The rules engine checks data like Cloud IAM policies and firewall rules against some user-defined rules. The current version of Forseti Security supports rule checking for the following resources:
For examples, see the rules directory.
IamRulesEngine, Forseti Scanner integrates with Forseti Inventory to
get Cloud IAM policy data for organizations, folders, and projects, and audits the policies
against user-defined rules.
IamRulesEngine uses the organization resources’ hierarchy, so
rules can “roll up” to resource parents. For example, a project under an
organization can look for rules for that project and for its parent
If a policy binding violates a rule, the
IamRulesEngine reports a rule violation.
The rule violations can be stored in a CSV, a Cloud Storage bucket, and a Cloud SQL table.
The base rules engine class
google.cloud.security.scanner.audit.BaseRulesEngine contains some generic
methods for loading rules files in YAML or JSON format. Because Google Cloud
Platform (GCP) resources have different kinds of data that can be checked for
whether they are secureliy configured, you’ll need to design the rule checking
based on the kind of data you want to audit.
To design a rules engine, follow the guidelines below:
find_policy_violations()method searches the rule book and compares the policy against the rule in the book, if found.