This document describes the asset types and policies supported by the infrastructure as code (IaC) validation feature in Security Command Center.
Supported asset types
The following is the list of supported Google Cloud asset types:
artifactregistry.googleapis.com/Repository
bigquery.googleapis.com/Dataset
bigquery.googleapis.com/Table
cloudfunctions.googleapis.com/CloudFunction
cloudkms.googleapis.com/ImportJob
cloudkms.googleapis.com/KeyRing
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project
composer.googleapis.com/Environment
compute.googleapis.com/Autoscaler
compute.googleapis.com/BackendService
compute.googleapis.com/Disk
compute.googleapis.com/Firewall
compute.googleapis.com/ForwardingRule
compute.googleapis.com/GlobalForwardingRule
compute.googleapis.com/HealthCheck
compute.googleapis.com/Instance
compute.googleapis.com/InstanceGroup
compute.googleapis.com/Network
compute.googleapis.com/NodeGroup
compute.googleapis.com/NodeTemplate
compute.googleapis.com/ResourcePolicy
compute.googleapis.com/Route
compute.googleapis.com/Router
compute.googleapis.com/Snapshot
compute.googleapis.com/SslCertificate
compute.googleapis.com/SslPolicy
compute.googleapis.com/Subnetwork
compute.googleapis.com/TargetHttpProxy
compute.googleapis.com/TargetHttpsProxy
compute.googleapis.com/TargetPool
compute.googleapis.com/TargetSslProxy
compute.googleapis.com/UrlMap
compute.googleapis.com/VpnTunnel
container.googleapis.com/Cluster
container.googleapis.com/NodePool
dataflow.googleapis.com/Job
datastream.googleapis.com/ConnectionProfile
datastream.googleapis.com/PrivateConnection
datastream.googleapis.com/Stream
dns.googleapis.com/ManagedZone
dns.googleapis.com/Policy
file.googleapis.com/Instance
gkehub.googleapis.com/Membership
pubsub.googleapis.com/Subscription
pubsub.googleapis.com/Topic
run.googleapis.com/DomainMapping
run.googleapis.com/Job
run.googleapis.com/Service
serviceusage.googleapis.com/Service
spanner.googleapis.com/Database
spanner.googleapis.com/Instance
sqladmin.googleapis.com/Instance
storage.googleapis.com/Bucket
vpcaccess.googleapis.com/Connector
Validation of the disks[].initializeParams.sourceImage field of compute.googleapis.com/Instance is not supported.
Supported policies
This section describes the policies supported by IaC validation.
Organization policies
The following is the list of supported organization policies:
Allowed VPC egress settings (constraints/run.allowedVPCEgress)
Disable Guest Attributes of Compute Engine metadata (constraints/compute.disableGuestAttributesAccess)
Disable VM serial port access (constraints/compute.disableSerialPortAccess)
Disable VM serial port logging to Stackdriver (constraints/compute.disableSerialPortLogging)
Disable VPC External IPv6 usage (constraints/compute.disableVpcExternalIpv6)
Require OS Login (constraints/compute.requireOsLogin)
Restrict Authorized Networks on Cloud SQL instances (constraints/sql.restrictAuthorizedNetworks)
Require VPC Connector (Cloud Functions) (constraints/cloudfunctions.requireVPCConnector)
Disable VPC Internal IPv6 usage (constraints/compute.disableVpcInternalIpv6)
Allowed ingress settings (Cloud Run) (constraints/run.allowedIngress)
Enforce uniform bucket-level access (constraints/storage.uniformBucketLevelAccess)
Skip creation of default Compute Network (constraints/compute.skipDefaultNetworkCreation)
Organization policy custom constraints
All organization policy custom constraints are supported. However, you cannot validate organization policies that include tags.
Security Health Analytics custom modules
All Security Health Analytics custom modules are supported.
