Types d'éléments et règles compatibles pour la validation IaC

Ce document décrit les types d'éléments et les règles compatibles avec la fonctionnalité de validation de l'infrastructure en tant que code (IaC) de Security Command Center.

Types d'éléments compatibles

Voici la liste des types d'éléments Google Cloud acceptés:

  • artifactregistry.googleapis.com/Repository
  • bigquery.googleapis.com/Dataset
  • bigquery.googleapis.com/Table
  • cloudfunctions.googleapis.com/CloudFunction
  • cloudkms.googleapis.com/ImportJob
  • cloudkms.googleapis.com/KeyRing
  • cloudresourcemanager.googleapis.com/Folder
  • cloudresourcemanager.googleapis.com/Project
  • composer.googleapis.com/Environment
  • compute.googleapis.com/Autoscaler
  • compute.googleapis.com/BackendService
  • compute.googleapis.com/Disk
  • compute.googleapis.com/Firewall
  • compute.googleapis.com/ForwardingRule
  • compute.googleapis.com/GlobalForwardingRule
  • compute.googleapis.com/HealthCheck
  • compute.googleapis.com/Instance
  • compute.googleapis.com/InstanceGroup
  • compute.googleapis.com/Network
  • compute.googleapis.com/NodeGroup
  • compute.googleapis.com/NodeTemplate
  • compute.googleapis.com/ResourcePolicy
  • compute.googleapis.com/Route
  • compute.googleapis.com/Router
  • compute.googleapis.com/Snapshot
  • compute.googleapis.com/SslCertificate
  • compute.googleapis.com/SslPolicy
  • compute.googleapis.com/Subnetwork
  • compute.googleapis.com/TargetHttpProxy
  • compute.googleapis.com/TargetHttpsProxy
  • compute.googleapis.com/TargetPool
  • compute.googleapis.com/TargetSslProxy
  • compute.googleapis.com/UrlMap
  • compute.googleapis.com/VpnTunnel
  • container.googleapis.com/Cluster
  • container.googleapis.com/NodePool
  • dataflow.googleapis.com/Job
  • datastream.googleapis.com/ConnectionProfile
  • datastream.googleapis.com/PrivateConnection
  • datastream.googleapis.com/Stream
  • dns.googleapis.com/ManagedZone
  • dns.googleapis.com/Policy
  • file.googleapis.com/Instance
  • gkehub.googleapis.com/Membership
  • pubsub.googleapis.com/Subscription
  • pubsub.googleapis.com/Topic
  • run.googleapis.com/DomainMapping
  • run.googleapis.com/Job
  • run.googleapis.com/Service
  • serviceusage.googleapis.com/Service
  • spanner.googleapis.com/Database
  • spanner.googleapis.com/Instance
  • sqladmin.googleapis.com/Instance
  • storage.googleapis.com/Bucket
  • vpcaccess.googleapis.com/Connector

Les validations sur le champ disks[].initializeParams.sourceImage de compute.googleapis.com/Instance ne sont pas acceptées.

Règles prises en charge

Cette section décrit les règles compatibles avec la validation IaC.

Règles d'administration

Voici la liste des règles d'administration acceptées:

  • Allowed VPC egress settings (constraints/run.allowedVPCEgress)
  • Disable Guest Attributes of Compute Engine metadata (constraints/compute.disableGuestAttributesAccess)
  • Disable VM serial port access (constraints/compute.disableSerialPortAccess)
  • Disable VM serial port logging to Stackdriver (constraints/compute.disableSerialPortLogging)
  • Disable VPC External IPv6 usage (constraints/compute.disableVpcExternalIpv6)
  • Require OS Login (constraints/compute.requireOsLogin)
  • Restrict Authorized Networks on Cloud SQL instances (constraints/sql.restrictAuthorizedNetworks)
  • Require VPC Connector (Cloud Functions) (constraints/cloudfunctions.requireVPCConnector)
  • Disable VPC Internal IPv6 usage (constraints/compute.disableVpcInternalIpv6)
  • Allowed ingress settings (Cloud Run) (constraints/run.allowedIngress)
  • Enforce uniform bucket-level access (constraints/storage.uniformBucketLevelAccess)
  • Skip creation of default Compute Network (constraints/compute.skipDefaultNetworkCreation)

Contrainte personnalisée liée aux règles d'administration

Toutes les contraintes personnalisées des règles d'administration sont acceptées. Toutefois, vous ne pouvez pas valider les règles d'administration de l'organisation qui incluent des tags.

Modules personnalisés pour Security Health Analytics

Tous les modules personnalisés de Security Health Analytics sont compatibles.

