Migrating Forseti Scanners to Rego Constraints

This guide will walk through migrating the Python scanner rule files listed below to functionally equivalent Rego constraints found in the policy-library repository that can be used in Config Validator.

Note: Config Validator currently ingests Cloud Asset Inventory (CAI) data only. GSuite data is not included in CAI exports. Users looking for GSuite specific constraints should continue to utilize the Forseti Python scanners.

For documentation on Config Validator and policy-library, refer here.

  • Audit Logging
  • Bigquery Dataset ACL
  • Bucket ACL
  • Cloud SQL
  • Enabled APIs
  • Firewall Rules
  • Load Balancer Forwarding Rules
  • IAM Policy
  • Instance Network Interface
  • Kubernetes Engine Version
  • Kubernetes Engine
  • KMS
  • Location
  • Retention Policy
  • Role
  • Service Account Key

Audit Logging

Description: You can configure Cloud Audit Logging to save Admin Activity and Data Access for Google Cloud Platform (GCP) services. The audit log configurations for a project, folder, or organization specify which logs should be saved, along with members who are exempted from having their accesses logged. The audit logging scanner detects if any projects are missing a required audit log, or have extra exempted members.

Python Scanner Rego Constraint Template Constraint Sample
audit_logging_rules.yaml gcp_iam_audit_log.yaml iam_audit_log.yaml

Rego constraint asset type

This Rego constraint scans IAM policies for the following CAI asset types:

  • cloudresourcemanager.googleapis.com/Organization
  • cloudresourcemanager.googleapis.com/Folder
  • cloudresourcemanager.googleapis.com/Project

Rego constraint properties

Python Scanner field Rego Constraint field
name metadata.name
resource.resource_ids metadata.spec.match.target
service metadata.spec.parameters.services
log_types metadata.spec.parameters.log_types
allowed_exemptions metadata.spec.parameters.allowed_exemptions

Python scanner to Rego constraint sample

The following Python scanner rule utilizes the Audit Logging scanner to require all logging (log_types) for the Compute service (compute.googleapis.com) in two projects (proj-1, proj-2), with two exempted members (user:user1@org.com, user:user12@org.com).

audit_logging_rules.yaml:

  - name: 'Require all logging for compute, with exemptions.'
     resource:
       - type: project
         resource_ids:
           - 'proj-1'
           - 'proj-2'
     service: 'compute.googleapis.com'
     log_types:
       - 'ADMIN_READ'
       - 'DATA_READ'
       - 'DATA_WRITE'
     allowed_exemptions:
       - 'user:user1@org.com'
       - 'user:user2@org.com'

Add the Rego constraint template gcp_iam_audit_log.yaml in your policies/templates/directory.

Create a new yaml file in your policies/constraints/directory with the following:

iam_audit_log_data_read_write_exemptions.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAuditLogConstraintV1
metadata:
  name: audit_log_data_read_write_exemptions
spec:
  match:
    target: [“**/projects/proj-1”, “**/projects/proj-2”]
  parameters:
    services: [“compute.googleapis.com”]
    log_types: [“ADMIN_READ”, “DATA_READ”, “DATA_WRITE”]
    exemptions: [“user:user1@org.com”, “user:user2@org.com”]

BigQuery Dataset ACL

Description: BigQuery datasets have access properties that can publicly expose your datasets. The BigQuery scanner supports blacklist and whitelist modes to ensure unauthorized users don’t gain access to your datasets, and only authorized users can gain access.

Python Scanner Rego Constraint Template Constraint Sample
bigquery_rules.yaml gcp_iam_allowed_bindings_v1.yaml iam_blacklist_public.yaml

Rego constraint asset type

This Rego constraint can scan IAM policies for any CAI asset type with bindings. You can define the asset type(s) to look for in the constraint itself.

E.g.

  • bigquery.googleapis.com/Dataset
  • storage.googleapis.com/Bucket

Rego constraint properties

This Rego constraint utilizes the following properties:

Python Scanner field Rego Constraint field
name metadata.name
mode metadata.spec.parameters.mode
resource.resource_ids metadata.spec.match.target
dataset_ids metadata.spec.parameters.assetNames
bindings.role metadata.spec.parameters.role
bindings.members metadata.spec.parameters.members

Python scanner to Rego constraint sample

The following Python scanner rule utilizes the BigQuery Dataset ACL scanner to search for any datasets in an organization with ID 123456 that are accessible by groups with googlegroups.com addresses.

bigquery_rules.yaml:

 - name: BigQuery rule to search for datasets accessible by groups with googlegroups.com addresses
    mode: blacklist
    resource:
      - type: organization
        resource_ids:
          - 123456
    dataset_ids: ['*']
    bindings:
      - role: '*'
        members:
        - group_email: '*@googlegroups.com'

Add the Rego constraint template gcp_iam_allowed_bindings_v1.yaml in your policies/templates/directory.

