이 문서에서는 Security Command Center의 코드형 인프라(IaC) 검증 기능에서 지원되는 애셋 유형 및 정책에 대해 설명합니다.
지원되는 애셋 유형
다음은 지원되는 Google Cloud 애셋 유형의 목록입니다.
bigquery.googleapis.com/Datasetbigquery.googleapis.com/Tablecloudkms.googleapis.com/KeyRingcloudresourcemanager.googleapis.com/Foldercloudresourcemanager.googleapis.com/Projectcompute.googleapis.com/BackendServicecompute.googleapis.com/Diskcompute.googleapis.com/Firewallcompute.googleapis.com/ForwardingRulecompute.googleapis.com/GlobalForwardingRulecompute.googleapis.com/Instancecompute.googleapis.com/Networkcompute.googleapis.com/Snapshotcompute.googleapis.com/SslPolicycompute.googleapis.com/Subnetworkcompute.googleapis.com/TargetHttpsProxycompute.googleapis.com/TargetSslProxycontainer.googleapis.com/Clustercontainer.googleapis.com/NodePooldns.googleapis.com/ManagedZonedns.googleapis.com/Policyfile.googleapis.com/Instancepubsub.googleapis.com/Subscriptionpubsub.googleapis.com/Topicrun.googleapis.com/DomainMappingrun.googleapis.com/Serviceserviceusage.googleapis.com/Servicespanner.googleapis.com/Databasespanner.googleapis.com/Instancesqladmin.googleapis.com/Instancestorage.googleapis.com/Bucketvpcaccess.googleapis.com/Connector
compute.googleapis.com/Instance의 disks[].initializeParams.sourceImage 필드에서는 검증이 지원되지 않습니다.
지원되는 정책
이 섹션에서는 IaC 검증으로 지원되는 정책에 대해 설명합니다.
조직 정책
다음은 지원되는 조직 정책 목록입니다.
Allowed VPC egress settings(constraints/run.allowedVPCEgress)Disable Guest Attributes of Compute Engine metadata(constraints/compute.disableGuestAttributesAccess)Disable VM serial port access(constraints/compute.disableSerialPortAccess)Disable VM serial port logging to Stackdriver(constraints/compute.disableSerialPortLogging)Disable VPC External IPv6 usage(constraints/compute.disableVpcExternalIpv6)Require OS Login(constraints/compute.requireOsLogin)Require VPC Connector(constraints/cloudfunctions.requireVPCConnector)Shielded VMs(constraints/compute.requireShieldedVm)Restrict VM IP Forwarding(constraints/compute.vmCanIpForward)Restrict Authorized Networks on Cloud SQL instances(constraints/sql.restrictAuthorizedNetworks)
조직 정책 커스텀 제약조건
모든 조직 정책 커스텀 제약조건이 지원됩니다. 그러나 태그를 포함하는 조직 정책은 검증할 수 없습니다.
Security Health Analytics 커스텀 모듈
모든 Security Health Analytics 커스텀 모듈이 지원됩니다.
Security Health Analytics 기본 제공 감지기
다음은 지원되는 기본 제공 감지기 목록입니다.
AUTO_BACKUP_DISABLEDAUTO_REPAIR_DISABLEDAUTO_UPGRADE_DISABLEDBIGQUERY_TABLE_CMEK_DISABLEDBUCKET_CMEK_DISABLEDBUCKET_LOGGING_DISABLEDBUCKET_POLICY_ONLY_DISABLEDCLUSTER_LOGGING_DISABLEDCLUSTER_MONITORING_DISABLEDCLUSTER_SECRETS_ENCRYPTION_DISABLEDCLUSTER_SHIELDED_NODES_DISABLEDCOS_NOT_USEDFIREWALL_RULE_LOGGING_DISABLEDFLOW_LOGS_DISABLEDVPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDEDINTEGRITY_MONITORING_DISABLEDINTRANODE_VISIBILITY_DISABLEDKMS_KEY_NOT_ROTATEDKMS_PUBLIC_KEYLEGACY_AUTHORIZATION_ENABLEDLEGACY_METADATA_ENABLEDMASTER_AUTHORIZED_NETWORKS_DISABLEDNETWORK_POLICY_DISABLEDNODEPOOL_BOOT_CMEK_DISABLEDNODEPOOL_SECURE_BOOT_DISABLEDOVER_PRIVILEGED_ACCOUNTOVER_PRIVILEGED_SCOPESPRIVATE_GOOGLE_ACCESS_DISABLEDPUBLIC_BUCKET_ACLPUBLIC_DATASETPUBLIC_SQL_INSTANCERELEASE_CHANNEL_DISABLEDRSASHA1_FOR_SIGNINGSQL_CMEK_DISABLEDSQL_CONTAINED_DATABASE_AUTHENTICATIONSQL_CROSS_DB_OWNERSHIP_CHAININGSQL_EXTERNAL_SCRIPTS_ENABLEDSQL_LOCAL_INFILESQL_LOG_CHECKPOINTS_DISABLEDSQL_LOG_CONNECTIONS_DISABLEDSQL_LOG_DISCONNECTIONS_DISABLEDSQL_LOG_DURATION_DISABLEDSQL_LOG_ERROR_VERBOSITYSQL_LOG_EXECUTOR_STATS_ENABLEDSQL_LOG_HOSTNAME_ENABLEDSQL_LOG_LOCK_WAITS_DISABLEDSQL_LOG_MIN_DURATION_STATEMENT_ENABLEDSQL_LOG_MIN_ERROR_STATEMENTSQL_LOG_MIN_ERROR_STATEMENT_SEVERITYSQL_LOG_MIN_MESSAGESSQL_LOG_PARSER_STATS_ENABLEDSQL_LOG_PLANNER_STATS_ENABLEDSQL_LOG_STATEMENTSQL_LOG_STATEMENT_STATS_ENABLEDSQL_LOG_TEMP_FILESSQL_PUBLIC_IPSQL_REMOTE_ACCESS_ENABLEDSQL_SKIP_SHOW_DATABASE_DISABLEDSQL_TRACE_FLAG_3625SQL_USER_CONNECTIONS_CONFIGUREDSQL_USER_OPTIONS_CONFIGUREDWEB_UI_ENABLEDWORKLOAD_IDENTITY_DISABLED