En este documento, se describen los tipos de recursos y las políticas que se admiten en la función de validación de infraestructura como código (IaC) en Security Command Center.
Tipos de elementos admitidos
La siguiente es la lista de los tipos de recursos de Google Cloud admitidos:
artifactregistry.googleapis.com/Repository
bigquery.googleapis.com/Dataset
bigquery.googleapis.com/Table
cloudfunctions.googleapis.com/CloudFunction
cloudkms.googleapis.com/ImportJob
cloudkms.googleapis.com/KeyRing
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project
composer.googleapis.com/Environment
compute.googleapis.com/Autoscaler
compute.googleapis.com/BackendService
compute.googleapis.com/Disk
compute.googleapis.com/Firewall
compute.googleapis.com/ForwardingRule
compute.googleapis.com/GlobalForwardingRule
compute.googleapis.com/HealthCheck
compute.googleapis.com/Instance
compute.googleapis.com/InstanceGroup
compute.googleapis.com/Network
compute.googleapis.com/NodeGroup
compute.googleapis.com/NodeTemplate
compute.googleapis.com/ResourcePolicy
compute.googleapis.com/Route
compute.googleapis.com/Router
compute.googleapis.com/Snapshot
compute.googleapis.com/SslCertificate
compute.googleapis.com/SslPolicy
compute.googleapis.com/Subnetwork
compute.googleapis.com/TargetHttpProxy
compute.googleapis.com/TargetHttpsProxy
compute.googleapis.com/TargetPool
compute.googleapis.com/TargetSslProxy
compute.googleapis.com/UrlMap
compute.googleapis.com/VpnTunnel
container.googleapis.com/Cluster
container.googleapis.com/NodePool
dataflow.googleapis.com/Job
datastream.googleapis.com/ConnectionProfile
datastream.googleapis.com/PrivateConnection
datastream.googleapis.com/Stream
dns.googleapis.com/ManagedZone
dns.googleapis.com/Policy
file.googleapis.com/Instance
gkehub.googleapis.com/Membership
pubsub.googleapis.com/Subscription
pubsub.googleapis.com/Topic
run.googleapis.com/DomainMapping
run.googleapis.com/Job
run.googleapis.com/Service
serviceusage.googleapis.com/Service
spanner.googleapis.com/Database
spanner.googleapis.com/Instance
sqladmin.googleapis.com/Instance
storage.googleapis.com/Bucket
vpcaccess.googleapis.com/Connector
No se admiten validaciones en el campo disks[].initializeParams.sourceImage
de compute.googleapis.com/Instance
.
Políticas admitidas
En esta sección, se describen las políticas que admite la validación de IaC.
Políticas de la organización
La siguiente es la lista de las políticas de la organización admitidas:
Allowed VPC egress settings
(constraints/run.allowedVPCEgress
)Disable Guest Attributes of Compute Engine metadata
(constraints/compute.disableGuestAttributesAccess
)Disable VM serial port access
(constraints/compute.disableSerialPortAccess
)Disable VM serial port logging to Stackdriver
(constraints/compute.disableSerialPortLogging
)Disable VPC External IPv6 usage
(constraints/compute.disableVpcExternalIpv6
)Require OS Login
(constraints/compute.requireOsLogin
)Restrict Authorized Networks on Cloud SQL instances
(constraints/sql.restrictAuthorizedNetworks
)Require VPC Connector (Cloud Functions)
(constraints/cloudfunctions.requireVPCConnector
)Disable VPC Internal IPv6 usage
(constraints/compute.disableVpcInternalIpv6
)Allowed ingress settings (Cloud Run)
(constraints/run.allowedIngress
)Enforce uniform bucket-level access
(constraints/storage.uniformBucketLevelAccess
)Skip creation of default Compute Network
(constraints/compute.skipDefaultNetworkCreation
)
Restricción personalizada de la política de la organización
Se admiten todas las restricciones personalizadas de la política de la organización. Sin embargo, no puedes validar las políticas de la organización que incluyen etiquetas.
Módulos personalizados de Security Health Analytics
Se admiten todos los módulos personalizados de Security Health Analytics.
