This document describes the asset types and policies supported by the infrastructure as code (IaC) validation feature in Security Command Center.
Supported asset types
The following Google Cloud asset types are supported:
- artifactregistry.googleapis.com/Repository
- bigquery.googleapis.com/Dataset
- bigquery.googleapis.com/Table
- cloudfunctions.googleapis.com/CloudFunction
- cloudkms.googleapis.com/ImportJob
- cloudkms.googleapis.com/KeyRing
- cloudresourcemanager.googleapis.com/Folder
- cloudresourcemanager.googleapis.com/Project
- composer.googleapis.com/Environment
- compute.googleapis.com/Autoscaler
- compute.googleapis.com/BackendService
- compute.googleapis.com/Disk
- compute.googleapis.com/Firewall
- compute.googleapis.com/ForwardingRule
- compute.googleapis.com/GlobalForwardingRule
- compute.googleapis.com/HealthCheck
- compute.googleapis.com/Instance
- compute.googleapis.com/InstanceGroup
- compute.googleapis.com/Network
- compute.googleapis.com/NodeGroup
- compute.googleapis.com/NodeTemplate
- compute.googleapis.com/ResourcePolicy
- compute.googleapis.com/Route
- compute.googleapis.com/Router
- compute.googleapis.com/Snapshot
- compute.googleapis.com/SslCertificate
- compute.googleapis.com/SslPolicy
- compute.googleapis.com/Subnetwork
- compute.googleapis.com/TargetHttpProxy
- compute.googleapis.com/TargetHttpsProxy
- compute.googleapis.com/TargetPool
- compute.googleapis.com/TargetSslProxy
- compute.googleapis.com/UrlMap
- compute.googleapis.com/VpnTunnel
- container.googleapis.com/Cluster
- container.googleapis.com/NodePool
- dataflow.googleapis.com/Job
- datastream.googleapis.com/ConnectionProfile
- datastream.googleapis.com/PrivateConnection
- datastream.googleapis.com/Stream
- dns.googleapis.com/ManagedZone
- dns.googleapis.com/Policy
- file.googleapis.com/Instance
- gkehub.googleapis.com/Membership
- pubsub.googleapis.com/Subscription
- pubsub.googleapis.com/Topic
- run.googleapis.com/DomainMapping
- run.googleapis.com/Job
- run.googleapis.com/Service
- serviceusage.googleapis.com/Service
- spanner.googleapis.com/Database
- spanner.googleapis.com/Instance
- sqladmin.googleapis.com/Instance
- storage.googleapis.com/Bucket
- vpcaccess.googleapis.com/Connector
Validations on the disks[].initializeParams.sourceImage field of compute.googleapis.com/Instance are not supported.
Supported policies
This section describes the policies supported by IaC validation.
Organization policies
The following organization policies are supported:
- Allowed VPC egress settings (constraints/run.allowedVPCEgress)
- Disable Guest Attributes of Compute Engine metadata (constraints/compute.disableGuestAttributesAccess)
- Disable VM serial port access (constraints/compute.disableSerialPortAccess)
- Disable VM serial port logging to Stackdriver (constraints/compute.disableSerialPortLogging)
- Disable VPC External IPv6 usage (constraints/compute.disableVpcExternalIpv6)
- Require OS Login (constraints/compute.requireOsLogin)
- Restrict Authorized Networks on Cloud SQL instances (constraints/sql.restrictAuthorizedNetworks)
- Require VPC Connector (Cloud Functions) (constraints/cloudfunctions.requireVPCConnector)
- Disable VPC Internal IPv6 usage (constraints/compute.disableVpcInternalIpv6)
- Allowed ingress settings (Cloud Run) (constraints/run.allowedIngress)
- Enforce uniform bucket-level access (constraints/storage.uniformBucketLevelAccess)
- Skip creation of default Compute Network (constraints/compute.skipDefaultNetworkCreation)
Custom constraints for organization policies
All custom constraints for organization policies are supported. However, you cannot validate organization policies that include tags.
Security Health Analytics custom modules
All Security Health Analytics custom modules are supported.
