本页面介绍了 Google Cloud 中 扩展的 v1.0 预定义 VPC Service Controls 安全状况。此安全状况 包含两个政策集:
一组政策,其中包含应用于 VPC Service Controls。
一组政策,其中包含适用于 VPC Service Controls。
您可以使用此预定义的安全状况来配置安全状况,以帮助 VPC Service Controls如果您想部署这个预定义的安全状况, 您必须自定义一些政策,以使其适用于您的环境。
组织政策限制条件
下表介绍了 这种安全状况。
政策 | 说明 | 合规性标准 |
---|---|---|
compute.skipDefaultNetworkCreation |
这个 政策会禁止自动创建默认 VPC 网络,并将默认设置为 防火墙规则,确保网络和防火墙规则 。 值为 |
NIST SP 800-53 对照组:SC-7 和 SC-8 |
ainotebooks.restrictPublicIp |
此限制条件会限制公共 IP 对新创建的 Vertex AI Workbench 笔记本和实例的访问。默认情况下,公共 IP 地址可以访问 Vertex AI Workbench 笔记本和实例。 值为 |
NIST SP 800-53 对照组:SC-7 和 SC-8 |
compute.disableNestedVirtualization |
本政策 会为所有 Compute Engine 虚拟机停用嵌套虚拟化,以降低与不受监控的 嵌套实例。 值为 |
NIST SP 800-53 对照组:SC-7 和 SC-8 |
compute.vmExternalIpAccess |
此限制条件定义了允许使用外部 IP 地址的 Compute Engine 虚拟机实例。默认情况下,所有虚拟机实例都可以使用外部 IP 地址。限制条件使用 在采用此预定义状况时,您必须配置此值。 |
NIST SP 800-53 对照组:SC-7 和 SC-8 |
ainotebooks.restrictVpcNetworks |
此列表定义了 用户在创建新的 Vertex AI Workbench 时可以选择的 VPC 网络 会强制执行此限制条件的实例。 在采用此预定义状况时,您必须配置此值。 |
NIST SP 800-53 对照组:SC-7 和 SC-8 |
compute.vmCanIpForward |
此限制条件定义了用户在创建新的 Vertex AI Workbench 实例时可以选择的 VPC 网络。默认情况下,您可以使用任何 VPC 网络创建 Vertex AI Workbench 实例。 在采用此预定义状况时,您必须配置此值。 |
NIST SP 800-53 对照组:SC-7 和 SC-8 |
Security Health Analytics 检测器
下表介绍了 预定义的安全状况。如需详细了解这些检测器,请参阅 漏洞 发现结果。
检测器名称 | 说明 |
---|---|
FIREWALL_NOT_MONITORED |
此检测器会检查是否未将日志指标和提醒配置为监控 VPC 防火墙规则更改。 |
NETWORK_NOT_MONITORED |
此检测器会检查是否未将日志指标和提醒配置为监控 VPC 网络更改。 |
ROUTE_NOT_MONITORED |
此检测器会检查是否未将日志指标和提醒配置为监控 VPC 网络路由更改。 |
DNS_LOGGING_DISABLED |
此检测器会检查 VPC 网络是否启用了 DNS 日志记录。 |
FLOW_LOGS_DISABLED |
此检测器会检查 VPC 子网是否启用了流日志。 |
VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED |
此检测器会检查 VPC 子网的 |
YAML 定义
以下是 VPC Service Controls 预定义状况的 YAML 定义。
name: organizations/123/locations/global/postureTemplates/vpcsc_extended
description: VPCSC Posture Template
revision_id: v.1.0
state: ACTIVE
policy_sets:
- policy_set_id: VPCSC preventative policy set
description: 6 org policies that new customers can automatically enable.
policies:
- policy_id: Skip default network creation
compliance_standards:
- standard: NIST SP 800-53
control: SC-7
- standard: NIST SP 800-53
control: SC-8
constraint:
org_policy_constraint:
canned_constraint_id: compute.skipDefaultNetworkCreation
policy_rules:
- enforce: true
description: This boolean constraint skips the creation of the default network and related resources during Google Cloud Platform Project resource creation where this constraint is set to True. By default, a default network and supporting resources are automatically created when creating a Project resource.
