Skip to content

Latest commit

 

History

History
233 lines (224 loc) · 99.3 KB

index.md

File metadata and controls

233 lines (224 loc) · 99.3 KB

Config Validator Policy Library

Constraint templates specify the logic to be used by constraints. This repository contains pre-defined constraint templates that you can implement or modify for your own needs.

Creating a constraint template

You can create and implement your own custom constraint templates. For instructions on how to write constraint templates, see How to write your own constraint templates.

Policy Bundles

In addition to browsing all Available Templates and Sample Constraints, you can explore these policy bundles:

Available Templates

Template Samples
GCPAllowedResourceTypesConstraintV1
GCPAllowedResourceTypesConstraintV2 deny_some_resource_types
GCPAlwaysViolatesConstraintV1 always_violates_all
GCPAppEngineServiceVersionsConstraintV1 service_versions
GCPAppengineLocationConstraintV1 allow_appengine_applications_in_australia_and_south_america
GCPBigQueryCMEKEncryptionConstraintV1 gcp-bq-cmek-encryption-v1
GCPBigQueryDatasetLocationConstraintV1 bq_dataset_allowed_locations
GCPBigQueryDatasetWorldReadableConstraintV1 require_bq_table_iam
GCPBigQueryTableRetentionConstraintV1 bq_table_minimum_maximum_retention
GCPCMEKRotationConstraintV1 cmek_rotation, cmek_rotation_one_hundred_days
GCPCMEKSettingsConstraintV1 cmek_rotation
GCPComputeAllowedNetworksConstraintV2 allowed-networks
GCPComputeBlockSSHKeysConstraintV1 compute_block_ssh_keys
GCPComputeDiskResourcePoliciesConstraintV1 compute_disk_resource_policies_allowlist_one
GCPComputeExternalIpAccessConstraintV1
GCPComputeExternalIpAccessConstraintV2 forbid_external_ip
GCPComputeIpForwardConstraintV1
GCPComputeIpForwardConstraintV2 forbid_ip_forward
GCPComputeNetworkInterfaceWhitelistConstraintV1
GCPComputeRequireOSLoginConstraintV1 compute-enable-oslogin-project
GCPComputeZoneConstraintV1 compute_zone_allowlist_one
GCPDNSSECConstraintV1 require_dnssec
GCPDNSSECPreventRSASHA1ConstraintV1 dnssec_prevent_rsasha1_ksk, dnssec_prevent_rsasha1_zsk
GCPDataprocLocationConstraintV1 allow_dataproc_clusters_in_asia
GCPEnforceLabelConstraintV1 require_labels
GCPEnforceNamingConstraintV1 enforce_naming_convention
GCPExternalIpAccessConstraintV1
GCPGKEAllowedNodeSAConstraintV1 gke_allowed_node_service_account_scope_default
GCPGKEContainerOptimizedOSConstraintV1 gke_container_optimized_os
GCPGKEDashboardConstraintV1 disable_gke_dashboard
GCPGKEDisableDefaultServiceAccountConstraintV1 disable_gke_default_service_account
GCPGKEDisableLegacyEndpointsConstraintV1 disable_gke_legacy_endpoints
GCPGKEEnableAliasIPRangesConstraintV1 enable_alias_ip_ranges
GCPGKEEnableBinAuthzConstraintV1 gke-enable-binary-authorization
GCPGKEEnablePrivateEndpointConstraintV1 gke_enable_private_endpoint
GCPGKEEnableShieldedNodesConstraintV1 enable_gke_shielded_nodes
GCPGKEEnableStackdriverKubernetesEngineMonitoringV1 enable_gke_stackdriver_kubernetes_engine_monitoring
GCPGKEEnableStackdriverLoggingConstraintV1 enable_gke_stackdriver_logging
GCPGKEEnableStackdriverMonitoringConstraintV1 enable_gke_stackdriver_monitoring
GCPGKEEnableWorkloadIdentityConstraintV1 enable_gke_workload_identity
GCPGKELegacyAbacConstraintV1 disable_gke_legacy_abac
GCPGKEMasterAuthorizedNetworksEnabledConstraintV1 enable_gke_master_authorized_networks
GCPGKENodeAutoRepairConstraintV1 enable_auto_repair
GCPGKENodeAutoUpgradeConstraintV1 enable_auto_upgrade
GCPGKEPrivateClusterConstraintV1 allow_only_private_cluster
GCPGKERestrictClientAuthenticationMethodsConstraintV1 gke_restrict_client_auth_methods