Security Health Analytics built-in detectors
The following built-in detectors are supported:
- ALPHA_CLUSTER_ENABLED
- AUTO_BACKUP_DISABLED
- AUTO_REPAIR_DISABLED
- AUTO_UPGRADE_DISABLED
- BIGQUERY_TABLE_CMEK_DISABLED
- BUCKET_CMEK_DISABLED
- BUCKET_LOGGING_DISABLED
- BUCKET_POLICY_ONLY_DISABLED
- CLUSTER_LOGGING_DISABLED
- CLUSTER_MONITORING_DISABLED
- CLUSTER_SECRETS_ENCRYPTION_DISABLED
- CLUSTER_SHIELDED_NODES_DISABLED
- COMPUTE_SECURE_BOOT_DISABLED
- COMPUTE_SERIAL_PORTS_ENABLED
- CONFIDENTIAL_COMPUTING_DISABLED
- COS_NOT_USED
- DATAPROC_CMEK_DISABLED
- DATAPROC_IMAGE_OUTDATED
- DEFAULT_SERVICE_ACCOUNT_USED
- DISK_CMEK_DISABLED
- DISK_CSEK_DISABLED
- FIREWALL_RULE_LOGGING_DISABLED
- FLOW_LOGS_DISABLED
- FULL_API_ACCESS
- VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED
- INTEGRITY_MONITORING_DISABLED
- INTRANODE_VISIBILITY_DISABLED
- IP_ALIAS_DISABLED
- IP_FORWARDING_ENABLED
- KMS_KEY_NOT_ROTATED
- KMS_PUBLIC_KEY
- LEGACY_AUTHORIZATION_ENABLED
- LEGACY_METADATA_ENABLED
- LOAD_BALANCER_LOGGING_DISABLED
- MASTER_AUTHORIZED_NETWORKS_DISABLED
- NETWORK_POLICY_DISABLED
- NODEPOOL_BOOT_CMEK_DISABLED
- NODEPOOL_SECURE_BOOT_DISABLED
- OPEN_CASSANDRA_PORT
- OPEN_CISCOSECURE_WEBSM_PORT
- OPEN_DIRECTORY_SERVICES_PORT
- OPEN_DNS_PORT
- OPEN_ELASTICSEARCH_PORT
- OPEN_FIREWALL
- OPEN_FTP_PORT
- OPEN_HTTP_PORT
- OPEN_LDAP_PORT
- OPEN_MEMCACHED_PORT
- OPEN_MONGODB_PORT
- OPEN_MYSQL_PORT
- OPEN_NETBIOS_PORT
- OPEN_ORACLEDB_PORT
- OPEN_POP3_PORT
- OPEN_POSTGRESQL_PORT
- OPEN_RDP_PORT
- OPEN_REDIS_PORT
- OPEN_SMTP_PORT
- OPEN_SSH_PORT
- OPEN_TELNET_PORT
- OVER_PRIVILEGED_ACCOUNT
- OVER_PRIVILEGED_SCOPES
- OVER_PRIVILEGED_SERVICE_ACCOUNT_USER
- PRIMITIVE_ROLES_USED
- PRIVATE_CLUSTER_DISABLED
- PRIVATE_GOOGLE_ACCESS_DISABLED
- PUBLIC_BUCKET_ACL
- PUBLIC_COMPUTE_IMAGE
- PUBLIC_DATASET
- PUBLIC_IP_ADDRESS
- PUBLIC_SQL_INSTANCE
- PUBSUB_CMEK_DISABLED
- REDIS_ROLE_USED_ON_ORG
- RELEASE_CHANNEL_DISABLED
- RSASHA1_FOR_SIGNING
- SERVICE_ACCOUNT_KEY_NOT_ROTATED
- SHIELDED_VM_DISABLED
- SSL_NOT_ENFORCED
- SQL_CMEK_DISABLED
- SQL_CONTAINED_DATABASE_AUTHENTICATION
- SQL_CROSS_DB_OWNERSHIP_CHAINING
- SQL_EXTERNAL_SCRIPTS_ENABLED
- SQL_LOCAL_INFILE
- SQL_LOG_CHECKPOINTS_DISABLED
- SQL_LOG_CONNECTIONS_DISABLED
- SQL_LOG_DISCONNECTIONS_DISABLED
- SQL_LOG_DURATION_DISABLED
- SQL_LOG_ERROR_VERBOSITY
- SQL_LOG_EXECUTOR_STATS_ENABLED
- SQL_LOG_HOSTNAME_ENABLED
- SQL_LOG_LOCK_WAITS_DISABLED
- SQL_LOG_MIN_DURATION_STATEMENT_ENABLED
- SQL_LOG_MIN_ERROR_STATEMENT
- SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY
- SQL_LOG_MIN_MESSAGES
- SQL_LOG_PARSER_STATS_ENABLED
- SQL_LOG_PLANNER_STATS_ENABLED
- SQL_LOG_STATEMENT
- SQL_LOG_STATEMENT_STATS_ENABLED
- SQL_LOG_TEMP_FILES
- SQL_PUBLIC_IP
- SQL_REMOTE_ACCESS_ENABLED
- SQL_SKIP_SHOW_DATABASE_DISABLED
- SQL_TRACE_FLAG_3625
- SQL_USER_CONNECTIONS_CONFIGURED
- SQL_USER_OPTIONS_CONFIGURED
- USER_MANAGED_SERVICE_ACCOUNT_KEY
- WEB_UI_ENABLED
- WORKLOAD_IDENTITY_DISABLED