En este documento, se describen los tipos de recursos y las políticas que se admiten en la función de validación de infraestructura como código (IaC) en Security Command Center.
Tipos de elementos admitidos
La siguiente es la lista de los tipos de recursos de Google Cloud admitidos:
artifactregistry.googleapis.com/Repositorybigquery.googleapis.com/Datasetbigquery.googleapis.com/Tablecloudfunctions.googleapis.com/CloudFunctioncloudkms.googleapis.com/ImportJobcloudkms.googleapis.com/KeyRingcloudresourcemanager.googleapis.com/Foldercloudresourcemanager.googleapis.com/Projectcomposer.googleapis.com/Environmentcompute.googleapis.com/Autoscalercompute.googleapis.com/BackendServicecompute.googleapis.com/Diskcompute.googleapis.com/Firewallcompute.googleapis.com/ForwardingRulecompute.googleapis.com/GlobalForwardingRulecompute.googleapis.com/HealthCheckcompute.googleapis.com/Instancecompute.googleapis.com/InstanceGroupcompute.googleapis.com/Networkcompute.googleapis.com/NodeGroupcompute.googleapis.com/NodeTemplatecompute.googleapis.com/ResourcePolicycompute.googleapis.com/Routecompute.googleapis.com/Routercompute.googleapis.com/Snapshotcompute.googleapis.com/SslCertificatecompute.googleapis.com/SslPolicycompute.googleapis.com/Subnetworkcompute.googleapis.com/TargetHttpProxycompute.googleapis.com/TargetHttpsProxycompute.googleapis.com/TargetPoolcompute.googleapis.com/TargetSslProxycompute.googleapis.com/UrlMapcompute.googleapis.com/VpnTunnelcontainer.googleapis.com/Clustercontainer.googleapis.com/NodePooldataflow.googleapis.com/Jobdatastream.googleapis.com/ConnectionProfiledatastream.googleapis.com/PrivateConnectiondatastream.googleapis.com/Streamdns.googleapis.com/ManagedZonedns.googleapis.com/Policyfile.googleapis.com/Instancegkehub.googleapis.com/Membershippubsub.googleapis.com/Subscriptionpubsub.googleapis.com/Topicrun.googleapis.com/DomainMappingrun.googleapis.com/Jobrun.googleapis.com/Serviceserviceusage.googleapis.com/Servicespanner.googleapis.com/Databasespanner.googleapis.com/Instancesqladmin.googleapis.com/Instancestorage.googleapis.com/Bucketvpcaccess.googleapis.com/Connector
Validaciones en el campo disks[].initializeParams.sourceImage de
No se admiten compute.googleapis.com/Instance.
Políticas admitidas
En esta sección, se describen las políticas compatibles con la validación de la IaC.
Políticas de la organización
La siguiente es la lista de políticas de la organización admitidas:
Allowed VPC egress settings(constraints/run.allowedVPCEgress)Disable Guest Attributes of Compute Engine metadata(constraints/compute.disableGuestAttributesAccess)Disable VM serial port access(constraints/compute.disableSerialPortAccess)Disable VM serial port logging to Stackdriver(constraints/compute.disableSerialPortLogging)Disable VPC External IPv6 usage(constraints/compute.disableVpcExternalIpv6)Require OS Login(constraints/compute.requireOsLogin)Restrict Authorized Networks on Cloud SQL instances(constraints/sql.restrictAuthorizedNetworks)Require VPC Connector (Cloud Functions)(constraints/cloudfunctions.requireVPCConnector)Disable VPC Internal IPv6 usage(constraints/compute.disableVpcInternalIpv6)Allowed ingress settings (Cloud Run)(constraints/run.allowedIngress)Enforce uniform bucket-level access(constraints/storage.uniformBucketLevelAccess)Skip creation of default Compute Network(constraints/compute.skipDefaultNetworkCreation)
Restricción personalizada de la política de la organización
Se admiten todas las restricciones personalizadas de las políticas de la organización. Sin embargo, no puedes validar las políticas de la organización que incluyen etiquetas.
Módulos personalizados de Security Health Analytics
Se admiten todos los módulos personalizados de Security Health Analytics.