GCPGKERestrictPodTrafficConstraintV1 gke_restrict_pod_traffic
GCPGKERestrictPodTrafficConstraintV2 gke_restrict_pod_traffic
GCPGLBExternalIpAccessConstraintV1 glb_external_ip_allowlist
GCPIAMAllowedBindingsConstraintV1
GCPIAMAllowedBindingsConstraintV2
GCPIAMAllowedBindingsConstraintV3 block_serviceaccount_token_creator, deny_allusers, deny_role, restrict-gmail-bigquery-dataset, restrict-googlegroups-bigquery-dataset, restrict_gmail, restrict_owner_role
GCPIAMAllowedPolicyMemberDomainsConstraintV1
GCPIAMAllowedPolicyMemberDomainsConstraintV2 only_my_domain, service_accounts_only
GCPIAMAuditLogConstraintV1 audit_log_all, audit_log_data_read_write
GCPIAMCustomRolePermissionsConstraintV1 allowlist-custom-role-permissions
GCPIAMRequiredBindingsConstraintV1 require_members_and_domains_owner
GCPIAMRestrictServiceAccountCreationConstraintV1 iam_restrict_service_account_creation
GCPIAMRestrictServiceAccountKeyAgeConstraintV1 iam-restrict-service-account-key-age-ninety-days, iam-restrict-service-account-key-age-one-hundred-days
GCPIAMRestrictServiceAccountKeyTypeConstraintV1 iam_restrict_service_account_key_type
GCPLBAllowedForwardingRulesConstraintV2 gcp_lb_forwarding_rule_allowlist
GCPNetworkEnableFirewallLogsConstraintV1 enable-network-firewall-logs
GCPNetworkEnableFlowLogsConstraintV1 enable_network_flow_logs
GCPNetworkEnablePrivateGoogleAccessConstraintV1 enable_network_private_google_access
GCPNetworkRestrictDefaultV1 network_restrict_default
GCPNetworkRoutingConstraintV1 require_global_routing
GCPResourceValuePatternConstraintV1 gke-cluster-enable-logging
GCPRestrictedFirewallRulesConstraintV1 restrict-firewall-rule-allow-ingress-demo, restrict-firewall-rule-rdp-world-open, restrict-firewall-rule-ssh-world-open, restrict-firewall-rule-world-open, restrict-firewall-rule-world-open-tcp-udp-all-ports
GCPSQLAllowedAuthorizedNetworksConstraintV1 sql_allowed_authorized_networks_allowlist
GCPSQLBackupConstraintV1 gcp-sql-backup-no-exemptions, gcp-sql-backup-with-exemptions
GCPSQLInstanceTypeConstraintV1 sql_type_deny_sqlserver
GCPSQLLocationConstraintV1 allow_some_sql_location
GCPSQLMaintenanceWindowConstraintV1 gcp-sql-maintenance-window-v1
GCPSQLPublicIpConstraintV1 prevent-public-ip-cloudsql
GCPSQLSSLConstraintV1 require_sql_ssl
GCPSQLWorldReadableConstraintV1 sql-world-readable
GCPServiceUsageConstraintV1 allow_basic_set_of_apis, deny_some_apis
GCPSpannerLocationConstraintV1 allow_spanner_clusters_in_asia_and_europe
GCPStorageBucketPolicyOnlyConstraintV1 require_bucket_policy_only
GCPStorageBucketRetentionConstraintV1 storage_bucket_minimum_maximum_retention
GCPStorageBucketWorldReadableConstraintV1 denylist_public_users
GCPStorageCMEKEncryptionConstraintV1 storage_cmek_encryption
GCPStorageLocationConstraintV1 allow_some_storage_location
GCPStorageLoggingConstraintV1 storage_logging
GCPVPCSCAllowedRegionsConstraintV2 vpc_sc_allowlist_regions
GCPVPCSCEnsureAccessLevelsConstraintV1 vpc_sc_ensure_access_levels
GCPVPCSCEnsureProjectConstraintV1 vpc_sc_ensure_project
GCPVPCSCEnsureServicesConstraintV1 vpc_sc_ensure_services
GCPVPCSCIPRangeConstraintV1 vpc_sc_ip_range
GCPVPCSCProjectPerimeterConstraintV1 vpc_sc_project_perimeter_whitelist
GCPVPCSCProjectPerimeterConstraintV2
GCPVPCSCProjectPerimeterConstraintV3 vpc_sc_project_perimeter_allowlist, vpc_sc_project_perimeter_denylist
GCPVPCSCWhitelistRegionsConstraintV1
GKEClusterLocationConstraintV1 gke_cluster_location
GKEClusterLocationConstraintV2
GKEClusterVersionConstraintV1 gke-cluster-version

Sample Constraints

The repo also contains a number of sample constraints:

