IaC 검증에 지원되는 애셋 유형 및 정책

이 문서에서는 Security Command Center의 코드형 인프라(IaC) 검증 기능에서 지원되는 애셋 유형 및 정책에 대해 설명합니다.

지원되는 애셋 유형

다음은 지원되는 Google Cloud 애셋 유형의 목록입니다.

artifactregistry.googleapis.com/Repository
bigquery.googleapis.com/Dataset
bigquery.googleapis.com/Table
cloudfunctions.googleapis.com/CloudFunction
cloudkms.googleapis.com/ImportJob
cloudkms.googleapis.com/KeyRing
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project
composer.googleapis.com/Environment
compute.googleapis.com/Autoscaler
compute.googleapis.com/BackendService
compute.googleapis.com/Disk
compute.googleapis.com/Firewall
compute.googleapis.com/ForwardingRule
compute.googleapis.com/GlobalForwardingRule
compute.googleapis.com/HealthCheck
compute.googleapis.com/Instance
compute.googleapis.com/InstanceGroup
compute.googleapis.com/Network
compute.googleapis.com/NodeGroup
compute.googleapis.com/NodeTemplate
compute.googleapis.com/ResourcePolicy
compute.googleapis.com/Route
compute.googleapis.com/Router
compute.googleapis.com/Snapshot
compute.googleapis.com/SslCertificate
compute.googleapis.com/SslPolicy
compute.googleapis.com/Subnetwork
compute.googleapis.com/TargetHttpProxy
compute.googleapis.com/TargetHttpsProxy
compute.googleapis.com/TargetPool
compute.googleapis.com/TargetSslProxy
compute.googleapis.com/UrlMap
compute.googleapis.com/VpnTunnel
container.googleapis.com/Cluster
container.googleapis.com/NodePool
dataflow.googleapis.com/Job
datastream.googleapis.com/ConnectionProfile
datastream.googleapis.com/PrivateConnection
datastream.googleapis.com/Stream
dns.googleapis.com/ManagedZone
dns.googleapis.com/Policy
file.googleapis.com/Instance
gkehub.googleapis.com/Membership
pubsub.googleapis.com/Subscription
pubsub.googleapis.com/Topic
run.googleapis.com/DomainMapping
run.googleapis.com/Job
run.googleapis.com/Service
serviceusage.googleapis.com/Service
spanner.googleapis.com/Database
spanner.googleapis.com/Instance
sqladmin.googleapis.com/Instance
storage.googleapis.com/Bucket
vpcaccess.googleapis.com/Connector

compute.googleapis.com/Instance의 disks[].initializeParams.sourceImage 필드에서는 검증이 지원되지 않습니다.

지원되는 정책

이 섹션에서는 IaC 검증으로 지원되는 정책에 대해 설명합니다.

조직 정책

다음은 지원되는 조직 정책 목록입니다.

Allowed VPC egress settings(constraints/run.allowedVPCEgress)
Disable Guest Attributes of Compute Engine metadata(constraints/compute.disableGuestAttributesAccess)
Disable VM serial port access(constraints/compute.disableSerialPortAccess)
Disable VM serial port logging to Stackdriver(constraints/compute.disableSerialPortLogging)
Disable VPC External IPv6 usage(constraints/compute.disableVpcExternalIpv6)
Require OS Login(constraints/compute.requireOsLogin)
Restrict Authorized Networks on Cloud SQL instances(constraints/sql.restrictAuthorizedNetworks)
Require VPC Connector (Cloud Functions)(constraints/cloudfunctions.requireVPCConnector)
Disable VPC Internal IPv6 usage(constraints/compute.disableVpcInternalIpv6)
Allowed ingress settings (Cloud Run)(constraints/run.allowedIngress)
Enforce uniform bucket-level access(constraints/storage.uniformBucketLevelAccess)
Skip creation of default Compute Network(constraints/compute.skipDefaultNetworkCreation)

조직 정책 커스텀 제약조건

모든 조직 정책 커스텀 제약조건이 지원됩니다. 그러나 태그를 포함하는 조직 정책은 검증할 수 없습니다.

Security Health Analytics 커스텀 모듈

모든 Security Health Analytics 커스텀 모듈이 지원됩니다.

Security Health Analytics 기본 제공 감지기

다음은 지원되는 기본 제공 감지기 목록입니다.