- policy_id: Restrict public IP access on new Vertex AI Workbench notebooks and instances
compliance_standards:
- standard: NIST SP 800-53
control: SC-7
- standard: NIST SP 800-53
control: SC-8
constraint:
org_policy_constraint:
canned_constraint_id: ainotebooks.restrictPublicIp
policy_rules:
- enforce: true
description: This boolean constraint, when enforced, restricts public IP access to newly created Vertex AI Workbench notebooks and instances. By default, public IPs can access Vertex AI Workbench notebooks and instances.
- policy_id: Disable VM nested virtualization
compliance_standards:
- standard: NIST SP 800-53
control: SC-7
- standard: NIST SP 800-53
control: SC-8
constraint:
org_policy_constraint:
canned_constraint_id: compute.disableNestedVirtualization
policy_rules:
- enforce: true
description: This boolean constraint disables hardware-accelerated nested virtualization for all Compute Engine VMs belonging to the organization, project, or folder where this constraint is set to True. By default, hardware-accelerated nested virtualization is allowed for all Compute Engine VMs running on Intel Haswell or newer CPU platforms.
- policy_id: Define allowed external IPs for VM instances
compliance_standards:
- standard: NIST SP 800-53
control: SC-7
- standard: NIST SP 800-53
control: SC-8
constraint:
org_policy_constraint:
canned_constraint_id: compute.vmExternalIpAccess
policy_rules:
- values:
allowed_values:
- is:projects/PROJECT_ID/zones/ZONE/instances/INSTANCE
description: This list constraint defines the set of Compute Engine VM instances that are allowed to use external IP addresses. By default, all VM instances are allowed to use external IP addresses. The allowed/denied list of VM instances must be identified by the VM instance name, in the form of projects/PROJECT_ID/zones/ZONE/instances/INSTANCE
- policy_id: Restrict VPC networks on new Vertex AI Workbench instances
compliance_standards:
- standard: NIST SP 800-53
control: SC-7
- standard: NIST SP 800-53
control: SC-8
constraint:
org_policy_constraint:
canned_constraint_id: ainotebooks.restrictVpcNetworks
policy_rules:
- values:
allowed_values:
- is:organizations/ORGANIZATION_ID
- is:folders/FOLDER_ID
- is:projects/PROJECT_ID
- is:projects/PROJECT_ID/global/networks/NETWORK_NAME
description: This list constraint defines the VPC networks a user can select when creating new Vertex AI Workbench instances where this constraint is enforced. By default, a Vertex AI Workbench instance can be created with any VPC networks. The allowed or denied list of networks must be identified in the form of under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, under:projects/PROJECT_ID, or projects/PROJECT_ID/global/networks/NETWORK_NAME.
- policy_id: Restrict VM IP Forwarding
compliance_standards:
- standard: NIST SP 800-53
control: SC-7
- standard: NIST SP 800-53
control: SC-8
constraint:
org_policy_constraint:
canned_constraint_id: compute.vmCanIpForward
policy_rules:
- values:
allowed_values:
- is:organizations/ORGANIZATION_ID
- is:folders/FOLDER_ID
- is:projects/PROJECT_ID
- is:projects/PROJECT_ID/zones/ZONE/instances/INSTANCE-NAME.
description: This list constraint defines the set of VM instances that can enable IP forwarding. By default, any VM can enable IP forwarding in any virtual network. VM instances must be specified in the form of under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, under:projects/PROJECT_ID, or projects/PROJECT_ID/zones/ZONE/instances/INSTANCE-NAME. This constraint is not retroactive.
- policy_set_id: VPCSC detective policy set
description: 6 SHA modules that new customers can automatically enable.
policies:
- policy_id: Firewall not monitored
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: FIREWALL_NOT_MONITORED
- policy_id: Network not monitored
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: NETWORK_NOT_MONITORED
- policy_id: Route not monitored
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: ROUTE_NOT_MONITORED
- policy_id: DNS logging disabled
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: DNS_LOGGING_DISABLED
- policy_id: Flow logs disabled
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: FLOW_LOGS_DISABLED
- policy_id: Flow logs settings not recommended
constraint:
securityHealthAnalyticsModule:
moduleEnablementState: ENABLED
moduleName: VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED