diff --git a/solutions/client-landing-zone/README.md b/solutions/client-landing-zone/README.md index 185a626db..83887a418 100755 --- a/solutions/client-landing-zone/README.md +++ b/solutions/client-landing-zone/README.md @@ -18,13 +18,13 @@ Package to create a client's folder hierarchy, logging resources and a network h | allowed-os-update-source-ip-ranges | ["10.1.0.0/21", "10.1.8.0/21", "10.1.128.0/21", "10.1.136.0/21"] | array | 1 | | client-billing-id | AAAAAA-BBBBBB-CCCCCC | str | 1 | | client-folderviewer | group:client1@example.com | str | 1 | -| client-name | client1 | str | 185 | -| denied-sanctioned-countries | ["CU", "IR", "KP", "SY"] | array | 1 | +| client-name | client1 | str | 187 | +| denied-sanctioned-countries | ["XX"] | array | 1 | | dns-name | client-name.example.com. | str | 2 | | dns-nameservers | ["ns-cloud-a1.googledomains.com.", "ns-cloud-a2.googledomains.com.", "ns-cloud-a3.googledomains.com.", "ns-cloud-a4.googledomains.com."] | array | 1 | | dns-project-id | dns-project-12345 | str | 2 | -| firewall-egress-allow-all-internal | [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 240.0.0.0/4] | array | 5 | -| host-project-id | net-host-project-12345 | str | 111 | +| firewall-internal-ip-ranges | [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 240.0.0.0/4] | array | 5 | +| host-project-id | net-host-project-12345 | str | 115 | | logging-project-id | logging-project-12345 | str | 2 | | project-allowed-restrict-vpc-peering | [under:projects/PROJECT_ID] | array | 0 | | retention-in-days | 1 | int | 1 | 
@@ -70,6 +70,7 @@ This package has no sub-packages. | client-folder/standard/applications-infrastructure/host-project/network/dnspolicy.yaml | dns.cnrm.cloud.google.com/v1beta1 | DNSPolicy | host-project-id-standard-logging-dnspolicy | client-name-networking | | client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewall | host-project-id-standard-egress-allow-all-internal-fwr | client-name-networking | | client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewall | host-project-id-standard-default-egress-deny-fwr | client-name-networking | +| client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewall | host-project-id-standard-default-ingress-deny-fwr | client-name-networking | | client-folder/standard/applications-infrastructure/host-project/network/nat.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeRouterNAT | host-project-id-nane1-nat | client-name-networking | | client-folder/standard/applications-infrastructure/host-project/network/nat.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeRouter | host-project-id-nane1-router | client-name-networking | | client-folder/standard/applications-infrastructure/host-project/network/nat.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeRouterNAT | host-project-id-nane2-nat | client-name-networking | diff --git a/solutions/client-landing-zone/client-folder/firewall-policy/policy.yaml b/solutions/client-landing-zone/client-folder/firewall-policy/policy.yaml index a24169617..f505373e1 100644 --- a/solutions/client-landing-zone/client-folder/firewall-policy/policy.yaml +++ b/solutions/client-landing-zone/client-folder/firewall-policy/policy.yaml 
@@ -12,13 +12,14 @@ # See the License for the specific language governing permissions and # limitations under the License. ######### -# The following rules are automatically created when the firewall policy is created: +# The following rules are automatically created when policy is created to delegate traffic to/from VPC resources to shared VPC network within host project: # 2147483644 default egress rule ipv6 Egress IPv6 ranges: ::/0 all Goto next # 2147483645 default ingress rule ipv6 Ingress IPv6 ranges: ::/0 all Goto next # 2147483646 default egress rule Egress IPv4 ranges: 0.0.0.0/0 all Goto next # 2147483647 default ingress rule Ingress IPv4 ranges: 0.0.0.0/0 all Goto next ######### -# Client Compute Firewall Policy on folder client-folder +# Client Compute Firewall Policy to folder client-folder +# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both. apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewallPolicy metadata: @@ -31,12 +32,13 @@ spec: # - uncomment 'resourceID' below # - replace 1234567890 with the policy ID number (it can be found in the cloud console) # resourceID: firewallPolicies/1234567890 + # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) folderRef: name: clients.client-name # kpt-set: clients.${client-name} namespace: hierarchy description: "Firewall policy for client-name" # kpt-set: Firewall policy for ${client-name} --- -# firewall policy association to client's folder +# Firewall policy association to client-folder folder apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewallPolicyAssociation metadata: 
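Review bot: The rewritten header `# The following rules are automatically created when policy is created to delegate traffic to/from VPC resources to shared VPC network within host project:` in the first hunk is ungrammatical and blurs what the four implicit rules are, which the old wording stated plainly: GCP adds them to every firewall policy, and they only pass unmatched traffic on to the next policy or to the host project's VPC firewall rules. I would write `# GCP creates the following implicit goto_next rules on every firewall policy; traffic not matched by an explicit rule falls through them to the next policy in the hierarchy or to the VPC firewall rules in the host project:`. The same header appears in the standard/applications-infrastructure policy.yaml hunk (L12). Separately, the roughly 300-character control-mapping sentence is pasted verbatim as a file header into every policy and rule file of this diff (L4 to L9, L12 to L21) and again as a bare ID list inside each `spec:`; keeping the rationale sentence in one place (the README or the folder policy) and leaving only `# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)` per resource would stop the copies from drifting as controls are re-mapped.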
@@ -49,5 +51,6 @@ spec: kind: Folder name: clients.client-name # kpt-set: clients.${client-name} namespace: hierarchy + # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) firewallPolicyRef: name: client-name-client-folder-fwpol # kpt-set: ${client-name}-client-folder-fwpol diff --git a/solutions/client-landing-zone/client-folder/firewall-policy/rules/defaults.yaml b/solutions/client-landing-zone/client-folder/firewall-policy/rules/defaults.yaml index 31782692f..3de9f089b 100644 --- a/solutions/client-landing-zone/client-folder/firewall-policy/rules/defaults.yaml +++ b/solutions/client-landing-zone/client-folder/firewall-policy/rules/defaults.yaml @@ -14,7 +14,8 @@ ######### # Rules 2147483541 to 2147483546 in are the suggested defaults by Google ######### -# Exclude communication with private IP ranges, leaving only Internet traffic to be inspected (EGRESS) +# Delegate to host project, egress traffic(firewall) from VPC resources to private IP ranges in shared VPC network +# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both. apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewallPolicyRule metadata: 
@@ -24,24 +25,25 @@ metadata: config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeFirewallPolicy/client-name-client-folder-fwpol # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeFirewallPolicy/${client-name}-client-folder-fwpol spec: action: "goto_next" - description: "Exclude communication with private IP ranges, leaving only Internet traffic to be inspected (EGRESS)" + description: "Delegate to host project, egress traffic(firewall) from VPC resources to private IP ranges in shared VPC network" direction: "EGRESS" disabled: false # logging not supported for goto_next rules enableLogging: false + # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) firewallPolicyRef: name: client-name-client-folder-fwpol # kpt-set: ${client-name}-client-folder-fwpol match: layer4Configs: - ipProtocol: "all" - destIPRanges: # kpt-set: ${firewall-egress-allow-all-internal} + destIPRanges: # kpt-set: ${firewall-internal-ip-ranges} - "10.0.0.0/8" - "172.16.0.0/12" - "192.168.0.0/16" - "240.0.0.0/4" priority: 2147483541 --- -# Exclude communication with private IP ranges, leaving only Internet traffic to be inspected (INGRESS) +# Delegate to the next folder.standard down in the hierarchy that has a network isolation rule that denies ingress from private IP ranges, ingress traffic from private IP ranges to VPC resources in shared VPC network apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewallPolicyRule metadata: 
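Review bot: The new header for the INGRESS rule, `# Delegate to the next folder.standard down in the hierarchy that has a network isolation rule that denies ingress from private IP ranges, ...`, is not consistent with the rest of this diff: the standard/applications-infrastructure policy's ingress default (defaults.yaml hunks at L15 and L16) is also `goto_next`, and the only ingress deny visible is the VPC firewall rule `standard-default-ingress-deny-fwr` added in the host project's firewall.yaml (L22, partly outside this view). The `description:` string of the same rule in the next hunk (L6) repeats the claim, so a reader tracing where private-range ingress is actually dropped is sent to the wrong layer. Unless a deny rule exists in a file not in this diff, I would state the real path: `# Delegate ingress from private IP ranges (goto_next); the host project's default ingress deny VPC firewall rule drops it unless an explicit allow matches` and mirror that in `description:`. Also, 240.0.0.0/4 is a reserved range rather than a private one, so the setter's new name `firewall-internal-ip-ranges` is the more accurate term to use in these comments than "private IP ranges".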
@@ -51,17 +53,18 @@ metadata: config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeFirewallPolicy/client-name-client-folder-fwpol # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeFirewallPolicy/${client-name}-client-folder-fwpol spec: action: "goto_next" - description: "Exclude communication with private IP ranges, leaving only Internet traffic to be inspected (INGRESS)" + description: "Delegate to the next folder.standard down in the hierarchy that has a network isolation rule that denies ingress from private IP ranges, ingress traffic from private IP ranges to VPC resources in shared VPC network" direction: "INGRESS" disabled: false # logging not supported for goto_next rules enableLogging: false + # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) firewallPolicyRef: name: client-name-client-folder-fwpol # kpt-set: ${client-name}-client-folder-fwpol match: layer4Configs: - ipProtocol: "all" - srcIPRanges: # kpt-set: ${firewall-egress-allow-all-internal} + srcIPRanges: # kpt-set: ${firewall-internal-ip-ranges} - "10.0.0.0/8" - "172.16.0.0/12" - "192.168.0.0/16" @@ -83,6 +86,7 @@ spec: direction: "INGRESS" disabled: false enableLogging: true + # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) firewallPolicyRef: name: client-name-client-folder-fwpol # kpt-set: ${client-name}-client-folder-fwpol match: @@ -110,6 +114,7 @@ spec: direction: "INGRESS" disabled: false enableLogging: true + # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) firewallPolicyRef: name: client-name-client-folder-fwpol # kpt-set: ${client-name}-client-folder-fwpol match: diff --git a/solutions/client-landing-zone/client-folder/firewall-policy/rules/iap.yaml b/solutions/client-landing-zone/client-folder/firewall-policy/rules/iap.yaml index 9325f5d33..ff9323a10 100644 --- a/solutions/client-landing-zone/client-folder/firewall-policy/rules/iap.yaml 
+++ b/solutions/client-landing-zone/client-folder/firewall-policy/rules/iap.yaml @@ -12,7 +12,8 @@ # See the License for the specific language governing permissions and # limitations under the License. ######### -# Goto next for IAP +# Delegate to host project, ingress IAP traffic (firewall) from IP range 35.235.240.0/20 to VPC resources in shared VPC network +# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both. apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewallPolicyRule metadata: @@ -22,11 +23,12 @@ metadata: config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeFirewallPolicy/client-name-client-folder-fwpol # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeFirewallPolicy/${client-name}-client-folder-fwpol spec: action: "goto_next" - description: "Goto next for IAP" + description: "Delegate to host project, ingress IAP traffic (firewall) from IP range 35.235.240.0/20 to VPC resources in shared VPC network" direction: "INGRESS" disabled: false # logging not supported for goto_next rules enableLogging: false + # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) firewallPolicyRef: name: client-name-client-folder-fwpol # kpt-set: ${client-name}-client-folder-fwpol match: diff --git a/solutions/client-landing-zone/client-folder/firewall-policy/rules/lb-health-checks.yaml b/solutions/client-landing-zone/client-folder/firewall-policy/rules/lb-health-checks.yaml index 38f7f3263..9140e4d2a 100644 --- a/solutions/client-landing-zone/client-folder/firewall-policy/rules/lb-health-checks.yaml 
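Review bot: The new `description: "Delegate to host project, ingress IAP traffic (firewall) from IP range 35.235.240.0/20 ..."` in the second hunk hard-codes the source range that the rule's `srcIPRanges` (outside the hunk) already carries, and the lb-health-checks rule (L8) and the standard-folder copies (L17 to L19) do the same with 35.191.0.0/16 and 130.211.0.0/22. When Google publishes an additional range and the match is updated, nothing forces the description to follow, and a rule whose description disagrees with its match is exactly what slows down triage of a blocked or unexpected IAP session. I would keep the prose and drop the literal: `description: "Delegate to host project, ingress IAP traffic (see match.srcIPRanges) to VPC resources in shared VPC network"`, with the same treatment in the header comment.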
+++ b/solutions/client-landing-zone/client-folder/firewall-policy/rules/lb-health-checks.yaml @@ -12,7 +12,8 @@ # See the License for the specific language governing permissions and # limitations under the License. ######### -# Goto next for LB health checks +# Delegate to host project, ingress LB health checks traffic (firewall) from IP ranges 35.191.0.0/16, 130.211.0.0/22 to VPC resources in shared VPC network +# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both. apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewallPolicyRule metadata: @@ -22,11 +23,12 @@ metadata: config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeFirewallPolicy/client-name-client-folder-fwpol # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeFirewallPolicy/${client-name}-client-folder-fwpol spec: action: "goto_next" - description: "Goto next for LB health checks" + description: "Delegate to host project, ingress LB health checks traffic (firewall) from IP ranges 35.191.0.0/16, 130.211.0.0/22 to VPC resources in shared VPC network" direction: "INGRESS" disabled: false # logging not supported for goto_next rules enableLogging: false + # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) firewallPolicyRef: name: client-name-client-folder-fwpol # kpt-set: ${client-name}-client-folder-fwpol match: diff --git a/solutions/client-landing-zone/client-folder/firewall-policy/rules/os-updates.yaml b/solutions/client-landing-zone/client-folder/firewall-policy/rules/os-updates.yaml index 969816944..09ee71999 100644 
--- a/solutions/client-landing-zone/client-folder/firewall-policy/rules/os-updates.yaml +++ b/solutions/client-landing-zone/client-folder/firewall-policy/rules/os-updates.yaml @@ -12,7 +12,8 @@ # See the License for the specific language governing permissions and # limitations under the License. ######### -# allow os updates +# Allow os updates +# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both. apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewallPolicyRule metadata: @@ -22,10 +23,11 @@ metadata: config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeFirewallPolicy/client-name-client-folder-fwpol # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeFirewallPolicy/${client-name}-client-folder-fwpol spec: action: "allow" - description: "allow os updates" + description: "Allow os updates" direction: "EGRESS" disabled: false enableLogging: true + # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) firewallPolicyRef: name: client-name-client-folder-fwpol # kpt-set: ${client-name}-client-folder-fwpol match: diff --git a/solutions/client-landing-zone/client-folder/folder-iam.yaml b/solutions/client-landing-zone/client-folder/folder-iam.yaml index 8ce0fffc9..699799499 100644 --- a/solutions/client-landing-zone/client-folder/folder-iam.yaml +++ b/solutions/client-landing-zone/client-folder/folder-iam.yaml 
@@ -13,7 +13,7 @@ # limitations under the License. ###### # Grant GCP role Folder Viewer on client's folder to client's user group -# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL +# AC-3, AC-3(7), AC-16(2) - This IAM policy binding grants GCP Folder Viewer role on client's folder to client's user group based on least-privilege principle apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: @@ -27,5 +27,6 @@ spec: kind: Folder name: clients.client-name # kpt-set: clients.${client-name} namespace: hierarchy + # AC-3, AC-3(7), AC-16(2) role: roles/resourcemanager.folderViewer member: client-folderviewer # kpt-set: ${client-folderviewer} diff --git a/solutions/client-landing-zone/client-folder/folder-sink.yaml b/solutions/client-landing-zone/client-folder/folder-sink.yaml index 3a3ffc5dd..2eabc1ff9 100644 --- a/solutions/client-landing-zone/client-folder/folder-sink.yaml +++ b/solutions/client-landing-zone/client-folder/folder-sink.yaml @@ -15,6 +15,9 @@ # TODO: investigate using client ns, move functionality to client-setup and/or create new client logging project. Will be required if a config-controller is deployed per client OR we need to give permissions to the client service account into the core logging project. # Folder sink for Platform and Component logs of Client Resources # Destination: cloud logging bucket inside logging project +# AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the folder to send the logs to the logging bucket in the logging project +# AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket +# AU-12, AU-12(1) - Log Sinks defined in Log Router check each log entry against the inclusion filter and exclusion filter that determine which destinations that the log entry is sent to apiVersion: logging.cnrm.cloud.google.com/v1beta1 kind: LoggingLogSink metadata: 
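Review bot: The control list `# AC-3, AC-3(7), AC-16(2)` on the Folder Viewer binding in the first hunk looks mis-mapped for AC-16(2), which in SP 800-53 Rev 5 is the security-attribute enhancement "Attribute Value Changes by Authorized Individuals" and concerns changing attribute values on information, not granting an IAM role. The comment's own justification is least privilege, which is AC-6, while AC-3(7) already covers the role-based part. Unless the project's control catalogue deliberately maps folder bindings to AC-16, I would change both the header and the in-spec line to `# AC-3, AC-3(7), AC-6 - This IAM policy binding grants GCP Folder Viewer role on client's folder to client's user group based on least-privilege principle`.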
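Review bot: The justification `# AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket` in the folder-sink hunk argues the opposite of what AU-9(2) (Rev 5: Audit Information | Store on Separate Physical Systems or Components) asks for; what actually supports it here is that the destination bucket lives in the central logging project (`${logging-project-id}`), separate from the client projects whose logs it receives. As written, a reviewer checking the mapping reads "same project, same region" and concludes the control is not met. I would phrase it as `# AU-4(1), AU-6(4), AU-9(2) - Folder sink forwards client project logs to a bucket in the separate central logging project, so they are stored outside the projects that generate them`, with the protection of that bucket depending on the logging project's IAM, which is outside this diff.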
@@ -23,6 +26,7 @@ metadata: annotations: config.kubernetes.io/depends-on: logging.cnrm.cloud.google.com/namespaces/logging/LoggingLogBucket/platform-and-component-client-name-log-bucket # kpt-set: logging.cnrm.cloud.google.com/namespaces/logging/LoggingLogBucket/platform-and-component-${client-name}-log-bucket spec: + # AU-3, AU-3(1), AU-4(1), AU-6(4), AU-9(2) folderRef: name: clients.client-name # kpt-set: clients.${client-name} namespace: hierarchy @@ -33,7 +37,7 @@ spec: # Only `external` field is supported to configure the reference. external: platform-and-component-client-name-log-bucket # kpt-set: logging.googleapis.com/projects/${logging-project-id}/locations/northamerica-northeast1/buckets/platform-and-component-${client-name}-log-bucket description: Folder sink for client-name Platform and Component logs # kpt-set: Folder sink for ${client-name} Platform and Component logs - # AU-2, AU-12(A), AU-12(C) + # AU-12, AU-12(1) # Includes the following types of logs: # Cloud DNS, Cloud NAT, Firewall Rules, VPC Flow, and HTTP(S) Load Balancer # Logs for such resources must be enabled on the respective resource as they are not enabled by default. @@ -43,7 +47,7 @@ spec: OR (LOG_ID("compute.googleapis.com/firewall") AND resource.type="gce_subnetwork") OR (LOG_ID("compute.googleapis.com/vpc_flows") AND resource.type="gce_subnetwork") OR (LOG_ID("requests") AND resource.type="http_load_balancer") - # Excludes all Security logs: Cloud Audit, Access Transparency, and Data Access Logs + # Excludes all Security logs from bucket: Cloud Audit, Access Transparency, and Data Access Logs. This is done to avoid duplication of logs that are captured by another log sink exclusions: - description: Exclude Security logs disabled: false 
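Review bot: Replacing `# AU-2, AU-12(A), AU-12(C)` with `# AU-12, AU-12(1)` above the inclusion filter (second hunk) drops AU-2, Event Logging, which is the control that covers deciding which event types are recorded, and that decision is exactly what the `filter:` below it encodes (DNS, NAT, firewall, VPC flow and load-balancer logs). AU-12(1), the system-wide time-correlated audit trail enhancement, is not something a per-folder filter demonstrates, so I would write `# AU-2, AU-12 - inclusion filter selects the network event types this sink forwards`. In the third hunk, the exclusion comment now says the security logs are `captured by another log sink` without naming it; since this sink deliberately discards Cloud Audit, Access Transparency and Data Access logs, the comment should name the sink and destination that keeps them, so the absence of a coverage gap can be verified from this file rather than assumed.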
diff --git a/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/firewall-policy/policy.yaml b/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/firewall-policy/policy.yaml index d19318f78..c41005749 100644 --- a/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/firewall-policy/policy.yaml +++ b/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/firewall-policy/policy.yaml @@ -12,13 +12,14 @@ # See the License for the specific language governing permissions and # limitations under the License. ######### -# The following rules are automatically created when the firewall policy is created: +# The following rules are automatically created when policy is created to delegate traffic to/from VPC resources to shared VPC network within host project: # 2147483644 default egress rule ipv6 Egress IPv6 ranges: ::/0 all Goto next # 2147483645 default ingress rule ipv6 Ingress IPv6 ranges: ::/0 all Goto next # 2147483646 default egress rule Egress IPv4 ranges: 0.0.0.0/0 all Goto next # 2147483647 default ingress rule Ingress IPv4 ranges: 0.0.0.0/0 all Goto next ######### # Client Compute Firewall Policy on folder standard.applications-infrastructure +# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both. apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewallPolicy metadata: 
@@ -33,12 +34,13 @@ spec: # - uncomment 'resourceID' below # - replace 1234567890 with the policy ID number (it can be found in the cloud console) # resourceID: firewallPolicies/1234567890 + # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) folderRef: name: standard.applications-infrastructure namespace: client-name-hierarchy # kpt-set: ${client-name}-hierarchy description: "Firewall policy for client-name" # kpt-set: Firewall policy for ${client-name} --- -# firewall policy association to client's standard/applications-infrastructure folder +# firewall policy association to client's standard.applications-infrastructure folder apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewallPolicyAssociation metadata: @@ -51,5 +53,6 @@ spec: kind: Folder name: standard.applications-infrastructure namespace: client-name-hierarchy # kpt-set: ${client-name}-hierarchy + # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) firewallPolicyRef: name: client-name-standard-applications-infrastructure-fwpol # kpt-set: ${client-name}-standard-applications-infrastructure-fwpol diff --git a/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml b/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml index b2d7776fc..ef7b3e09b 100644 --- a/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml +++ b/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml 
@@ -14,7 +14,8 @@ ######### # Rules 2147483541 to 2147483546 are the suggested defaults by Google ######### -# Exclude communication with private IP ranges, leaving only Internet traffic to be inspected (EGRESS) +# Delegate to host project, egress traffic(firewall) from VPC resources to private IP ranges in shared VPC network +# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both. apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewallPolicyRule metadata: 
@@ -24,24 +25,25 @@ metadata: config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeFirewallPolicy/client-name-client-folder-fwpol # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeFirewallPolicy/${client-name}-client-folder-fwpol spec: action: "goto_next" - description: "Exclude communication with private IP ranges, leaving only Internet traffic to be inspected (EGRESS)" + description: "Delegate to host project, egress traffic(firewall) from VPC resources to private IP ranges in shared VPC network" direction: "EGRESS" disabled: false # logging not supported for goto_next rules enableLogging: false + # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) firewallPolicyRef: name: client-name-standard-applications-infrastructure-fwpol # kpt-set: ${client-name}-standard-applications-infrastructure-fwpol match: layer4Configs: - ipProtocol: "all" - destIPRanges: # kpt-set: ${firewall-egress-allow-all-internal} + destIPRanges: # kpt-set: ${firewall-internal-ip-ranges} - "10.0.0.0/8" - "172.16.0.0/12" - "192.168.0.0/16" - "240.0.0.0/4" priority: 2147483541 --- -# Exclude communication with private IP ranges, leaving only Internet traffic to be inspected (INGRESS) +# Delegate to host project, ingress traffic(firewall) from private IP ranges to VPC resources in shared VPC network apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewallPolicyRule metadata: 
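Review bot: The context line `config.kubernetes.io/depends-on: ...ComputeFirewallPolicy/client-name-client-folder-fwpol` at the top of this hunk names the client-folder policy, while `firewallPolicyRef.name` a few lines below is `client-name-standard-applications-infrastructure-fwpol`; the next hunk (L16) has the same pair, whereas the standard-folder iap.yaml and lb-health-checks.yaml hunks (L18, L19) correctly depend on the standard policy. The commit edits the lines around it but leaves the annotation, so if kpt uses it for apply ordering as the rest of the package appears to, these two rules are not ordered after the policy they attach to and a fresh apply can race it. The fix is the one line `config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeFirewallPolicy/client-name-standard-applications-infrastructure-fwpol # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeFirewallPolicy/${client-name}-standard-applications-infrastructure-fwpol` in both rules.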
@@ -51,17 +53,18 @@ metadata: config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeFirewallPolicy/client-name-client-folder-fwpol # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeFirewallPolicy/${client-name}-client-folder-fwpol spec: action: "goto_next" - description: "Exclude communication with private IP ranges, leaving only Internet traffic to be inspected (INGRESS)" + description: "Delegate to host project, ingress traffic(firewall) from private IP ranges to VPC resources in shared VPC network" direction: "INGRESS" disabled: false # logging not supported for goto_next rules enableLogging: false + # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) firewallPolicyRef: name: client-name-standard-applications-infrastructure-fwpol # kpt-set: ${client-name}-standard-applications-infrastructure-fwpol match: layer4Configs: - ipProtocol: "all" - srcIPRanges: # kpt-set: ${firewall-egress-allow-all-internal} + srcIPRanges: # kpt-set: ${firewall-internal-ip-ranges} - "10.0.0.0/8" - "172.16.0.0/12" - "192.168.0.0/16" @@ -83,6 +86,7 @@ spec: direction: "INGRESS" disabled: false enableLogging: true + # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) firewallPolicyRef: name: client-name-standard-applications-infrastructure-fwpol # kpt-set: ${client-name}-standard-applications-infrastructure-fwpol match: @@ -109,6 +113,7 @@ spec: direction: "EGRESS" disabled: false enableLogging: true + # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) firewallPolicyRef: name: client-name-standard-applications-infrastructure-fwpol # kpt-set: ${client-name}-standard-applications-infrastructure-fwpol match: 
diff --git a/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/firewall-policy/rules/iap.yaml b/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/firewall-policy/rules/iap.yaml index 8a45a5ce9..314acec71 100644 --- a/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/firewall-policy/rules/iap.yaml +++ b/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/firewall-policy/rules/iap.yaml @@ -12,7 +12,8 @@ # See the License for the specific language governing permissions and # limitations under the License. ######### -# Goto next for IAP +# Delegate to host project, ingress IAP traffic (firewall) from IP range 35.235.240.0/20 to VPC resources in shared VPC network +# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both. apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewallPolicyRule metadata: 
@@ -22,11 +23,12 @@ metadata: config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeFirewallPolicy/client-name-standard-applications-infrastructure-fwpol # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeFirewallPolicy/${client-name}-standard-applications-infrastructure-fwpol spec: action: "goto_next" - description: "Goto next for IAP" + description: "Delegate to host project, ingress IAP traffic (firewall) from IP range 35.235.240.0/20 to VPC resources in shared VPC network" direction: "INGRESS" disabled: false # logging not supported for goto_next rules enableLogging: false + # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) firewallPolicyRef: name: client-name-standard-applications-infrastructure-fwpol # kpt-set: ${client-name}-standard-applications-infrastructure-fwpol match: diff --git a/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/firewall-policy/rules/lb-health-checks.yaml b/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/firewall-policy/rules/lb-health-checks.yaml index 7a5ba54db..fc37f6a7c 100644 --- a/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/firewall-policy/rules/lb-health-checks.yaml +++ b/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/firewall-policy/rules/lb-health-checks.yaml 
@@ -12,7 +12,8 @@ # See the License for the specific language governing permissions and # limitations under the License. ######### -# Goto next for LB health checks +# Delegate to host project, ingress LB health checks traffic (firewall) from IP ranges 35.191.0.0/16, 130.211.0.0/22 to VPC resources in shared VPC network +# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both. apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewallPolicyRule metadata: @@ -22,11 +23,12 @@ metadata: config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeFirewallPolicy/client-name-standard-applications-infrastructure-fwpol # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeFirewallPolicy/${client-name}-standard-applications-infrastructure-fwpol spec: action: "goto_next" - description: "Goto next for LB health checks" + description: "Delegate to host project, ingress LB health checks traffic (firewall) from IP ranges 35.191.0.0/16, 130.211.0.0/22 to VPC resources in shared VPC network" direction: "INGRESS" disabled: false # logging not supported for goto_next rules enableLogging: false + # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) firewallPolicyRef: name: client-name-standard-applications-infrastructure-fwpol # kpt-set: ${client-name}-standard-applications-infrastructure-fwpol match: 
diff --git a/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml b/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml index 41ddec589..a786402fe 100644 --- a/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml +++ b/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml @@ -12,8 +12,8 @@ # See the License for the specific language governing permissions and # limitations under the License. ######### -# egress allow all internal -# AC-4, AC-4(21), SC-7(C), SC-7(5) +# Allow all egress traffic(firewall) from VPC resources to private IP ranges in shared VPC network within host project +# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both. apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewall metadata: 
@@ -24,22 +24,24 @@ metadata:
 config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeNetwork/host-project-id-global-standard-vpc # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeNetwork/${host-project-id}-global-standard-vpc
 spec:
 resourceID: standard-egress-allow-all-internal-fwr
- description: "egress allow all internal"
+ description: "Allow all egress traffic(firewall) from VPC resources to private IP ranges in shared VPC network within host project"
 direction: EGRESS
 priority: 5000
 allow:
 - protocol: all
- destinationRanges: # kpt-set: ${firewall-egress-allow-all-internal}
+ destinationRanges: # kpt-set: ${firewall-internal-ip-ranges}
 - "10.0.0.0/8"
 - "172.16.0.0/12"
 - "192.168.0.0/16"
+ - "240.0.0.0/4"
+ # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
 networkRef:
 name: host-project-id-global-standard-vpc # kpt-set: ${host-project-id}-global-standard-vpc
 logConfig:
 metadata: "INCLUDE_ALL_METADATA"
 ---
-# Default egress deny all
-# AC-4, AC-4(21), SC-7(C), SC-7(5)
+# Deny all egress traffic(firewall) from VPC resources to external ip internet ranges in shared VPC network within host project
+# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeFirewall
 metadata:
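Review bot: `- "240.0.0.0/4"`, newly added to `destinationRanges` of the egress-allow-all-internal rule, is not an RFC 1918 range; it is the reserved class E block, which Google Cloud does accept as VPC subnet space but which the rewritten header comment ("private IP ranges") does not cover. If it is there because shared-VPC subnets may be carved from it, record that on the entry, e.g. `- "240.0.0.0/4"  # class E, usable for VPC subnets on Google Cloud; kept so traffic to such subnets is not caught by the deny-all egress rule`; if no subnet uses it, leave it out so the allow list stays as narrow as the rule's intent. The `# kpt-set: ${firewall-internal-ip-ranges}` annotation on the key means the setter value supplies all four entries, so the renamed setter's default must carry the same list or a rendered package silently loses the fourth range.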
@@ -50,15 +52,43 @@ metadata:
 config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeNetwork/host-project-id-global-standard-vpc # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeNetwork/${host-project-id}-global-standard-vpc
 spec:
 resourceID: standard-default-egress-deny-fwr
- description: "Default egress deny all"
+ description: "Deny all egress traffic(firewall) from VPC resources to external ip internet ranges in shared VPC network within host project"
 direction: EGRESS
 priority: 65535
 deny:
 - protocol: all
 sourceRanges:
- - 10.0.0.0/8
+ - 0.0.0.0/0
+ destinationRanges:
+ - 0.0.0.0/0
+ # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
+ networkRef:
+ name: host-project-id-global-standard-vpc # kpt-set: ${host-project-id}-global-standard-vpc
+ logConfig:
+ metadata: "INCLUDE_ALL_METADATA"
+---
+# Deny all ingress traffic(firewall) to vpc resources from any ip internet ranges in shared vpc host project
+# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeFirewall
+metadata:
+ name: host-project-id-standard-default-ingress-deny-fwr # kpt-set: ${host-project-id}-standard-default-ingress-deny-fwr
+ namespace: client-name-networking # kpt-set: ${client-name}-networking
+ annotations:
+ cnrm.cloud.google.com/project-id: host-project-id # kpt-set: ${host-project-id}
+ config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeNetwork/host-project-id-global-standard-vpc # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeNetwork/${host-project-id}-global-standard-vpc
+spec:
+ resourceID: standard-default-ingress-deny-fwr
+ description: "Default ingress deny all"
+ direction: INGRESS
+ priority: 65535
+ deny:
+ - protocol: all
+ sourceRanges:
+ - 0.0.0.0/0
 destinationRanges:
 - 0.0.0.0/0
+ # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
 networkRef:
 name: host-project-id-global-standard-vpc # kpt-set: ${host-project-id}-global-standard-vpc
 logConfig:
diff --git a/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis/firewall.yaml b/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis/firewall.yaml
index e94d906e9..ff420f96f 100644
--- a/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis/firewall.yaml
+++ b/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis/firewall.yaml
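Review bot: Widening the egress-deny rule's `sourceRanges:` from `10.0.0.0/8` to `0.0.0.0/0` is a behaviour change, not a rewording — before, a VM addressed outside 10/8 (the allow-internal list also covers 172.16/12, 192.168/16 and now 240/4) was never matched by this deny and fell through to the implied allow-egress — and it deserves its own sentence in the header comment. That comment ("to external ip internet ranges") also understates the rule: with `destinationRanges: - 0.0.0.0/0` it denies everything, and only the priority-5000 allow above exempts internal ranges, so say `# Deny all egress (0.0.0.0/0) at lowest priority; internal ranges are exempted by the priority 5000 allow rule above`. In the new ingress resource, `description: "Default ingress deny all"` does not follow the wording the commit gives every other description, and the rule duplicates the implied ingress deny every VPC already has; its actual value is that, with `logConfig` set, denied ingress is written to firewall logs, which implied rules never are, and that is worth stating in the header so nobody later removes it as redundant. The ingress rule's `logConfig` block ends outside the hunk.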
@@ -13,7 +13,7 @@
 # limitations under the License.
 #########
 # Egress allow traffic to Private Service Connect endpoint for Google API access
-# AC-4, AC-4(21), SC-7(C), SC-7(5)
+# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeFirewall
 metadata:
@@ -31,6 +31,7 @@ spec:
 - protocol: all
 destinationRanges:
 - 10.255.255.254/32
+ # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
 networkRef:
 name: host-project-id-global-standard-vpc # kpt-set: ${host-project-id}-global-standard-vpc
 logConfig:
diff --git a/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml b/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml
index cf2c48345..3fa8692a1 100644
--- a/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml
+++ b/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml
@@ -12,12 +12,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #########
+# Set up subnets for non-protected (unclassified) and pbmm use
 # nonp and pbmm subnets have :
 # - logging enabled for flow logs https://cloud.google.com/vpc/docs/using-flow-logs
 # - private google access enabled https://cloud.google.com/vpc/docs/private-google-access
 #########
 # Subnet nonp-main northamerica-northeast1
-# AC-4, AC-4(21)
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeSubnetwork
 metadata:
@@ -40,7 +40,6 @@ spec:
 metadata: INCLUDE_ALL_METADATA
 ---
 # Subnet pbmm-main northamerica-northeast1
-# AC-4, AC-4(21)
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeSubnetwork
 metadata:
@@ -63,7 +62,6 @@ spec:
 metadata: INCLUDE_ALL_METADATA
 ---
 # Subnet nonp-main northamerica-northeast2
-# AC-4, AC-4(21)
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeSubnetwork
 metadata:
@@ -86,7 +84,6 @@ spec:
 metadata: INCLUDE_ALL_METADATA
 ---
 # Subnet pbmm-main northamerica-northeast2
-# AC-4, AC-4(21)
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeSubnetwork
 metadata:
diff --git a/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/vpc.yaml b/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/vpc.yaml
index b1e6da928..09812105c 100644
--- a/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/vpc.yaml
+++ b/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/vpc.yaml
@@ -25,6 +25,6 @@ metadata:
 spec:
 resourceID: global-standard-vpc
 description: VPC for internet facing application
- routingMode: REGIONAL
+ routingMode: GLOBAL
 autoCreateSubnetworks: false # SC-7
 deleteDefaultRoutesOnCreate: false # AC-4, SC-7(5)
diff --git a/solutions/client-landing-zone/client-folder/standard/firewall-policy/policy.yaml b/solutions/client-landing-zone/client-folder/standard/firewall-policy/policy.yaml
index f86cbcd46..9fdfb97ce 100644
--- a/solutions/client-landing-zone/client-folder/standard/firewall-policy/policy.yaml
+++ b/solutions/client-landing-zone/client-folder/standard/firewall-policy/policy.yaml
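Review bot: `routingMode: GLOBAL` in vpc.yaml changes the scope of dynamic routing — routes learned by a Cloud Router (VPN, Interconnect) are installed in every region of this VPC instead of only the router's own region — and nothing in the hunk or the commit says why the `nane1`/`nane2` layout now needs it. The neighbouring keys carry `# SC-7` and `# AC-4, SC-7(5)` tags while this one gets none, although route propagation scope is exactly an AC-4 boundary question. Propose `routingMode: GLOBAL # AC-4, SC-7(5) - dynamic routes learned in one region are propagated to all regions of this VPC; needed because <reason> - confirm` with the reason filled in, plus a matching row for the VPC in securitycontrols.md.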
@@ -12,13 +12,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #########
-# The following rules are automatically created when the firewall policy is created:
+# The following rules are automatically created when policy is created to delegate traffic to/from VPC resources to shared VPC network within host project:
 # 2147483644 default egress rule ipv6 Egress IPv6 ranges: ::/0 all Goto next
 # 2147483645 default ingress rule ipv6 Ingress IPv6 ranges: ::/0 all Goto next
 # 2147483646 default egress rule Egress IPv4 ranges: 0.0.0.0/0 all Goto next
 # 2147483647 default ingress rule Ingress IPv4 ranges: 0.0.0.0/0 all Goto next
 #########
 # Client Compute Firewall Policy on folder standard
+# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeFirewallPolicy
 metadata:
@@ -33,6 +34,7 @@ spec:
 # - uncomment 'resourceID' below
 # - replace 1234567890 with the policy ID number (it can be found in the cloud console)
 # resourceID: firewallPolicies/1234567890
+ # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
 folderRef:
 name: standard
 namespace: client-name-hierarchy # kpt-set: ${client-name}-hierarchy
@@ -51,5 +53,6 @@ spec:
 kind: Folder
 name: standard
 namespace: client-name-hierarchy # kpt-set: ${client-name}-hierarchy
+ # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
 firewallPolicyRef:
 name: client-name-standard-fwpol # kpt-set: ${client-name}-standard-fwpol
diff --git a/solutions/client-landing-zone/client-folder/standard/firewall-policy/rules/network-isolation.yaml b/solutions/client-landing-zone/client-folder/standard/firewall-policy/rules/network-isolation.yaml
index 619826b74..73b06b794 100644
--- a/solutions/client-landing-zone/client-folder/standard/firewall-policy/rules/network-isolation.yaml
+++ b/solutions/client-landing-zone/client-folder/standard/firewall-policy/rules/network-isolation.yaml
@@ -12,7 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #########
-# isolate nonp
+# Isolate non-protected subnet so it denies ingress traffic from pbmm subnet
+# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeFirewallPolicyRule
 metadata:
@@ -22,10 +23,11 @@ metadata:
 config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeFirewallPolicy/client-name-standard-fwpol # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeFirewallPolicy/${client-name}-standard-fwpol
 spec:
 action: "deny"
- description: "isolate nonp"
+ description: "Isolate non-protected subnet so it denies ingress traffic from pbmm subnet"
 direction: "INGRESS"
 disabled: false
 enableLogging: true
+ # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
 firewallPolicyRef:
 name: client-name-standard-fwpol # kpt-set: ${client-name}-standard-fwpol
 match:
@@ -37,7 +39,7 @@ spec:
 - "standard-nonp-cidr" # kpt-set: ${standard-nonp-cidr}
 priority: 1000
 ---
-# isolate pbmm
+# Isolate PBMM subnet so it denies ingress traffic from non-protected subnet
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeFirewallPolicyRule
 metadata:
@@ -47,10 +49,11 @@ metadata:
 config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeFirewallPolicy/client-name-standard-fwpol # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeFirewallPolicy/${client-name}-standard-fwpol
 spec:
 action: "deny"
- description: "isolate pbmm"
+ description: "Isolate PBMM subnet so it denies ingress traffic from non-protected subnet"
 direction: "INGRESS"
 disabled: false
 enableLogging: true
+ # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
 firewallPolicyRef:
 name: client-name-standard-fwpol # kpt-set: ${client-name}-standard-fwpol
 match:
diff --git a/solutions/client-landing-zone/logging-project/cloud-logging-bucket.yaml b/solutions/client-landing-zone/logging-project/cloud-logging-bucket.yaml
index 02674a762..6a0dbbfb6 100644
--- a/solutions/client-landing-zone/logging-project/cloud-logging-bucket.yaml
+++ b/solutions/client-landing-zone/logging-project/cloud-logging-bucket.yaml
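Review bot: The two rewritten descriptions state traffic direction in prose ("denies ingress traffic from pbmm subnet" / "from non-protected subnet"), but the only match entry visible, `- "standard-nonp-cidr"` at the top of this hunk, belongs to the isolate-nonp rule whose description says the traffic comes from the PBMM side; if that list is `srcIpRanges` the rule blocks traffic *from* nonp and the description is inverted, if it is `destIpRanges` the description holds. The `match:` blocks themselves start in the previous hunk and are not visible here, so please check each description against the `srcIpRanges`/`destIpRanges` key actually used and phrase it the way the rule is written, e.g. `description: "Deny ingress to the non-protected subnet from the PBMM subnet"`. Both rules have `enableLogging: true`, so a mis-described rule is also mis-read in the firewall logs.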
@@ -15,19 +15,21 @@
 # TODO: investigate using client ns, move functionality to client-setup and/or create new client logging project. Will be required if a config-controller is deployed per client OR we need to give permissions to the client service account into the core logging project.
 # Cloud Logging bucket for client Platform and Component logs
 # Logs are routed using a log sink to a central logging project into a dedicated log bucket
-# AU-4(1), AU-9(2) - Log buckets are created in a logging project, isolating them from the source of the log entries in other projects
+# AU-7, AU-9 - The log buckets created within the Logging project are immutable (AU-7(B)). These buckets have a retention policy of xxx days and IAM Policy that defines who has access to the bucket (AU-9)
+# AU-4(1), AU-6(4), AU-9(2), AU-12, AU-12(1) Log sinks sending the logs to same project in same region having a logging bucket
 apiVersion: logging.cnrm.cloud.google.com/v1beta1
 kind: LoggingLogBucket
 metadata:
 name: platform-and-component-client-name-log-bucket # kpt-set: platform-and-component-${client-name}-log-bucket
 namespace: logging
 spec:
+ # AU-4(1), AU-6(4), AU-9(2), AU-12, AU-12(1)
 projectRef:
 name: logging-project-id # kpt-set: ${logging-project-id}
 namespace: projects
 location: northamerica-northeast1
 description: Cloud Logging bucket for client-name Platform and Component logs # kpt-set: Cloud Logging bucket for ${client-name} Platform and Component logs
- # Implement retention policy and retention locking policy
- # AU-9, AU-11 - RetentionDays sets the policy where existing log content cannot be changed/deleted for the specificied number of days (from setters.yaml), locked setting means policy cannot be changed, ensuring immutability.
+ # RetentionDays sets the policy where existing log content cannot be changed/deleted for the specified number of days (from setters.yaml), locked setting means policy cannot be changed, ensuring immutability
+ # AU-7, AU-9
 locked: false # kpt-set: ${retention-locking-policy}
 retentionDays: 1 # kpt-set: ${retention-in-days}
diff --git a/solutions/client-landing-zone/logging-project/project-iam.yaml b/solutions/client-landing-zone/logging-project/project-iam.yaml
index b91db522d..add51f64f 100644
--- a/solutions/client-landing-zone/logging-project/project-iam.yaml
+++ b/solutions/client-landing-zone/logging-project/project-iam.yaml
@@ -15,6 +15,7 @@
 # TODO: investigate using client ns, move functionality to client-setup and/or create new client logging project. Will be required if a config-controller is deployed per client OR we need to give permissions to the client service account into the core logging project.
 # Logs Bucket writer IAM permissions
 # Binds the generated Writer identity from the LoggingLogSink to the logging project
+# AC-3, AC-3(7), AC-16(2), AU-9 - This IAM policy binding grants bucketwriter role to the identity of the log sink configured on the bucket in the logging project
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPartialPolicy
 metadata:
@@ -25,7 +26,7 @@ spec:
 kind: Project
 name: logging-project-id # kpt-set: ${logging-project-id}
 namespace: projects
- # AC-3(7) - Write access to the logging bucket is limited by IAM to just the identity of the log sink configured to send logs to the bucket (set at the logging project level)
+ # AC-3, AC-3(7), AC-16(2), AU-9
 bindings:
 - role: roles/logging.bucketWriter
 members:
diff --git a/solutions/client-landing-zone/securitycontrols.md b/solutions/client-landing-zone/securitycontrols.md
index 313cbe993..ecf4ab7bf 100644
--- a/solutions/client-landing-zone/securitycontrols.md
+++ b/solutions/client-landing-zone/securitycontrols.md
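Review bot: The new header comment in cloud-logging-bucket.yaml asserts that the buckets "are immutable (AU-7(B))" and "have a retention policy of xxx days", but the resource it sits on has `locked: false # kpt-set: ${retention-locking-policy}` and `retentionDays: 1 # kpt-set: ${retention-in-days}` — immutability of the retention policy only holds once the setter turns `locked` on, and `xxx` is a placeholder left in a committed control statement. Reword it to what the manifest enforces, e.g. `# AU-7, AU-9 - Retention is ${retention-in-days} days, during which log entries cannot be deleted; when ${retention-locking-policy} is true the retention policy itself is locked and can no longer be shortened or removed`. The removed inline comment was also the only AU-11 mapping for this bucket and the securitycontrols.md hunk drops its AU-11 row; if retention is still meant to evidence AU-11 the tag should return rather than vanish silently.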
@@ -3,34 +3,175 @@ |Security Control|File Name|Resource Name| |---|---|---| +|AC-16(2)|./client-folder/folder-iam.yaml|clients.client-name-client-folder-viewer-permissions| +|AC-16(2)|./client-folder/folder-iam.yaml|clients.client-name-client-folder-viewer-permissions| +|AC-16(2)|./logging-project/project-iam.yaml|platform-and-component-log-client-name-bucket-writer-permissions| +|AC-16(2)|./logging-project/project-iam.yaml|platform-and-component-log-client-name-bucket-writer-permissions| +|AC-3|./client-folder/folder-iam.yaml|clients.client-name-client-folder-viewer-permissions| +|AC-3|./client-folder/folder-iam.yaml|clients.client-name-client-folder-viewer-permissions| +|AC-3|./logging-project/project-iam.yaml|platform-and-component-log-client-name-bucket-writer-permissions| +|AC-3|./logging-project/project-iam.yaml|platform-and-component-log-client-name-bucket-writer-permissions| |AC-3(7)|./client-folder/folder-iam.yaml|clients.client-name-client-folder-viewer-permissions| +|AC-3(7)|./client-folder/folder-iam.yaml|clients.client-name-client-folder-viewer-permissions| +|AC-3(7)|./logging-project/project-iam.yaml|platform-and-component-log-client-name-bucket-writer-permissions| |AC-3(7)|./logging-project/project-iam.yaml|platform-and-component-log-client-name-bucket-writer-permissions| +|AC-3(9)|./client-folder/firewall-policy/policy.yaml|client-name-client-folder-fwpol| +|AC-3(9)|./client-folder/firewall-policy/policy.yaml|client-name-client-folder-fwpol| +|AC-3(9)|./client-folder/firewall-policy/policy.yaml|client-name-client-folder-fwpol-association| +|AC-3(9)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-deny-sanctioned-countries-ingress-fwr| +|AC-3(9)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-deny-tor-nodes-ingress-traffic-fwr| +|AC-3(9)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-exclude-private-ip-ranges-egress-fwr| 
+|AC-3(9)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-exclude-private-ip-ranges-egress-fwr| +|AC-3(9)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-exclude-private-ip-ranges-ingress-fwr| +|AC-3(9)|./client-folder/firewall-policy/rules/iap.yaml|client-name-client-folder-fwpol-goto-next-for-iap-fwr| +|AC-3(9)|./client-folder/firewall-policy/rules/iap.yaml|client-name-client-folder-fwpol-goto-next-for-iap-fwr| +|AC-3(9)|./client-folder/firewall-policy/rules/lb-health-checks.yaml|client-name-client-folder-fwpol-goto-next-for-lb-health-checks-fwr| +|AC-3(9)|./client-folder/firewall-policy/rules/lb-health-checks.yaml|client-name-client-folder-fwpol-goto-next-for-lb-health-checks-fwr| +|AC-3(9)|./client-folder/firewall-policy/rules/os-updates.yaml|client-name-client-folder-fwpol-allow-os-updates-fwr| +|AC-3(9)|./client-folder/firewall-policy/rules/os-updates.yaml|client-name-client-folder-fwpol-allow-os-updates-fwr| +|AC-3(9)|./client-folder/standard/applications-infrastructure/firewall-policy/policy.yaml|client-name-standard-applications-infrastructure-fwpol| +|AC-3(9)|./client-folder/standard/applications-infrastructure/firewall-policy/policy.yaml|client-name-standard-applications-infrastructure-fwpol| +|AC-3(9)|./client-folder/standard/applications-infrastructure/firewall-policy/policy.yaml|client-name-standard-applications-infrastructure-fwpol-association| +|AC-3(9)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-deny-known-malicious-ip-egress-fwr| +|AC-3(9)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-deny-known-malicious-ip-ingress-fwr| 
+|AC-3(9)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-exclude-private-ip-ranges-egress-fwr| +|AC-3(9)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-exclude-private-ip-ranges-egress-fwr| +|AC-3(9)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-exclude-private-ip-ranges-ingress-fwr| +|AC-3(9)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/iap.yaml|client-name-standard-applications-infrastructure-fwpol-goto-next-for-iap-fwr| +|AC-3(9)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/iap.yaml|client-name-standard-applications-infrastructure-fwpol-goto-next-for-iap-fwr| +|AC-3(9)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/lb-health-checks.yaml|client-name-standard-applications-infrastructure-fwpol-goto-next-for-lb-health-checks-fwr| +|AC-3(9)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/lb-health-checks.yaml|client-name-standard-applications-infrastructure-fwpol-goto-next-for-lb-health-checks-fwr| +|AC-3(9)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-egress-deny-fwr| +|AC-3(9)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-egress-deny-fwr| +|AC-3(9)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-ingress-deny-fwr| +|AC-3(9)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-ingress-deny-fwr| 
+|AC-3(9)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-egress-allow-all-internal-fwr| +|AC-3(9)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-egress-allow-all-internal-fwr| +|AC-3(9)|./client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis/firewall.yaml|host-project-id-standard-egress-allow-psc-fwr| +|AC-3(9)|./client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis/firewall.yaml|host-project-id-standard-egress-allow-psc-fwr| +|AC-3(9)|./client-folder/standard/firewall-policy/policy.yaml|client-name-standard-fwpol| +|AC-3(9)|./client-folder/standard/firewall-policy/policy.yaml|client-name-standard-fwpol| +|AC-3(9)|./client-folder/standard/firewall-policy/policy.yaml|client-name-standard-fwpol-association| +|AC-3(9)|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-nonp-fwr| +|AC-3(9)|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-nonp-fwr| +|AC-3(9)|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-pbmm-fwr| +|AC-4|./client-folder/firewall-policy/policy.yaml|client-name-client-folder-fwpol| +|AC-4|./client-folder/firewall-policy/policy.yaml|client-name-client-folder-fwpol| +|AC-4|./client-folder/firewall-policy/policy.yaml|client-name-client-folder-fwpol-association| +|AC-4|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-deny-sanctioned-countries-ingress-fwr| +|AC-4|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-deny-tor-nodes-ingress-traffic-fwr| +|AC-4|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-exclude-private-ip-ranges-egress-fwr| 
+|AC-4|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-exclude-private-ip-ranges-egress-fwr| +|AC-4|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-exclude-private-ip-ranges-ingress-fwr| +|AC-4|./client-folder/firewall-policy/rules/iap.yaml|client-name-client-folder-fwpol-goto-next-for-iap-fwr| +|AC-4|./client-folder/firewall-policy/rules/iap.yaml|client-name-client-folder-fwpol-goto-next-for-iap-fwr| +|AC-4|./client-folder/firewall-policy/rules/lb-health-checks.yaml|client-name-client-folder-fwpol-goto-next-for-lb-health-checks-fwr| +|AC-4|./client-folder/firewall-policy/rules/lb-health-checks.yaml|client-name-client-folder-fwpol-goto-next-for-lb-health-checks-fwr| +|AC-4|./client-folder/firewall-policy/rules/os-updates.yaml|client-name-client-folder-fwpol-allow-os-updates-fwr| +|AC-4|./client-folder/firewall-policy/rules/os-updates.yaml|client-name-client-folder-fwpol-allow-os-updates-fwr| +|AC-4|./client-folder/standard/applications-infrastructure/firewall-policy/policy.yaml|client-name-standard-applications-infrastructure-fwpol| +|AC-4|./client-folder/standard/applications-infrastructure/firewall-policy/policy.yaml|client-name-standard-applications-infrastructure-fwpol| +|AC-4|./client-folder/standard/applications-infrastructure/firewall-policy/policy.yaml|client-name-standard-applications-infrastructure-fwpol-association| +|AC-4|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-deny-known-malicious-ip-egress-fwr| +|AC-4|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-deny-known-malicious-ip-ingress-fwr| +|AC-4|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-exclude-private-ip-ranges-egress-fwr| 
+|AC-4|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-exclude-private-ip-ranges-egress-fwr| +|AC-4|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-exclude-private-ip-ranges-ingress-fwr| +|AC-4|./client-folder/standard/applications-infrastructure/firewall-policy/rules/iap.yaml|client-name-standard-applications-infrastructure-fwpol-goto-next-for-iap-fwr| +|AC-4|./client-folder/standard/applications-infrastructure/firewall-policy/rules/iap.yaml|client-name-standard-applications-infrastructure-fwpol-goto-next-for-iap-fwr| +|AC-4|./client-folder/standard/applications-infrastructure/firewall-policy/rules/lb-health-checks.yaml|client-name-standard-applications-infrastructure-fwpol-goto-next-for-lb-health-checks-fwr| +|AC-4|./client-folder/standard/applications-infrastructure/firewall-policy/rules/lb-health-checks.yaml|client-name-standard-applications-infrastructure-fwpol-goto-next-for-lb-health-checks-fwr| |AC-4|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-egress-deny-fwr| +|AC-4|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-egress-deny-fwr| +|AC-4|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-ingress-deny-fwr| +|AC-4|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-ingress-deny-fwr| +|AC-4|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-egress-allow-all-internal-fwr| |AC-4|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-egress-allow-all-internal-fwr| 
|AC-4|./client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis/firewall.yaml|host-project-id-standard-egress-allow-psc-fwr| -|AC-4|./client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml|host-project-id-nane1-standard-nonp-main-snet| -|AC-4|./client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml|host-project-id-nane1-standard-pbmm-main-snet| -|AC-4|./client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml|host-project-id-nane2-standard-nonp-main-snet| -|AC-4|./client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml|host-project-id-nane2-standard-pbmm-main-snet| +|AC-4|./client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis/firewall.yaml|host-project-id-standard-egress-allow-psc-fwr| |AC-4|./client-folder/standard/applications-infrastructure/host-project/network/vpc.yaml|host-project-id-global-standard-vpc| |AC-4|./client-folder/standard/applications-infrastructure/host-project/network/vpc.yaml|host-project-id-global-standard-vpc| +|AC-4|./client-folder/standard/firewall-policy/policy.yaml|client-name-standard-fwpol| +|AC-4|./client-folder/standard/firewall-policy/policy.yaml|client-name-standard-fwpol| +|AC-4|./client-folder/standard/firewall-policy/policy.yaml|client-name-standard-fwpol-association| +|AC-4|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-nonp-fwr| +|AC-4|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-nonp-fwr| +|AC-4|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-pbmm-fwr| +|AC-4(21)|./client-folder/firewall-policy/policy.yaml|client-name-client-folder-fwpol| +|AC-4(21)|./client-folder/firewall-policy/policy.yaml|client-name-client-folder-fwpol| 
+|AC-4(21)|./client-folder/firewall-policy/policy.yaml|client-name-client-folder-fwpol-association| +|AC-4(21)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-deny-sanctioned-countries-ingress-fwr| +|AC-4(21)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-deny-tor-nodes-ingress-traffic-fwr| +|AC-4(21)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-exclude-private-ip-ranges-egress-fwr| +|AC-4(21)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-exclude-private-ip-ranges-egress-fwr| +|AC-4(21)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-exclude-private-ip-ranges-ingress-fwr| +|AC-4(21)|./client-folder/firewall-policy/rules/iap.yaml|client-name-client-folder-fwpol-goto-next-for-iap-fwr| +|AC-4(21)|./client-folder/firewall-policy/rules/iap.yaml|client-name-client-folder-fwpol-goto-next-for-iap-fwr| +|AC-4(21)|./client-folder/firewall-policy/rules/lb-health-checks.yaml|client-name-client-folder-fwpol-goto-next-for-lb-health-checks-fwr| +|AC-4(21)|./client-folder/firewall-policy/rules/lb-health-checks.yaml|client-name-client-folder-fwpol-goto-next-for-lb-health-checks-fwr| +|AC-4(21)|./client-folder/firewall-policy/rules/os-updates.yaml|client-name-client-folder-fwpol-allow-os-updates-fwr| +|AC-4(21)|./client-folder/firewall-policy/rules/os-updates.yaml|client-name-client-folder-fwpol-allow-os-updates-fwr| +|AC-4(21)|./client-folder/standard/applications-infrastructure/firewall-policy/policy.yaml|client-name-standard-applications-infrastructure-fwpol| +|AC-4(21)|./client-folder/standard/applications-infrastructure/firewall-policy/policy.yaml|client-name-standard-applications-infrastructure-fwpol| +|AC-4(21)|./client-folder/standard/applications-infrastructure/firewall-policy/policy.yaml|client-name-standard-applications-infrastructure-fwpol-association| 
+|AC-4(21)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-deny-known-malicious-ip-egress-fwr| +|AC-4(21)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-deny-known-malicious-ip-ingress-fwr| +|AC-4(21)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-exclude-private-ip-ranges-egress-fwr| +|AC-4(21)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-exclude-private-ip-ranges-egress-fwr| +|AC-4(21)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-exclude-private-ip-ranges-ingress-fwr| +|AC-4(21)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/iap.yaml|client-name-standard-applications-infrastructure-fwpol-goto-next-for-iap-fwr| +|AC-4(21)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/iap.yaml|client-name-standard-applications-infrastructure-fwpol-goto-next-for-iap-fwr| +|AC-4(21)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/lb-health-checks.yaml|client-name-standard-applications-infrastructure-fwpol-goto-next-for-lb-health-checks-fwr| +|AC-4(21)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/lb-health-checks.yaml|client-name-standard-applications-infrastructure-fwpol-goto-next-for-lb-health-checks-fwr| +|AC-4(21)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-egress-deny-fwr| 
|AC-4(21)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-egress-deny-fwr| +|AC-4(21)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-ingress-deny-fwr| +|AC-4(21)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-ingress-deny-fwr| +|AC-4(21)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-egress-allow-all-internal-fwr| |AC-4(21)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-egress-allow-all-internal-fwr| |AC-4(21)|./client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis/firewall.yaml|host-project-id-standard-egress-allow-psc-fwr| -|AC-4(21)|./client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml|host-project-id-nane1-standard-nonp-main-snet| -|AC-4(21)|./client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml|host-project-id-nane1-standard-pbmm-main-snet| -|AC-4(21)|./client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml|host-project-id-nane2-standard-nonp-main-snet| -|AC-4(21)|./client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml|host-project-id-nane2-standard-pbmm-main-snet| +|AC-4(21)|./client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis/firewall.yaml|host-project-id-standard-egress-allow-psc-fwr| |AC-4(21)|./client-folder/standard/applications-infrastructure/host-project/network/vpc.yaml|host-project-id-global-standard-vpc| -|AU-11|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket| +|AC-4(21)|./client-folder/standard/firewall-policy/policy.yaml|client-name-standard-fwpol| 
+|AC-4(21)|./client-folder/standard/firewall-policy/policy.yaml|client-name-standard-fwpol| +|AC-4(21)|./client-folder/standard/firewall-policy/policy.yaml|client-name-standard-fwpol-association| +|AC-4(21)|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-nonp-fwr| +|AC-4(21)|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-nonp-fwr| +|AC-4(21)|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-pbmm-fwr| |AU-11|./setters.yaml|setters| -|AU-12(A)|./client-folder/folder-sink.yaml|platform-and-component-log-client-name-log-sink| -|AU-12(C)|./client-folder/folder-sink.yaml|platform-and-component-log-client-name-log-sink| -|AU-2|./client-folder/folder-sink.yaml|platform-and-component-log-client-name-log-sink| +|AU-12|./client-folder/folder-sink.yaml|platform-and-component-log-client-name-log-sink| +|AU-12|./client-folder/folder-sink.yaml|platform-and-component-log-client-name-log-sink| +|AU-12|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket| +|AU-12|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket| +|AU-12(1)|./client-folder/folder-sink.yaml|platform-and-component-log-client-name-log-sink| +|AU-12(1)|./client-folder/folder-sink.yaml|platform-and-component-log-client-name-log-sink| +|AU-12(1)|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket| +|AU-12(1)|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket| +|AU-3|./client-folder/folder-sink.yaml|platform-and-component-log-client-name-log-sink| +|AU-3|./client-folder/folder-sink.yaml|platform-and-component-log-client-name-log-sink| +|AU-3(1)|./client-folder/folder-sink.yaml|platform-and-component-log-client-name-log-sink| 
+|AU-3(1)|./client-folder/folder-sink.yaml|platform-and-component-log-client-name-log-sink| +|AU-4(1)|./client-folder/folder-sink.yaml|platform-and-component-log-client-name-log-sink| +|AU-4(1)|./client-folder/folder-sink.yaml|platform-and-component-log-client-name-log-sink| +|AU-4(1)|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket| |AU-4(1)|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket| +|AU-6(4)|./client-folder/folder-sink.yaml|platform-and-component-log-client-name-log-sink| +|AU-6(4)|./client-folder/folder-sink.yaml|platform-and-component-log-client-name-log-sink| +|AU-6(4)|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket| +|AU-6(4)|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket| +|AU-7|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket| +|AU-7|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket| +|AU-7(B)).|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket| |AU-9|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket| +|AU-9|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket| +|AU-9|./logging-project/project-iam.yaml|platform-and-component-log-client-name-bucket-writer-permissions| +|AU-9|./logging-project/project-iam.yaml|platform-and-component-log-client-name-bucket-writer-permissions| |AU-9|./setters.yaml|setters| +|AU-9(2)|./client-folder/folder-sink.yaml|platform-and-component-log-client-name-log-sink| +|AU-9(2)|./client-folder/folder-sink.yaml|platform-and-component-log-client-name-log-sink| +|AU-9(2)|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket| |AU-9(2)|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket| 
+|AU-9)|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket| |SC-22|./client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis/dns.yaml|host-project-id-standard-gcrio-dns| |SC-22|./client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis/dns.yaml|host-project-id-standard-gcrio-rset| |SC-22|./client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis/dns.yaml|host-project-id-standard-gcrio-wildcard-rset| 
@@ -40,12 +181,165 @@ |SC-22|./client-folder/standard/applications-infrastructure/host-project/network/public-dns.yaml|client-name-standard-core-public-dns-ns-rset| |SC-22|./client-folder/standard/applications-infrastructure/host-project/network/public-dns.yaml|client-name-standard-public-dns| |SC-7|./client-folder/standard/applications-infrastructure/host-project/network/vpc.yaml|host-project-id-global-standard-vpc| +|SC-7(11)|./client-folder/firewall-policy/policy.yaml|client-name-client-folder-fwpol| +|SC-7(11)|./client-folder/firewall-policy/policy.yaml|client-name-client-folder-fwpol| +|SC-7(11)|./client-folder/firewall-policy/policy.yaml|client-name-client-folder-fwpol-association| +|SC-7(11)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-deny-sanctioned-countries-ingress-fwr| +|SC-7(11)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-deny-tor-nodes-ingress-traffic-fwr| +|SC-7(11)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-exclude-private-ip-ranges-egress-fwr| +|SC-7(11)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-exclude-private-ip-ranges-egress-fwr| +|SC-7(11)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-exclude-private-ip-ranges-ingress-fwr| +|SC-7(11)|./client-folder/firewall-policy/rules/iap.yaml|client-name-client-folder-fwpol-goto-next-for-iap-fwr| +|SC-7(11)|./client-folder/firewall-policy/rules/iap.yaml|client-name-client-folder-fwpol-goto-next-for-iap-fwr| +|SC-7(11)|./client-folder/firewall-policy/rules/lb-health-checks.yaml|client-name-client-folder-fwpol-goto-next-for-lb-health-checks-fwr| +|SC-7(11)|./client-folder/firewall-policy/rules/lb-health-checks.yaml|client-name-client-folder-fwpol-goto-next-for-lb-health-checks-fwr| +|SC-7(11)|./client-folder/firewall-policy/rules/os-updates.yaml|client-name-client-folder-fwpol-allow-os-updates-fwr| 
+|SC-7(11)|./client-folder/firewall-policy/rules/os-updates.yaml|client-name-client-folder-fwpol-allow-os-updates-fwr| +|SC-7(11)|./client-folder/standard/applications-infrastructure/firewall-policy/policy.yaml|client-name-standard-applications-infrastructure-fwpol| +|SC-7(11)|./client-folder/standard/applications-infrastructure/firewall-policy/policy.yaml|client-name-standard-applications-infrastructure-fwpol| +|SC-7(11)|./client-folder/standard/applications-infrastructure/firewall-policy/policy.yaml|client-name-standard-applications-infrastructure-fwpol-association| +|SC-7(11)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-deny-known-malicious-ip-egress-fwr| +|SC-7(11)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-deny-known-malicious-ip-ingress-fwr| +|SC-7(11)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-exclude-private-ip-ranges-egress-fwr| +|SC-7(11)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-exclude-private-ip-ranges-egress-fwr| +|SC-7(11)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-exclude-private-ip-ranges-ingress-fwr| +|SC-7(11)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/iap.yaml|client-name-standard-applications-infrastructure-fwpol-goto-next-for-iap-fwr| +|SC-7(11)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/iap.yaml|client-name-standard-applications-infrastructure-fwpol-goto-next-for-iap-fwr| 
+|SC-7(11)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/lb-health-checks.yaml|client-name-standard-applications-infrastructure-fwpol-goto-next-for-lb-health-checks-fwr| +|SC-7(11)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/lb-health-checks.yaml|client-name-standard-applications-infrastructure-fwpol-goto-next-for-lb-health-checks-fwr| +|SC-7(11)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-egress-deny-fwr| +|SC-7(11)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-egress-deny-fwr| +|SC-7(11)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-ingress-deny-fwr| +|SC-7(11)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-ingress-deny-fwr| +|SC-7(11)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-egress-allow-all-internal-fwr| +|SC-7(11)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-egress-allow-all-internal-fwr| +|SC-7(11)|./client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis/firewall.yaml|host-project-id-standard-egress-allow-psc-fwr| +|SC-7(11)|./client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis/firewall.yaml|host-project-id-standard-egress-allow-psc-fwr| +|SC-7(11)|./client-folder/standard/firewall-policy/policy.yaml|client-name-standard-fwpol| +|SC-7(11)|./client-folder/standard/firewall-policy/policy.yaml|client-name-standard-fwpol| +|SC-7(11)|./client-folder/standard/firewall-policy/policy.yaml|client-name-standard-fwpol-association| 
+|SC-7(11)|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-nonp-fwr| +|SC-7(11)|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-nonp-fwr| +|SC-7(11)|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-pbmm-fwr| +|SC-7(5)|./client-folder/firewall-policy/policy.yaml|client-name-client-folder-fwpol| +|SC-7(5)|./client-folder/firewall-policy/policy.yaml|client-name-client-folder-fwpol| +|SC-7(5)|./client-folder/firewall-policy/policy.yaml|client-name-client-folder-fwpol-association| +|SC-7(5)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-deny-sanctioned-countries-ingress-fwr| +|SC-7(5)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-deny-tor-nodes-ingress-traffic-fwr| +|SC-7(5)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-exclude-private-ip-ranges-egress-fwr| +|SC-7(5)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-exclude-private-ip-ranges-egress-fwr| +|SC-7(5)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-exclude-private-ip-ranges-ingress-fwr| +|SC-7(5)|./client-folder/firewall-policy/rules/iap.yaml|client-name-client-folder-fwpol-goto-next-for-iap-fwr| +|SC-7(5)|./client-folder/firewall-policy/rules/iap.yaml|client-name-client-folder-fwpol-goto-next-for-iap-fwr| +|SC-7(5)|./client-folder/firewall-policy/rules/lb-health-checks.yaml|client-name-client-folder-fwpol-goto-next-for-lb-health-checks-fwr| +|SC-7(5)|./client-folder/firewall-policy/rules/lb-health-checks.yaml|client-name-client-folder-fwpol-goto-next-for-lb-health-checks-fwr| +|SC-7(5)|./client-folder/firewall-policy/rules/os-updates.yaml|client-name-client-folder-fwpol-allow-os-updates-fwr| 
+|SC-7(5)|./client-folder/firewall-policy/rules/os-updates.yaml|client-name-client-folder-fwpol-allow-os-updates-fwr| +|SC-7(5)|./client-folder/standard/applications-infrastructure/firewall-policy/policy.yaml|client-name-standard-applications-infrastructure-fwpol| +|SC-7(5)|./client-folder/standard/applications-infrastructure/firewall-policy/policy.yaml|client-name-standard-applications-infrastructure-fwpol| +|SC-7(5)|./client-folder/standard/applications-infrastructure/firewall-policy/policy.yaml|client-name-standard-applications-infrastructure-fwpol-association| +|SC-7(5)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-deny-known-malicious-ip-egress-fwr| +|SC-7(5)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-deny-known-malicious-ip-ingress-fwr| +|SC-7(5)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-exclude-private-ip-ranges-egress-fwr| +|SC-7(5)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-exclude-private-ip-ranges-egress-fwr| +|SC-7(5)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-exclude-private-ip-ranges-ingress-fwr| +|SC-7(5)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/iap.yaml|client-name-standard-applications-infrastructure-fwpol-goto-next-for-iap-fwr| +|SC-7(5)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/iap.yaml|client-name-standard-applications-infrastructure-fwpol-goto-next-for-iap-fwr| 
+|SC-7(5)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/lb-health-checks.yaml|client-name-standard-applications-infrastructure-fwpol-goto-next-for-lb-health-checks-fwr| +|SC-7(5)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/lb-health-checks.yaml|client-name-standard-applications-infrastructure-fwpol-goto-next-for-lb-health-checks-fwr| |SC-7(5)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-egress-deny-fwr| +|SC-7(5)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-egress-deny-fwr| +|SC-7(5)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-ingress-deny-fwr| +|SC-7(5)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-ingress-deny-fwr| +|SC-7(5)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-egress-allow-all-internal-fwr| |SC-7(5)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-egress-allow-all-internal-fwr| |SC-7(5)|./client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis/firewall.yaml|host-project-id-standard-egress-allow-psc-fwr| +|SC-7(5)|./client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis/firewall.yaml|host-project-id-standard-egress-allow-psc-fwr| |SC-7(5)|./client-folder/standard/applications-infrastructure/host-project/network/vpc.yaml|host-project-id-global-standard-vpc| -|SC-7(C)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-egress-deny-fwr| 
-|SC-7(C)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-egress-allow-all-internal-fwr| -|SC-7(C)|./client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis/firewall.yaml|host-project-id-standard-egress-allow-psc-fwr| +|SC-7(5)|./client-folder/standard/firewall-policy/policy.yaml|client-name-standard-fwpol| +|SC-7(5)|./client-folder/standard/firewall-policy/policy.yaml|client-name-standard-fwpol| +|SC-7(5)|./client-folder/standard/firewall-policy/policy.yaml|client-name-standard-fwpol-association| +|SC-7(5)|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-nonp-fwr| +|SC-7(5)|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-nonp-fwr| +|SC-7(5)|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-pbmm-fwr| +|SC-7(8)|./client-folder/firewall-policy/policy.yaml|client-name-client-folder-fwpol| +|SC-7(8)|./client-folder/firewall-policy/policy.yaml|client-name-client-folder-fwpol| +|SC-7(8)|./client-folder/firewall-policy/policy.yaml|client-name-client-folder-fwpol-association| +|SC-7(8)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-deny-sanctioned-countries-ingress-fwr| +|SC-7(8)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-deny-tor-nodes-ingress-traffic-fwr| +|SC-7(8)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-exclude-private-ip-ranges-egress-fwr| +|SC-7(8)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-exclude-private-ip-ranges-egress-fwr| +|SC-7(8)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-exclude-private-ip-ranges-ingress-fwr| 
+|SC-7(8)|./client-folder/firewall-policy/rules/iap.yaml|client-name-client-folder-fwpol-goto-next-for-iap-fwr| +|SC-7(8)|./client-folder/firewall-policy/rules/iap.yaml|client-name-client-folder-fwpol-goto-next-for-iap-fwr| +|SC-7(8)|./client-folder/firewall-policy/rules/lb-health-checks.yaml|client-name-client-folder-fwpol-goto-next-for-lb-health-checks-fwr| +|SC-7(8)|./client-folder/firewall-policy/rules/lb-health-checks.yaml|client-name-client-folder-fwpol-goto-next-for-lb-health-checks-fwr| +|SC-7(8)|./client-folder/firewall-policy/rules/os-updates.yaml|client-name-client-folder-fwpol-allow-os-updates-fwr| +|SC-7(8)|./client-folder/firewall-policy/rules/os-updates.yaml|client-name-client-folder-fwpol-allow-os-updates-fwr| +|SC-7(8)|./client-folder/standard/applications-infrastructure/firewall-policy/policy.yaml|client-name-standard-applications-infrastructure-fwpol| +|SC-7(8)|./client-folder/standard/applications-infrastructure/firewall-policy/policy.yaml|client-name-standard-applications-infrastructure-fwpol| +|SC-7(8)|./client-folder/standard/applications-infrastructure/firewall-policy/policy.yaml|client-name-standard-applications-infrastructure-fwpol-association| +|SC-7(8)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-deny-known-malicious-ip-egress-fwr| +|SC-7(8)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-deny-known-malicious-ip-ingress-fwr| +|SC-7(8)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-exclude-private-ip-ranges-egress-fwr| +|SC-7(8)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-exclude-private-ip-ranges-egress-fwr| 
+|SC-7(8)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-exclude-private-ip-ranges-ingress-fwr| +|SC-7(8)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/iap.yaml|client-name-standard-applications-infrastructure-fwpol-goto-next-for-iap-fwr| +|SC-7(8)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/iap.yaml|client-name-standard-applications-infrastructure-fwpol-goto-next-for-iap-fwr| +|SC-7(8)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/lb-health-checks.yaml|client-name-standard-applications-infrastructure-fwpol-goto-next-for-lb-health-checks-fwr| +|SC-7(8)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/lb-health-checks.yaml|client-name-standard-applications-infrastructure-fwpol-goto-next-for-lb-health-checks-fwr| +|SC-7(8)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-egress-deny-fwr| +|SC-7(8)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-egress-deny-fwr| +|SC-7(8)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-ingress-deny-fwr| +|SC-7(8)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-ingress-deny-fwr| +|SC-7(8)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-egress-allow-all-internal-fwr| +|SC-7(8)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-egress-allow-all-internal-fwr| +|SC-7(8)|./client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis/firewall.yaml|host-project-id-standard-egress-allow-psc-fwr| 
+|SC-7(8)|./client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis/firewall.yaml|host-project-id-standard-egress-allow-psc-fwr| +|SC-7(8)|./client-folder/standard/firewall-policy/policy.yaml|client-name-standard-fwpol| +|SC-7(8)|./client-folder/standard/firewall-policy/policy.yaml|client-name-standard-fwpol| +|SC-7(8)|./client-folder/standard/firewall-policy/policy.yaml|client-name-standard-fwpol-association| +|SC-7(8)|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-nonp-fwr| +|SC-7(8)|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-nonp-fwr| +|SC-7(8)|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-pbmm-fwr| +|SC-7(9)|./client-folder/firewall-policy/policy.yaml|client-name-client-folder-fwpol| +|SC-7(9)|./client-folder/firewall-policy/policy.yaml|client-name-client-folder-fwpol| +|SC-7(9)|./client-folder/firewall-policy/policy.yaml|client-name-client-folder-fwpol-association| +|SC-7(9)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-deny-sanctioned-countries-ingress-fwr| +|SC-7(9)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-deny-tor-nodes-ingress-traffic-fwr| +|SC-7(9)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-exclude-private-ip-ranges-egress-fwr| +|SC-7(9)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-exclude-private-ip-ranges-egress-fwr| +|SC-7(9)|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-exclude-private-ip-ranges-ingress-fwr| +|SC-7(9)|./client-folder/firewall-policy/rules/iap.yaml|client-name-client-folder-fwpol-goto-next-for-iap-fwr| +|SC-7(9)|./client-folder/firewall-policy/rules/iap.yaml|client-name-client-folder-fwpol-goto-next-for-iap-fwr| 
+|SC-7(9)|./client-folder/firewall-policy/rules/lb-health-checks.yaml|client-name-client-folder-fwpol-goto-next-for-lb-health-checks-fwr| +|SC-7(9)|./client-folder/firewall-policy/rules/lb-health-checks.yaml|client-name-client-folder-fwpol-goto-next-for-lb-health-checks-fwr| +|SC-7(9)|./client-folder/firewall-policy/rules/os-updates.yaml|client-name-client-folder-fwpol-allow-os-updates-fwr| +|SC-7(9)|./client-folder/firewall-policy/rules/os-updates.yaml|client-name-client-folder-fwpol-allow-os-updates-fwr| +|SC-7(9)|./client-folder/standard/applications-infrastructure/firewall-policy/policy.yaml|client-name-standard-applications-infrastructure-fwpol| +|SC-7(9)|./client-folder/standard/applications-infrastructure/firewall-policy/policy.yaml|client-name-standard-applications-infrastructure-fwpol| +|SC-7(9)|./client-folder/standard/applications-infrastructure/firewall-policy/policy.yaml|client-name-standard-applications-infrastructure-fwpol-association| +|SC-7(9)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-deny-known-malicious-ip-egress-fwr| +|SC-7(9)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-deny-known-malicious-ip-ingress-fwr| +|SC-7(9)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-exclude-private-ip-ranges-egress-fwr| +|SC-7(9)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-exclude-private-ip-ranges-egress-fwr| +|SC-7(9)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-exclude-private-ip-ranges-ingress-fwr| 
+|SC-7(9)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/iap.yaml|client-name-standard-applications-infrastructure-fwpol-goto-next-for-iap-fwr| +|SC-7(9)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/iap.yaml|client-name-standard-applications-infrastructure-fwpol-goto-next-for-iap-fwr| +|SC-7(9)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/lb-health-checks.yaml|client-name-standard-applications-infrastructure-fwpol-goto-next-for-lb-health-checks-fwr| +|SC-7(9)|./client-folder/standard/applications-infrastructure/firewall-policy/rules/lb-health-checks.yaml|client-name-standard-applications-infrastructure-fwpol-goto-next-for-lb-health-checks-fwr| +|SC-7(9)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-egress-deny-fwr| +|SC-7(9)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-egress-deny-fwr| +|SC-7(9)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-ingress-deny-fwr| +|SC-7(9)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-ingress-deny-fwr| +|SC-7(9)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-egress-allow-all-internal-fwr| +|SC-7(9)|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-egress-allow-all-internal-fwr| +|SC-7(9)|./client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis/firewall.yaml|host-project-id-standard-egress-allow-psc-fwr| +|SC-7(9)|./client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis/firewall.yaml|host-project-id-standard-egress-allow-psc-fwr| 
+|SC-7(9)|./client-folder/standard/firewall-policy/policy.yaml|client-name-standard-fwpol| +|SC-7(9)|./client-folder/standard/firewall-policy/policy.yaml|client-name-standard-fwpol| +|SC-7(9)|./client-folder/standard/firewall-policy/policy.yaml|client-name-standard-fwpol-association| +|SC-7(9)|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-nonp-fwr| +|SC-7(9)|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-nonp-fwr| +|SC-7(9)|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-pbmm-fwr| - diff --git a/solutions/client-landing-zone/setters.yaml b/solutions/client-landing-zone/setters.yaml index 348a3356d..35dfa96bb 100644 --- a/solutions/client-landing-zone/setters.yaml +++ b/solutions/client-landing-zone/setters.yaml @@ -90,8 +90,8 @@ data: standard-nane1-pbmm-main-snet: 10.1.128.0/21 # Subnet IP range for pbmm-main in northamerica-northeast2 standard-nane2-pbmm-main-snet: 10.1.136.0/21 - # Destination ranges for the egress allow all internal firewall rule - firewall-egress-allow-all-internal: | + # A list of internal IP ranges used by firewall rules + firewall-internal-ip-ranges: | - 10.0.0.0/8 - 172.16.0.0/12 - 192.168.0.0/16 @@ -104,12 +104,9 @@ data: # Deny sanctioned countries ingress traffic # https://cloud.google.com/firewall/docs/firewall-policies-rule-details#geo-location-object # https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements - # The list below is Google's default, modify as required + # The list below MUST BE reconfigured. If the value stays XX it will fail reconciliation with an error for unrecognized country. denied-sanctioned-countries: | - - "CU" - - "IR" - - "KP" - - "SY" + - "XX" # # Allowed domain names for os updates # The list below is an example for Debian and Ubuntu, modify as per trusted images
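Review bot: The new comment `# A list of internal IP ranges used by firewall rules` drops the information the old one carried about which rule consumes this list and in which direction, at the point where the value is being turned into a shared setter. Since one list now feeds more than one rule, a range added or removed here changes every rule that references it, which is worth saying next to the value. Suggest `# Internal IP ranges shared by the firewall rules in this package; editing this list changes every rule that references firewall-internal-ip-ranges`. The remaining entries of the list continue past the end of this hunk.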
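Review bot: The placeholder `"XX"` makes a forgotten customization fail at reconciliation, which is a sound fail-closed default, but the comment above it only describes the failure and not what a valid entry looks like or what the rule does when the list is left empty. Suggest extending the comment to `# Replace "XX" with the ISO 3166-1 alpha-2 codes to deny (see the links above); "XX" is intentionally invalid so an unconfigured package fails to reconcile instead of applying the geo-deny rule with an unintended scope`. Whether an empty list disables the deny rule or is rejected as well is not visible in this hunk; the comment should state which, since that is the other way an operator can silently lose the control.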