Create a new yaml file in your policies/constraints/directory with the following:

bigquery_rules_iam_blacklist_googlegroups.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAllowedBindingsConstraintV1
metadata:
  name: bigquery_rules_iam_blacklist_googlegroups
spec:
  match:
    target: [“organizations/123456”]
  parameters:
    mode: “blacklist”
    assetType: “bigquery.googleapis.com/Dataset”
    role: "roles/*"
    members:
    - "group:*@googlegroups.com"

Bucket ACL

Description: Cloud Storage buckets have ACLs that can grant public access to your Cloud Storage bucket and objects. The bucket scanner supports a blacklist mode, to ensure unauthorized users don’t gain access to your Cloud Storage bucket.

Python Scanner Rego Constraint Template Constraint Sample
bucket_rules.yaml gcp_storage_bucket_world_readable_v1.yaml storage_blacklist_public.yaml

Rego constraint asset type

This Rego constraint scans IAM policies for the following CAI asset types:

  • storage.googleapis.com/Bucket

Rego constraint properties

This Rego constraint can check for allUsers and allAuthenticatedUsers without defining specific properties in the constraint.

Python scanner to Rego constraint sample

The following Python scanner rules utilize the Bucket ACL scanner to search for any public buckets in an organization with ID 123456.

bucket_rules.yaml:

rules:
 - name: Bucket acls rule to search for public buckets
    bucket: '*'
    entity: allUsers
    email: '*'
    domain: '*'
    role: '*'
    resource:
        - resource_ids:
          - organizations/123456
  - name: Bucket acls rule to search for exposed buckets
    bucket: '*'
    entity: allAuthenticatedUsers
    email: '*'
    domain: '*'
    role: '*'
    resource:
        - resource_ids:
          - organizations/123456

Add the Rego constraint template gcp_storage_bucket_world_readable_v1.yaml in your policies/templates/directory.

Create a new yaml file in your policies/constraints/directory with the following:

storage_blacklist_public.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPStorageBucketWorldReadableConstraintV1
metadata:
  name: blacklist_public_users
spec:
  match:
    target: [“organizations/123456”]
  parameters: {}

Cloud SQL

Description: Cloud SQL instances can be configured to grant external networks access. The Cloud SQL scanner supports a blacklist mode, to ensure unauthorized users don’t gain access to your Cloud SQL instances.

Python Scanner Rego Constraint Template Constraint Sample
cloudsql_rules.yaml gcp_sql_ssl_v1.yaml

gcp_sql_allowed_authorized_networks_v1.yaml

gcp_sql_public_ip_v1.yaml
sql_ssl.yaml

sql_allowed_authorized_networks.yaml

sql_public_ip.yaml

Rego constraint asset type

The Rego constraints scan IAM policies for the following CAI asset types:

  • sqladmin.googleapis.com/Instance

Rego constraint properties

gcp_sql_ssl_v1.yaml constraint checks that all SQL instances have required SSL without defining specific properties to the constraint.

gcp_sql_public_ip_v1.yaml constraint checks that all SQL instances do not have public IPs.

gcp_sql_allowed_authorized_networks_v1.yaml

Python Scanner field Rego Constraint field
name metadata.name
resource.resource_ids metadata.spec.match.target
authorized_networks metadata.spec.parameters.authorized_networks

Python scanner to Rego constraint sample

The following Python scanner rules utilize the Cloud SQL scanner to search for publicly exposed Cloud SQL instances where SSL is enabled in organization with ID 123456.

cloudsql_rules.yaml:

name: Cloud SQL rule to search for publicly exposed instances (SSL enabled)
    instance_name: '*'
    authorized_networks: '0.0.0.0/0'
    ssl_enabled: 'True'
    resource:
      - type: organization
        resource_ids:
          - ${org_id}

Add the Rego constraint template gcp_sql_allowed_authorized_networks_v1.yaml in your policies/templates/directory.

Create a new yaml file in your policies/constraints/directory with the following:

require_sql_ssl.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPSQLSSLConstraintV1
metadata:
  name: require_sql_ssl
spec:
  match:
    target: [“organizations/123456”]
  severity: high
  parameters: {}

Add the Rego constraint template gcp_sql_public_ip_v1.yaml in your policies/templates/directory.

Create a new yaml file in your policies/constraints/directory with the following:

prevent_public_ip_sql.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPSQLPublicIpConstraintV1
metadata:
  name: prevent_public_ip_sql
spec:
  match:
    target: [“organizations/123456”]
  severity: high
  parameters: {}

Enabled APIs

Description: The Enabled APIs scanner detects if a project has appropriate APIs enabled. It supports whitelisting supported APIs, blacklisting unsupported APIs, and specifying required APIs that must be enabled.

