Real-Time Enforcer

This is a beta release. This product might be changed in backward-incompatible ways and is not subject to any SLA or deprecation policy.

Overview

Developed in partnership with ClearDATA, Real-Time Enforcer automatically remediates non-compliant configurations in targeted Google Cloud Platform (GCP) resources.

Real-Time Enforcer uses a Stackdriver log export that filters for Audit Log entries that create or update resources and sends those entries to a Pub/Sub topic. The forseti-enforcer-gcp service account subscribes to that topic, evaluates each incoming log message, and attempts to map it to a recognized resource. If the resource is recognized, Real-Time Enforcer evaluates it against an Open Policy Agent (OPA) instance and remediates it according to the policies stored in a Cloud Storage bucket.
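The mapping step described above, as an added illustration that is not Real-Time Enforcer's own code: it decodes Pub/Sub message bodies carrying exported LogEntry JSON, keeps only successful Audit Log entries for create/update methods, and maps recognized services to a resource kind that a policy engine could evaluate. The serviceName table, the method-name filter terms, and the sample entries are assumptions constructed for this example; the enforcer's real mapping logic is not on this page.

```python
import json

AUDIT_LOG_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"

# Assumed serviceName -> resource-kind table covering the resource types the permissions above span.
RECOGNIZED_SERVICES = {
    "storage.googleapis.com": "storage.buckets",
    "bigquery.googleapis.com": "bigquery.datasets",
    "sqladmin.googleapis.com": "cloudsql.instances",
    "cloudresourcemanager.googleapis.com": "resourcemanager.projects",
}
MUTATING_TOKENS = ("create", "insert", "update", "patch", "setiampolicy")  # assumed filter terms

def map_log_entry(entry):  # one decoded LogEntry -> OPA-style input document, or None
    payload = entry.get("protoPayload") or {}
    if payload.get("@type") != AUDIT_LOG_TYPE:
        return None
    kind = RECOGNIZED_SERVICES.get(payload.get("serviceName", ""))
    method = payload.get("methodName", "")
    # Approximates the log-export filter: only entries that create or update a resource.
    if kind is None or not any(tok in method.lower() for tok in MUTATING_TOKENS):
        return None
    # A non-zero status means the API call failed and the resource did not change: nothing to remediate.
    if (payload.get("status") or {}).get("code", 0) != 0:
        return None
    return {"kind": kind, "name": payload.get("resourceName"), "method": method}

def process_messages(raw_messages):  # the subscriber loop: decode each Pub/Sub payload and map it
    mapped = []
    for raw in raw_messages:
        try:
            entry = json.loads(raw)
        except ValueError:
            continue  # malformed message: skip it rather than crash the subscriber
        doc = map_log_entry(entry)
        if doc is not None:
            mapped.append(doc)
    return mapped

def sample_entry(service, method, name, **extra):  # builds a constructed sample LogEntry
    return {"protoPayload": {"@type": AUDIT_LOG_TYPE, "serviceName": service,
                             "methodName": method, "resourceName": name, **extra}}

SAMPLE_ENTRIES = [  # constructed sample data, not real logs
    sample_entry("storage.googleapis.com", "storage.buckets.create", "projects/_/buckets/example-bucket"),
    sample_entry("storage.googleapis.com", "storage.buckets.get", "projects/_/buckets/example-bucket"),
    sample_entry("cloudresourcemanager.googleapis.com", "SetIamPolicy", "projects/example-project",
                 status={"code": 7, "message": "PERMISSION_DENIED"}),
]
SAMPLE_MESSAGES = [json.dumps(e) for e in SAMPLE_ENTRIES] + ["not json"]  # Pub/Sub message bodies
```

Of the three sample entries only the successful bucket creation is mapped: the read-only `get` is dropped by the filter, and the denied `SetIamPolicy` is dropped because a failed call leaves nothing to remediate.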

Logs are written to Stackdriver in the same project that Real-Time Enforcer runs in, and can be found using the Global resource filter.

The cloud-foundation-forseti Service Account

The cloud-foundation-forseti service account is used to set up the Real-Time Enforcer Terraform module.

Permissions

For Real-Time Enforcer to work properly, the cloud-foundation-forseti service account requires the following permissions:

Granted at the organization level

  • roles/iam.organizationRoleAdmin
  • roles/logging.configWriter

Granted at the project level

  • roles/pubsub.admin

The forseti-enforcer-gcp Service Account

The forseti-enforcer-gcp service account gives the Real-Time Enforcer application access to pull messages from the Pub/Sub subscription and to modify resources for policy enforcement.

Permissions

The forseti-enforcer-gcp service account requires the following permissions:

Granted at the organization level

  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.setIamPolicy
  • storage.buckets.update
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.setIamPolicy
  • bigquery.datasets.update
  • cloudsql.instances.get
  • cloudsql.instances.update
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.setIamPolicy
  • serviceusage.services.use

Granted at the project level

  • roles/storage.objectViewer
  • roles/cloudtrace.agent
  • roles/logging.logWriter