Detectores integrados de Security Health Analytics
La siguiente es la lista de los detectores integrados compatibles:
ALPHA_CLUSTER_ENABLEDAUTO_BACKUP_DISABLEDAUTO_REPAIR_DISABLEDAUTO_UPGRADE_DISABLEDBIGQUERY_TABLE_CMEK_DISABLEDBUCKET_CMEK_DISABLEDBUCKET_LOGGING_DISABLEDBUCKET_POLICY_ONLY_DISABLEDCLUSTER_LOGGING_DISABLEDCLUSTER_MONITORING_DISABLEDCLUSTER_SECRETS_ENCRYPTION_DISABLEDCLUSTER_SHIELDED_NODES_DISABLEDCOMPUTE_SECURE_BOOT_DISABLEDCOMPUTE_SERIAL_PORTS_ENABLEDCONFIDENTIAL_COMPUTING_DISABLEDCOS_NOT_USEDDATAPROC_CMEK_DISABLEDDATAPROC_IMAGE_OUTDATEDDEFAULT_SERVICE_ACCOUNT_USEDDISK_CMEK_DISABLEDDISK_CSEK_DISABLEDFIREWALL_RULE_LOGGING_DISABLEDFLOW_LOGS_DISABLEDFULL_API_ACCESSVPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDEDINTEGRITY_MONITORING_DISABLEDINTRANODE_VISIBILITY_DISABLEDIP_ALIAS_DISABLEDIP_FORWARDING_ENABLEDKMS_KEY_NOT_ROTATEDKMS_PUBLIC_KEYLEGACY_AUTHORIZATION_ENABLEDLEGACY_METADATA_ENABLEDLOAD_BALANCER_LOGGING_DISABLEDMASTER_AUTHORIZED_NETWORKS_DISABLEDNETWORK_POLICY_DISABLEDNODEPOOL_BOOT_CMEK_DISABLEDNODEPOOL_SECURE_BOOT_DISABLEDOPEN_CASSANDRA_PORTOPEN_CISCOSECURE_WEBSM_PORTOPEN_DIRECTORY_SERVICES_PORTOPEN_DNS_PORTOPEN_ELASTICSEARCH_PORTOPEN_FIREWALLOPEN_FTP_PORTOPEN_HTTP_PORTOPEN_LDAP_PORTOPEN_MEMCACHED_PORTOPEN_MONGODB_PORTOPEN_MYSQL_PORTOPEN_NETBIOS_PORTOPEN_ORACLEDB_PORTOPEN_POP3_PORTOPEN_POSTGRESQL_PORTOPEN_RDP_PORTOPEN_REDIS_PORTOPEN_SMTP_PORTOPEN_SSH_PORTOPEN_TELNET_PORTOVER_PRIVILEGED_ACCOUNTOVER_PRIVILEGED_SCOPESOVER_PRIVILEGED_SERVICE_ACCOUNT_USERPRIMITIVE_ROLES_USEDPRIVATE_CLUSTER_DISABLEDPRIVATE_GOOGLE_ACCESS_DISABLEDPUBLIC_BUCKET_ACLPUBLIC_COMPUTE_IMAGEPUBLIC_DATASETPUBLIC_IP_ADDRESSPUBLIC_SQL_INSTANCEPUBSUB_CMEK_DISABLEDREDIS_ROLE_USED_ON_ORGRELEASE_CHANNEL_DISABLEDRSASHA1_FOR_SIGNINGSERVICE_ACCOUNT_KEY_NOT_ROTATEDSHIELDED_VM_DISABLEDSSL_NOT_ENFORCEDSQL_CMEK_DISABLEDSQL_CONTAINED_DATABASE_AUTHENTICATIONSQL_CROSS_DB_OWNERSHIP_CHAININGSQL_EXTERNAL_SCRIPTS_ENABLEDSQL_LOCAL_INFILESQL_LOG_CHECKPOINTS_DISABLEDSQL_LOG_CONNECTIONS_DISABLEDSQL_LOG_DISCONNECTIONS_DISABLEDSQL_LOG_DURATION_DISABLEDSQL_LOG_ERROR_VERBOSITYSQL_LOG_EXECUTOR_STATS_ENABLEDSQL_LOG_HOSTNAME_ENABLEDSQL_LOG_LOCK_WAITS_DISABLEDSQL_LOG_MIN_DURATION_STATEMENT_ENABLEDSQL_LOG_MIN_ERROR_STATEMENTSQL_LOG_MIN_ERROR_STATEMENT_SEVERITYSQL_LOG_MIN_MESSAGESSQL_LOG_PARSER_STATS_ENABLEDSQL_LOG_PLANNER_STATS_ENABLEDSQL_LOG_STATEMENTSQL_LOG_STATEMENT_STATS_ENABLEDSQL_LOG_TEMP_FILESSQL_PUBLIC_IPSQL_REMOTE_ACCESS_ENABLEDSQL_SKIP_SHOW_DATABASE_DISABLEDSQL_TRACE_FLAG_3625SQL_USER_CONNECTIONS_CONFIGUREDSQL_USER_OPTIONS_CONFIGUREDUSER_MANAGED_SERVICE_ACCOUNT_KEYWEB_UI_ENABLEDWORKLOAD_IDENTITY_DISABLED