Python Scanner Rego Constraint Template Constraint Sample
enabled_apis_rules.yaml gcp_serviceusage_allowed_services_v1.yaml serviceusage_allow_basic_apis.yaml

serviceusage_deny_apis.yaml

Rego constraint asset type

This Rego constraint scans for the following CAI asset types:

  • serviceusage.googleapis.com/Service

Rego constraint properties

Python Scanner field Rego Constraint field
name metadata.name
mode metadata.spec.parameters.mode
resource.resource_ids metadata.spec.match.target
services metadata.spec.parameters.services

Python scanner to Rego constraint sample

The following Python scanner rule utilizes the Enabled APIs scanner to search for any APIs that are not listed in the allowed services defined.

enabled_apis_rules.yaml:

   - name: Example Enabled APIs whitelist
     mode: whitelist
     resource:
       - type: project
         resource_ids:
           - '*'
     services:
       - 'bigquery.googleapis.com'
       - 'clouddebugger.googleapis.com'
       - 'cloudtrace.googleapis.com'
       - 'compute.googleapis.com'
       - 'container.googleapis.com'
       - 'containerregistry.googleapis.com'
       - 'deploymentmanager.googleapis.com'
       - 'language.googleapis.com'
       - 'logging.googleapis.com'
       - 'monitoring.googleapis.com'
       - 'pubsub.googleapis.com'
       - 'replicapool.googleapis.com'
       - 'replicapoolupdater.googleapis.com'
       - 'resourceviews.googleapis.com'
       - 'servicemanagement.googleapis.com'
       - 'serviceusage.googleapis.com'
       - 'sql-component.googleapis.com'
       - 'storage-api.googleapis.com'
       - 'storage-component.googleapis.com'
       - 'translate.googleapis.com'

Add the Rego constraint template gcp_serviceusage_allowed_services_v1.yaml in your policies/templates/directory.

Create a new yaml file in your policies/constraints/directory with the following:

serviceusage_allow_apis.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPServiceUsageConstraintV1
metadata:
  name: allow_apis
spec:
  severity: high
  match:
    target: ["organization/123456"]
  parameters:
    mode: allow
    services:
     - 'bigquery.googleapis.com'
     - 'clouddebugger.googleapis.com'
     - 'cloudtrace.googleapis.com'
     - 'compute.googleapis.com'
     - 'container.googleapis.com'
     - 'containerregistry.googleapis.com'
     - 'deploymentmanager.googleapis.com'
     - 'language.googleapis.com'
     - 'logging.googleapis.com'
     - 'monitoring.googleapis.com'
     - 'pubsub.googleapis.com'
     - 'replicapool.googleapis.com'
     - 'replicapoolupdater.googleapis.com'
     - 'resourceviews.googleapis.com'
     - 'servicemanagement.googleapis.com'
     - 'serviceusage.googleapis.com'
     - 'sql-component.googleapis.com'
     - 'storage-api.googleapis.com'
     - 'storage-component.googleapis.com'
     - 'translate.googleapis.com'

Firewall Rules

Description: Network firewall rules protect your network & organization by only allowing desired traffic into and out of your network. The firewall rules scanner can ensure that all your network’s firewalls are properly configured.

Python Scanner Rego Constraint Template Constraint Sample
firewall_rules.yaml gcp_restricted_firewall_rules_v1.yaml restrict_fw_rules_generic.yaml

restrict_fw_rules_world_open.yaml

Rego constraint asset type

This Rego constraint scans for the following CAI asset types:

  • compute.googleapis.com/Firewall

Rego constraint properties

Python Scanner field Rego Constraint field
rule_id metadata.name
mode metadata.spec.parameters.mode
direction metadata.spec.parameters.rules.direction
allowed metadata.spec.parameters.rules.rule_type
denied metadata.spec.parameters.rules.rule_type
allowed.IPProtocol metadata.spec.parameters.rules.protocol
allowed.ports metadata.spec.parameters.rules.port
denied.IPProtocol metadata.spec.parameters.rules.protocol
denied.ports metadata.spec.parameters.rules.ports
sourceRanges metadata.spec.parameters.rules.source_ranges
sourceServiceAccounts metadata.spec.parameters.rules.source_service_accounts
sourceTags metadata.spec.parameters.rules.source_tags
destinationRanges metadata.spec.parameters.rules.target_ranges
targetServiceAccounts metadata.spec.parameters.rules.target_service_accounts
targetTags metadata.spec.parameters.rules.target_tags

Python scanner to Rego constraint sample

The following Python scanner rules utilize the Firewall Rules scanner to search for policies that allow ingress and expose every port.

firewall_rules.yaml:

 - rule_id: 'prevent_allow_all_ingress'
    description: Detect allow ingress to all policies
    mode: blacklist
    match_policies:
      - direction: ingress
        allowed: ['*']
    verify_policies:
      - allowed:
        - IPProtocol: 'all'

  - rule_id: 'disallow_all_ports'
    description: Don't allow policies that expose every port
    mode: blacklist
    match_policies:
      - direction: ingress
        allowed: ['*']
    verify_policies:
      - allowed:
        - IPProtocol: 'tcp'
          ports:
            - 'all'
      - allowed:
        - IPProtocol: 'udp'
          ports:
            - 'all'

Add the Rego constraint template gcp_restricted_firewall_rules_v1.yaml in your policies/templates/directory.