Détecteurs intégrés de Security Health Analytics

Voici la liste des détecteurs intégrés compatibles:

  • ALPHA_CLUSTER_ENABLED
  • AUTO_BACKUP_DISABLED
  • AUTO_REPAIR_DISABLED
  • AUTO_UPGRADE_DISABLED
  • BIGQUERY_TABLE_CMEK_DISABLED
  • BUCKET_CMEK_DISABLED
  • BUCKET_LOGGING_DISABLED
  • BUCKET_POLICY_ONLY_DISABLED
  • CLUSTER_LOGGING_DISABLED
  • CLUSTER_MONITORING_DISABLED
  • CLUSTER_SECRETS_ENCRYPTION_DISABLED
  • CLUSTER_SHIELDED_NODES_DISABLED
  • COMPUTE_SECURE_BOOT_DISABLED
  • COMPUTE_SERIAL_PORTS_ENABLED
  • CONFIDENTIAL_COMPUTING_DISABLED
  • COS_NOT_USED
  • DATAPROC_CMEK_DISABLED
  • DATAPROC_IMAGE_OUTDATED
  • DEFAULT_SERVICE_ACCOUNT_USED
  • DISK_CMEK_DISABLED
  • DISK_CSEK_DISABLED
  • FIREWALL_RULE_LOGGING_DISABLED
  • FLOW_LOGS_DISABLED
  • FULL_API_ACCESS
  • VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED
  • INTEGRITY_MONITORING_DISABLED
  • INTRANODE_VISIBILITY_DISABLED
  • IP_ALIAS_DISABLED
  • IP_FORWARDING_ENABLED
  • KMS_KEY_NOT_ROTATED
  • KMS_PUBLIC_KEY
  • LEGACY_AUTHORIZATION_ENABLED
  • LEGACY_METADATA_ENABLED
  • LOAD_BALANCER_LOGGING_DISABLED
  • MASTER_AUTHORIZED_NETWORKS_DISABLED
  • NETWORK_POLICY_DISABLED
  • NODEPOOL_BOOT_CMEK_DISABLED
  • NODEPOOL_SECURE_BOOT_DISABLED
  • OPEN_CASSANDRA_PORT
  • OPEN_CISCOSECURE_WEBSM_PORT
  • OPEN_DIRECTORY_SERVICES_PORT
  • OPEN_DNS_PORT
  • OPEN_ELASTICSEARCH_PORT
  • OPEN_FIREWALL
  • OPEN_FTP_PORT
  • OPEN_HTTP_PORT
  • OPEN_LDAP_PORT
  • OPEN_MEMCACHED_PORT
  • OPEN_MONGODB_PORT
  • OPEN_MYSQL_PORT
  • OPEN_NETBIOS_PORT
  • OPEN_ORACLEDB_PORT
  • OPEN_POP3_PORT
  • OPEN_POSTGRESQL_PORT
  • OPEN_RDP_PORT
  • OPEN_REDIS_PORT
  • OPEN_SMTP_PORT
  • OPEN_SSH_PORT
  • OPEN_TELNET_PORT
  • OVER_PRIVILEGED_ACCOUNT
  • OVER_PRIVILEGED_SCOPES
  • OVER_PRIVILEGED_SERVICE_ACCOUNT_USER
  • PRIMITIVE_ROLES_USED
  • PRIVATE_CLUSTER_DISABLED
  • PRIVATE_GOOGLE_ACCESS_DISABLED
  • PUBLIC_BUCKET_ACL
  • PUBLIC_COMPUTE_IMAGE
  • PUBLIC_DATASET
  • PUBLIC_IP_ADDRESS
  • PUBLIC_SQL_INSTANCE
  • PUBSUB_CMEK_DISABLED
  • REDIS_ROLE_USED_ON_ORG
  • RELEASE_CHANNEL_DISABLED
  • RSASHA1_FOR_SIGNING
  • SERVICE_ACCOUNT_KEY_NOT_ROTATED
  • SHIELDED_VM_DISABLED
  • SSL_NOT_ENFORCED
  • SQL_CMEK_DISABLED
  • SQL_CONTAINED_DATABASE_AUTHENTICATION
  • SQL_CROSS_DB_OWNERSHIP_CHAINING
  • SQL_EXTERNAL_SCRIPTS_ENABLED
  • SQL_LOCAL_INFILE
  • SQL_LOG_CHECKPOINTS_DISABLED
  • SQL_LOG_CONNECTIONS_DISABLED
  • SQL_LOG_DISCONNECTIONS_DISABLED
  • SQL_LOG_DURATION_DISABLED
  • SQL_LOG_ERROR_VERBOSITY
  • SQL_LOG_EXECUTOR_STATS_ENABLED
  • SQL_LOG_HOSTNAME_ENABLED
  • SQL_LOG_LOCK_WAITS_DISABLED
  • SQL_LOG_MIN_DURATION_STATEMENT_ENABLED
  • SQL_LOG_MIN_ERROR_STATEMENT
  • SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY
  • SQL_LOG_MIN_MESSAGES
  • SQL_LOG_PARSER_STATS_ENABLED
  • SQL_LOG_PLANNER_STATS_ENABLED
  • SQL_LOG_STATEMENT
  • SQL_LOG_STATEMENT_STATS_ENABLED
  • SQL_LOG_TEMP_FILES
  • SQL_PUBLIC_IP
  • SQL_REMOTE_ACCESS_ENABLED
  • SQL_SKIP_SHOW_DATABASE_DISABLED
  • SQL_TRACE_FLAG_3625
  • SQL_USER_CONNECTIONS_CONFIGURED
  • SQL_USER_OPTIONS_CONFIGURED
  • USER_MANAGED_SERVICE_ACCOUNT_KEY
  • WEB_UI_ENABLED
  • WORKLOAD_IDENTITY_DISABLED

Étape suivante