Sample Template Description
allow_appengine_applications_in_australia_and_south_america Link Restrict locations (regions) where App Engine applications are deployed.
allow_basic_set_of_apis Link Only a basic set of APIS
allow_dataproc_clusters_in_asia Link Checks that Dataproc clusters are in correct regions.
allow_only_private_cluster Link Verifies all GKE clusters are Private Clusters.
allow_some_sql_location Link Checks Cloud SQL instance locations against allowed or disallowed locations.
allow_some_storage_location Link Checks Cloud Storage bucket locations against allowed or disallowed locations.
allow_spanner_clusters_in_asia_and_europe Link Checks Cloud Spanner locations.
allowed-networks Link Checks all VM network interfaces are attached to certain VPC networks.
allowlist-custom-role-permissions Link Custom BigQuery role must only have specific permissions
always_violates_all Link Testing policy, will always violate.
audit_log_all Link Checks that all services have all types of audit logs enabled.
audit_log_data_read_write Link Checks that the defined services have audit logs enabled (ADMIN_READ, DATA_READ, DATA_WRITE).
block_serviceaccount_token_creator Link Ban any users from being granted Service Account Token Creator access
bq_dataset_allowed_locations Link Checks in which locations BigQuery datasets exist.
bq_table_minimum_maximum_retention Link Checks if a BigQuery table violates retention policy.
cmek_rotation Link Checks multiple CMEK key settings (protection level, algorithm, purpose, rotation period).
cmek_rotation Link Checks that CMEK rotation policy is in place and is sufficiently short.
cmek_rotation_one_hundred_days Link Checks that CMEK rotation policy is in place and is sufficiently short.
compute-enable-oslogin-project Link Verifies that all VMs in a project have OS login enabled.
compute_block_ssh_keys Link Checks if "Block Project-wide SSH keys" is enabled for VM instances
compute_disk_resource_policies_allowlist_one Link Checks that Persistent Disks have correct resource policies (eg. snapshot schedules) attached to them.
compute_zone_allowlist_one Link Checks the instances and Persistent Disks are in desired zones.
deny_allusers Link Prevent public users from having access to resources via IAM
deny_role Link Ban any users from being granted Service Account User access
deny_some_apis Link Deny a set of APIS
deny_some_resource_types Link Restricts kind of resources that are allowed in your projects.
denylist_public_users Link Prevent public users from having access to resources via IAM
disable_gke_dashboard Link Ensure Kubernetes web UI / Dashboard is disabled
disable_gke_default_service_account Link Ensure default Service account is not used for Project access in Kubernetes Clusters
disable_gke_legacy_abac Link Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
disable_gke_legacy_endpoints Link Checks that legacy metadata endpoints are disabled (disabled by default since GKE 1.12+).
dnssec_prevent_rsasha1_ksk Link Ensure that RSASHA1 is not used for key-signing key in Cloud DNS
dnssec_prevent_rsasha1_zsk Link Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS
enable-network-firewall-logs Link Ensure Firewall logs is enabled for every firewall in VPC Network
enable_alias_ip_ranges Link Ensure Kubernetes Cluster is created with Alias IP ranges enabled
enable_auto_repair Link Ensure automatic node repair is enabled on all node pools in a GKE cluster
enable_auto_upgrade Link Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes
enable_gke_master_authorized_networks Link Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters
enable_gke_shielded_nodes Link Checks that GKE is using Shielded nodes (secure boot).
enable_gke_stackdriver_kubernetes_engine_monitoring Link Ensure Stackdriver Kubernetes Engine Monitoring is enabled
enable_gke_stackdriver_logging Link Ensure stackdriver logging is enabled on a GKE cluster
enable_gke_stackdriver_monitoring Link Ensure stackdriver monitoring is enabled on a GKE cluster
enable_gke_workload_identity Link Ensure Workload Identity is enabled on a GKE cluster
enable_network_flow_logs Link Ensure VPC Flow logs is enabled for every subnet in VPC Network
enable_network_private_google_access Link Ensure Private Google Access is enabled for all subnetworks in VPC
enforce_naming_convention Link Checks defined resources that are supported by Cloud Asset Inventory are named according to regular expression pattern.
forbid_external_ip Link Checks if Compute Engine instances have public IPs.
forbid_ip_forward Link Checks if a VM has IP forwarding turned on.
gcp-bq-cmek-encryption-v1 Link Checks if BigQuery datasets have a CMEK key set.
gcp-sql-backup-no-exemptions Link Checks that Cloud SQL backups are enabled.
gcp-sql-backup-with-exemptions Link Checks that Cloud SQL backups are enabled.
gcp-sql-maintenance-window-v1 Link Checks that every Cloud SQL instance has a specified maintenance window set.
gcp_lb_forwarding_rule_allowlist Link Verifies load balancer forwarding rules against allowed values.