Create a new yaml file in your policies/constraints/directory with the following:

restrict_firewall_rules.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPRestrictedFirewallRulesConstraintV1
metadata:
  name: restrict-firewall-rule-deny-ingress
spec:
  severity: high
  match:
    target: ["organizations/123456"]
  parameters:
    mode: “denylist”
    rules:
      - direction: "INGRESS"
        rule_type: "allowed"
        protocol: "all"
     - direction: “INGRESS”
       rule_type: "allowed"
       protocol: “tcp”
       port: “all”
     - direction: “INGRESS”
       rule_type: "allowed"
       protocol: “udp”
       port: “all”

IAM Policy

Description: Cloud IAM policies directly grant access on GCP. To ensure only authorized members and permissions are granted in Cloud IAM policies, IAM policy scanner supports the following:

  • Whitelist, blacklist, and required modes.
Python Scanner Rego Constraint Template Constraint Sample
iam_rules.yaml gcp_iam_allowed_bindings_v1.yaml

gcp_iam_required_bindings_v1.yaml
iam_allowed_roles.yaml

iam_restrict_gmail.yaml

iam_blacklist_role.yaml

iam_blacklist_service_account_creator_role.yaml

iam_blacklist_public.yaml

iam_restrict_role.yaml

iam_required_roles.yaml

Rego constraint asset type

This Rego constraint can scan IAM policies for any CAI asset type with bindings. You can define the asset type(s) to look for in the constraint itself.

E.g.

  • cloudresourcemanager.googleapis.com/Project

Rego constraint properties

gcp_iam_allowed_bindings_v1.yaml

Python Scanner field Rego Constraint field
name metadata.name
mode metadata.spec.parameters.mode
resource.resource_ids metadata.spec.match.target
bindings.role metadata.spec.parameters.role
bindings.members metadata.spec.parameters.members

gcp_iam_required_bindings_v1.yaml

Python Scanner field Rego Constraint field
name metadata.name
mode metadata.spec.parameters.mode
resource.resource_ids metadata.spec.match.target
bindings.role metadata.spec.parameters.role
bindings.members metadata.spec.parameters.members

Python scanner to Rego constraint sample

The following Python scanner rules utilizes the IAM Policy scanner to:

  • Allow only IAM members in my-cool-domai.comn to be an OrgAdmin in organization with ID 123456.
  • Prevent public users from having access to buckets via IAM in organization with ID 123456.

iam_policy_rules.yaml:

 rules:
  - name: Allow only IAM members in my domain to be an OrgAdmin
    mode: whitelist
    resource:
      - type: organization
        applies_to: self
        resource_ids:
          - '*'
    inherit_from_parents: true
    bindings:
      - role: roles/resourcemanager.organizationAdmin
        members:
          - user:*@my-cool-domain.com
          - group:*@my-cool-domain.com

  - name: Prevent public users from having access to buckets via IAM
    mode: blacklist
    resource:
      - type: bucket
        applies_to: self
        resource_ids:
          - '*'
    inherit_from_parents: true
    bindings:
      - role: '*'
        members:
          - allUsers

Add the Rego constraint template gcp_iam_allowed_bindings_v1.yaml in your policies/templates/directory.

Create a new yaml file in your policies/constraints/directory with the following:

iam_whitelist_domain.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAllowedBindingsConstraintV1
metadata:
  name: whitelist_domain
spec:
  severity: high
  match:
    target: ["organizations/123456"]
  parameters:
    mode: whitelist
    role: “roles/resourcemanager.organizationAdmin”
    members:
    - "user:*@my-cool-domain.com"
    - “group:*@my-cool-domain.com”

iam_blacklist_public.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAllowedBindingsConstraintV1
metadata:
  name: blacklist_all_users
spec:
  severity: high
  match:
    target: ["organizations/123456"]
  parameters:
    mode: blacklist
    assetType: “storage.googleapis.com/Bucket”
    role: "roles/*"
    members:
    - "allUsers"
    - "allAuthenticatedUsers"

Instance Network Interface

Description: VM instances with external IP addresses expose your environment to an additional attack surface area. The instance network interface scanner audits all of your VM instances in your environment, and determines if any VMs with external IP addresses are outside of the trusted networks.