Detectores integrados de Security Health Analytics
La siguiente es la lista de los detectores integrados compatibles:
ALPHA_CLUSTER_ENABLED
AUTO_BACKUP_DISABLED
AUTO_REPAIR_DISABLED
AUTO_UPGRADE_DISABLED
BIGQUERY_TABLE_CMEK_DISABLED
BUCKET_CMEK_DISABLED
BUCKET_LOGGING_DISABLED
BUCKET_POLICY_ONLY_DISABLED
CLUSTER_LOGGING_DISABLED
CLUSTER_MONITORING_DISABLED
CLUSTER_SECRETS_ENCRYPTION_DISABLED
CLUSTER_SHIELDED_NODES_DISABLED
COMPUTE_SECURE_BOOT_DISABLED
COMPUTE_SERIAL_PORTS_ENABLED
CONFIDENTIAL_COMPUTING_DISABLED
COS_NOT_USED
DATAPROC_CMEK_DISABLED
DATAPROC_IMAGE_OUTDATED
DEFAULT_SERVICE_ACCOUNT_USED
DISK_CMEK_DISABLED
DISK_CSEK_DISABLED
FIREWALL_RULE_LOGGING_DISABLED
FLOW_LOGS_DISABLED
FULL_API_ACCESS
VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED
INTEGRITY_MONITORING_DISABLED
INTRANODE_VISIBILITY_DISABLED
IP_ALIAS_DISABLED
IP_FORWARDING_ENABLED
KMS_KEY_NOT_ROTATED
KMS_PUBLIC_KEY
LEGACY_AUTHORIZATION_ENABLED
LEGACY_METADATA_ENABLED
LOAD_BALANCER_LOGGING_DISABLED
MASTER_AUTHORIZED_NETWORKS_DISABLED
NETWORK_POLICY_DISABLED
NODEPOOL_BOOT_CMEK_DISABLED
NODEPOOL_SECURE_BOOT_DISABLED
OPEN_CASSANDRA_PORT
OPEN_CISCOSECURE_WEBSM_PORT
OPEN_DIRECTORY_SERVICES_PORT
OPEN_DNS_PORT
OPEN_ELASTICSEARCH_PORT
OPEN_FIREWALL
OPEN_FTP_PORT
OPEN_HTTP_PORT
OPEN_LDAP_PORT
OPEN_MEMCACHED_PORT
OPEN_MONGODB_PORT
OPEN_MYSQL_PORT
OPEN_NETBIOS_PORT
OPEN_ORACLEDB_PORT
OPEN_POP3_PORT
OPEN_POSTGRESQL_PORT
OPEN_RDP_PORT
OPEN_REDIS_PORT
OPEN_SMTP_PORT
OPEN_SSH_PORT
OPEN_TELNET_PORT
OVER_PRIVILEGED_ACCOUNT
OVER_PRIVILEGED_SCOPES
OVER_PRIVILEGED_SERVICE_ACCOUNT_USER
PRIMITIVE_ROLES_USED
PRIVATE_CLUSTER_DISABLED
PRIVATE_GOOGLE_ACCESS_DISABLED
PUBLIC_BUCKET_ACL
PUBLIC_COMPUTE_IMAGE
PUBLIC_DATASET
PUBLIC_IP_ADDRESS
PUBLIC_SQL_INSTANCE
PUBSUB_CMEK_DISABLED
REDIS_ROLE_USED_ON_ORG
RELEASE_CHANNEL_DISABLED
RSASHA1_FOR_SIGNING
SERVICE_ACCOUNT_KEY_NOT_ROTATED
SHIELDED_VM_DISABLED
SSL_NOT_ENFORCED
SQL_CMEK_DISABLED
SQL_CONTAINED_DATABASE_AUTHENTICATION
SQL_CROSS_DB_OWNERSHIP_CHAINING
SQL_EXTERNAL_SCRIPTS_ENABLED
SQL_LOCAL_INFILE
SQL_LOG_CHECKPOINTS_DISABLED
SQL_LOG_CONNECTIONS_DISABLED
SQL_LOG_DISCONNECTIONS_DISABLED
SQL_LOG_DURATION_DISABLED
SQL_LOG_ERROR_VERBOSITY
SQL_LOG_EXECUTOR_STATS_ENABLED
SQL_LOG_HOSTNAME_ENABLED
SQL_LOG_LOCK_WAITS_DISABLED
SQL_LOG_MIN_DURATION_STATEMENT_ENABLED
SQL_LOG_MIN_ERROR_STATEMENT
SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY
SQL_LOG_MIN_MESSAGES
SQL_LOG_PARSER_STATS_ENABLED
SQL_LOG_PLANNER_STATS_ENABLED
SQL_LOG_STATEMENT
SQL_LOG_STATEMENT_STATS_ENABLED
SQL_LOG_TEMP_FILES
SQL_PUBLIC_IP
SQL_REMOTE_ACCESS_ENABLED
SQL_SKIP_SHOW_DATABASE_DISABLED
SQL_TRACE_FLAG_3625
SQL_USER_CONNECTIONS_CONFIGURED
SQL_USER_OPTIONS_CONFIGURED
USER_MANAGED_SERVICE_ACCOUNT_KEY
WEB_UI_ENABLED
WORKLOAD_IDENTITY_DISABLED