gke-cluster-allowed-locations Checks which zones are allowed/disallowed for GKE clusters.
gke-cluster-enable-logging Link Ensure Kubernetes Clusters have logging enabled.
gke-cluster-version Link Checks if a GKE cluster is using a master version type other than 1.12.10-gke.17.
gke-enable-binary-authorization Link
gke_allowed_node_service_account_scope_default Link Checks that certain service account scopes are not assigned to nodes.
gke_cluster_location Link
gke_container_optimized_os Link Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters
gke_enable_private_endpoint Link Enable a private endpoint for the cluster to be accessible from an internal network only.
gke_restrict_client_auth_methods Link Checks that client certificate and password authentication methods are disabled for GKE clusters.
gke_restrict_pod_traffic Link Checks that GKE clusters have a Network Policy installed.
gke_restrict_pod_traffic Link Checks that GKE clusters have a Network Policy installed.
glb_external_ip_allowlist Link Checks if Global Load Balancers have external IPs.
iam-restrict-service-account-key-age-ninety-days Link Checks if service account keys are older than 90 days.
iam-restrict-service-account-key-age-one-hundred-days Link Checks if service account keys are older than 100 days.
iam_allow_roles Only the roles in this list are allowed. All other roles trigger violation.
iam_ban_roles Only the roles in this list trigger violation. All other roles allowed.
iam_restrict_service_account_creation Link Checks if any service accounts have been created.
iam_restrict_service_account_key_type Link Checks if any service accounts have user created keys.
network_restrict_default Link Restrict default networks with open firewall rules
only_my_domain Link Only allow members from my domain to be added to IAM roles
prevent-public-ip-cloudsql Link Prevents a public IP from being assigned to a Cloud SQL instance.
require_bq_table_iam Link Checks if BigQuery datasets are publicly readable or allAuthenticatedUsers.
require_bucket_policy_only Link Checks if Cloud Storage buckets have Bucket Only Policy turned on.
require_dnssec Link Checks that DNSSEC is enabled for a Cloud DNS managed zone.
require_global_routing Link Checks that every VPC is in global routing mode.
require_labels Link Checks that labels are set for all resources (or a subset of resources) and that they match a certain regular expression pattern.
require_members_and_domains_owner Link Trigger violations if the following members and domains are absent in roles/owner
require_sql_ssl Link Checks if Cloud SQL instances have SSL turned on.
restrict-firewall-rule-allow-ingress-demo Link Checks that every firewall rule matches certain settings.
restrict-firewall-rule-rdp-world-open Link Checks for open firewall rules allowing RDP from the internet.
restrict-firewall-rule-ssh-world-open Link Checks for open firewall rules allowing SSH from the internet.
restrict-firewall-rule-world-open Link Checks for open firewall rules allowing ingress from the internet.
restrict-firewall-rule-world-open-tcp-udp-all-ports Link Checks for open firewall rules allowing TCP/UDP from the internet.
restrict-gmail-bigquery-dataset Link Enforce corporate domain by banning gmail.com addresses access to BigQuery datasets
restrict-googlegroups-bigquery-dataset Link Enforce corporate domain by banning googlegroups.com addresses access to BigQuery datasets
restrict_gmail Link Enforce corporate domain by banning gmail.com addresses
restrict_owner_role Link Only my domain members are allowed to have the Owner role on projects
service_accounts_only Link Checks that members that have been granted IAM roles belong to allowlisted domains.
service_versions Link Limit the number App Engine application versions simultaneously running. installed.
sql-world-readable Link Checks if Cloud SQL instances are world readable.
sql_allowed_authorized_networks_allowlist Link Checks Cloud SQL master authorized networks list against a allowlist.
sql_type_deny_sqlserver Link Checks for allowed or disallowed Cloud SQL instance types.
storage_bucket_minimum_maximum_retention Link
storage_cmek_encryption Link Checks if Cloud Storage buckets have CMEK turned on.
storage_logging Link Ensure storage logs are delivered to a separate bucket
vpc_sc_allowlist_regions Link Checks that only allowed geographical regions are allowed in VPC Service Controls perimeters.
vpc_sc_ensure_access_levels Link Checks if a VPC Service Controls perimeter has desired access levels set.
vpc_sc_ensure_project Link Checks if a VPC Service Controls perimeter has correct projects in them.
vpc_sc_ensure_services Link Checks is a VPC Service Controls perimeter has correct services set.
vpc_sc_ip_range Link Checks the CIDR notation size in VPC Service Controls access levels.
vpc_sc_project_perimeter_allowlist Link Checks that only allowed VPC Service Controls perimeters exists.
vpc_sc_project_perimeter_denylist Link Older, deprecated version of above policy.
vpc_sc_project_perimeter_whitelist Link