ALPHA_CLUSTER_ENABLED
AUTO_BACKUP_DISABLED
AUTO_REPAIR_DISABLED
AUTO_UPGRADE_DISABLED
BIGQUERY_TABLE_CMEK_DISABLED
BUCKET_CMEK_DISABLED
BUCKET_LOGGING_DISABLED
BUCKET_POLICY_ONLY_DISABLED
CLUSTER_LOGGING_DISABLED
CLUSTER_MONITORING_DISABLED
CLUSTER_SECRETS_ENCRYPTION_DISABLED
CLUSTER_SHIELDED_NODES_DISABLED
COMPUTE_SECURE_BOOT_DISABLED
COMPUTE_SERIAL_PORTS_ENABLED
CONFIDENTIAL_COMPUTING_DISABLED
COS_NOT_USED
DATAPROC_CMEK_DISABLED
DATAPROC_IMAGE_OUTDATED
DEFAULT_SERVICE_ACCOUNT_USED
DISK_CMEK_DISABLED
DISK_CSEK_DISABLED
FIREWALL_RULE_LOGGING_DISABLED
FLOW_LOGS_DISABLED
FULL_API_ACCESS
VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED
INTEGRITY_MONITORING_DISABLED
INTRANODE_VISIBILITY_DISABLED
IP_ALIAS_DISABLED
IP_FORWARDING_ENABLED
KMS_KEY_NOT_ROTATED
KMS_PUBLIC_KEY
LEGACY_AUTHORIZATION_ENABLED
LEGACY_METADATA_ENABLED
LOAD_BALANCER_LOGGING_DISABLED
MASTER_AUTHORIZED_NETWORKS_DISABLED
NETWORK_POLICY_DISABLED
NODEPOOL_BOOT_CMEK_DISABLED
NODEPOOL_SECURE_BOOT_DISABLED
OPEN_CASSANDRA_PORT
OPEN_CISCOSECURE_WEBSM_PORT
OPEN_DIRECTORY_SERVICES_PORT
OPEN_DNS_PORT
OPEN_ELASTICSEARCH_PORT
OPEN_FIREWALL
OPEN_FTP_PORT
OPEN_HTTP_PORT
OPEN_LDAP_PORT
OPEN_MEMCACHED_PORT
OPEN_MONGODB_PORT
OPEN_MYSQL_PORT
OPEN_NETBIOS_PORT
OPEN_ORACLEDB_PORT
OPEN_POP3_PORT
OPEN_POSTGRESQL_PORT
OPEN_RDP_PORT
OPEN_REDIS_PORT
OPEN_SMTP_PORT
OPEN_SSH_PORT
OPEN_TELNET_PORT
OVER_PRIVILEGED_ACCOUNT
OVER_PRIVILEGED_SCOPES
OVER_PRIVILEGED_SERVICE_ACCOUNT_USER
PRIMITIVE_ROLES_USED
PRIVATE_CLUSTER_DISABLED
PRIVATE_GOOGLE_ACCESS_DISABLED
PUBLIC_BUCKET_ACL
PUBLIC_COMPUTE_IMAGE
PUBLIC_DATASET
PUBLIC_IP_ADDRESS
PUBLIC_SQL_INSTANCE
PUBSUB_CMEK_DISABLED
REDIS_ROLE_USED_ON_ORG
RELEASE_CHANNEL_DISABLED
RSASHA1_FOR_SIGNING
SERVICE_ACCOUNT_KEY_NOT_ROTATED
SHIELDED_VM_DISABLED
SSL_NOT_ENFORCED
SQL_CMEK_DISABLED
SQL_CONTAINED_DATABASE_AUTHENTICATION
SQL_CROSS_DB_OWNERSHIP_CHAINING
SQL_EXTERNAL_SCRIPTS_ENABLED
SQL_LOCAL_INFILE
SQL_LOG_CHECKPOINTS_DISABLED
SQL_LOG_CONNECTIONS_DISABLED
SQL_LOG_DISCONNECTIONS_DISABLED
SQL_LOG_DURATION_DISABLED
SQL_LOG_ERROR_VERBOSITY
SQL_LOG_EXECUTOR_STATS_ENABLED
SQL_LOG_HOSTNAME_ENABLED
SQL_LOG_LOCK_WAITS_DISABLED
SQL_LOG_MIN_DURATION_STATEMENT_ENABLED
SQL_LOG_MIN_ERROR_STATEMENT
SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY
SQL_LOG_MIN_MESSAGES
SQL_LOG_PARSER_STATS_ENABLED
SQL_LOG_PLANNER_STATS_ENABLED
SQL_LOG_STATEMENT
SQL_LOG_STATEMENT_STATS_ENABLED
SQL_LOG_TEMP_FILES
SQL_PUBLIC_IP
SQL_REMOTE_ACCESS_ENABLED
SQL_SKIP_SHOW_DATABASE_DISABLED
SQL_TRACE_FLAG_3625
SQL_USER_CONNECTIONS_CONFIGURED
SQL_USER_OPTIONS_CONFIGURED
USER_MANAGED_SERVICE_ACCOUNT_KEY
WEB_UI_ENABLED
WORKLOAD_IDENTITY_DISABLED

다음 단계

보안 상황에 따라 IaC 검증