This page describes the v1.0 extended predefined posture for Cloud Storage in Google Cloud. This posture includes two policy sets:

- A policy set that includes the organization policy constraints that apply to Cloud Storage
- A policy set that includes the Security Health Analytics detectors that apply to Cloud Storage

You can use this predefined posture to configure a security posture that helps protect Cloud Storage. If you want to deploy this predefined posture, you must customize some of the policies so that they apply to your environment.
Organization policy constraints

The following table describes the organization policy constraints in this posture.
| Policy | Description | Compliance standards |
|---|---|---|
| `storage.publicAccessPrevention` | This policy prevents Cloud Storage buckets from being open to unauthenticated public access. The value is `true`. | NIST SP 800-53 controls: AC-3, AC-17, and AC-20 |
| `storage.uniformBucketLevelAccess` | This policy prevents Cloud Storage buckets from using object ACLs (a system that is separate from IAM policies) to grant access, which enforces consistency for access management and auditing. The value is `true`. | NIST SP 800-53 controls: AC-3, AC-17, and AC-20 |
| `storage.retentionPolicySeconds` | This constraint defines the duration of a bucket retention policy, in seconds. You must configure this value when you adopt this predefined posture. | NIST SP 800-53 control: SI-12 |
Security Health Analytics detectors

The following table describes the Security Health Analytics detectors in this predefined posture. For more information about these detectors, see Vulnerabilities findings.
| Detector name | Description |
|---|---|
| `BUCKET_LOGGING_DISABLED` | This detector checks whether there are storage buckets that don't have logging enabled. |
| `LOCKED_RETENTION_POLICY_NOT_SET` | This detector checks whether a locked retention policy is set for logs. |
| `OBJECT_VERSIONING_DISABLED` | This detector checks whether object versioning is enabled on storage buckets that have sinks. |
| `BUCKET_CMEK_DISABLED` | This detector checks whether buckets are encrypted with customer-managed encryption keys (CMEK). |
| `BUCKET_POLICY_ONLY_DISABLED` | This detector checks whether uniform bucket-level access is configured. |
| `PUBLIC_BUCKET_ACL` | This detector checks whether a bucket is publicly accessible. |
| `PUBLIC_LOG_BUCKET` | This detector checks whether a bucket that has a log sink is publicly accessible. |
| `ORG_POLICY_LOCATION_RESTRICTION` | This detector checks whether Compute Engine resources are not in compliance with the location restriction organization policy. |
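The two tables above list what the posture prevents (organization policy constraints) and what it detects (Security Health Analytics detectors), but they do not show what a bucket that drifts from the posture looks like. The following added example, which is not Google's code and not a Security Command Center API, evaluates the same checks over bucket metadata. Each bucket is a Python dict shaped like the Cloud Storage JSON API bucket resource (fields such as `iamConfiguration`, `retentionPolicy`, `versioning`, `logging`, `encryption`, `acl`); the two sample buckets are constructed, `ALLOWED_RETENTION_SECONDS` stands in for the value an organization has to choose for `storage.retentionPolicySeconds`, and whether a bucket receives a Cloud Logging sink is passed in as a flag because it is not bucket metadata. `ORG_POLICY_LOCATION_RESTRICTION` concerns Compute Engine resources and is not modelled.

```python
"""Audit Cloud Storage bucket metadata against the checks in the posture tables.

Added example, not Google's code. Buckets are dicts modelled on the Cloud Storage
JSON API bucket resource; the sample buckets at the bottom are constructed.
"""
from typing import Any

# Assumption: the organization chose these durations (seconds) as the allowed values
# for storage.retentionPolicySeconds; the posture leaves that choice to you.
ALLOWED_RETENTION_SECONDS = {86400, 2592000}  # 1 day, 30 days

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def has_public_acl(bucket: dict[str, Any]) -> bool:
    """True if any bucket ACL or default object ACL grants access to a public principal."""
    entries = bucket.get("acl", []) + bucket.get("defaultObjectAcl", [])
    return any(entry.get("entity") in PUBLIC_PRINCIPALS for entry in entries)


def check_org_policy_constraints(bucket: dict[str, Any]) -> list[str]:
    """Preventative set: the three organization policy constraints, evaluated as drift
    checks on an existing bucket (the constraints themselves are not retroactive)."""
    findings = []
    iam_cfg = bucket.get("iamConfiguration", {})
    if iam_cfg.get("publicAccessPrevention") != "enforced":
        findings.append("storage.publicAccessPrevention: public access prevention not enforced")
    if not iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled", False):
        findings.append("storage.uniformBucketLevelAccess: uniform bucket-level access disabled")
    retention = bucket.get("retentionPolicy")
    if retention is None:
        findings.append("storage.retentionPolicySeconds: no retention policy set")
    else:
        # retentionPeriod is an int64 serialised as a string in the JSON API.
        period = int(retention.get("retentionPeriod", "0"))
        if period not in ALLOWED_RETENTION_SECONDS:
            findings.append(f"storage.retentionPolicySeconds: {period}s is not an allowed duration")
    return findings


def check_detectors(bucket: dict[str, Any], is_log_sink_destination: bool = False) -> list[str]:
    """Detective set: the Cloud Storage detectors from the table, reported by detector name."""
    findings = []
    iam_cfg = bucket.get("iamConfiguration", {})
    retention = bucket.get("retentionPolicy", {})
    if not bucket.get("logging", {}).get("logBucket"):
        findings.append("BUCKET_LOGGING_DISABLED")
    if not bucket.get("encryption", {}).get("defaultKmsKeyName"):
        findings.append("BUCKET_CMEK_DISABLED")
    if not iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled", False):
        findings.append("BUCKET_POLICY_ONLY_DISABLED")
    if has_public_acl(bucket):
        findings.append("PUBLIC_BUCKET_ACL")
    if is_log_sink_destination:
        # These three detectors only apply to buckets that receive log sinks.
        if not retention.get("isLocked", False):
            findings.append("LOCKED_RETENTION_POLICY_NOT_SET")
        if not bucket.get("versioning", {}).get("enabled", False):
            findings.append("OBJECT_VERSIONING_DISABLED")
        if has_public_acl(bucket):
            findings.append("PUBLIC_LOG_BUCKET")
    return findings


def audit_bucket(bucket: dict[str, Any], is_log_sink_destination: bool = False) -> dict[str, list[str]]:
    """Run both policy sets and group the findings the way the posture groups them."""
    return {
        "preventative": check_org_policy_constraints(bucket),
        "detective": check_detectors(bucket, is_log_sink_destination),
    }


# Constructed sample metadata: one bucket configured to the posture, one that drifts.
HARDENED_BUCKET = {
    "name": "example-audit-logs",
    "iamConfiguration": {
        "publicAccessPrevention": "enforced",
        "uniformBucketLevelAccess": {"enabled": True},
    },
    "retentionPolicy": {"retentionPeriod": "2592000", "isLocked": True},
    "versioning": {"enabled": True},
    "logging": {"logBucket": "example-access-logs", "logObjectPrefix": "example-audit-logs"},
    "encryption": {"defaultKmsKeyName": "projects/example/locations/us/keyRings/kr/cryptoKeys/k"},
}

DRIFTED_BUCKET = {
    "name": "example-public-assets",
    "iamConfiguration": {
        "publicAccessPrevention": "inherited",
        "uniformBucketLevelAccess": {"enabled": False},
    },
    "retentionPolicy": {"retentionPeriod": "3600", "isLocked": False},
    "versioning": {"enabled": False},
    "acl": [{"entity": "allUsers", "role": "READER"}],
}

if __name__ == "__main__":
    for sample in (HARDENED_BUCKET, DRIFTED_BUCKET):
        print(sample["name"], audit_bucket(sample, is_log_sink_destination=True))
```

Running the module prints no findings for the hardened bucket and ten for the drifted one. The split into two functions mirrors the posture: a preventative finding means an organization policy would have rejected the create or update had it been enforced, while a detective finding is what Security Health Analytics would raise on the bucket as it exists now.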
YAML definition

The following is the YAML definition for the predefined Cloud Storage posture.
```yaml
name: organizations/123/locations/global/postureTemplates/cloud_storage_extended
description: Posture Template to make your Cloud storage workload secure.
revision_id: v.1.0
state: ACTIVE
policy_sets:
- policy_set_id: Cloud storage preventative policy set
  description: 3 org policies that new customers can automatically enable.
  policies:
  - policy_id: Enforce Public Access Prevention
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-17
    - standard: NIST SP 800-53
      control: AC-20
    constraint:
      org_policy_constraint:
        canned_constraint_id: storage.publicAccessPrevention
        policy_rules:
        - enforce: true
    description: This governance policy prevents access to existing and future resources via the public internet by disabling and blocking Access Control Lists (ACLs) and IAM permissions that grant access to allUsers and allAuthenticatedUsers.
  - policy_id: Enforce uniform bucket-level access
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-17
    - standard: NIST SP 800-53
      control: AC-20
    constraint:
      org_policy_constraint:
        canned_constraint_id: storage.uniformBucketLevelAccess
        policy_rules:
        - enforce: true
    description: This boolean constraint requires buckets to use uniform bucket-level access where this constraint is set to TRUE.
  - policy_id: Retention policy duration in seconds
    compliance_standards:
    - standard: NIST SP 800-53
      control: SI-12
    constraint:
      org_policy_constraint:
        canned_constraint_id: storage.retentionPolicySeconds
        policy_rules:
        - enforce: true
    description: This list constraint defines the set of durations for retention policies that can be set on Cloud Storage buckets. By default, if no organization policy is specified, a Cloud Storage bucket can have a retention policy of any duration. The list of allowed durations must be specified as a positive integer value greater than zero, representing the retention policy in seconds. Any insert, update, or patch operation on a bucket in the organization resource must have a retention policy duration that matches the constraint. Enforcement of this constraint is not retroactive. When a new organization policy is enforced, the retention policy of existing buckets remains unchanged and valid.
- policy_set_id: Cloud storage detective policy set
  description: 8 SHA modules that new customers can automatically enable.
  policies:
  - policy_id: Bucket logging disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: BUCKET_LOGGING_DISABLED
  - policy_id: Locked retention policy not set
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: LOCKED_RETENTION_POLICY_NOT_SET
  - policy_id: Object versioning disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: OBJECT_VERSIONING_DISABLED
  - policy_id: Bucket CMEK disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: BUCKET_CMEK_DISABLED
  - policy_id: Bucket policy only disabled
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: BUCKET_POLICY_ONLY_DISABLED
  - policy_id: Public bucket ACL
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: PUBLIC_BUCKET_ACL
  - policy_id: Public log bucket
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: PUBLIC_LOG_BUCKET
  - policy_id: Org policy location restriction
    constraint:
      securityHealthAnalyticsModule:
        moduleEnablementState: ENABLED
        moduleName: ORG_POLICY_LOCATION_RESTRICTION
```