Ce document décrit les types d'éléments et les règles compatibles avec les fonctionnalité de validation IaC (Infrastructure as Code) dans Security Command Center.
Types d'éléments compatibles
Voici la liste des types d'éléments Google Cloud compatibles:
artifactregistry.googleapis.com/Repository
bigquery.googleapis.com/Dataset
bigquery.googleapis.com/Table
cloudfunctions.googleapis.com/CloudFunction
cloudkms.googleapis.com/ImportJob
cloudkms.googleapis.com/KeyRing
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project
composer.googleapis.com/Environment
compute.googleapis.com/Autoscaler
compute.googleapis.com/BackendService
compute.googleapis.com/Disk
compute.googleapis.com/Firewall
compute.googleapis.com/ForwardingRule
compute.googleapis.com/GlobalForwardingRule
compute.googleapis.com/HealthCheck
compute.googleapis.com/Instance
compute.googleapis.com/InstanceGroup
compute.googleapis.com/Network
compute.googleapis.com/NodeGroup
compute.googleapis.com/NodeTemplate
compute.googleapis.com/ResourcePolicy
compute.googleapis.com/Route
compute.googleapis.com/Router
compute.googleapis.com/Snapshot
compute.googleapis.com/SslCertificate
compute.googleapis.com/SslPolicy
compute.googleapis.com/Subnetwork
compute.googleapis.com/TargetHttpProxy
compute.googleapis.com/TargetHttpsProxy
compute.googleapis.com/TargetPool
compute.googleapis.com/TargetSslProxy
compute.googleapis.com/UrlMap
compute.googleapis.com/VpnTunnel
container.googleapis.com/Cluster
container.googleapis.com/NodePool
dataflow.googleapis.com/Job
datastream.googleapis.com/ConnectionProfile
datastream.googleapis.com/PrivateConnection
datastream.googleapis.com/Stream
dns.googleapis.com/ManagedZone
dns.googleapis.com/Policy
file.googleapis.com/Instance
gkehub.googleapis.com/Membership
pubsub.googleapis.com/Subscription
pubsub.googleapis.com/Topic
run.googleapis.com/DomainMapping
run.googleapis.com/Job
run.googleapis.com/Service
serviceusage.googleapis.com/Service
spanner.googleapis.com/Database
spanner.googleapis.com/Instance
sqladmin.googleapis.com/Instance
storage.googleapis.com/Bucket
vpcaccess.googleapis.com/Connector
Validations sur le champ disks[].initializeParams.sourceImage
de
Les compute.googleapis.com/Instance
ne sont pas acceptés.
Règles prises en charge
Cette section décrit les règles compatibles avec la validation IaC.
Règles d'administration
Voici la liste des règles d'administration compatibles:
Allowed VPC egress settings
(constraints/run.allowedVPCEgress
)Disable Guest Attributes of Compute Engine metadata
(constraints/compute.disableGuestAttributesAccess
)Disable VM serial port access
(constraints/compute.disableSerialPortAccess
)Disable VM serial port logging to Stackdriver
(constraints/compute.disableSerialPortLogging
)Disable VPC External IPv6 usage
(constraints/compute.disableVpcExternalIpv6
)Require OS Login
(constraints/compute.requireOsLogin
)Restrict Authorized Networks on Cloud SQL instances
(constraints/sql.restrictAuthorizedNetworks
)Require VPC Connector (Cloud Functions)
(constraints/cloudfunctions.requireVPCConnector
)Disable VPC External IPv6 usage
(constraints/compute.disableVpcExternalIpv6
)Allowed ingress settings (Cloud Run)
(constraints/run.allowedIngress
)Enforce uniform bucket-level access
(constraints/storage.uniformBucketLevelAccess
)
Contrainte personnalisée de règle d'administration
Toutes les contraintes personnalisées des règles d'administration sont acceptées. Toutefois, vous ne pouvez pas à valider les règles d'administration tags.
Modules personnalisés de Security Health Analytics
Tous les modules personnalisés Security Health Analytics sont compatibles.
Détecteurs intégrés de Security Health Analytics
Voici la liste des détecteurs intégrés compatibles:
AUTO_BACKUP_DISABLED
AUTO_REPAIR_DISABLED
AUTO_UPGRADE_DISABLED
BIGQUERY_TABLE_CMEK_DISABLED
BUCKET_CMEK_DISABLED
BUCKET_LOGGING_DISABLED
BUCKET_POLICY_ONLY_DISABLED
CLUSTER_LOGGING_DISABLED
CLUSTER_MONITORING_DISABLED
CLUSTER_SECRETS_ENCRYPTION_DISABLED
CLUSTER_SHIELDED_NODES_DISABLED
COS_NOT_USED
FIREWALL_RULE_LOGGING_DISABLED
FLOW_LOGS_DISABLED
VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED
INTEGRITY_MONITORING_DISABLED
INTRANODE_VISIBILITY_DISABLED
KMS_KEY_NOT_ROTATED
KMS_PUBLIC_KEY
LEGACY_AUTHORIZATION_ENABLED
LEGACY_METADATA_ENABLED
MASTER_AUTHORIZED_NETWORKS_DISABLED
NETWORK_POLICY_DISABLED
NODEPOOL_BOOT_CMEK_DISABLED
NODEPOOL_SECURE_BOOT_DISABLED
OPEN_CASSANDRA_PORT
OPEN_CISCOSECURE_WEBSM_PORT
OPEN_DIRECTORY_SERVICES_PORT
OPEN_DNS_PORT
OPEN_ELASTICSEARCH_PORT
OPEN_FIREWALL
OPEN_FTP_PORT
OPEN_HTTP_PORT
OPEN_LDAP_PORT
OPEN_MEMCACHED_PORT
OPEN_MONGODB_PORT
OPEN_MYSQL_PORT
OPEN_NETBIOS_PORT
OPEN_ORACLEDB_PORT
OPEN_POP3_PORT
OPEN_POSTGRESQL_PORT
OPEN_RDP_PORT
OPEN_REDIS_PORT
OPEN_SMTP_PORT
OPEN_SSH_PORT
OPEN_TELNET_PORT
OVER_PRIVILEGED_ACCOUNT
OVER_PRIVILEGED_SCOPES
PRIVATE_GOOGLE_ACCESS_DISABLED
PUBLIC_BUCKET_ACL
PUBLIC_DATASET
PUBLIC_SQL_INSTANCE
RELEASE_CHANNEL_DISABLED
RSASHA1_FOR_SIGNING
SQL_CMEK_DISABLED
SQL_CONTAINED_DATABASE_AUTHENTICATION
SQL_CROSS_DB_OWNERSHIP_CHAINING
SQL_EXTERNAL_SCRIPTS_ENABLED
SQL_LOCAL_INFILE
SQL_LOG_CHECKPOINTS_DISABLED
SQL_LOG_CONNECTIONS_DISABLED
SQL_LOG_DISCONNECTIONS_DISABLED
SQL_LOG_DURATION_DISABLED
SQL_LOG_ERROR_VERBOSITY
SQL_LOG_EXECUTOR_STATS_ENABLED
SQL_LOG_HOSTNAME_ENABLED
SQL_LOG_LOCK_WAITS_DISABLED
SQL_LOG_MIN_DURATION_STATEMENT_ENABLED
SQL_LOG_MIN_ERROR_STATEMENT
SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY
SQL_LOG_MIN_MESSAGES
SQL_LOG_PARSER_STATS_ENABLED
SQL_LOG_PLANNER_STATS_ENABLED
SQL_LOG_STATEMENT
SQL_LOG_STATEMENT_STATS_ENABLED
SQL_LOG_TEMP_FILES
SQL_PUBLIC_IP
SQL_REMOTE_ACCESS_ENABLED
SQL_SKIP_SHOW_DATABASE_DISABLED
SQL_TRACE_FLAG_3625
SQL_USER_CONNECTIONS_CONFIGURED
SQL_USER_OPTIONS_CONFIGURED
WEB_UI_ENABLED
WORKLOAD_IDENTITY_DISABLED