Python Scanner Rego Constraint Template Constraint Sample
instance_network_interface_
rules.yaml
gcp_compute_network_interface_
whitelist_v1.yaml
compute_network_interface_
whitelist.yaml

Rego constraint asset type

This Rego constraint scans IAM policies for the following CAI asset types:

  • compute.googleapis.com/Instance

Rego constraint properties

Python Scanner field Rego Constraint field
name metadata.name
project metadata.spec.match.target
whitelist metadata.spec.parameters.whitelist

Python scanner to Rego constraint sample

The following Python scanner rule utilizes the Instance Network Interface scanner to ensure instances with external IPs are only running on whitelisted networks and instances are only running on networks created in allowed projects (using XPN)

instance_network_interface_rules.yaml:

- name: all networks covered in whitelist
  project: '*'
  network: '*'
  is_external_network: True
  whitelist:
    project-1:
     - network-1
    project-2:
     - network-2
     - network-2-2
    project-3:
     - network-3

Add the Rego constraint template gcp_compute_network_interface_whitelist_v1.yaml in your policies/templates/directory.

Create a new yaml file in your policies/constraints/directory with the following:

compute_network_interface_whitelist.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPComputeNetworkInterfaceWhitelistConstraintV1
metadata:
  name: whitelist_compute_network_interface
spec:
  severity: high
  match:
    gcp:
      target: ["organizations/123456"]
  parameters:
      whitelist:
          - https://www.googleapis.com/compute/v1/projects/project-1/global/networks/network-1
         - https://www.googleapis.com/compute/v1/projects/project-2/global/networks/network-2
         - https://www.googleapis.com/compute/v1/projects/project-2/global/networks/network-2-2
         - https://www.googleapis.com/compute/v1/projects/project-3/global/networks/network-3

KMS

Description: You can configure the KMS scanner to alert if the enabled cryptographic keys in the organization are not rotated within the time specified. You can also check if the algorithm, protection level and purpose of the cryptographic key is correctly configured.

Python Scanner Rego Constraint Template Constraint Sample
kms_rules.yaml gcp_cmek_settings_v1.yaml cmek_settings.yaml

cmek_rotation_100_days.yaml

cmek_rotation.yaml

Rego constraint asset type

This Rego constraint scans IAM policies for the following CAI asset types:

  • cloudkms.googleapis.com/CryptoKey

Rego constraint properties

Python Scanner field Rego Constraint field
name metadata.name
resource.resource_ids metadata.spec.match.target
key.rotation_period metadata.spec.parameters.rotation_period
key.algorithms metadata.spec.parameters.algorithms
key.protection_level metadata.spec.parameters.protection_level
key.purpose metadata.spec.parameters.purpose

Python scanner to Rego constraint sample

The following Python scanner rule utilizes the KMS scanner to require the cryptographic keys in the organization to be rotated within the time specified (rotation_period), and to ensure that algorithm, protection level (protection_level) and purpose are correctly configured.

kms_rules.yaml:

rules:
  - name: All crypto keys with following config should be rotated in 100 days
    mode: whitelist
    resource:
      - type: organization
        resource_ids:
          - '*'
    key:
       -  rotation_period: 100 #days
         algorithms:
         - GOOGLE_SYMMETRIC_ENCRYPTION
         protection_level: SOFTWARE
         purpose:
         - ENCRYPT_DECRYPT

Add the Rego constraint template gcp_cmek_settings_v1.yaml in your policies/templates/directory.

Create a new yaml file in your policies/constraints/directory with the following:

cmek_settings.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPCMEKRotationConstraintV1
metadata:
  name: cmek_rotation_one_hundred_days
spec:
  severity: high
  match:
    target: ["organization/*"]
  parameters:
    period: 2400h
    algorithm: GOOGLE_SYMMETRIC_ENCRYPTION
    purpose: ENCRYPT_DECRYPT
    protection_level: SOFTWARE

Kubernetes Engine

Description: Kubernetes Engine clusters have a wide-variety of options. You might want to have standards so your clusters are deployed in a uniform fashion. Some of the options can introduce unnecessary security risks. The KE scanner allows you to write rules that check arbitrary cluster properties for violations. It supports the following features:

  • Any cluster property can be checked in a rule by providing a JMESPath expression that extracts the right fields. See http://jmespath.org/ for a tutorial and detailed specifications.
  • Rules can be whitelists or blacklists.
Python Scanner Rego Constraint Template Constraint Sample
ke_scanner_rules.yaml gcp_resource_value_pattern_v1.yaml gke_enable_logging.yaml

Rego constraint asset type

This Rego constraint can scan for any CAI asset type. You can define the asset type(s) to look for in the constraint itself.

E.g.

