniform bucket-level access(constraints/storage.uniformBucketLevelAccess)Skip creation of default Compute Network(constraints/compute.skipDefaultNetworkCreation)
Benutzerdefinierte Einschränkung der Organisationsrichtlinie
Alle benutzerdefinierten Einschränkungen von Organisationsrichtlinien werden unterstützt. Sie können jedoch keine Organisationsrichtlinien validieren, die Tags enthalten.
Benutzerdefinierte Module für Security Health Analytics
Alle benutzerdefinierten Security Health Analytics-Module werden unterstützt.
Integrierte Security Health Analytics-Detektoren
Im Folgenden finden Sie eine Liste der unterstützten integrierten Erkennungsmechanismen:
ALPHA_CLUSTER_ENABLEDAUTO_BACKUP_DISABLEDAUTO_REPAIR_DISABLEDAUTO_UPGRADE_DISABLEDBIGQUERY_TABLE_CMEK_DISABLEDBUCKET_CMEK_DISABLEDBUCKET_LOGGING_DISABLEDBUCKET_POLICY_ONLY_DISABLEDCLUSTER_LOGGING_DISABLEDCLUSTER_MONITORING_DISABLEDCLUSTER_SECRETS_ENCRYPTION_DISABLEDCLUSTER_SHIELDED_NODES_DISABLEDCOMPUTE_SECURE_BOOT_DISABLEDCOMPUTE_SERIAL_PORTS_ENABLEDCONFIDENTIAL_COMPUTING_DISABLEDCOS_NOT_USEDDATAPROC_CMEK_DISABLEDDATAPROC_IMAGE_OUTDATEDDEFAULT_SERVICE_ACCOUNT_USEDDISK_CMEK_DISABLEDDISK_CSEK_DISABLEDFIREWALL_RULE_LOGGING_DISABLEDFLOW_LOGS_DISABLEDFULL_API_ACCESSVPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDEDINTEGRITY_MONITORING_DISABLEDINTRANODE_VISIBILITY_DISABLEDIP_ALIAS_DISABLEDIP_FORWARDING_ENABLEDKMS_KEY_NOT_ROTATEDKMS_PUBLIC_KEYLEGACY_AUTHORIZATION_ENABLEDLEGACY_METADATA_ENABLEDLOAD_BALANCER_LOGGING_DISABLEDMASTER_AUTHORIZED_NETWORKS_DISABLEDNETWORK_POLICY_DISABLEDNODEPOOL_BOOT_CMEK_DISABLEDNODEPOOL_SECURE_BOOT_DISABLEDOPEN_CASSANDRA_PORTOPEN_CISCOSECURE_WEBSM_PORTOPEN_DIRECTORY_SERVICES_PORTOPEN_DNS_PORTOPEN_ELASTICSEARCH_PORTOPEN_FIREWALLOPEN_FTP_PORTOPEN_HTTP_PORTOPEN_LDAP_PORTOPEN_MEMCACHED_PORTOPEN_MONGODB_PORTOPEN_MYSQL_PORTOPEN_NETBIOS_PORTOPEN_ORACLEDB_PORTOPEN_POP3_PORTOPEN_POSTGRESQL_PORTOPEN_RDP_PORTOPEN_REDIS_PORTOPEN_SMTP_PORTOPEN_SSH_PORTOPEN_TELNET_PORTOVER_PRIVILEGED_ACCOUNTOVER_PRIVILEGED_SCOPESOVER_PRIVILEGED_SERVICE_ACCOUNT_USERPRIMITIVE_ROLES_USEDPRIVATE_CLUSTER_DISABLEDPRIVATE_GOOGLE_ACCESS_DISABLEDPUBLIC_BUCKET_ACLPUBLIC_COMPUTE_IMAGEPUBLIC_DATASETPUBLIC_IP_ADDRESSPUBLIC_SQL_INSTANCEPUBSUB_CMEK_DISABLEDREDIS_ROLE_USED_ON_ORGRELEASE_CHANNEL_DISABLEDRSASHA1_FOR_SIGNINGSERVICE_ACCOUNT_KEY_NOT_ROTATEDSHIELDED_VM_DISABLEDSSL_NOT_ENFORCEDSQL_CMEK_DISABLEDSQL_CONTAINED_DATABASE_AUTHENTICATIONSQL_CROSS_DB_OWNERSHIP_CHAININGSQL_EXTERNAL_SCRIPTS_ENABLEDSQL_LOCAL_INFILESQL_LOG_CHECKPOINTS_DISABLEDSQL_LOG_CONNECTIONS_DISABLEDSQL_LOG_DISCONNECTIONS_DISABLEDSQL_LOG_DURATION_DISABLEDSQL_LOG_ERROR_VERBOSITYSQL_LOG_EXECUTOR_STATS_ENABLEDSQL_LOG_HOSTNAME_ENABLEDSQL_LOG_LOCK_WAITS_DISABLEDSQL_LOG_MIN_DURATION_STATEMENT_ENABLEDSQL_LOG_MIN_ERROR_STATEMENTSQL_LOG_MIN_ERROR_STATEMENT_SEVERITYSQL_LOG_MIN_MESSAGESSQL_LOG_PARSER_STATS_ENABLEDSQL_LOG_PLANNER_STATS_ENABLEDSQL_LOG_STATEMENTSQL_LOG_STATEMENT_STATS_ENABLEDSQL_LOG_TEMP_FILESSQL_PUBLIC_IPSQL_REMOTE_ACCESS_ENABLEDSQL_SKIP_SHOW_DATABASE_DISABLEDSQL_TRACE_FLAG_3625SQL_USER_CONNECTIONS_CONFIGUREDSQL_USER_OPTIONS_CONFIGUREDUSER_MANAGED_SERVICE_ACCOUNT_KEYWEB_UI_ENABLEDWORKLOAD_IDENTITY_DISABLED