Migrating Forseti Scanners to Rego Constraints

This guide will walk through migrating the Python scanner rule files listed below to functionally equivalent Rego constraints found in the policy-library repository that can be used in Config Validator.

Note: Config Validator currently ingests Cloud Asset Inventory (CAI) data only. GSuite data is not included in CAI exports, so users who need GSuite-specific constraints should continue to use the Forseti Python scanners.

For documentation on Config Validator and policy-library, refer here.

  • Audit Logging
  • Bigquery Dataset ACL
  • Bucket ACL
  • Cloud SQL
  • Enabled APIs
  • Firewall Rules
  • Load Balancer Forwarding Rules
  • IAM Policy
  • Instance Network Interface
  • Kubernetes Engine Version
  • Kubernetes Engine
  • KMS
  • Location
  • Retention Policy
  • Role
  • Service Account Key

Audit Logging

Description: You can configure Cloud Audit Logging to save Admin Activity and Data Access for Google Cloud Platform (GCP) services. The audit log configurations for a project, folder, or organization specify which logs should be saved, along with members who are exempted from having their accesses logged. The audit logging scanner detects if any projects are missing a required audit log, or have extra exempted members.

Python Scanner | Rego Constraint Template | Constraint Sample
audit_logging_rules.yaml | gcp_iam_audit_log.yaml | iam_audit_log.yaml

Rego constraint asset type

This Rego constraint scans IAM policies for the following CAI asset types:

  • cloudresourcemanager.googleapis.com/Organization
  • cloudresourcemanager.googleapis.com/Folder
  • cloudresourcemanager.googleapis.com/Project

Rego constraint properties

Python Scanner field | Rego Constraint field
name | metadata.name
resource.resource_ids | metadata.spec.match.target
service | metadata.spec.parameters.services
log_types | metadata.spec.parameters.log_types
allowed_exemptions | metadata.spec.parameters.allowed_exemptions

Python scanner to Rego constraint sample

The following Python scanner rule utilizes the Audit Logging scanner to require all logging (log_types) for the Compute service (compute.googleapis.com) in two projects (proj-1, proj-2), with two exempted members (user:user1@org.com, user:user2@org.com).

audit_logging_rules.yaml:

- name: 'Require all logging for compute, with exemptions.'
  resource:
    - type: project
      resource_ids:
        - 'proj-1'
        - 'proj-2'
  service: 'compute.googleapis.com'
  log_types:
    - 'ADMIN_READ'
    - 'DATA_READ'
    - 'DATA_WRITE'
  allowed_exemptions:
    - 'user:user1@org.com'
    - 'user:user2@org.com'

Add the Rego constraint template gcp_iam_audit_log.yaml to your policies/templates/ directory.

Create a new yaml file in your policies/constraints/ directory with the following:

iam_audit_log_data_read_write_exemptions.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAuditLogConstraintV1
metadata:
  name: audit_log_data_read_write_exemptions
spec:
  match:
    target: ["**/projects/proj-1", "**/projects/proj-2"]
  parameters:
    services: ["compute.googleapis.com"]
    log_types: ["ADMIN_READ", "DATA_READ", "DATA_WRITE"]
    allowed_exemptions: ["user:user1@org.com", "user:user2@org.com"]
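The field table above is mechanical enough to script. The following Python converter is an added example (not Forseti or policy-library code): it takes a Forseti audit_logging rule as a dict, applies the table's field mapping, and emits the constraint as YAML using only the standard library. The resource-type to target-prefix mapping (organizations/<id> at the root, **/folders/<id> and **/projects/<id> below it) and the derivation of metadata.name from the Forseti rule name are assumptions made here, not part of either project.

```python
"""Translate a Forseti audit_logging rule into a GCPIAMAuditLogConstraintV1
constraint, following the field table above. Added example, not Forseti or
policy-library code; the target-prefix mapping and metadata.name derivation
are assumptions made here."""
import json
import re

# Forseti resource type -> CAI path segment used in spec.match.target (assumed).
TARGET_SEGMENT = {"organization": "organizations", "folder": "folders", "project": "projects"}

# Constructed sample: the audit_logging_rules.yaml entry above, as a Python dict.
SAMPLE_RULE = {
    "name": "Require all logging for compute, with exemptions.",
    "resource": [{"type": "project", "resource_ids": ["proj-1", "proj-2"]}],
    "service": "compute.googleapis.com",
    "log_types": ["ADMIN_READ", "DATA_READ", "DATA_WRITE"],
    "allowed_exemptions": ["user:user1@org.com", "user:user2@org.com"],
}


def to_target(rtype, rid):
    """Map one Forseti (type, id) pair to a Config Validator target glob."""
    seg = TARGET_SEGMENT[rtype]  # KeyError for an unsupported type is intentional
    rid = str(rid)
    if rtype == "organization":
        # Organizations are the hierarchy root; '*' means every organization.
        return f"{seg}/**" if rid == "*" else f"{seg}/{rid}"
    # Folders and projects may sit anywhere below the root, hence the '**/' prefix.
    return f"**/{seg}/{rid}"


def slugify(name):
    """Derive a constraint metadata.name (lowercase, [a-z0-9_], at most 63 chars)."""
    return re.sub(r"[^a-z0-9]+", "_", name.lower()).strip("_")[:63]


def audit_logging_rule_to_constraint(rule):
    """Build the constraint dict; keys mirror the Rego constraint fields above."""
    targets = [to_target(r["type"], rid) for r in rule["resource"] for rid in r["resource_ids"]]
    return {
        "apiVersion": "constraints.gatekeeper.sh/v1alpha1",
        "kind": "GCPIAMAuditLogConstraintV1",
        "metadata": {"name": slugify(rule["name"])},
        "spec": {
            "severity": "high",
            "match": {"target": targets},
            "parameters": {
                "services": [rule["service"]],
                "log_types": list(rule["log_types"]),
                "allowed_exemptions": list(rule.get("allowed_exemptions", [])),
            },
        },
    }


_BARE = re.compile(r"^[A-Za-z][A-Za-z0-9_./-]*$")
_RESERVED = {"true", "false", "null", "yes", "no", "on", "off", "y", "n"}


def _scalar(value):
    """Render a scalar; quote anything YAML could misread (globs, colons, keywords)."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    text = str(value)
    if _BARE.match(text) and text.lower() not in _RESERVED:
        return text
    return json.dumps(text)  # a JSON string is a valid YAML double-quoted scalar


def to_yaml_lines(value, indent=0):
    """Minimal YAML emitter for nested dicts and lists of scalars (no PyYAML needed)."""
    pad = "  " * indent
    lines = []
    if isinstance(value, dict):
        for key, item in value.items():
            if isinstance(item, list) and not item:
                lines.append(f"{pad}{key}: []")  # keep empty lists as [] rather than null
            elif isinstance(item, (dict, list)):
                lines.append(f"{pad}{key}:")
                lines.extend(to_yaml_lines(item, indent + 1))
            else:
                lines.append(f"{pad}{key}: {_scalar(item)}")
    else:
        for item in value:
            lines.append(f"{pad}- {_scalar(item)}")
    return lines


def render_constraint(rule):
    """Return the constraint as YAML text ready for policies/constraints/."""
    return "\n".join(to_yaml_lines(audit_logging_rule_to_constraint(rule))) + "\n"


if __name__ == "__main__":
    print(render_constraint(SAMPLE_RULE))
```

Globs such as **/projects/proj-1 and member strings containing a colon are double-quoted on output, because a bare `*` at the start of a YAML scalar is an alias and would fail to parse.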

BigQuery Dataset ACL

Description: BigQuery datasets have access properties that can publicly expose your datasets. The BigQuery scanner supports denylist and allowlist modes to ensure unauthorized users don’t gain access to your datasets, and only authorized users can gain access.

Python Scanner | Rego Constraint Template | Constraint Sample
bigquery_rules.yaml | gcp_iam_allowed_bindings.yaml | iam_deny_public.yaml

Rego constraint asset type

This Rego constraint can scan IAM policies for any CAI asset type with bindings. You can define the asset type(s) to look for in the constraint itself.

E.g.

  • bigquery.googleapis.com/Dataset
  • storage.googleapis.com/Bucket

Rego constraint properties

This Rego constraint utilizes the following properties:

Python Scanner field | Rego Constraint field
name | metadata.name
mode | metadata.spec.parameters.mode
resource.resource_ids | metadata.spec.match.target
dataset_ids | metadata.spec.parameters.assetNames
bindings.role | metadata.spec.parameters.role
bindings.members | metadata.spec.parameters.members

Python scanner to Rego constraint sample

The following Python scanner rule utilizes the BigQuery Dataset ACL scanner to search for any datasets in an organization with ID 123456 that are accessible by groups with googlegroups.com addresses.

bigquery_rules.yaml:

- name: BigQuery rule to search for datasets accessible by groups with googlegroups.com addresses
  mode: blacklist
  resource:
    - type: organization
      resource_ids:
        - 123456
  dataset_ids: ['*']
  bindings:
    - role: '*'
      members:
        - group_email: '*@googlegroups.com'

Add the Rego constraint template gcp_iam_allowed_bindings.yaml to your policies/templates/ directory.

Create a new yaml file in your policies/constraints/ directory with the following:

bigquery_rules_iam_denylist_googlegroups.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAllowedBindingsConstraintV3
metadata:
  name: bigquery_rules_iam_denylist_googlegroups
spec:
  match:
    target: ["organizations/123456"]
  parameters:
    mode: denylist
    assetType: bigquery.googleapis.com/Dataset
    role: roles/*
    members:
    - "group:*@googlegroups.com"

Bucket ACL

Description: Cloud Storage buckets have ACLs that can grant public access to your Cloud Storage bucket and objects. The bucket scanner supports a denylist mode, to ensure unauthorized users don’t gain access to your Cloud Storage bucket.

Python Scanner | Rego Constraint Template | Constraint Sample
bucket_rules.yaml | gcp_storage_bucket_world_readable_v1.yaml | storage_denylist_public.yaml

Rego constraint asset type

This Rego constraint scans IAM policies for the following CAI asset types:

  • storage.googleapis.com/Bucket

Rego constraint properties

This Rego constraint can check for allUsers and allAuthenticatedUsers without defining specific properties in the constraint.

Python scanner to Rego constraint sample

The following Python scanner rules utilize the Bucket ACL scanner to search for any public buckets in an organization with ID 123456.

bucket_rules.yaml:

rules:
  - name: Bucket acls rule to search for public buckets
    bucket: '*'
    entity: allUsers
    email: '*'
    domain: '*'
    role: '*'
    resource:
      - resource_ids:
          - organizations/123456
  - name: Bucket acls rule to search for exposed buckets
    bucket: '*'
    entity: allAuthenticatedUsers
    email: '*'
    domain: '*'
    role: '*'
    resource:
      - resource_ids:
          - organizations/123456

Add the Rego constraint template gcp_storage_bucket_world_readable_v1.yaml to your policies/templates/ directory.

Create a new yaml file in your policies/constraints/ directory with the following:

storage_denylist_public.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPStorageBucketWorldReadableConstraintV1
metadata:
  name: denylist_public_users
spec:
  match:
    target: ["organizations/123456"]
  parameters: {}

Cloud SQL

Description: Cloud SQL instances can be configured to grant external networks access. The Cloud SQL scanner supports a denylist mode, to ensure unauthorized users don’t gain access to your Cloud SQL instances.

Python Scanner | Rego Constraint Template | Constraint Sample
cloudsql_rules.yaml | gcp_sql_ssl_v1.yaml | sql_ssl.yaml
cloudsql_rules.yaml | gcp_sql_allowed_authorized_networks_v1.yaml | sql_allowed_authorized_networks.yaml
cloudsql_rules.yaml | gcp_sql_public_ip_v1.yaml | sql_public_ip.yaml

Rego constraint asset type

The Rego constraints scan the following CAI asset types:

  • sqladmin.googleapis.com/Instance

Rego constraint properties

The gcp_sql_ssl_v1.yaml constraint checks that all SQL instances require SSL; it takes no parameters.

The gcp_sql_public_ip_v1.yaml constraint checks that no SQL instance has a public IP; it also takes no parameters.

gcp_sql_allowed_authorized_networks_v1.yaml

Python Scanner field | Rego Constraint field
name | metadata.name
resource.resource_ids | metadata.spec.match.target
authorized_networks | metadata.spec.parameters.authorized_networks

Python scanner to Rego constraint sample

The following Python scanner rule utilizes the Cloud SQL scanner to search for publicly exposed Cloud SQL instances with SSL enabled in the organization with ID 123456.

cloudsql_rules.yaml:

- name: Cloud SQL rule to search for publicly exposed instances (SSL enabled)
  instance_name: '*'
  authorized_networks: '0.0.0.0/0'
  ssl_enabled: 'True'
  resource:
    - type: organization
      resource_ids:
        - ${org_id}

Add the Rego constraint template gcp_sql_ssl_v1.yaml to your policies/templates/ directory.

Create a new yaml file in your policies/constraints/ directory with the following:

require_sql_ssl.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPSQLSSLConstraintV1
metadata:
  name: require_sql_ssl
spec:
  match:
    target: ["organizations/123456"]
  severity: high
  parameters: {}

Add the Rego constraint template gcp_sql_public_ip_v1.yaml to your policies/templates/ directory.

Create a new yaml file in your policies/constraints/ directory with the following:

prevent_public_ip_sql.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPSQLPublicIpConstraintV1
metadata:
  name: prevent_public_ip_sql
spec:
  match:
    target: ["organizations/123456"]
  severity: high
  parameters: {}

Enabled APIs

Description: The Enabled APIs scanner detects if a project has appropriate APIs enabled. It supports allowlisting supported APIs, denylisting unsupported APIs, and specifying required APIs that must be enabled.

Python Scanner | Rego Constraint Template | Constraint Sample
enabled_apis_rules.yaml | gcp_serviceusage_allowed_services_v1.yaml | serviceusage_allow_basic_apis.yaml
enabled_apis_rules.yaml | gcp_serviceusage_allowed_services_v1.yaml | serviceusage_deny_apis.yaml

Rego constraint asset type

This Rego constraint scans for the following CAI asset types:

  • serviceusage.googleapis.com/Service

Rego constraint properties

Python Scanner field | Rego Constraint field
name | metadata.name
mode | metadata.spec.parameters.mode
resource.resource_ids | metadata.spec.match.target
services | metadata.spec.parameters.services

Python scanner to Rego constraint sample

The following Python scanner rule utilizes the Enabled APIs scanner to search for any APIs that are not listed in the allowed services defined.

enabled_apis_rules.yaml:

- name: Example Enabled APIs allowlist
  mode: whitelist
  resource:
    - type: project
      resource_ids:
        - '*'
  services:
    - 'bigquery.googleapis.com'
    - 'clouddebugger.googleapis.com'
    - 'cloudtrace.googleapis.com'
    - 'compute.googleapis.com'
    - 'container.googleapis.com'
    - 'containerregistry.googleapis.com'
    - 'deploymentmanager.googleapis.com'
    - 'language.googleapis.com'
    - 'logging.googleapis.com'
    - 'monitoring.googleapis.com'
    - 'pubsub.googleapis.com'
    - 'replicapool.googleapis.com'
    - 'replicapoolupdater.googleapis.com'
    - 'resourceviews.googleapis.com'
    - 'servicemanagement.googleapis.com'
    - 'serviceusage.googleapis.com'
    - 'sql-component.googleapis.com'
    - 'storage-api.googleapis.com'
    - 'storage-component.googleapis.com'
    - 'translate.googleapis.com'

Add the Rego constraint template gcp_serviceusage_allowed_services_v1.yaml to your policies/templates/ directory.

Create a new yaml file in your policies/constraints/ directory with the following:

serviceusage_allow_apis.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPServiceUsageConstraintV1
metadata:
  name: allow_apis
spec:
  severity: high
  match:
    target: ["organizations/123456"]
  parameters:
    mode: allow
    services:
      - 'bigquery.googleapis.com'
      - 'clouddebugger.googleapis.com'
      - 'cloudtrace.googleapis.com'
      - 'compute.googleapis.com'
      - 'container.googleapis.com'
      - 'containerregistry.googleapis.com'
      - 'deploymentmanager.googleapis.com'
      - 'language.googleapis.com'
      - 'logging.googleapis.com'
      - 'monitoring.googleapis.com'
      - 'pubsub.googleapis.com'
      - 'replicapool.googleapis.com'
      - 'replicapoolupdater.googleapis.com'
      - 'resourceviews.googleapis.com'
      - 'servicemanagement.googleapis.com'
      - 'serviceusage.googleapis.com'
      - 'sql-component.googleapis.com'
      - 'storage-api.googleapis.com'
      - 'storage-component.googleapis.com'
      - 'translate.googleapis.com'
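Hand-translating rule files invites a few recurring slips: a singular organization/ (or folder/, project/) segment in a target where CAI resource names are plural, typographic quotes pasted from a document into a constraint, and Forseti's whitelist/blacklist mode values carried over unchanged where the templates expect allowlist/denylist (or allow/deny for the service usage template). The lint below is an added example, not part of policy-library or Config Validator; it scans constraint text for those three patterns before the file is handed to the validator. The sample constraint it checks is constructed here, not taken from the page or the repository.

```python
"""Lint hand-written Config Validator constraint YAML for slips that creep in
when Forseti rules are translated by hand. Added example, not part of
policy-library or Config Validator."""
import re

# (check id, pattern, remediation hint)
CHECKS = [
    ("singular-segment",
     re.compile(r"\b(organization|folder|project)/"),
     "CAI resource names are plural: organizations/, folders/, projects/"),
    ("curly-quotes",
     re.compile("[\u201c\u201d\u2018\u2019]"),
     "replace typographic quotes with straight quotes"),
    ("forseti-mode",
     re.compile(r"""\bmode:\s*["']?(whitelist|blacklist)\b"""),
     "constraint templates use allowlist/denylist (serviceusage: allow/deny)"),
]

# Constructed sample with one of each slip; not from the page or policy-library.
BAD_SAMPLE = """\
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPServiceUsageConstraintV1
metadata:
  name: allow_apis
spec:
  match:
    target: ["organization/123456"]
  parameters:
    mode: whitelist
    services: [\u201ccompute.googleapis.com\u201d]
"""

# The same constraint with every slip corrected; the lint must report nothing.
GOOD_SAMPLE = (BAD_SAMPLE.replace("organization/", "organizations/")
               .replace("mode: whitelist", "mode: allow")
               .replace("\u201c", '"').replace("\u201d", '"'))


def lint_constraint(text):
    """Return (line number, check id, hint) for every slip found in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for check_id, pattern, hint in CHECKS:
            if pattern.search(line):
                findings.append((lineno, check_id, hint))
    return findings


if __name__ == "__main__":
    for lineno, check_id, hint in lint_constraint(BAD_SAMPLE):
        print(f"line {lineno}: {check_id}: {hint}")
```

Run it over every file in policies/constraints/ as a pre-commit step; the singular-segment check deliberately ignores **/projects/<id> style targets, which are correct.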

Firewall Rules

Description: Network firewall rules protect your network & organization by only allowing desired traffic into and out of your network. The firewall rules scanner can ensure that all your network’s firewalls are properly configured.

Python Scanner | Rego Constraint Template | Constraint Sample
firewall_rules.yaml | gcp_restricted_firewall_rules_v1.yaml | restrict_fw_rules_generic.yaml
firewall_rules.yaml | gcp_restricted_firewall_rules_v1.yaml | restrict_fw_rules_world_open.yaml

Rego constraint asset type

This Rego constraint scans for the following CAI asset types:

  • compute.googleapis.com/Firewall

Rego constraint properties

Python Scanner field | Rego Constraint field
rule_id | metadata.name
mode | metadata.spec.parameters.mode
direction | metadata.spec.parameters.rules.direction
allowed | metadata.spec.parameters.rules.rule_type
denied | metadata.spec.parameters.rules.rule_type
allowed.IPProtocol | metadata.spec.parameters.rules.protocol
allowed.ports | metadata.spec.parameters.rules.port
denied.IPProtocol | metadata.spec.parameters.rules.protocol
denied.ports | metadata.spec.parameters.rules.port
sourceRanges | metadata.spec.parameters.rules.source_ranges
sourceServiceAccounts | metadata.spec.parameters.rules.source_service_accounts
sourceTags | metadata.spec.parameters.rules.source_tags
destinationRanges | metadata.spec.parameters.rules.target_ranges
targetServiceAccounts | metadata.spec.parameters.rules.target_service_accounts
targetTags | metadata.spec.parameters.rules.target_tags

Python scanner to Rego constraint sample

The following Python scanner rules utilize the Firewall Rules scanner to search for policies that allow ingress and expose every port.

firewall_rules.yaml:

- rule_id: 'prevent_allow_all_ingress'
  description: Detect allow ingress to all policies
  mode: blacklist
  match_policies:
    - direction: ingress
      allowed: ['*']
  verify_policies:
    - allowed:
        - IPProtocol: 'all'

- rule_id: 'disallow_all_ports'
  description: Don't allow policies that expose every port
  mode: blacklist
  match_policies:
    - direction: ingress
      allowed: ['*']
  verify_policies:
    - allowed:
        - IPProtocol: 'tcp'
          ports:
            - 'all'
    - allowed:
        - IPProtocol: 'udp'
          ports:
            - 'all'

Add the Rego constraint template gcp_restricted_firewall_rules_v1.yaml to your policies/templates/ directory.

Create a new yaml file in your policies/constraints/ directory with the following:

restrict_firewall_rules.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPRestrictedFirewallRulesConstraintV1
metadata:
  name: restrict-firewall-rule-deny-ingress
spec:
  severity: high
  match:
    target: ["organizations/123456"]
  parameters:
    mode: "denylist"
    rules:
      - direction: "INGRESS"
        rule_type: "allowed"
        protocol: "all"
      - direction: "INGRESS"
        rule_type: "allowed"
        protocol: "tcp"
        port: "all"
      - direction: "INGRESS"
        rule_type: "allowed"
        protocol: "udp"
        port: "all"

IAM Policy

Description: Cloud IAM policies directly grant access on GCP. To ensure only authorized members and permissions are granted in Cloud IAM policies, the IAM policy scanner supports the following:

  • Allowlist, denylist, and required modes.

Python Scanner | Rego Constraint Template | Constraint Sample
iam_rules.yaml | gcp_iam_allowed_bindings.yaml | iam_allowed_roles.yaml
iam_rules.yaml | gcp_iam_allowed_bindings.yaml | iam_restrict_gmail.yaml
iam_rules.yaml | gcp_iam_allowed_bindings.yaml | iam_deny_role.yaml
iam_rules.yaml | gcp_iam_allowed_bindings.yaml | iam_block_service_account_creator_role.yaml
iam_rules.yaml | gcp_iam_allowed_bindings.yaml | iam_deny_public.yaml
iam_rules.yaml | gcp_iam_allowed_bindings.yaml | iam_restrict_role.yaml
iam_rules.yaml | gcp_iam_required_bindings_v1.yaml | iam_required_roles.yaml

Rego constraint asset type

This Rego constraint can scan IAM policies for any CAI asset type with bindings. You can define the asset type(s) to look for in the constraint itself.

E.g.

  • cloudresourcemanager.googleapis.com/Project

Rego constraint properties

gcp_iam_allowed_bindings.yaml

Python Scanner field | Rego Constraint field
name | metadata.name
mode | metadata.spec.parameters.mode
resource.resource_ids | metadata.spec.match.target
bindings.role | metadata.spec.parameters.role
bindings.members | metadata.spec.parameters.members

gcp_iam_required_bindings_v1.yaml

Python Scanner field | Rego Constraint field
name | metadata.name
mode | metadata.spec.parameters.mode
resource.resource_ids | metadata.spec.match.target
bindings.role | metadata.spec.parameters.role
bindings.members | metadata.spec.parameters.members

Python scanner to Rego constraint sample

The following Python scanner rules utilize the IAM Policy scanner to:

  • Allow only IAM members in my-cool-domain.com to be an OrgAdmin in the organization with ID 123456.
  • Prevent public users from having access to buckets via IAM in the organization with ID 123456.

iam_policy_rules.yaml:

rules:
  - name: Allow only IAM members in my domain to be an OrgAdmin
    mode: whitelist
    resource:
      - type: organization
        applies_to: self
        resource_ids:
          - '*'
    inherit_from_parents: true
    bindings:
      - role: roles/resourcemanager.organizationAdmin
        members:
          - user:*@my-cool-domain.com
          - group:*@my-cool-domain.com

  - name: Prevent public users from having access to buckets via IAM
    mode: blacklist
    resource:
      - type: bucket
        applies_to: self
        resource_ids:
          - '*'
    inherit_from_parents: true
    bindings:
      - role: '*'
        members:
          - allUsers

Add the Rego constraint template gcp_iam_allowed_bindings.yaml to your policies/templates/ directory.

Create two new yaml files in your policies/constraints/ directory with the following:

iam_allowlist_domain.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAllowedBindingsConstraintV3
metadata:
  name: allowlist_domain
spec:
  severity: high
  match:
    target: ["organizations/123456"]
  parameters:
    mode: allowlist
    role: roles/resourcemanager.organizationAdmin
    members:
    - "user:*@my-cool-domain.com"
    - "group:*@my-cool-domain.com"

iam_deny_public.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAllowedBindingsConstraintV3
metadata:
  name: deny_allusers
spec:
  severity: high
  match:
    target: ["organizations/123456"]
  parameters:
    mode: denylist
    assetType: storage.googleapis.com/Bucket
    role: roles/*
    members:
    - "allUsers"
    - "allAuthenticatedUsers"

Instance Network Interface

Description: VM instances with external IP addresses expose your environment to an additional attack surface area. The instance network interface scanner audits all of your VM instances in your environment, and determines if any VMs with external IP addresses are outside of the trusted networks.

Python Scanner | Rego Constraint Template | Constraint Sample
instance_network_interface_rules.yaml | gcp_compute_allowed_networks.yaml | compute_allowed_networks.yaml

Rego constraint asset type

This Rego constraint scans the following CAI asset types:

  • compute.googleapis.com/Instance

Rego constraint properties

Python Scanner field | Rego Constraint field
name | metadata.name
project | metadata.spec.match.target
whitelist | metadata.spec.parameters.allowed

Python scanner to Rego constraint sample

The following Python scanner rule utilizes the Instance Network Interface scanner to ensure that instances with external IPs run only on allowlisted networks, and that those networks belong to allowed host projects (Shared VPC, formerly XPN).

instance_network_interface_rules.yaml:

- name: all networks covered in allowlist
  project: '*'
  network: '*'
  is_external_network: True
  whitelist:
    project-1:
     - network-1
    project-2:
     - network-2
     - network-2-2
    project-3:
     - network-3

Add the Rego constraint template gcp_compute_allowed_networks.yaml to your policies/templates/ directory.

Create a new yaml file in your policies/constraints/ directory with the following:

compute_allowed_networks.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPComputeAllowedNetworksConstraintV2
metadata:
  name: allowed-networks
spec:
  severity: high
  match:
    gcp:
      target: ["organizations/123456"]
  parameters:
    allowed:
      - https://www.googleapis.com/compute/v1/projects/project-1/global/networks/network-1
      - https://www.googleapis.com/compute/v1/projects/project-2/global/networks/network-2
      - https://www.googleapis.com/compute/v1/projects/project-2/global/networks/network-2-2
      - https://www.googleapis.com/compute/v1/projects/project-3/global/networks/network-3

KMS

Description: You can configure the KMS scanner to alert if the enabled cryptographic keys in the organization are not rotated within the specified period. You can also check that the algorithm, protection level and purpose of each cryptographic key are correctly configured.

Python Scanner | Rego Constraint Template | Constraint Sample
kms_rules.yaml | gcp_cmek_settings_v1.yaml | cmek_settings.yaml
kms_rules.yaml | gcp_cmek_settings_v1.yaml | cmek_rotation_100_days.yaml
kms_rules.yaml | gcp_cmek_settings_v1.yaml | cmek_rotation.yaml

Rego constraint asset type

This Rego constraint scans the following CAI asset types:

  • cloudkms.googleapis.com/CryptoKey

Rego constraint properties

Python Scanner field | Rego Constraint field
name | metadata.name
resource.resource_ids | metadata.spec.match.target
key.rotation_period | metadata.spec.parameters.rotation_period
key.algorithms | metadata.spec.parameters.algorithms
key.protection_level | metadata.spec.parameters.protection_level
key.purpose | metadata.spec.parameters.purpose

Python scanner to Rego constraint sample

The following Python scanner rule utilizes the KMS scanner to require the cryptographic keys in the organization to be rotated within the time specified (rotation_period), and to ensure that algorithm, protection level (protection_level) and purpose are correctly configured.

kms_rules.yaml:

rules:
  - name: All crypto keys with following config should be rotated in 100 days
    mode: whitelist
    resource:
      - type: organization
        resource_ids:
          - '*'
    key:
      - rotation_period: 100 # days
        algorithms:
          - GOOGLE_SYMMETRIC_ENCRYPTION
        protection_level: SOFTWARE
        purpose:
          - ENCRYPT_DECRYPT

Add the Rego constraint template gcp_cmek_settings_v1.yaml to your policies/templates/ directory.

Create a new yaml file in your policies/constraints/ directory with the following:

cmek_settings.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPCMEKSettingsConstraintV1
metadata:
  name: cmek_rotation_one_hundred_days
spec:
  severity: high
  match:
    target: ["organizations/*"]
  parameters:
    rotation_period: 2400h
    algorithm: GOOGLE_SYMMETRIC_ENCRYPTION
    purpose: ENCRYPT_DECRYPT
    protection_level: SOFTWARE

Kubernetes Engine

Description: Kubernetes Engine clusters have a wide variety of options. You might want to have standards so your clusters are deployed in a uniform fashion, and some of the options can introduce unnecessary security risks. The KE scanner allows you to write rules that check arbitrary cluster properties for violations. It supports the following features:

  • Any cluster property can be checked in a rule by providing a JMESPath expression that extracts the right fields. See http://jmespath.org/ for a tutorial and detailed specifications.
  • Rules can be allowlists or denylists.

Python Scanner | Rego Constraint Template | Constraint Sample
ke_scanner_rules.yaml | gcp_resource_value_pattern_v1.yaml | gke_enable_logging.yaml

Rego constraint asset type

This Rego constraint can scan for any CAI asset type. You can define the asset type(s) to look for in the constraint itself.

E.g.

  • container.googleapis.com/Cluster
  • bigquery.googleapis.com/Dataset
  • storage.googleapis.com/Bucket

Rego constraint properties

Python Scanner field | Rego Constraint field
name | metadata.name
resource.type | metadata.spec.parameters.asset_types
resource.resource_ids | metadata.spec.match.target
key | metadata.spec.parameters.field_name
mode | metadata.spec.parameters.mode
values | metadata.spec.parameters.pattern

Python scanner to Rego constraint sample

The following Python scanner rule utilizes the Kubernetes Engine scanner to require that all logging is enabled in Kubernetes clusters.

ke_scanner_rules.yaml:

- name: logging should be enabled
  resource:
    - type: project
      resource_ids:
        - '*'
  key: loggingService
  mode: whitelist
  values:
    - logging.googleapis.com

Add the Rego constraint template gcp_resource_value_pattern_v1.yaml to your policies/templates/ directory.

Create a new yaml file in your policies/constraints/ directory with the following:

gke_enable_logging.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPResourceValuePatternConstraintV1
metadata:
  name: gke-cluster-enable-logging
spec:
  severity: high
  match:
    target: ["organizations/123456"]
  parameters:
    mode: allowlist
    asset_types:
      - "container.googleapis.com/Cluster"
    field_name: "loggingService"
    pattern: "logging.googleapis.com"

Kubernetes Engine Version

Description: Kubernetes Engine clusters running on older versions can be exposed to security vulnerabilities, or lack of support. The KE version scanner can ensure your Kubernetes Engine clusters are running safe and supported versions.

Python Scanner | Rego Constraint Template | Constraint Sample
ke_rules.yaml | gcp_gke_cluster_version_v1.yaml | gke_cluster_version.yaml

Rego constraint asset type

This Rego constraint scans the following CAI asset types:

  • container.googleapis.com/Cluster

Rego constraint properties

Python Scanner field | Rego Constraint field
name | metadata.name
resource.resource_ids | metadata.spec.match.target
allowed_nodepool_versions | metadata.spec.parameters.versions

Python scanner to Rego constraint sample

The following Python scanner rule utilizes the Kubernetes Engine Version scanner to allow only specific nodepool versions.

ke_rules.yaml:

- name: Nodepool version not patched for critical security vulnerabilities
  resource:
    - type: organization
      resource_ids:
        - '*'
  check_serverconfig_valid_node_versions: false
  check_serverconfig_valid_master_versions: false
  allowed_nodepool_versions:
    # Note: We must use = here because using >= will also allow earlier
    # versions of 11-gke.* and 12-gke.* (e.g. 11-gke.1) which might have
    # the vulnerabilities.
    - major: '1.8'
      minor: '10-gke.2'
      operator: '='
    - major: '1.9'
      minor: '6-gke.2'
      operator: '='

Add the Rego constraint template gcp_gke_cluster_version_v1.yaml to your policies/templates/ directory.

Create a new yaml file in your policies/constraints/ directory with the following:

gke_allowlist_nodepool_versions.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GKEClusterVersionConstraintV1
metadata:
  name: gke-cluster-version
spec:
  severity: high
  match:
    target: ["organizations/*"]
  parameters:
    mode: "allowlist"
    version_type: "node"
    versions:
      - 1.8.10-gke.2
      - 1.9.6-gke.2
    exemptions: []

Load Balancer Forwarding Rules

Description: You can configure load balancer forwarding rules to direct unauthorized external traffic to your target instances. The forwarding rule scanner supports an allowlist mode, to ensure each forwarding rule only directs to the intended target instances.

Python Scanner | Rego Constraint Template | Constraint Sample
forwarding_rules.yaml | gcp_lb_forwarding_rules.yaml | gcp_lb_forwarding.yaml
forwarding_rules.yaml | gcp_glb_external_ip_access_constraint_v1.yaml | gcp_glb_external_ip.yaml

Rego constraint asset type

The Rego constraints scan for the following CAI asset types:

  • compute.googleapis.com/ForwardingRule
  • compute.googleapis.com/GlobalForwardingRule

Rego constraint properties

gcp_lb_forwarding_rules.yaml

Python Scanner field | Rego Constraint field
name | metadata.name
target | metadata.spec.parameters.target
mode | metadata.spec.parameters.allowlist
load_balancing_scheme | metadata.spec.parameters.load_balancing_scheme
ip_protocol | metadata.spec.parameters.ip_protocol
ip_address | metadata.spec.parameters.ip_address

Python scanner to Rego constraint sample

The following Python scanner rule utilizes the Load Balancer Forwarding Rules scanner to allow only UDP load balancers for external VPN.

forwarding_rules.yaml:

  - name: UDP LB for External VPN
    target: https://www.googleapis.com/compute/v1/projects/THEPROJECT/regions/us-central1/THELB/FWD_RULE_NAME
    mode: whitelist
    load_balancing_scheme: EXTERNAL
    port_range: 4500-4500
    ip_protocol: UDP
    ip_address: "198.51.100.99"

Add the Rego constraint template gcp_lb_forwarding_rules.yaml to your policies/templates/ directory.

Create a new yaml file in your policies/constraints/ directory with the following:

gcp_lb_forwarding.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPLBAllowedForwardingRulesConstraintV2
metadata:
  name: gcp_lb_forwarding_rule_allowlist
spec:
  severity: high
  parameters:
    allowlist:
     - target: https://www.googleapis.com/compute/v1/projects/THEPROJECT/regions/us-central1/THELB/FWD_RULE_NAME
       load_balancing_scheme: EXTERNAL
       port_range: 4500-4500
       ip_protocol: UDP
       ip_address: "198.51.100.99"

Location

Description: Allow customers to ensure their resources are located only in the intended locations. Set guards around locations as part of automated project deployment.

Python Scanner | Rego Constraint Template | Constraint Sample
location_rules.yaml | gcp_storage_location_v1.yaml | storage_location.yaml
location_rules.yaml | gcp_sql_location_v1.yaml | sql_location.yaml
location_rules.yaml | gcp_bq_dataset_location_v1.yaml | bq_dataset_location.yaml
location_rules.yaml | gcp_gke_cluster_location.yaml | gke_cluster_location.yaml
location_rules.yaml | gcp_compute_zone_v1.yaml | compute_zone.yaml

Rego constraint asset type

gcp_storage_location_v1.yaml scans for the following CAI asset types:

  • storage.googleapis.com/Bucket

gcp_sql_location_v1.yaml scans for the following CAI asset types:

  • sqladmin.googleapis.com/Instance

gcp_bq_dataset_location_v1.yaml scans for the following CAI asset types:

  • bigquery.googleapis.com/Dataset

gcp_gke_cluster_location.yaml scans for the following CAI asset types:

  • container.googleapis.com/Cluster

gcp_compute_zone_v1.yaml scans for the following CAI asset types:

  • compute.googleapis.com/Instance
  • compute.googleapis.com/Disk

Rego constraint properties

gcp_storage_location_v1.yaml

Python Scanner field | Rego Constraint field
name | metadata.name
mode | metadata.spec.parameters.mode
resource.resource_ids | metadata.spec.match.target
locations | metadata.spec.parameters.locations

gcp_sql_location_v1.yaml

Python Scanner field | Rego Constraint field
name | metadata.name
mode | metadata.spec.parameters.mode
resource.resource_ids | metadata.spec.match.target
locations | metadata.spec.parameters.locations

gcp_bq_dataset_location_v1.yaml

Python Scanner field | Rego Constraint field
name | metadata.name
mode | metadata.spec.parameters.mode
resource.resource_ids | metadata.spec.match.target
locations | metadata.spec.parameters.locations

gcp_gke_cluster_location.yaml

Python Scanner field | Rego Constraint field
name | metadata.name
mode | metadata.spec.parameters.mode
resource.resource_ids | metadata.spec.match.target
locations | metadata.spec.parameters.locations

gcp_compute_zone_v1.yaml

Python Scanner field Rego Constraint field
name metadata.name
mode metadata.spec.parameters.mode
resource.resource_ids metadata.spec.match.target
locations metadata.spec.parameters.zones

Python scanner to Rego constraint sample

The following Python scanner rule utilizes the Location scanner to ensure that no bucket in the organization with ID 123456 is located in the EU.

location_rules.yaml:

- name: All buckets in organization must not be in EU.
  mode: blacklist
  resource:
   - type: organization
     resource_ids:
       - ${org_id}
  applies_to:
   - type: 'bucket'
     resource_ids:
       - '*'
  locations:
   - 'eu*'

Add the Rego constraint template gcp_storage_location_v1.yaml to your policies/templates/ directory.

Create a new yaml file in your policies/constraints/ directory with the following:

storage_location_eu_denylist.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPStorageLocationConstraintV1
metadata:
  name: denylist_bucket_eu_location
spec:
  severity: high
  match:
    target: ["organizations/123456*"]
  parameters:
    mode: "denylist"
    locations:
    - europe-north1
    - europe-west1
    - europe-west2
    - europe-west3
    - europe-west4
    - europe-west6
    exemptions: []
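The field mapping above is mechanical except for two values: the Forseti mode name changes (blacklist becomes denylist) and a location glob such as 'eu*' has to be expanded to explicit region names, as the sample does. The following script is an added example (not code from Forseti or policy-library) that applies the mapping table to a parsed location rule and flags the parts that still need a human. It assumes that whitelist maps to allowlist by analogy with blacklist/denylist, that metadata.name is a lowercased, underscore-separated form of the rule name, and that a resource_ids entry of '*' becomes an organizations/** target; only the bucket kind shown on this page is supported.

```python
"""Convert a Forseti location rule (parsed YAML as a dict) into a Config
Validator constraint dict, following the field-mapping table for
gcp_storage_location_v1.yaml.  Added example, not project code."""
import json
import re

# Forseti mode values -> constraint mode values.  blacklist -> denylist is shown
# in the sample above; whitelist -> allowlist is assumed by analogy.
MODE_MAP = {"blacklist": "denylist", "whitelist": "allowlist"}

# Forseti resource types -> CAI resource-name prefixes used in match.target.
TARGET_PREFIX = {"organization": "organizations", "folder": "folders", "project": "projects"}

# applies_to types supported here -> constraint kind (only the bucket kind
# appears on this page; the other location templates are not covered).
KIND_FOR_TYPE = {"bucket": "GCPStorageLocationConstraintV1"}

GLOB_CHARS = set("*?[")


def slug(name: str) -> str:
    """metadata.name derived from the rule name (assumed convention: lowercase,
    runs of non-alphanumerics collapsed to '_')."""
    return re.sub(r"[^a-z0-9]+", "_", name.lower()).strip("_")


def to_targets(resources: list, variables: dict) -> list:
    """resource.resource_ids -> metadata.spec.match.target.  ${var} placeholders
    are substituted; a bare '*' becomes a '<prefix>/**' glob (assumed form)."""
    targets = []
    for res in resources:
        prefix = TARGET_PREFIX[res["type"]]
        for rid in res["resource_ids"]:
            rid = re.sub(r"\$\{(\w+)\}", lambda m: variables[m.group(1)], str(rid))
            targets.append(f"{prefix}/**" if rid == "*" else f"{prefix}/{rid}")
    return targets


def location_rule_to_constraint(rule: dict, variables: dict, severity: str = "high"):
    """Return (constraint_dict, warnings).  Warnings list locations written as
    globs, which the constraint needs as explicit region names (the sample
    above expands 'eu*' to europe-north1, europe-west1, ...)."""
    mode = MODE_MAP.get(rule["mode"])
    if mode is None:
        raise ValueError(f"unknown Forseti mode {rule['mode']!r}")
    types = {a["type"] for a in rule["applies_to"]}
    if len(types) != 1 or not types <= KIND_FOR_TYPE.keys():
        raise ValueError(f"expected one supported applies_to type, got {sorted(types)}")
    kind = KIND_FOR_TYPE[types.pop()]
    warnings = [
        f"location {loc!r} is a glob; expand it to explicit region names before use"
        for loc in rule["locations"] if GLOB_CHARS & set(loc)
    ]
    constraint = {
        "apiVersion": "constraints.gatekeeper.sh/v1alpha1",
        "kind": kind,
        "metadata": {"name": slug(rule["name"])},
        "spec": {
            "severity": severity,
            "match": {"target": to_targets(rule["resource"], variables)},
            "parameters": {"mode": mode, "locations": list(rule["locations"]), "exemptions": []},
        },
    }
    return constraint, warnings


# The location_rules.yaml entry from this page, as it parses from YAML.
FORSETI_RULE = {
    "name": "All buckets in organization must not be in EU.",
    "mode": "blacklist",
    "resource": [{"type": "organization", "resource_ids": ["${org_id}"]}],
    "applies_to": [{"type": "bucket", "resource_ids": ["*"]}],
    "locations": ["eu*"],
}

if __name__ == "__main__":
    constraint, warnings = location_rule_to_constraint(FORSETI_RULE, {"org_id": "123456"})
    print(json.dumps(constraint, indent=2))  # JSON is also valid YAML
    for msg in warnings:
        print("WARNING:", msg)
```

The script keeps 'eu*' in the output and prints a warning rather than guessing which regions the glob should cover; the region list is a policy decision, and the constraint sample above shows one such expansion.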

Retention Policy

Description: Allow customers to ensure the retention policies on their resources are set as intended.

Python Scanner Rego Constraint Template Constraint Sample
retention_rules.yaml gcp_storage_bucket_retention_v1.yaml storage_bucket_retention.yaml
retention_rules.yaml gcp_bigquery_table_retention_v1.yaml bigquery_table_retention.yaml

Rego constraint asset type

gcp_storage_bucket_retention_v1.yaml scans for the following CAI asset types:

  • storage.googleapis.com/Bucket

gcp_bigquery_table_retention_v1.yaml scans for the following CAI asset types:

  • bigquery.googleapis.com/Table

Rego constraint properties

gcp_storage_bucket_retention_v1.yaml

Python Scanner field Rego Constraint field
name metadata.name
resource.resource_ids metadata.spec.match.target
minimum_retention metadata.spec.parameters.minimum_retention_days
maximum_retention metadata.spec.parameters.maximum_retention_days

gcp_bigquery_table_retention_v1.yaml

Python Scanner field Rego Constraint field
name metadata.name
resource.resource_ids metadata.spec.match.target
minimum_retention metadata.spec.parameters.minimum_retention_days
maximum_retention metadata.spec.parameters.maximum_retention_days

Python scanner to Rego constraint sample

The following Python scanner rule utilizes the Retention Policy scanner to require all buckets in organization with ID 123456 to have a retention shorter than 730 days.

retention_rules.yaml:

  - name: Buckets in Organization must have a retention shorter than 730 days.
    applies_to:
      - bucket
    resource:
      - type: organization
        resource_ids:
          - "123456"
    maximum_retention: 730

Add the Rego constraint template gcp_storage_bucket_retention_v1.yaml to your policies/templates/ directory.

Create a new yaml file in your policies/constraints/ directory with the following:

storage_bucket_retention.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPStorageBucketRetentionConstraintV1
metadata:
  name: storage_bucket_maximum_retention
spec:
  severity: high
  match:
    target: ["organizations/123456"]
  parameters:
    maximum_retention_days: 730
    exemptions: []

Role

Description: Control the permissions that are actually granted by IAM roles: ensure that custom IAM roles do not carry more permissions than they should, so they cannot be used to obtain unintended access.

Python Scanner Rego Constraint Template Constraint Sample
role_rules.yaml gcp_iam_custom_role_permissions_v1.yaml iam_allowed_roles.yaml

Rego constraint asset type

This Rego constraint can scan the following CAI asset type:

  • iam.googleapis.com/Role

Rego constraint properties

Python Scanner field Rego Constraint field
name metadata.name
role_name metadata.spec.parameters.title
permissions metadata.spec.parameters.permissions
resource.resource_ids metadata.spec.match.target

Python scanner to Rego constraint sample

The following Python scanner rule utilizes the Role scanner to look up the 'BigqueryViewer' role and ensure that it contains only the permissions listed.

role_rules.yaml:

  - name: "The role BigqueryViewer contains exactly the following 3 permissions"
    role_name: "BigqueryViewer"
    permissions:
      - "bigquery.datasets.get"
      - "bigquery.tables.get"
      - "bigquery.tables.list"
    resource:
      - type: project
        resource_ids: ['*']

Add the Rego constraint template gcp_iam_custom_role_permissions_v1.yaml to your policies/templates/ directory.

Create a new yaml file in your policies/constraints/ directory with the following:

iam_custom_role_permissions.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMCustomRolePermissionsConstraintV1
metadata:
  name: allowlist-role-permissions
  annotations:
    description: Bigquery Viewer role must only have specific permissions
spec:
  severity: high
  parameters:
    mode: allowlist
    title: "Bigquery Viewer"
    permissions:
     - "bigquery.datasets.get"
     - "bigquery.tables.get"
     - "bigquery.tables.list"
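The Forseti rule above is phrased as "contains exactly" these three permissions, while the constraint uses mode: allowlist, and the two are not quite the same check. The script below is an added example (not Forseti or policy-library code) that evaluates constructed iam.googleapis.com/Role records both ways so the difference is visible. It assumes that allowlist mode flags any permission outside the list and denylist mode flags any listed permission that is present, that roles are selected by their title (the constraint's title parameter), and that the CAI export carries the role under resource.data with title and includedPermissions fields; the sample role records are constructed.

```python
"""Evaluate custom-role permissions against an allowlist/denylist the way the
gcp_iam_custom_role_permissions constraint is assumed to, and against the
Forseti rule's stricter 'exactly these permissions' reading.  Added example."""

# Constructed CAI-style records for iam.googleapis.com/Role (field names assumed).
ROLE_ASSETS = [
    {
        "name": "//iam.googleapis.com/projects/example-proj/roles/BigqueryViewer",
        "asset_type": "iam.googleapis.com/Role",
        "resource": {"data": {
            "title": "Bigquery Viewer",
            "includedPermissions": [
                "bigquery.datasets.get",
                "bigquery.tables.get",
                "bigquery.tables.list",
                "bigquery.jobs.create",      # extra permission: lets the role run queries
            ],
        }},
    },
    {
        "name": "//iam.googleapis.com/projects/other-proj/roles/BigqueryViewer",
        "asset_type": "iam.googleapis.com/Role",
        "resource": {"data": {
            "title": "Bigquery Viewer",
            "includedPermissions": ["bigquery.datasets.get", "bigquery.tables.get"],
        }},
    },
    {
        "name": "//iam.googleapis.com/projects/other-proj/roles/Unrelated",
        "asset_type": "iam.googleapis.com/Role",
        "resource": {"data": {"title": "Unrelated", "includedPermissions": ["storage.objects.get"]}},
    },
]

ALLOWED = ["bigquery.datasets.get", "bigquery.tables.get", "bigquery.tables.list"]


def roles_with_title(assets: list, title: str) -> list:
    """Select Role assets whose title matches the constraint's title parameter."""
    return [a for a in assets
            if a.get("asset_type") == "iam.googleapis.com/Role"
            and a["resource"]["data"].get("title") == title]


def mode_violations(asset: dict, permissions: list, mode: str) -> set:
    """Permissions that violate the constraint for one role (empty set = compliant).
    allowlist: anything not in the list; denylist: anything in the list (assumed semantics)."""
    have = set(asset["resource"]["data"].get("includedPermissions", []))
    listed = set(permissions)
    if mode == "allowlist":
        return have - listed
    if mode == "denylist":
        return have & listed
    raise ValueError(f"unknown mode {mode!r}")


def exact_diff(asset: dict, permissions: list) -> tuple:
    """The Forseti wording 'exactly these permissions': returns (extra, missing)."""
    have = set(asset["resource"]["data"].get("includedPermissions", []))
    listed = set(permissions)
    return have - listed, listed - have


def report(assets: list, title: str, permissions: list, mode: str) -> dict:
    """Map each matching role name to its violating permissions under `mode`."""
    return {a["name"]: sorted(mode_violations(a, permissions, mode))
            for a in roles_with_title(assets, title)}


if __name__ == "__main__":
    for name, bad in report(ROLE_ASSETS, "Bigquery Viewer", ALLOWED, "allowlist").items():
        print(name, "VIOLATION" if bad else "ok", bad)
    for a in roles_with_title(ROLE_ASSETS, "Bigquery Viewer"):
        extra, missing = exact_diff(a, ALLOWED)
        print(a["name"], "extra:", sorted(extra), "missing:", sorted(missing))
```

Under allowlist mode the second role (two of the three permissions) passes, because an allowlist only bounds what a role may grant; it is the first role, with bigquery.jobs.create added, that fails. If the "exactly" reading matters to you, keep the missing-permission check as a separate control, since the constraint alone will not report it.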

Service Account Key

Description: It’s best to periodically rotate your user-managed service account keys, in case the keys get compromised without your knowledge. With the service account key scanner, you can define the max age at which your service account keys should be rotated. The scanner will then find any key that is older than the max age.

Python Scanner Rego Constraint Template Constraint Sample
service_account_key_rules.yaml gcp_iam_restrict_service_account_key_age_v1.yaml gcp_iam_restrict_service_account_key_age.yaml

Rego constraint asset type

This Rego constraint scans for the following CAI asset type:

  • iam.googleapis.com/ServiceAccountKey

Rego constraint properties

Python Scanner field Rego Constraint field
name metadata.name
resource.resource_ids metadata.spec.match.target
max_age metadata.spec.parameters.max_age

Python scanner to Rego constraint sample

The following Python scanner rules utilize the Service Account Key scanner to define the max age at which the Service Account Keys should be rotated.

service_account_key_rules.yaml:

rules:
  # The max allowed age of user managed service account keys (in days)
  - name: Service account keys not rotated
    resource:
      - type: organization
        resource_ids:
          - '*'
    max_age: 100 # days

Add the Rego constraint template gcp_iam_restrict_service_account_key_age_v1.yaml to your policies/templates/ directory.

Create a new yaml file in your policies/constraints/ directory with the following:

gcp_iam_restrict_service_account_key_age.yaml:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMRestrictServiceAccountKeyAgeConstraintV1
metadata:
  name: iam-restrict-service-account-key-age-ninety-days
  annotations:
    # This constraint is not certified by CIS.
    bundles.validator.forsetisecurity.org/cis-v1.1: 1.06
spec:
  severity: high
  parameters:
      max_age: 2160h
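The only field that changes shape in this migration is max_age: Forseti counts days, while the constraint sample writes a duration in hours (2160h is 90 days). The script below is an added example (not Forseti or policy-library code) that converts between the two forms and then applies the threshold to constructed iam.googleapis.com/ServiceAccountKey records, skipping Google-managed keys the way the Forseti rule's "user managed" comment implies. It assumes the CAI export carries keyType and an RFC 3339 validAfterTime under resource.data, and that the duration string may combine h, m and s components; the key records and timestamps are constructed.

```python
"""Service account key age: convert Forseti max_age (days) to the constraint's
duration form and find user-managed keys older than the threshold.
Added example, not project code."""
import re
from datetime import datetime, timedelta, timezone


def days_to_duration(days: int) -> str:
    """Forseti max_age is in days; the constraint sample uses hours (90 days -> '2160h')."""
    return f"{days * 24}h"


def parse_duration(text: str) -> timedelta:
    """Parse '2160h' style durations; 'h', 'm' and 's' components assumed to be allowed."""
    parts = re.findall(r"(\d+)([hms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"bad duration {text!r}")
    unit_name = {"h": "hours", "m": "minutes", "s": "seconds"}
    total = timedelta()
    for number, unit in parts:
        total += timedelta(**{unit_name[unit]: int(number)})
    return total


# Constructed CAI-style records (field names under resource.data are assumed).
KEY_ASSETS = [
    {"name": "//iam.googleapis.com/projects/example-proj/serviceAccounts/app@example-proj.iam.gserviceaccount.com/keys/key-old",
     "asset_type": "iam.googleapis.com/ServiceAccountKey",
     "resource": {"data": {"keyType": "USER_MANAGED", "validAfterTime": "2023-01-01T00:00:00Z"}}},
    {"name": "//iam.googleapis.com/projects/example-proj/serviceAccounts/app@example-proj.iam.gserviceaccount.com/keys/key-fresh",
     "asset_type": "iam.googleapis.com/ServiceAccountKey",
     "resource": {"data": {"keyType": "USER_MANAGED", "validAfterTime": "2023-04-01T00:00:00Z"}}},
    {"name": "//iam.googleapis.com/projects/example-proj/serviceAccounts/app@example-proj.iam.gserviceaccount.com/keys/key-google",
     "asset_type": "iam.googleapis.com/ServiceAccountKey",
     "resource": {"data": {"keyType": "SYSTEM_MANAGED", "validAfterTime": "2022-01-01T00:00:00Z"}}},
]


def stale_keys(assets: list, max_age: timedelta, now: datetime) -> list:
    """Names of user-managed keys whose age at `now` exceeds max_age.
    System-managed keys are rotated by Google and are skipped."""
    stale = []
    for asset in assets:
        if asset.get("asset_type") != "iam.googleapis.com/ServiceAccountKey":
            continue
        data = asset["resource"]["data"]
        if data.get("keyType") != "USER_MANAGED":
            continue
        created = datetime.fromisoformat(data["validAfterTime"].replace("Z", "+00:00"))
        if now - created > max_age:
            stale.append(asset["name"])
    return stale


if __name__ == "__main__":
    # Fixed evaluation time so the run is reproducible (constructed).
    now = datetime(2023, 6, 1, tzinfo=timezone.utc)
    threshold = parse_duration(days_to_duration(100))   # the Forseti rule's 100 days
    for name in stale_keys(KEY_ASSETS, threshold, now):
        print("rotate:", name)
```

Note that the constraint sample's 2160h is 90 days, while the Python rule above uses max_age: 100; days_to_duration(100) gives 2400h if you want the migrated constraint to keep the same threshold.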