  • container.googleapis.com/Cluster
  • bigquery.googleapis.com/Dataset
  • storage.googleapis.com/Bucket

Rego constraint properties

Python Scanner field Rego Constraint field
name metadata.name
resource.type metadata.spec.parameters.asset_types
resource.resource_ids metadata.spec.match.target
key metadata.spec.parameters.field_name
mode metadata.spec.parameters.mode
values metadata.spec.parameters.pattern

Python scanner to Rego constraint sample

The following Python scanner rule utilizes the Kubernetes Engine scanner to require that all logging is enabled in Kubernetes clusters.

ke_scanner.yaml:

 - name: logging should be enabled
    resource:
      - type: project
        resource_ids:
          - '*'
    key: loggingService
    mode: whitelist
    values:
      - logging.googleapis.com

Add the Rego constraint template gcp_resource_value_pattern_v1.yaml in your policies/templates/directory.

Create a new yaml file in your policies/constraints/directory with the following:

gke_enable_logging.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPResourceValuePatternConstraintV1
metadata:
  name: gke-cluster-enable-logging
spec:
  severity: high
  match:
    target: ["organizations/123456"]
  parameters:
    mode: allowlist
    asset_types:
        - "container.googleapis.com/Cluster"
    field_name: "loggingService"
    pattern: "logging.googleapis.com"

Kubernetes Engine Version

Description: Kubernetes Engine clusters running on older versions can be exposed to security vulnerabilities, or lack of support. The KE version scanner can ensure your Kubernetes Engine clusters are running safe and supported versions.

Python Scanner Rego Constraint Template Constraint Sample
ke_rules.yaml gcp_gke_cluster_version_v1.yaml gke_cluster_version.yaml

Rego constraint asset type

This Rego constraint scans IAM policies for the following CAI asset types:

  • container.googleapis.com/Cluster

Rego constraint properties

Python Scanner field Rego Constraint field
name metadata.name
resource.resource_ids metadata.spec.match.target
allowed_nodepool_versions metadata.spec.parameters.versions

Python scanner to Rego constraint sample

The following Python scanner rule utilizes the Kubernetes Engine Version scanner to allow only specific nodepool versions.

ke_rules.yaml:

 - name: Nodepool version not patched for critical security vulnerabilities
    resource:
      - type: organization
        resource_ids:
          - '*'
    check_serverconfig_valid_node_versions: false
    check_serverconfig_valid_master_versions: false
    allowed_nodepool_versions:
        # Note: We must use = here because using >= will also allow earlier
        # versions of 11-gke.* and 12-gke.* (e.g. 11-gke.1) which might have
        # the vulnerabilities.
      - major: '1.8'
        minor: '10-gke.2'
        operator: '='
      - major: '1.9'
        minor: '6-gke.2'
        operator: '='

Add the Rego constraint template gcp_gke_cluster_version_v1.yaml in your policies/templates/directory.

Create a new yaml file in your policies/constraints/directory with the following:

gke_allowlist_nodepool_versions.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GKEClusterVersionConstraintV1
metadata:
  name: gke-cluster-version
spec:
  severity: high
  match:
    target: ["organization/*"]
  parameters:
    mode: "allowlist"
    version_type: "master"
    versions:
      - 1.8.10-gke.2
      - 1.9.6-gke.2
    exemptions: []

Load Balancer Forwarding Rules

Description: You can configure load balancer forwarding rules to direct unauthorized external traffic to your target instances. The forwarding rule scanner supports a whitelist mode, to ensure each forwarding rule only directs to the intended target instances.

Python Scanner Rego Constraint Template Constraint Sample
forwarding_rules.yaml gcp_lb_forwarding_rules_whitelist.yaml

gcp_glb_external_ip_access_constraint_v1.yaml
gcp_lb_forwarding_rules_whitelist.yaml

gcp_glb_external_ip.yaml

Rego constraint asset type

The Rego constraints scan for the following CAI asset types:

  • compute.googleapis.com/ForwardingRule
  • compute.googleapis.com/GlobalForwardingRule

Rego constraint properties

gcp_lb_forwarding_rules_whitelist.yaml

Python Scanner field Rego Constraint field
name metadata.name
target metadata.spec.parameters.target
mode metadata.spec.parameters.whitelist
load_balancing_scheme metadata.spec.parameters.load_balancing_scheme
ip_protocol metadata.spec.parameters.ip_protocol
ip_address metadata.spec.parameters.ip_address

Python scanner to Rego constraint sample

The following Python scanner rules utilize the Load Balancer Forwarding Rules scanner to only allow UDP load balancers for external VPN. forwarding_rules.yaml:

  - name: UDP LB for External VPN
    target: https://www.googleapis.com/compute/v1/projects/THEPROJECT/regions/us-central1/THELB/FWD_RULE_NAME
    mode: whitelist
    load_balancing_scheme: EXTERNAL
    port_range: 4500-4500
    ip_protocol: UDP
    ip_address: "198.51.100.99"

Add the Rego constraint template gcp_lb_forwarding_rules_whitelist.yaml in your policies/templates/directory.