Security Health Analytics built-in detectors
The following is the list of supported built-in detectors:
ALPHA_CLUSTER_ENABLED
AUTO_BACKUP_DISABLED
AUTO_REPAIR_DISABLED
AUTO_UPGRADE_DISABLED
BIGQUERY_TABLE_CMEK_DISABLED
BUCKET_CMEK_DISABLED
BUCKET_LOGGING_DISABLED
BUCKET_POLICY_ONLY_DISABLED
CLUSTER_LOGGING_DISABLED
CLUSTER_MONITORING_DISABLED
CLUSTER_SECRETS_ENCRYPTION_DISABLED
CLUSTER_SHIELDED_NODES_DISABLED
COMPUTE_SECURE_BOOT_DISABLED
COMPUTE_SERIAL_PORTS_ENABLED
CONFIDENTIAL_COMPUTING_DISABLED
COS_NOT_USED
DATAPROC_CMEK_DISABLED
DATAPROC_IMAGE_OUTDATED
DEFAULT_SERVICE_ACCOUNT_USED
DISK_CMEK_DISABLED
DISK_CSEK_DISABLED
FIREWALL_RULE_LOGGING_DISABLED
FLOW_LOGS_DISABLED
FULL_API_ACCESS
VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED
INTEGRITY_MONITORING_DISABLED
INTRANODE_VISIBILITY_DISABLED
IP_ALIAS_DISABLED
IP_FORWARDING_ENABLED
KMS_KEY_NOT_ROTATED
KMS_PUBLIC_KEY
LEGACY_AUTHORIZATION_ENABLED
LEGACY_METADATA_ENABLED
LOAD_BALANCER_LOGGING_DISABLED
MASTER_AUTHORIZED_NETWORKS_DISABLED
NETWORK_POLICY_DISABLED
NODEPOOL_BOOT_CMEK_DISABLED
NODEPOOL_SECURE_BOOT_DISABLED
OPEN_CASSANDRA_PORT
OPEN_CISCOSECURE_WEBSM_PORT
OPEN_DIRECTORY_SERVICES_PORT
OPEN_DNS_PORT
OPEN_ELASTICSEARCH_PORT
OPEN_FIREWALL
OPEN_FTP_PORT
OPEN_HTTP_PORT
OPEN_LDAP_PORT
OPEN_MEMCACHED_PORT
OPEN_MONGODB_PORT
OPEN_MYSQL_PORT
OPEN_NETBIOS_PORT
OPEN_ORACLEDB_PORT
OPEN_POP3_PORT
OPEN_POSTGRESQL_PORT
OPEN_RDP_PORT
OPEN_REDIS_PORT
OPEN_SMTP_PORT
OPEN_SSH_PORT
OPEN_TELNET_PORT
OVER_PRIVILEGED_ACCOUNT
OVER_PRIVILEGED_SCOPES
OVER_PRIVILEGED_SERVICE_ACCOUNT_USER
PRIMITIVE_ROLES_USED
PRIVATE_CLUSTER_DISABLED
PRIVATE_GOOGLE_ACCESS_DISABLED
PUBLIC_BUCKET_ACL
PUBLIC_COMPUTE_IMAGE
PUBLIC_DATASET
PUBLIC_IP_ADDRESS
PUBLIC_SQL_INSTANCE
PUBSUB_CMEK_DISABLED
REDIS_ROLE_USED_ON_ORG
RELEASE_CHANNEL_DISABLED
RSASHA1_FOR_SIGNING
SERVICE_ACCOUNT_KEY_NOT_ROTATED
SHIELDED_VM_DISABLED
SSL_NOT_ENFORCED
SQL_CMEK_DISABLED
SQL_CONTAINED_DATABASE_AUTHENTICATION
SQL_CROSS_DB_OWNERSHIP_CHAINING
SQL_EXTERNAL_SCRIPTS_ENABLED
SQL_LOCAL_INFILE
SQL_LOG_CHECKPOINTS_DISABLED
SQL_LOG_CONNECTIONS_DISABLED
SQL_LOG_DISCONNECTIONS_DISABLED
SQL_LOG_DURATION_DISABLED
SQL_LOG_ERROR_VERBOSITY
SQL_LOG_EXECUTOR_STATS_ENABLED
SQL_LOG_HOSTNAME_ENABLED
SQL_LOG_LOCK_WAITS_DISABLED
SQL_LOG_MIN_DURATION_STATEMENT_ENABLED
SQL_LOG_MIN_ERROR_STATEMENT
SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY
SQL_LOG_MIN_MESSAGES
SQL_LOG_PARSER_STATS_ENABLED
SQL_LOG_PLANNER_STATS_ENABLED
SQL_LOG_STATEMENT
SQL_LOG_STATEMENT_STATS_ENABLED
SQL_LOG_TEMP_FILES
SQL_PUBLIC_IP
SQL_REMOTE_ACCESS_ENABLED
SQL_SKIP_SHOW_DATABASE_DISABLED
SQL_TRACE_FLAG_3625
SQL_USER_CONNECTIONS_CONFIGURED
SQL_USER_OPTIONS_CONFIGURED
USER_MANAGED_SERVICE_ACCOUNT_KEY
WEB_UI_ENABLED
WORKLOAD_IDENTITY_DISABLED