This document describes the asset types and policies supported by the Security Command Center IaC (Infrastructure as Code) validation feature.
Supported asset types
The following Google Cloud asset types are supported:
bigquery.googleapis.com/Dataset
bigquery.googleapis.com/Table
cloudkms.googleapis.com/KeyRing
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project
compute.googleapis.com/BackendService
compute.googleapis.com/Disk
compute.googleapis.com/Firewall
compute.googleapis.com/ForwardingRule
compute.googleapis.com/GlobalForwardingRule
compute.googleapis.com/Instance
compute.googleapis.com/Network
compute.googleapis.com/Snapshot
compute.googleapis.com/SslPolicy
compute.googleapis.com/Subnetwork
compute.googleapis.com/TargetHttpsProxy
compute.googleapis.com/TargetSslProxy
container.googleapis.com/Cluster
container.googleapis.com/NodePool
dns.googleapis.com/ManagedZone
dns.googleapis.com/Policy
file.googleapis.com/Instance
pubsub.googleapis.com/Subscription
pubsub.googleapis.com/Topic
run.googleapis.com/DomainMapping
run.googleapis.com/Service
serviceusage.googleapis.com/Service
spanner.googleapis.com/Database
spanner.googleapis.com/Instance
sqladmin.googleapis.com/Instance
storage.googleapis.com/Bucket
vpcaccess.googleapis.com/Connector
Validation of the disks[].initializeParams.sourceImage field of compute.googleapis.com/Instance is not supported.
Supported policies
This section describes the policies supported by IaC validation.
Organization policies
The following organization policies are supported:
Allowed VPC egress settings (constraints/run.allowedVPCEgress)
Disable Guest Attributes of Compute Engine metadata (constraints/compute.disableGuestAttributesAccess)
Disable VM serial port access (constraints/compute.disableSerialPortAccess)
Disable VM serial port logging to Stackdriver (constraints/compute.disableSerialPortLogging)
Disable VPC External IPv6 usage (constraints/compute.disableVpcExternalIpv6)
Require OS Login (constraints/compute.requireOsLogin)
Require VPC Connector (constraints/cloudfunctions.requireVPCConnector)
Shielded VMs (constraints/compute.requireShieldedVm)
Restrict VM IP Forwarding (constraints/compute.vmCanIpForward)
Restrict Authorized Networks on Cloud SQL instances (constraints/sql.restrictAuthorizedNetworks)
Custom organization policy constraints
All custom organization policy constraints are supported. However, you cannot validate organization policies that include tags.
Security Health Analytics custom modules
All Security Health Analytics custom modules are supported.
Security Health Analytics built-in detectors
The following built-in detectors are supported:
AUTO_BACKUP_DISABLED
AUTO_REPAIR_DISABLED
AUTO_UPGRADE_DISABLED
BIGQUERY_TABLE_CMEK_DISABLED
BUCKET_CMEK_DISABLED
BUCKET_LOGGING_DISABLED
BUCKET_POLICY_ONLY_DISABLED
CLUSTER_LOGGING_DISABLED
CLUSTER_MONITORING_DISABLED
CLUSTER_SECRETS_ENCRYPTION_DISABLED
CLUSTER_SHIELDED_NODES_DISABLED
COS_NOT_USED
FIREWALL_RULE_LOGGING_DISABLED
FLOW_LOGS_DISABLED
VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED
INTEGRITY_MONITORING_DISABLED
INTRANODE_VISIBILITY_DISABLED
KMS_KEY_NOT_ROTATED
KMS_PUBLIC_KEY
LEGACY_AUTHORIZATION_ENABLED
LEGACY_METADATA_ENABLED
MASTER_AUTHORIZED_NETWORKS_DISABLED
NETWORK_POLICY_DISABLED
NODEPOOL_BOOT_CMEK_DISABLED
NODEPOOL_SECURE_BOOT_DISABLED
OVER_PRIVILEGED_ACCOUNT
OVER_PRIVILEGED_SCOPES
PRIVATE_GOOGLE_ACCESS_DISABLED
PUBLIC_BUCKET_ACL
PUBLIC_DATASET
PUBLIC_SQL_INSTANCE
RELEASE_CHANNEL_DISABLED
RSASHA1_FOR_SIGNING
SQL_CMEK_DISABLED
SQL_CONTAINED_DATABASE_AUTHENTICATION
SQL_CROSS_DB_OWNERSHIP_CHAINING
SQL_EXTERNAL_SCRIPTS_ENABLED
SQL_LOCAL_INFILE
SQL_LOG_CHECKPOINTS_DISABLED
SQL_LOG_CONNECTIONS_DISABLED
SQL_LOG_DISCONNECTIONS_DISABLED
SQL_LOG_DURATION_DISABLED
SQL_LOG_ERROR_VERBOSITY
SQL_LOG_EXECUTOR_STATS_ENABLED
SQL_LOG_HOSTNAME_ENABLED
SQL_LOG_LOCK_WAITS_DISABLED
SQL_LOG_MIN_DURATION_STATEMENT_ENABLED
SQL_LOG_MIN_ERROR_STATEMENT
SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY
SQL_LOG_MIN_MESSAGES
SQL_LOG_PARSER_STATS_ENABLED
SQL_LOG_PLANNER_STATS_ENABLED
SQL_LOG_STATEMENT
SQL_LOG_STATEMENT_STATS_ENABLED
SQL_LOG_TEMP_FILES
SQL_PUBLIC_IP
SQL_REMOTE_ACCESS_ENABLED
SQL_SKIP_SHOW_DATABASE_DISABLED
SQL_TRACE_FLAG_3625
SQL_USER_CONNECTIONS_CONFIGURED
SQL_USER_OPTIONS_CONFIGURED
WEB_UI_ENABLED
WORKLOAD_IDENTITY_DISABLED