This guide will walk through migrating the Python scanner rule files listed below to functionally equivalent Rego constraints found in the policy-library repository that can be used in Config Validator.
Note: Config Validator currently ingests Cloud Asset Inventory (CAI) data only. GSuite data is not included in CAI exports. Users looking for GSuite specific constraints should continue to utilize the Forseti Python scanners.
For documentation on Config Validator and policy-library, refer here.
Description: You can configure Cloud Audit Logging to save Admin Activity and Data Access for Google Cloud Platform (GCP) services. The audit log configurations for a project, folder, or organization specify which logs should be saved, along with members who are exempted from having their accesses logged. The audit logging scanner detects if any projects are missing a required audit log, or have extra exempted members.
Python Scanner | Rego Constraint Template | Constraint Sample |
---|---|---|
audit_logging_rules.yaml | gcp_iam_audit_log.yaml | iam_audit_log.yaml |
This Rego constraint scans IAM policies for the following CAI asset types:
Python Scanner field | Rego Constraint field |
---|---|
name | metadata.name |
resource.resource_ids | metadata.spec.match.target |
service | metadata.spec.parameters.services |
log_types | metadata.spec.parameters.log_types |
allowed_exemptions | metadata.spec.parameters.allowed_exemptions |
The following Python scanner rule utilizes the Audit Logging scanner to require all logging (log_types) for the Compute service (compute.googleapis.com) in two projects (proj-1, proj-2), with two exempted members (user:user1@org.com, user:user2@org.com).
audit_logging_rules.yaml:

```yaml
- name: 'Require all logging for compute, with exemptions.'
  resource:
    - type: project
      resource_ids:
        - 'proj-1'
        - 'proj-2'
  service: 'compute.googleapis.com'
  log_types:
    - 'ADMIN_READ'
    - 'DATA_READ'
    - 'DATA_WRITE'
  allowed_exemptions:
    - 'user:user1@org.com'
    - 'user:user2@org.com'
```
Add the Rego constraint template gcp_iam_audit_log.yaml in your policies/templates/ directory.
Create a new yaml file in your policies/constraints/ directory with the following:
iam_audit_log_data_read_write_exemptions.yaml:

```yaml
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAuditLogConstraintV1
metadata:
  name: audit_log_data_read_write_exemptions
spec:
  match:
    target: ["**/projects/proj-1", "**/projects/proj-2"]
  parameters:
    services: ["compute.googleapis.com"]
    log_types: ["ADMIN_READ", "DATA_READ", "DATA_WRITE"]
    # Field name follows the mapping table above (allowed_exemptions).
    allowed_exemptions: ["user:user1@org.com", "user:user2@org.com"]
```
Description: BigQuery datasets have access properties that can publicly expose your datasets. The BigQuery scanner supports denylist and allowlist modes to ensure unauthorized users don’t gain access to your datasets, and only authorized users can gain access.
Python Scanner | Rego Constraint Template | Constraint Sample |
---|---|---|
bigquery_rules.yaml | gcp_iam_allowed_bindings.yaml | iam_deny_public.yaml |
This Rego constraint can scan IAM policies for any CAI asset type with bindings. You can define the asset type(s) to look for in the constraint itself.
E.g.
This Rego constraint utilizes the following properties:
Python Scanner field | Rego Constraint field |
---|---|
name | metadata.name |
mode | metadata.spec.parameters.mode |
resource.resource_ids | metadata.spec.match.target |
dataset_ids | metadata.spec.parameters.assetNames |
bindings.role | metadata.spec.parameters.role |
bindings.members | metadata.spec.parameters.members |
The following Python scanner rule utilizes the BigQuery Dataset ACL scanner to search for any datasets in an organization with ID 123456 that are accessible by groups with googlegroups.com addresses.
bigquery_rules.yaml:

```yaml
- name: BigQuery rule to search for datasets accessible by groups with googlegroups.com addresses
  mode: blacklist
  resource:
    - type: organization
      resource_ids:
        - 123456
  dataset_ids: ['*']
  bindings:
    - role: '*'
      members:
        - group_email: '*@googlegroups.com'
```
Add the Rego constraint template gcp_iam_allowed_bindings.yaml in your policies/templates/ directory.
Create a new yaml file in your policies/constraints/ directory with the following:
bigquery_rules_iam_denylist_googlegroups.yaml:

```yaml
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAllowedBindingsConstraintV3
metadata:
  name: bigquery_rules_iam_denylist_googlegroups
spec:
  match:
    target: ["organizations/123456"]
  parameters:
    mode: denylist
    assetType: bigquery.googleapis.com/Dataset
    role: roles/*
    members:
      - "group:*@googlegroups.com"
```
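The field mappings in the two tables above (audit logging and BigQuery) can be applied mechanically. The following is an added example, not Forseti or policy-library code: it turns the two Forseti rules shown above, loaded as dicts, into Config Validator constraint documents. The `user_email` and `domain` member keys, the `organizations/**` widening of a `*` resource id, the derived `metadata.name` and the pass-through of `dataset_ids` into `assetNames` are assumptions made here.

```python
import re
from typing import Any, Dict, List

API_VERSION = "constraints.gatekeeper.sh/v1alpha1"
MODE_MAP = {"blacklist": "denylist", "whitelist": "allowlist"}
# Forseti member keys -> IAM member prefixes. Only group_email appears on this
# page; user_email and domain are assumed Forseti BigQuery rule member keys.
MEMBER_PREFIX = {"user_email": "user:", "group_email": "group:", "domain": "domain:"}

# The two Forseti rules shown above, as the dicts yaml.safe_load would give.
AUDIT_RULE = {
    "name": "Require all logging for compute, with exemptions.",
    "resource": [{"type": "project", "resource_ids": ["proj-1", "proj-2"]}],
    "service": "compute.googleapis.com",
    "log_types": ["ADMIN_READ", "DATA_READ", "DATA_WRITE"],
    "allowed_exemptions": ["user:user1@org.com", "user:user2@org.com"],
}
BQ_RULE = {
    "name": "BigQuery rule to search for datasets accessible by groups with googlegroups.com addresses",
    "mode": "blacklist",
    "resource": [{"type": "organization", "resource_ids": [123456]}],
    "dataset_ids": ["*"],
    "bindings": [{"role": "*", "members": [{"group_email": "*@googlegroups.com"}]}],
}


def constraint_name(rule_name: str) -> str:
    """Derive a metadata.name from the free-text Forseti rule name (assumed scheme)."""
    return re.sub(r"[^a-z0-9]+", "_", rule_name.lower()).strip("_")


def resource_to_targets(resources: List[Dict[str, Any]]) -> List[str]:
    """Forseti resource blocks -> match.target patterns, using the two forms on
    this page ("**/projects/<id>", "organizations/<id>"); a wildcard id '*' is
    widened to "organizations/**", which covers either resource type (assumed)."""
    targets = []
    for res in resources:
        for rid in map(str, res.get("resource_ids", [])):
            if rid == "*":
                targets.append("organizations/**")
            elif res["type"] == "project":
                targets.append(f"**/projects/{rid}")
            elif res["type"] == "organization":
                targets.append(f"organizations/{rid}")
            else:
                raise ValueError(f"unsupported resource type: {res['type']}")
    return targets


def audit_log_rule_to_constraint(rule: Dict[str, Any]) -> Dict[str, Any]:
    """audit_logging_rules.yaml entry -> GCPIAMAuditLogConstraintV1 document."""
    return {
        "apiVersion": API_VERSION,
        "kind": "GCPIAMAuditLogConstraintV1",
        "metadata": {"name": constraint_name(rule["name"])},
        "spec": {
            "match": {"target": resource_to_targets(rule["resource"])},
            "parameters": {
                "services": [rule["service"]],
                "log_types": list(rule["log_types"]),
                "allowed_exemptions": list(rule.get("allowed_exemptions", [])),
            },
        },
    }


def bigquery_rule_to_constraints(rule: Dict[str, Any]) -> List[Dict[str, Any]]:
    """bigquery_rules.yaml entry -> one GCPIAMAllowedBindingsConstraintV3 per binding."""
    constraints = []
    for i, binding in enumerate(rule["bindings"]):
        members = []
        for member in binding["members"]:
            for key, value in member.items():
                if key not in MEMBER_PREFIX:
                    raise ValueError(f"unsupported member key: {key}")
                members.append(MEMBER_PREFIX[key] + value)
        params = {
            "mode": MODE_MAP[rule["mode"]],
            "assetType": "bigquery.googleapis.com/Dataset",
            "role": "roles/*" if binding["role"] == "*" else binding["role"],
            "members": members,
        }
        if rule.get("dataset_ids", ["*"]) != ["*"]:
            # assetNames is assumed to take full CAI dataset names; bare ids are
            # passed through here for the caller to expand.
            params["assetNames"] = list(rule["dataset_ids"])
        constraints.append({
            "apiVersion": API_VERSION,
            "kind": "GCPIAMAllowedBindingsConstraintV3",
            "metadata": {"name": f"{constraint_name(rule['name'])}_{i}"},
            "spec": {"match": {"target": resource_to_targets(rule["resource"])},
                     "parameters": params},
        })
    return constraints
```

Serialise the returned dicts with your YAML library of choice to produce the constraint files.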
Description: Cloud Storage buckets have ACLs that can grant public access to your Cloud Storage bucket and objects. The bucket scanner supports a denylist mode, to ensure unauthorized users don’t gain access to your Cloud Storage bucket.
Python Scanner | Rego Constraint Template | Constraint Sample |
---|---|---|
bucket_rules.yaml | gcp_storage_bucket_world_readable_v1.yaml | storage_denylist_public.yaml |
This Rego constraint scans IAM policies for the following CAI asset types:
This Rego constraint can check for allUsers and allAuthenticatedUsers without defining specific properties in the constraint.
The following Python scanner rules utilize the Bucket ACL scanner to search for any public buckets in an organization with ID 123456.
bucket_rules.yaml:

```yaml
rules:
  - name: Bucket acls rule to search for public buckets
    bucket: '*'
    entity: allUsers
    email: '*'
    domain: '*'
    role: '*'
    resource:
      - resource_ids:
          - organizations/123456
  - name: Bucket acls rule to search for exposed buckets
    bucket: '*'
    entity: allAuthenticatedUsers
    email: '*'
    domain: '*'
    role: '*'
    resource:
      - resource_ids:
          - organizations/123456
```
Add the Rego constraint template gcp_storage_bucket_world_readable_v1.yaml in your policies/templates/ directory.
Create a new yaml file in your policies/constraints/ directory with the following:
storage_denylist_public.yaml:

```yaml
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPStorageBucketWorldReadableConstraintV1
metadata:
  name: denylist_public_users
spec:
  match:
    target: ["organizations/123456"]
  parameters: {}
```
Description: Cloud SQL instances can be configured to grant external networks access. The Cloud SQL scanner supports a denylist mode, to ensure unauthorized users don’t gain access to your Cloud SQL instances.
Python Scanner | Rego Constraint Template | Constraint Sample |
---|---|---|
cloudsql_rules.yaml | gcp_sql_ssl_v1.yaml, gcp_sql_allowed_authorized_networks_v1.yaml, gcp_sql_public_ip_v1.yaml | sql_ssl.yaml, sql_allowed_authorized_networks.yaml, sql_public_ip.yaml |
The Rego constraints scan IAM policies for the following CAI asset types:
gcp_sql_ssl_v1.yaml constraint checks that all SQL instances have required SSL without defining specific properties to the constraint.
gcp_sql_public_ip_v1.yaml constraint checks that all SQL instances do not have public IPs.
gcp_sql_allowed_authorized_networks_v1.yaml
Python Scanner field | Rego Constraint field |
---|---|
name | metadata.name |
resource.resource_ids | metadata.spec.match.target |
authorized_networks | metadata.spec.parameters.authorized_networks |
The following Python scanner rule utilizes the Cloud SQL scanner to search for publicly exposed Cloud SQL instances where SSL is enabled in the organization with ID 123456.
cloudsql_rules.yaml:

```yaml
- name: Cloud SQL rule to search for publicly exposed instances (SSL enabled)
  instance_name: '*'
  authorized_networks: '0.0.0.0/0'
  ssl_enabled: 'True'
  resource:
    - type: organization
      resource_ids:
        - ${org_id}
```
Add the Rego constraint template gcp_sql_ssl_v1.yaml (the template behind GCPSQLSSLConstraintV1, per the table above) in your policies/templates/ directory.
Create a new yaml file in your policies/constraints/ directory with the following:
require_sql_ssl.yaml:

```yaml
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPSQLSSLConstraintV1
metadata:
  name: require_sql_ssl
spec:
  match:
    target: ["organizations/123456"]
  severity: high
  parameters: {}
```
Add the Rego constraint template gcp_sql_public_ip_v1.yaml in your policies/templates/ directory.
Create a new yaml file in your policies/constraints/ directory with the following:
prevent_public_ip_sql.yaml:

```yaml
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPSQLPublicIpConstraintV1
metadata:
  name: prevent_public_ip_sql
spec:
  match:
    target: ["organizations/123456"]
  severity: high
  parameters: {}
```
Description: The Enabled APIs scanner detects if a project has appropriate APIs enabled. It supports allowlisting supported APIs, denylisting unsupported APIs, and specifying required APIs that must be enabled.
Python Scanner | Rego Constraint Template | Constraint Sample |
---|---|---|
enabled_apis_rules.yaml | gcp_serviceusage_allowed_services_v1.yaml | serviceusage_allow_basic_apis.yaml, serviceusage_deny_apis.yaml |
This Rego constraint scans for the following CAI asset types:
Python Scanner field | Rego Constraint field |
---|---|
name | metadata.name |
mode | metadata.spec.parameters.mode |
resource.resource_ids | metadata.spec.match.target |
services | metadata.spec.parameters.services |
The following Python scanner rule utilizes the Enabled APIs scanner to search for any APIs that are not listed in the allowed services defined.
enabled_apis_rules.yaml:

```yaml
- name: Example Enabled APIs allowlist
  mode: whitelist
  resource:
    - type: project
      resource_ids:
        - '*'
  services:
    - 'bigquery.googleapis.com'
    - 'clouddebugger.googleapis.com'
    - 'cloudtrace.googleapis.com'
    - 'compute.googleapis.com'
    - 'container.googleapis.com'
    - 'containerregistry.googleapis.com'
    - 'deploymentmanager.googleapis.com'
    - 'language.googleapis.com'
    - 'logging.googleapis.com'
    - 'monitoring.googleapis.com'
    - 'pubsub.googleapis.com'
    - 'replicapool.googleapis.com'
    - 'replicapoolupdater.googleapis.com'
    - 'resourceviews.googleapis.com'
    - 'servicemanagement.googleapis.com'
    - 'serviceusage.googleapis.com'
    - 'sql-component.googleapis.com'
    - 'storage-api.googleapis.com'
    - 'storage-component.googleapis.com'
    - 'translate.googleapis.com'
```
Add the Rego constraint template gcp_serviceusage_allowed_services_v1.yaml in your policies/templates/ directory.
Create a new yaml file in your policies/constraints/ directory with the following:
serviceusage_allow_apis.yaml:

```yaml
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPServiceUsageConstraintV1
metadata:
  name: allow_apis
spec:
  severity: high
  match:
    # Same target form as the other constraints in this guide.
    target: ["organizations/123456"]
  parameters:
    mode: allow
    services:
      - 'bigquery.googleapis.com'
      - 'clouddebugger.googleapis.com'
      - 'cloudtrace.googleapis.com'
      - 'compute.googleapis.com'
      - 'container.googleapis.com'
      - 'containerregistry.googleapis.com'
      - 'deploymentmanager.googleapis.com'
      - 'language.googleapis.com'
      - 'logging.googleapis.com'
      - 'monitoring.googleapis.com'
      - 'pubsub.googleapis.com'
      - 'replicapool.googleapis.com'
      - 'replicapoolupdater.googleapis.com'
      - 'resourceviews.googleapis.com'
      - 'servicemanagement.googleapis.com'
      - 'serviceusage.googleapis.com'
      - 'sql-component.googleapis.com'
      - 'storage-api.googleapis.com'
      - 'storage-component.googleapis.com'
      - 'translate.googleapis.com'
```
Description: Network firewall rules protect your network & organization by only allowing desired traffic into and out of your network. The firewall rules scanner can ensure that all your network’s firewalls are properly configured.
Python Scanner | Rego Constraint Template | Constraint Sample |
---|---|---|
firewall_rules.yaml | gcp_restricted_firewall_rules_v1.yaml | restrict_fw_rules_generic.yaml, restrict_fw_rules_world_open.yaml |
This Rego constraint scans for the following CAI asset types:
Python Scanner field | Rego Constraint field |
---|---|
rule_id | metadata.name |
mode | metadata.spec.parameters.mode |
direction | metadata.spec.parameters.rules.direction |
allowed | metadata.spec.parameters.rules.rule_type |
denied | metadata.spec.parameters.rules.rule_type |
allowed.IPProtocol | metadata.spec.parameters.rules.protocol |
allowed.ports | metadata.spec.parameters.rules.port |
denied.IPProtocol | metadata.spec.parameters.rules.protocol |
denied.ports | metadata.spec.parameters.rules.port |
sourceRanges | metadata.spec.parameters.rules.source_ranges |
sourceServiceAccounts | metadata.spec.parameters.rules.source_service_accounts |
sourceTags | metadata.spec.parameters.rules.source_tags |
destinationRanges | metadata.spec.parameters.rules.target_ranges |
targetServiceAccounts | metadata.spec.parameters.rules.target_service_accounts |
targetTags | metadata.spec.parameters.rules.target_tags |
The following Python scanner rules utilize the Firewall Rules scanner to search for policies that allow ingress and expose every port.
firewall_rules.yaml:

```yaml
- rule_id: 'prevent_allow_all_ingress'
  description: Detect allow ingress to all policies
  mode: blacklist
  match_policies:
    - direction: ingress
      allowed: ['*']
  verify_policies:
    - allowed:
        - IPProtocol: 'all'
- rule_id: 'disallow_all_ports'
  description: Don't allow policies that expose every port
  mode: blacklist
  match_policies:
    - direction: ingress
      allowed: ['*']
  verify_policies:
    - allowed:
        - IPProtocol: 'tcp'
          ports:
            - 'all'
    - allowed:
        - IPProtocol: 'udp'
          ports:
            - 'all'
```
Add the Rego constraint template gcp_restricted_firewall_rules_v1.yaml in your policies/templates/ directory.
Create a new yaml file in your policies/constraints/ directory with the following:
restrict_firewall_rules.yaml:

```yaml
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPRestrictedFirewallRulesConstraintV1
metadata:
  name: restrict-firewall-rule-deny-ingress
spec:
  severity: high
  match:
    target: ["organizations/123456"]
  parameters:
    mode: "denylist"
    rules:
      - direction: "INGRESS"
        rule_type: "allowed"
        protocol: "all"
      - direction: "INGRESS"
        rule_type: "allowed"
        protocol: "tcp"
        port: "all"
      - direction: "INGRESS"
        rule_type: "allowed"
        protocol: "udp"
        port: "all"
```
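To see what the denylist above actually flags before deploying it, the following added example (not the template's Rego, and not part of this page) evaluates the three rules against constructed firewall resources shaped like the `resource.data` of a CAI compute Firewall asset. The matching semantics are simplified assumptions made here: exact protocol comparison, `port: "all"` meaning an entry with no `ports` or an explicit 0-65535 range, and `source_ranges` compared as exact CIDR strings rather than by subnet containment.

```python
from typing import Any, Dict, List, Tuple

# The denylist from restrict_firewall_rules.yaml above.
DENYLIST_RULES = [
    {"direction": "INGRESS", "rule_type": "allowed", "protocol": "all"},
    {"direction": "INGRESS", "rule_type": "allowed", "protocol": "tcp", "port": "all"},
    {"direction": "INGRESS", "rule_type": "allowed", "protocol": "udp", "port": "all"},
]

# Constructed firewall resources, trimmed to the fields the check needs.
FIREWALLS = [
    {"name": "fw-allow-all", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "fw-ssh-office", "direction": "INGRESS", "sourceRanges": ["203.0.113.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "fw-tcp-any", "direction": "INGRESS", "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]}]},
    {"name": "fw-udp-noports", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "udp"}]},
    {"name": "fw-egress-all", "direction": "EGRESS", "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
]


def _port_range(spec: str) -> Tuple[int, int]:
    """'22' -> (22, 22); '20-25' -> (20, 25)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def _port_matches(rule_port: str, entry: Dict[str, Any]) -> bool:
    ports = entry.get("ports")
    if rule_port == "all":
        # An allowed/denied entry without "ports" applies to every port, and so
        # does an explicit full range (assumed semantics for this example).
        return not ports or any(_port_range(p) == (0, 65535) for p in ports)
    if not ports:
        return True  # every port is open, so the named port is too
    wanted = int(rule_port)
    return any(lo <= wanted <= hi for lo, hi in map(_port_range, ports))


def _entry_matches(rule: Dict[str, Any], entry: Dict[str, Any]) -> bool:
    if rule["protocol"].lower() != entry.get("IPProtocol", "").lower():
        return False
    return "port" not in rule or _port_matches(rule["port"], entry)


def rule_matches(rule: Dict[str, Any], fw: Dict[str, Any]) -> bool:
    """True when the firewall has an entry of rule_type that matches the rule."""
    if fw.get("direction", "INGRESS").upper() != rule["direction"].upper():
        return False
    if "source_ranges" in rule:
        # Exact CIDR string comparison, not subnet containment.
        if not set(rule["source_ranges"]) & set(fw.get("sourceRanges", [])):
            return False
    return any(_entry_matches(rule, e) for e in fw.get(rule["rule_type"], []))


def denylist_violations(firewalls: List[Dict[str, Any]],
                        rules: List[Dict[str, Any]]) -> List[Tuple[str, int]]:
    """(firewall name, index of the matched denylist rule) for every hit."""
    return [(fw["name"], i)
            for fw in firewalls
            for i, rule in enumerate(rules)
            if rule_matches(rule, fw)]
```

Running `denylist_violations(FIREWALLS, DENYLIST_RULES)` shows that the scoped SSH rule passes while the three overly broad ingress rules are caught and the egress rule is out of scope.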
Description: Cloud IAM policies directly grant access on GCP. To ensure only authorized members and permissions are granted in Cloud IAM policies, IAM policy scanner supports the following:
This Rego constraint can scan IAM policies for any CAI asset type with bindings. You can define the asset type(s) to look for in the constraint itself.
E.g.
Python Scanner field | Rego Constraint field |
---|---|
name | metadata.name |
mode | metadata.spec.parameters.mode |
resource.resource_ids | metadata.spec.match.target |
bindings.role | metadata.spec.parameters.role |
bindings.members | metadata.spec.parameters.members |
gcp_iam_required_bindings_v1.yaml
Python Scanner field | Rego Constraint field |
---|---|
name | metadata.name |
mode | metadata.spec.parameters.mode |
resource.resource_ids | metadata.spec.match.target |
bindings.role | metadata.spec.parameters.role |
bindings.members | metadata.spec.parameters.members |
The following Python scanner rules utilize the IAM Policy scanner to allow only IAM members in my-cool-domain.com to be an OrgAdmin in the organization with ID 123456, and to prevent public users from having access to buckets via IAM.
iam_policy_rules.yaml:
```yaml
rules:
  - name: Allow only IAM members in my domain to be an OrgAdmin
    mode: whitelist
    resource:
      - type: organization
        applies_to: self
        resource_ids:
          - '*'
    inherit_from_parents: true
    bindings:
      - role: roles/resourcemanager.organizationAdmin
        members:
          - user:*@my-cool-domain.com
          - group:*@my-cool-domain.com
  - name: Prevent public users from having access to buckets via IAM
    mode: blacklist
    resource:
      - type: bucket
        applies_to: self
        resource_ids:
          - '*'
    inherit_from_parents: true
    bindings:
      - role: '*'
        members:
          - allUsers
```
Add the Rego constraint template gcp_iam_allowed_bindings.yaml in your policies/templates/ directory.
Create a new yaml file in your policies/constraints/ directory with the following:
iam_allowlist_domain.yaml:

```yaml
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAllowedBindingsConstraintV3
metadata:
  name: allowlist_domain
spec:
  severity: high
  match:
    target: ["organizations/123456"]
  parameters:
    mode: allowlist
    role: roles/resourcemanager.organizationAdmin
    members:
      - "user:*@my-cool-domain.com"
      - "group:*@my-cool-domain.com"
```
iam_deny_public.yaml:

```yaml
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAllowedBindingsConstraintV3
metadata:
  name: deny_allusers
spec:
  severity: high
  match:
    target: ["organizations/123456"]
  parameters:
    mode: denylist
    assetType: storage.googleapis.com/Bucket
    role: roles/*
    members:
      - "allUsers"
      - "allAuthenticatedUsers"
```
Description: VM instances with external IP addresses expose your environment to an additional attack surface area. The instance network interface scanner audits all of your VM instances in your environment, and determines if any VMs with external IP addresses are outside of the trusted networks.
Python Scanner | Rego Constraint Template | Constraint Sample |
---|---|---|
instance_network_interface_rules.yaml | gcp_compute_allowed_networks.yaml | compute_allowed_networks.yaml |
This Rego constraint scans IAM policies for the following CAI asset types:
Python Scanner field | Rego Constraint field |
---|---|
name | metadata.name |
project | metadata.spec.match.target |
whitelist | metadata.spec.parameters.allowed |
The following Python scanner rule utilizes the Instance Network Interface scanner to ensure that instances with external IPs are only running on allowlisted networks, and that instances are only running on networks created in allowed projects (using XPN).
instance_network_interface_rules.yaml:

```yaml
- name: all networks covered in allowlist
  project: '*'
  network: '*'
  is_external_network: True
  whitelist:
    project-1:
      - network-1
    project-2:
      - network-2
      - network-2-2
    project-3:
      - network-3
```
Add the Rego constraint template gcp_compute_allowed_networks.yaml in your policies/templates/ directory.
Create a new yaml file in your policies/constraints/ directory with the following:
compute_allowed_networks.yaml:

```yaml
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPComputeAllowedNetworksConstraintV2
metadata:
  name: allowed-networks
spec:
  severity: high
  match:
    gcp:
      target: ["organizations/123456"]
  parameters:
    allowed:
      - https://www.googleapis.com/compute/v1/projects/project-1/global/networks/network-1
      - https://www.googleapis.com/compute/v1/projects/project-2/global/networks/network-2
      - https://www.googleapis.com/compute/v1/projects/project-2/global/networks/network-2-2
      - https://www.googleapis.com/compute/v1/projects/project-3/global/networks/network-3
```
Description: You can configure the KMS scanner to alert if the enabled cryptographic keys in the organization are not rotated within the time specified. You can also check if the algorithm, protection level and purpose of the cryptographic key is correctly configured.
Python Scanner | Rego Constraint Template | Constraint Sample |
---|---|---|
kms_rules.yaml | gcp_cmek_settings_v1.yaml | cmek_settings.yaml, cmek_rotation_100_days.yaml, cmek_rotation.yaml |
This Rego constraint scans IAM policies for the following CAI asset types:
Python Scanner field | Rego Constraint field |
---|---|
name | metadata.name |
resource.resource_ids | metadata.spec.match.target |
key.rotation_period | metadata.spec.parameters.rotation_period |
key.algorithms | metadata.spec.parameters.algorithms |
key.protection_level | metadata.spec.parameters.protection_level |
key.purpose | metadata.spec.parameters.purpose |
The following Python scanner rule utilizes the KMS scanner to require the cryptographic keys in the organization to be rotated within the time specified (rotation_period), and to ensure that algorithm, protection level (protection_level) and purpose are correctly configured.
kms_rules.yaml:

```yaml
rules:
  - name: All crypto keys with following config should be rotated in 100 days
    mode: whitelist
    resource:
      - type: organization
        resource_ids:
          - '*'
    key:
      - rotation_period: 100 # days
        algorithms:
          - GOOGLE_SYMMETRIC_ENCRYPTION
        protection_level: SOFTWARE
        purpose:
          - ENCRYPT_DECRYPT
```
Add the Rego constraint template gcp_cmek_settings_v1.yaml in your policies/templates/ directory.
Create a new yaml file in your policies/constraints/ directory with the following:
cmek_settings.yaml:

```yaml
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPCMEKRotationConstraintV1
metadata:
  name: cmek_rotation_one_hundred_days
spec:
  severity: high
  match:
    target: ["organization/*"]
  parameters:
    period: 2400h
    algorithm: GOOGLE_SYMMETRIC_ENCRYPTION
    purpose: ENCRYPT_DECRYPT
    protection_level: SOFTWARE
```
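Note the unit change in the migration above: the Forseti rule expresses `rotation_period` in days (100), while the constraint's `period` is a Go-style duration (2400h). The following added example, not policy-library code, checks constructed CryptoKey resources (the `resource.data` of a CAI cloudkms.googleapis.com/CryptoKey asset) against those parameters. It assumes CAI serialises the key's `rotationPeriod` as a seconds string such as "7776000s", reads the algorithm and protection level from `versionTemplate`, skips keys whose primary version is not ENABLED, and treats a key with no rotation schedule as a finding; these are assumptions of this example, not statements about the template's Rego.

```python
import re
from typing import Any, Dict, List

# Parameters from cmek_settings.yaml above.
CMEK_PARAMS = {
    "period": "2400h",
    "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
    "purpose": "ENCRYPT_DECRYPT",
    "protection_level": "SOFTWARE",
}

_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_duration(value: str) -> int:
    """Seconds for Go-style durations: '2400h', '1h30m', or CAI's '7776000s'."""
    if not re.fullmatch(r"(?:\d+[hms])+", value):
        raise ValueError(f"unsupported duration: {value!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([hms])", value))


def check_crypto_key(key: Dict[str, Any], params: Dict[str, str]) -> List[str]:
    """Return findings for one CryptoKey resource; an empty list means compliant."""
    # Only enabled keys are in scope (assumed: primary.state carries the state).
    if key.get("primary", {}).get("state", "ENABLED") != "ENABLED":
        return []
    findings = []
    max_seconds = parse_duration(params["period"])
    rotation = key.get("rotationPeriod")
    if rotation is None:
        findings.append("no rotationPeriod set")
    elif parse_duration(rotation) > max_seconds:
        findings.append(f"rotationPeriod {rotation} exceeds {params['period']}")
    template = key.get("versionTemplate", {})
    if key.get("purpose") != params["purpose"]:
        findings.append(f"purpose {key.get('purpose')} != {params['purpose']}")
    if template.get("algorithm") != params["algorithm"]:
        findings.append(f"algorithm {template.get('algorithm')} != {params['algorithm']}")
    if template.get("protectionLevel") != params["protection_level"]:
        findings.append(
            f"protectionLevel {template.get('protectionLevel')} != {params['protection_level']}")
    return findings


# Constructed CryptoKey resources, trimmed to the relevant fields.
KEYS = {
    "good-key": {  # rotated every 90 days, matching algorithm/level/purpose
        "purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "7776000s",
        "versionTemplate": {"algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION", "protectionLevel": "SOFTWARE"},
        "primary": {"state": "ENABLED"},
    },
    "stale-key": {  # rotated every 365 days
        "purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "31536000s",
        "versionTemplate": {"algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION", "protectionLevel": "SOFTWARE"},
        "primary": {"state": "ENABLED"},
    },
    "hsm-key-no-rotation": {  # no schedule and HSM protection level
        "purpose": "ENCRYPT_DECRYPT",
        "versionTemplate": {"algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION", "protectionLevel": "HSM"},
        "primary": {"state": "ENABLED"},
    },
    "disabled-key": {  # out of scope: primary version disabled
        "purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "31536000s",
        "versionTemplate": {"algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION", "protectionLevel": "SOFTWARE"},
        "primary": {"state": "DISABLED"},
    },
}


def audit_keys(keys: Dict[str, Dict[str, Any]] = KEYS,
               params: Dict[str, str] = CMEK_PARAMS) -> Dict[str, List[str]]:
    """Map each non-compliant key name to its findings."""
    results = {name: check_crypto_key(k, params) for name, k in keys.items()}
    return {name: f for name, f in results.items() if f}
```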
Description: Kubernetes Engine clusters have a wide-variety of options. You might want to have standards so your clusters are deployed in a uniform fashion. Some of the options can introduce unnecessary security risks. The KE scanner allows you to write rules that check arbitrary cluster properties for violations. It supports the following features:
Python Scanner | Rego Constraint Template | Constraint Sample |
---|---|---|
ke_scanner_rules.yaml | gcp_resource_value_pattern_v1.yaml | gke_enable_logging.yaml |
This Rego constraint can scan for any CAI asset type. You can define the asset type(s) to look for in the constraint itself.
E.g.
Python Scanner field | Rego Constraint field |
---|---|
name | metadata.name |
resource.type | metadata.spec.parameters.asset_types |
resource.resource_ids | metadata.spec.match.target |
key | metadata.spec.parameters.field_name |
mode | metadata.spec.parameters.mode |
values | metadata.spec.parameters.pattern |
The following Python scanner rule utilizes the Kubernetes Engine scanner to require that all logging is enabled in Kubernetes clusters.
ke_scanner_rules.yaml:

```yaml
- name: logging should be enabled
  resource:
    - type: project
      resource_ids:
        - '*'
  key: loggingService
  mode: whitelist
  values:
    - logging.googleapis.com
```
Add the Rego constraint template gcp_resource_value_pattern_v1.yaml in your policies/templates/ directory.
Create a new yaml file in your policies/constraints/ directory with the following:
gke_enable_logging.yaml:

```yaml
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPResourceValuePatternConstraintV1
metadata:
  name: gke-cluster-enable-logging
spec:
  severity: high
  match:
    target: ["organizations/123456"]
  parameters:
    mode: allowlist
    asset_types:
      - "container.googleapis.com/Cluster"
    field_name: "loggingService"
    pattern: "logging.googleapis.com"
```
Description: Kubernetes Engine clusters running on older versions can be exposed to security vulnerabilities, or lack of support. The KE version scanner can ensure your Kubernetes Engine clusters are running safe and supported versions.
Python Scanner | Rego Constraint Template | Constraint Sample |
---|---|---|
ke_rules.yaml | gcp_gke_cluster_version_v1.yaml | gke_cluster_version.yaml |
This Rego constraint scans IAM policies for the following CAI asset types:
Python Scanner field | Rego Constraint field |
---|---|
name | metadata.name |
resource.resource_ids | metadata.spec.match.target |
allowed_nodepool_versions | metadata.spec.parameters.versions |
The following Python scanner rule utilizes the Kubernetes Engine Version scanner to allow only specific nodepool versions.
ke_rules.yaml:

```yaml
- name: Nodepool version not patched for critical security vulnerabilities
  resource:
    - type: organization
      resource_ids:
        - '*'
  check_serverconfig_valid_node_versions: false
  check_serverconfig_valid_master_versions: false
  allowed_nodepool_versions:
    # Note: We must use = here because using >= will also allow earlier
    # versions of 11-gke.* and 12-gke.* (e.g. 11-gke.1) which might have
    # the vulnerabilities.
    - major: '1.8'
      minor: '10-gke.2'
      operator: '='
    - major: '1.9'
      minor: '6-gke.2'
      operator: '='
```
Add the Rego constraint template gcp_gke_cluster_version_v1.yaml in your policies/templates/ directory.
Create a new yaml file in your policies/constraints/ directory with the following:
gke_allowlist_nodepool_versions.yaml:

```yaml
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GKEClusterVersionConstraintV1
metadata:
  name: gke-cluster-version
spec:
  severity: high
  match:
    target: ["organization/*"]
  parameters:
    mode: "allowlist"
    version_type: "master"
    versions:
      - 1.8.10-gke.2
      - 1.9.6-gke.2
    exemptions: []
```
Description: You can configure load balancer forwarding rules to direct unauthorized external traffic to your target instances. The forwarding rule scanner supports an allowlist mode, to ensure each forwarding rule only directs to the intended target instances.
Python Scanner | Rego Constraint Template | Constraint Sample |
---|---|---|
forwarding_rules.yaml | gcp_lb_forwarding_rules.yaml, gcp_glb_external_ip_access_constraint_v1.yaml | gcp_lb_forwarding.yaml, gcp_glb_external_ip.yaml |
The Rego constraints scan for the following CAI asset types:
Python Scanner field | Rego Constraint field |
---|---|
name | metadata.name |
target | metadata.spec.parameters.target |
mode | metadata.spec.parameters.allowlist |
load_balancing_scheme | metadata.spec.parameters.load_balancing_scheme |
ip_protocol | metadata.spec.parameters.ip_protocol |
ip_address | metadata.spec.parameters.ip_address |
The following Python scanner rule utilizes the Load Balancer Forwarding Rules scanner to only allow UDP load balancers for external VPN.
forwarding_rules.yaml:

```yaml
- name: UDP LB for External VPN
  target: https://www.googleapis.com/compute/v1/projects/THEPROJECT/regions/us-central1/THELB/FWD_RULE_NAME
  mode: whitelist
  load_balancing_scheme: EXTERNAL
  port_range: 4500-4500
  ip_protocol: UDP
  ip_address: "198.51.100.99"
```
Add the Rego constraint template gcp_lb_forwarding_rules.yaml in your policies/templates/ directory.
Create a new yaml file in your policies/constraints/ directory with the following:
gcp_lb_forwarding.yaml:

```yaml
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPLBAllowedForwardingRulesConstraintV2
metadata:
  name: gcp_lb_forwarding_rule_allowlist
spec:
  severity: high
  parameters:
    allowlist:
      - target: https://www.googleapis.com/compute/v1/projects/THEPROJECT/regions/us-central1/THELB/FWD_RULE_NAME
        load_balancing_scheme: EXTERNAL
        port_range: 4500-4500
        ip_protocol: UDP
        ip_address: "198.51.100.99"
```
Description: Allow customers to ensure their resources are located only in the intended locations. Set guards around locations as part of automated project deployment.
gcp_storage_location_v1.yaml scans for the following CAI asset types:
gcp_sql_location_v1.yaml scans for the following CAI asset types:
gcp_bq_dataset_location_v1.yaml scans for the following CAI asset types:
gcp_gke_cluster_location.yaml scans for the following CAI asset types:
gcp_compute_zone_v1.yaml scans for the following CAI asset types:
gcp_storage_location_v1.yaml
Python Scanner field | Rego Constraint field |
---|---|
name | metadata.name |
mode | metadata.spec.parameters.mode |
resource.resource_ids | metadata.spec.match.target |
locations | metadata.spec.parameters.locations |
gcp_sql_location_v1.yaml
Python Scanner field | Rego Constraint field |
---|---|
name | metadata.name |
mode | metadata.spec.parameters.mode |
resource.resource_ids | metadata.spec.match.target |
locations | metadata.spec.parameters.locations |
gcp_bq_dataset_location_v1.yaml
Python Scanner field | Rego Constraint field |
---|---|
name | metadata.name |
mode | metadata.spec.parameters.mode |
resource.resource_ids | metadata.spec.match.target |
locations | metadata.spec.parameters.locations |
gcp_gke_cluster_location.yaml
Python Scanner field | Rego Constraint field |
---|---|
name | metadata.name |
mode | metadata.spec.parameters.mode |
resource.resource_ids | metadata.spec.match.target |
locations | metadata.spec.parameters.locations |
gcp_compute_zone_v1.yaml
Python Scanner field | Rego Constraint field |
---|---|
name | metadata.name |
mode | metadata.spec.parameters.mode |
resource.resource_ids | metadata.spec.match.target |
locations | metadata.spec.parameters.zones |
The following Python scanner rule utilizes the Location scanner to ensure that all buckets in the organization with ID 123456 are not in the EU.
location_rules.yaml:

```yaml
- name: All buckets in organization must not be in EU.
  mode: blacklist
  resource:
    - type: organization
      resource_ids:
        - ${org_id}
  applies_to:
    - type: 'bucket'
      resource_ids:
        - '*'
  locations:
    - 'eu*'
```
Add the Rego constraint template gcp_storage_location_v1.yaml in your policies/templates/ directory.
Create a new yaml file in your policies/constraints/ directory with the following:
storage_location_eu_denylist.yaml:

```yaml
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPStorageLocationConstraintV1
metadata:
  name: denylist_bucket_eu_location
spec:
  severity: high
  match:
    target: ["organizations/123456"]
  parameters:
    mode: "denylist"
    # The Python rule's 'eu*' glob becomes an explicit list of EU regions.
    locations:
      - europe-north1
      - europe-west1
      - europe-west2
      - europe-west3
      - europe-west4
      - europe-west6
    exemptions: []
```
Description: Allow customers to ensure the retention policies on their resources are set as intended.
Python Scanner | Rego Constraint Template | Constraint Sample |
---|---|---|
retention_rules.yaml | gcp_storage_bucket_retention_v1.yaml, gcp_bigquery_table_retention_v1.yaml | storage_bucket_retention.yaml, bigquery_table_retention.yaml |
gcp_storage_bucket_retention_v1.yaml scans for the following CAI asset types:
gcp_bigquery_table_retention_v1.yaml scans for the following CAI asset types:
gcp_storage_bucket_retention_v1.yaml
Python Scanner field | Rego Constraint field |
---|---|
name | metadata.name |
resource.resource_ids | metadata.spec.match.target |
minimum_retention | metadata.spec.parameters.minimum_retention_days |
maximum_retention | metadata.spec.parameters.maximum_retention_days |
gcp_bigquery_table_retention_v1.yaml
Python Scanner field | Rego Constraint field |
---|---|
name | metadata.name |
resource.resource_ids | metadata.spec.match.target |
minimum_retention | metadata.spec.parameters.minimum_retention_days |
maximum_retention | metadata.spec.parameters.maximum_retention_days |
The following Python scanner rule utilizes the Retention Policy scanner to require all buckets in organization with ID 123456 to have a retention shorter than 730 days.
retention_rules.yaml:

```yaml
- name: Buckets in Organization must have a retention shorter than 730 days.
  applies_to:
    - bucket
  resource:
    - type: organization
      resource_ids:
        - "123456"
  maximum_retention: 730
```
Add the Rego constraint template gcp_storage_bucket_retention_v1.yaml in your policies/templates/ directory.
Create a new yaml file in your policies/constraints/ directory with the following:
storage_bucket_retention.yaml:

```yaml
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPStorageBucketRetentionConstraintV1
metadata:
  name: storage_bucket_maximum_retention
spec:
  severity: high
  match:
    target: ["organizations/123456"]
  parameters:
    maximum_retention_days: 730
    exemptions: []
```
Description: Control permissions that are actually in IAM roles - ensure that custom IAM roles do not have more permissions than they should to prevent access.
Python Scanner | Rego Constraint Template | Constraint Sample |
---|---|---|
role_rules.yaml | gcp_iam_custom_role_permissions_v1.yaml | iam_allowed_roles.yaml |
This Rego constraint can scan the following CAI asset type:
Python Scanner field | Rego Constraint field |
---|---|
name | metadata.name |
role_name | metadata.spec.parameters.title |
permissions | metadata.spec.parameters.permissions |
resource.resource_ids | metadata.spec.match.target |
The following Python scanner rule utilizes the Role scanner to search for the ‘BigqueryViewer’ role to ensure that there are only the permissions defined.
role_rules.yaml:

```yaml
- name: "The role BigqueryViewer contains exactly the following 3 permissions"
  role_name: "BigqueryViewer"
  permissions:
    - "bigquery.datasets.get"
    - "bigquery.tables.get"
    - "bigquery.tables.list"
  resource:
    - type: project
      resource_ids: ['*']
```
Add the Rego constraint template gcp_iam_custom_role_permissions_v1.yaml in your policies/templates/ directory.
Create a new yaml file in your policies/constraints/ directory with the following:
iam_custom_role_permissions.yaml:

```yaml
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMCustomRolePermissionsConstraintV1
metadata:
  name: allowlist-role-permissions
  annotations:
    description: Bigquery Viewer role must only have specific permissions
spec:
  severity: high
  parameters:
    mode: allowlist
    title: "Bigquery Viewer"
    permissions:
      - "bigquery.datasets.get"
      - "bigquery.tables.get"
      - "bigquery.tables.list"
```
Description: It’s best to periodically rotate your user-managed service account keys, in case the keys get compromised without your knowledge. With the service account key scanner, you can define the max age at which your service account keys should be rotated. The scanner will then find any key that is older than the max age.
Python Scanner | Rego Constraint Template | Constraint Sample |
---|---|---|
service_account_key_rules.yaml | gcp_iam_restrict_service_account_key_age_v1.yaml | gcp_iam_restrict_service_account_key_age.yaml |
This Rego constraint scans IAM policies for the following CAI asset types:
Python Scanner field | Rego Constraint field |
---|---|
name | metadata.name |
resource.resource_ids | metadata.spec.match.target |
max_age | metadata.spec.parameters.max_age |
The following Python scanner rules utilize the Service Account Key scanner to define the max age at which the Service Account Keys should be rotated.
service_account_key_rules.yaml:

```yaml
rules:
  # The max allowed age of user managed service account keys (in days)
  - name: Service account keys not rotated
    resource:
      - type: organization
        resource_ids:
          - '*'
    max_age: 100 # days
```
Add the Rego constraint template gcp_iam_restrict_service_account_key_age_v1.yaml in your policies/templates/ directory.
Create a new yaml file in your policies/constraints/ directory with the following:
gcp_iam_restrict_service_account_key_age.yaml:

```yaml
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMRestrictServiceAccountKeyAgeConstraintV1
metadata:
  name: iam-restrict-service-account-key-age-ninety-days
  annotations:
    # This constraint is not certified by CIS.
    bundles.validator.forsetisecurity.org/cis-v1.1: 1.06
spec:
  severity: high
  parameters:
    max_age: 2160h
```