Create a new yaml file in your policies/constraints/directory with the following:

gcp_lb_forwarding_rule_whitelist:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPLBForwardingRuleWhitelistConstraintV1
metadata:
  name: gcp_lb_forwarding_rule_whitelist
spec:
  severity: high
  parameters:
    whitelist:
     - target: https://www.googleapis.com/compute/v1/projects/THEPROJECT/regions/us-central1/THELB/FWD_RULE_NAME
       load_balancing_scheme: EXTERNAL
       port_range: 4500-4500
       ip_protocol: UDP
       ip_address: "198.51.100.99"

Location

Description: Allow customers to ensure their resources are located only in the intended locations. Set guards around locations as part of automated project deployment.

Python Scanner Rego Constraint Template Constraint Sample
location_rules.yaml gcp_storage_location_v1.yaml

gcp_sql_location_v1.yaml

gcp_bq_dataset_location_v1.yaml

gcp_gke_cluster_location_v2.yaml

gcp_compute_zone_v1.yaml
storage_location.yaml

sql_location.yaml

bq_dataset_location.yaml

gke_cluster_location.yaml

compute_zone.yaml

Rego constraint asset type

gcp_storage_location_v1.yaml scans for the following CAI asset types:

  • storage.googleapis.com/Bucket

gcp_sql_location_v1.yaml scans for the following CAI asset types:

  • sqladmin.googleapis.com/Instance

gcp_bq_dataset_location_v1.yaml scans for the following CAI asset types:

  • bigquery.googleapis.com/Dataset

gcp_gke_cluster_location_v2.yaml scans for the following CAI asset types:

  • container.googleapis.com/Cluster

gcp_compute_zone_v1.yaml scans for the following CAI asset types:

  • compute.googleapis.com/Instance
  • compute.googleapis.com/Disk

Rego constraint properties

gcp_storage_location_v1.yaml

Python Scanner field Rego Constraint field
name metadata.name
mode metadata.spec.parameters.mode
resource.resource_ids metadata.spec.match.target
locations metadata.spec.parameters.locations

gcp_sql_location_v1.yaml

Python Scanner field Rego Constraint field
name  
metadata.name  
mode  
metadata.spec.parameters.mode  
resource.resource_ids  
metadata.spec.match.target  
locations  
metadata.spec.parameters.locations  

gcp_bq_dataset_location_v1.yaml

Python Scanner field Rego Constraint field
name metadata.name
mode metadata.spec.parameters.mode
resource.resource_ids metadata.spec.match.target
locations metadata.spec.parameters.locations

gcp_gke_cluster_location_v2.yaml

Python Scanner field Rego Constraint field
name metadata.name
mode metadata.spec.parameters.mode
resource.resource_ids metadata.spec.match.target
locations metadata.spec.parameters.locations

gcp_compute_zone_v1.yaml

Python Scanner field Rego Constraint field
name metadata.name
mode metadata.spec.parameters.mode
resource.resource_ids metadata.spec.match.target
locations metadata.spec.parameters.zones

Python scanner to Rego constraint sample

The following Python scanner rule utilizes the Location scanner to ensure that all buckets in organization with ID 123456 are NOT be in EU.

location_rules.yaml:

- name: All buckets in organization must not be in EU.
  mode: blacklist
  resource:
   - type: organization
     resource_ids:
       - ${org_id}
  applies_to:
   - type: 'bucket'
     resource_ids:
       - '*'
  locations:
   - 'eu*'

Add the Rego constraint template gcp_storage_location_v1.yaml in your policies/templates/directory.

Create a new yaml file in your policies/constraints/directory with the following:

storage_location_eu_denylist.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPStorageLocationConstraintV1
metadata:
  name: denylist_bucket_eu_location
spec:
  severity: high
  match:
    target: ["organizations/123456*"]
  parameters:
    mode: "denylist"
    locations:
    - europe-north1
    - europe-west1
    - europe-west2
    - europe-west3
    - europe-west4
    - europe-west6
    exemptions: []

Retention Policy

Description: Allow customers to ensure the retention policies on their resources are set as intended.

Python Scanner Rego Constraint Template Constraint Sample
retention_rules.yaml gcp_storage_bucket_retention_v1.yaml

gcp_bigquery_table_retention_v1.yaml
storage_bucket_retention.yaml

bigquery_table_retention.yaml

Rego constraint asset type

gcp_storage_bucket_retention_v1.yaml scans for the following CAI asset types:

  • storage.googleapis.com/Bucket

gcp_bigquery_table_retention_v1.yaml scans for the following CAI asset types:

  • bigquery.googleapis.com/Table

Rego constraint properties

gcp_storage_bucket_retention_v1.yaml

Python Scanner field Rego Constraint field
name metadata.name
resource.resource_ids metadata.spec.match.target
minimum_retention metadata.spec.parameters.minimum_retention_days
maximmum_retention metadata.spec.parameters.maximum_retention_days

gcp_bigquery_table_retention_v1.yaml

Python Scanner field Rego Constraint field
name metadata.name
resource.resource_ids metadata.spec.match.target
minimum_retention metadata.spec.parameters.minimum_retention_days
maximum_retention metadata.spec.parameters.maximum_retention_days

Python scanner to Rego constraint sample

The following Python scanner rule utilizes the Retention Policy scanner to require all buckets in organization with ID 123456 to have a retention shorter than 730 days.

retention_rules.yaml:

  - name: Buckets in Organization must have a retention shorter than 730 days.
     applies_to:
       - bucket
     resource:
       - type: organization
         resource_ids:
           - "1234556"
     maximum_retention: 730

Add the Rego constraint template gcp_storage_bucket_retention_v1.yaml in your policies/templates/directory.

Create a new yaml file in your policies/constraints/directory with the following:

storage_bucket_retention.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPStorageBucketRetentionConstraintV1
metadata:
  name: storage_bucket_maximum_retention
spec:
  severity: high
  match:
    target: ["organizations/123456"]
  parameters:
    maximum_retention_days: 730
    exemptions: []

Role

Description: Control permissions that are actually in IAM roles - ensure that custom IAM roles do not have more permissions than they should to prevent access.

Python Scanner Rego Constraint Template Constraint Sample
role_rules.yaml gcp_iam_custom_role_permissions_v1.yaml iam_allowed_roles.yaml

Rego constraint asset type

This Rego constraint can scan the following CAI asset type:

  • iam.googleapis.com/Role

Rego constraint properties

Python Scanner field Rego Constraint field
name metadata.name
role_name metadata.spec.parameters.title
permissions metadata.spec.parameters.permissions
resource.resource_ids metadata.spec.match.target

Python scanner to Rego constraint sample

The following Python scanner rule utilizes the Role scanner to search for the ‘BigqueryViewer’ role to ensure that there are only the permissions defined.

role_rules.yaml:

  - name: "The role BigqueryViewer contains exactly the following 3 permissions"
     role_name: "BigqueryViewer"
     permissions:
     - "bigquery.datasets.get"
     - "bigquery.tables.get"
     - "bigquery.tables.list"
     resource:
     - type: project
       resource_ids: ['*']

Add the Rego constraint template gcp_iam_custom_role_permissions_v1.yaml in your policies/templates/directory.

Create a new yaml file in your policies/constraints/directory with the following:

iam_custom_role_permissions.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMCustomRolePermissionsConstraintV1
metadata:
  name: allowlist-role-permissions
  annotations:
    description: Bigquery Viewer role must only have specific permissions
spec:
  severity: high
  parameters:
    mode: allowlist
    title: "Bigquery Viewer"
    permissions:
     - "bigquery.datasets.get"
     - "bigquery.tables.get"
     - "bigquery.tables.list"

Service Account Key

Description: It’s best to periodically rotate your user-managed service account keys, in case the keys get compromised without your knowledge. With the service account key scanner, you can define the max age at which your service account keys should be rotated. The scanner will then find any key that is older than the max age.

Python Scanner Rego Constraint Template Constraint Sample
service_account_key_rules.yaml gcp_iam_restrict_service_account_key_
age_v1.yaml
gcp_iam_restrict_service_account_key_
age.yaml

Rego constraint asset type

This Rego constraint scans IAM policies for the following CAI asset types:

  • iam.googleapis.com/ServiceAccountKey

Rego constraint properties

Python Scanner field Rego Constraint field
name metadata.name
resource.resource_ids metadata.spec.match.target
max_age metadata.spec.parameters.max_age

Python scanner to Rego constraint sample

The following Python scanner rules utilize the Service Account Key scanner to define the max age at which the Service Account Keys should be rotated.

service_account_key_rules.yaml:


rules:
  # The max allowed age of user managed service account keys (in days)
  - name: Service account keys not rotated
    resource:
      - type: organization
        resource_ids:
          - '*'
    max_age: 100 # days

Add the Rego constraint template gcp_iam_restrict_service_account_key_age_v1.yaml in your policies/templates/directory.

Create a new yaml file in your policies/constraints/directory with the following:

gcp_iam_restrict_service_account_key_age.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMRestrictServiceAccountKeyAgeConstraintV1
metadata:
  name: iam-restrict-service-account-key-age-ninety-days
  annotations:
    # This constraint is not certified by CIS.
    bundles.validator.forsetisecurity.org/cis-v1.1: 1.06
spec:
  severity: high
  parameters:
      max_age: 2160h