edit setters comments and security control comments for core-landing-zone pkg
alaincormier-ssc committed Oct 18, 2023
1 parent 3e03a6f commit 440ea1e
Showing 26 changed files with 437 additions and 115 deletions.
Expand Up @@ -14,7 +14,8 @@
######
# Cloud Logging bucket for Security logs: Cloud Audit, Access Transparency Logs, and Data Access Logs
# Logs are routed using a log sink to a central logging project into a dedicated log bucket
# AU-4(1), AU-9(2) - Log buckets are created in a logging project, isolating them from the source of the log entries in other projects
# AU-7, AU-9 - The log buckets created within the Logging project are immutable (AU-7(B)). These buckets have a retention policy of 365 days and IAM Policy that defines who has access to the bucket (AU-9)
# AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket
apiVersion: logging.cnrm.cloud.google.com/v1beta1
kind: LoggingLogBucket
metadata:
Expand All @@ -23,17 +24,19 @@ metadata:
annotations:
config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id} # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id}
spec:
# AU-4(1), AU-6(4), AU-9(2)
projectRef:
name: logging-project-id # kpt-set: ${logging-project-id}
namespace: projects
location: northamerica-northeast1
description: Cloud Logging bucket for Security logs
# Implement retention policy and retention locking policy
# AU-9, AU-11 - RetentionDays sets the policy where existing log content cannot be changed/deleted for the specified number of days (from setters.yaml), locked setting means policy cannot be changed, ensuring immutability.
# Implement retention locking policy and number of retention days
# AU-7, AU-9
locked: false # kpt-set: ${retention-locking-policy}
retentionDays: 1 # kpt-set: ${retention-in-days}
---
# Cloud Logging bucket for Platform and Component logs
# Logs are routed using a log sink to a central logging project into a dedicated log bucket
apiVersion: logging.cnrm.cloud.google.com/v1beta1
kind: LoggingLogBucket
metadata:
Expand All @@ -42,12 +45,13 @@ metadata:
annotations:
config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id} # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id}
spec:
# AU-4(1), AU-6(4), AU-9(2)
projectRef:
name: logging-project-id # kpt-set: ${logging-project-id}
namespace: projects
location: northamerica-northeast1
description: Cloud Logging bucket for Platform and Component logs
# Implement retention policy and retention locking policy
# AU-9, AU-11
# Implement retention locking policy and number of retention days
# AU-7, AU-9
locked: false # kpt-set: ${retention-locking-policy}
retentionDays: 1 # kpt-set: ${retention-in-days}
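Review bot: The AU-7/AU-9 comment on the first bucket says the buckets are immutable with a 365-day retention, but the values committed on the `locked` and `retentionDays` lines are `false` and `1`, so the stated control only holds once the `retention-locking-policy` and `retention-in-days` setters (defined in setters.yaml, outside this hunk) are applied, and an unlocked bucket's retention can still be shortened by anyone with update rights on it. I would say so next to the values, e.g. `# Immutability (AU-9) depends on the setter values: locked=true is irreversible and prevents shortening retention; the values below are placeholders`. The replaced comment also cited AU-11 (Audit Record Retention), which is the control `retentionDays` actually implements; swapping it for AU-7, whose (b) clause concerns not altering records, appears to drop the retention mapping, so `# AU-7, AU-9, AU-11` reads as the more complete annotation. The same applies to the second bucket in this file.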
Expand Up @@ -13,7 +13,8 @@
# limitations under the License.
######
# Logs Bucket writer IAM permissions for security log sink
# Binds the generated writer identity from the LoggingLogSink to the logging project
# Binds the service account dynamically created with the LoggingLogSink to the required role to write to the bucket
# AU-9, AC-3 - IAM Policy that assigns the dynamically created service account with the LoggingLogSink to the logging bucket writer role
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
Expand All @@ -26,7 +27,7 @@ spec:
kind: Project
name: logging-project-id # kpt-set: ${logging-project-id}
namespace: projects
# AC-3(7) ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL
# AU-9, AC-3
bindings:
- role: roles/logging.bucketWriter
members:
Expand All @@ -36,8 +37,7 @@ spec:
namespace: logging
---
# Logs Bucket writer IAM permissions for the platform and component log sinks
# Binds the generated writer identity from the LoggingLogSink to the logging project
# AC-3(7) - Write access to the logging buckets is limited by IAM to just the identities of the log sinks configured to send logs to the buckets (set at the logging project level)
# Binds the service account dynamically created with the LoggingLogSink to the required role to write to the bucket
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
Expand All @@ -50,7 +50,7 @@ spec:
kind: Project
name: logging-project-id # kpt-set: ${logging-project-id}
namespace: projects
# AC-3(7) ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL
# AU-9, AC-3
bindings:
- role: roles/logging.bucketWriter
members:
Expand All @@ -60,8 +60,7 @@ spec:
namespace: logging
---
# Logs Bucket writer IAM permissions for the platform and component services log sinks
# Binds the generated writer identity from the LoggingLogSink to the logging project
# AC-3(7) - Write access to the logging buckets is limited by IAM to just the identities of the log sinks configured to send logs to the buckets (set at the logging project level)
# Binds the service account dynamically created with the LoggingLogSink to the required role to write to the bucket
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
Expand All @@ -74,7 +73,7 @@ spec:
kind: Project
name: logging-project-id # kpt-set: ${logging-project-id}
namespace: projects
# AC-3(7) ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL
# AU-9, AC-3
bindings:
- role: roles/logging.bucketWriter
members:
Expand All @@ -84,7 +83,7 @@ spec:
namespace: logging
---
# Logs Bucket writer IAM permissions for the platform and component log sink
# Binds the generated writer identity from the LoggingLogSink to the logging project
# Binds the service account dynamically created with the LoggingLogSink to the required role to write to the bucket
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
Expand All @@ -97,7 +96,7 @@ spec:
kind: Project
name: logging-project-id # kpt-set: ${logging-project-id}
namespace: projects
# AC-3(7)
# AU-9, AC-3
bindings:
- role: roles/logging.bucketWriter
members:
Expand All @@ -116,6 +115,7 @@ metadata:
config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id} # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id}
spec:
service: allServices
# AU-9, AC-3
auditLogConfigs:
- logType: ADMIN_READ
- logType: DATA_READ
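Review bot: The `roles/logging.bucketWriter` bindings in this file are granted on the logging project (`resourceRef.kind: Project`), so each sink's writer identity can write to every log bucket in that project, not only to "the bucket" the new comment describes; the removed AC-3(7) comment stated the intended restriction to the sinks' identities explicitly and the replacement no longer does. If one writer per bucket is the intent, an IAM condition on the binding scoped to the destination bucket's resource name would enforce it (I believe Cloud Logging's destination-permission docs describe a `resource.name.endsWith("/buckets/<bucket-id>")` condition for this role, worth confirming); otherwise the comment should state the actual scope, e.g. `# AU-9, AC-3 - Project-level bucketWriter grant: the writer identities of all sinks in this file can write to any bucket in the logging project`.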
Expand Up @@ -26,6 +26,7 @@ metadata:
cnrm.cloud.google.com/auto-create-network: 'false'
spec:
name: logging-project-id # kpt-set: ${logging-project-id}
# AU-4(1), AU-9(2)
folderRef:
name: audits
namespace: hierarchy

This file was deleted.

Expand Up @@ -13,7 +13,8 @@
# limitations under the License.
#########
# Public Core DNS zone
# SC-22
# SC-20 - This is Parent zone and purely related to core landing zone only. Supports DNSSEC from spoofing attacks
# Client applications will be using sub zones created under parent zone, however, their configuration will be application specific and will require seperate assessment
apiVersion: dns.cnrm.cloud.google.com/v1beta1
kind: DNSManagedZone
metadata:
Expand All @@ -27,6 +28,7 @@ spec:
resourceID: standard-core-public-dns
dnsName: "dns-name" # kpt-set: ${dns-name}
visibility: public
# SC-20
dnssecConfig:
state: "on"
cloudLoggingConfig:
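Review bot: `dnssecConfig.state: "on"` only signs the zone; resolvers will not validate it until the zone's DS record is published in the parent zone at the registrar, so the new SC-20 comment's "Supports DNSSEC from spoofing attacks" overstates what this manifest alone achieves, and the DS publication step is not visible in this package. I would add next to `dnssecConfig`: `# SC-20 - Signing is effective only once the DS record for ${dns-name} is published in the parent zone at the registrar; verify after deployment`. Minor wording in the new header comment: "Supports DNSSEC from spoofing attacks" should read "DNSSEC signing protects clients from spoofed responses", and "seperate" is a typo for "separate".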
Expand Up @@ -14,6 +14,9 @@
######
# Folder sink for Platform and Component logs of Services Resources
# Destination: Cloud Logging bucket hosted inside logging project
# AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the folder to send the logs to the logging bucket in the logging project
# AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket
# AU-12, AU-12(1) - Log Sinks defined in Log Router check each log entry against the inclusion filter and exclusion filter that determine which destinations that the log entry is sent to
apiVersion: logging.cnrm.cloud.google.com/v1beta1
kind: LoggingLogSink
metadata:
Expand All @@ -27,12 +30,13 @@ spec:
namespace: hierarchy
includeChildren: true
destination:
# AU-3, AU-3(1), AU-4(1), AU-6(4), AU-9(2)
loggingLogBucketRef:
# destination.loggingLogBucketRef
# Only `external` field is supported to configure the reference.
external: platform-and-component-log-bucket # kpt-set: logging.googleapis.com/projects/${logging-project-id}/locations/northamerica-northeast1/buckets/${platform-and-component-log-bucket}
description: Folder sink for Platform and Component logs of services Resources
# AU-2, AU-12(A), AU-12(C)
# AU-12, AU-12(1)
# No inclusion filter. Includes all Platform and Component logs
# Google Cloud platform logs are service-specific logs
# For a list of all supported Google Cloud Logging API Services visit https://cloud.google.com/logging/docs/api/platform-logs
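Review bot: The added line "AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region" contradicts the file's own description two lines above it (a folder sink routing into a central logging project): AU-9(2) is satisfied precisely because the destination bucket lives in a different project from the log sources, which the `external:` path under `loggingLogBucketRef` shows. I would rewrite it as `# AU-4(1), AU-6(4), AU-9(2) - Destination is a log bucket in the central logging project, separate from the source projects, in the same region`. The AU-12(1) mapping on the filter comment also looks doubtful: AU-12(1) is the system-wide, time-correlated audit trail, while choosing which entries a sink routes is closer to AU-2 / AU-12(a),(c) as the replaced comment had it; worth confirming against the control mapping before the old reference is dropped.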
Expand Up @@ -14,6 +14,9 @@
######
# Folder sink for Platform and Component logs of Services Resources
# Destination: Cloud Logging bucket hosted inside logging project
# AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the folder to send the logs to the logging bucket in the logging project
# AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket
# AU-12, AU-12(1) - Log Sinks defined in Log Router check each log entry against the inclusion filter and exclusion filter that determine which destinations that the log entry is sent to
apiVersion: logging.cnrm.cloud.google.com/v1beta1
kind: LoggingLogSink
metadata:
Expand All @@ -27,12 +30,13 @@ spec:
namespace: hierarchy
includeChildren: true
destination:
# AU-3, AU-3(1), AU-4(1), AU-6(4), AU-9(2)
loggingLogBucketRef:
# destination.loggingLogBucketRef
# Only `external` field is supported to configure the reference.
external: platform-and-component-log-bucket # kpt-set: logging.googleapis.com/projects/${logging-project-id}/locations/northamerica-northeast1/buckets/${platform-and-component-log-bucket}
description: Folder sink for Platform and Component logs of services Resources
# AU-2, AU-12(A), AU-12(C)
# AU-12, AU-12(1)
# No inclusion filter. Includes all Platform and Component logs
# Google Cloud platform logs are service-specific logs
# For a list of all supported Google Cloud Logging API Services visit https://cloud.google.com/logging/docs/api/platform-logs
7 changes: 6 additions & 1 deletion solutions/core-landing-zone/mgmt-project/project-sink.yaml
Expand Up @@ -14,6 +14,9 @@
######
# Project sink for the Platform and Component logs of the Landing Zone Management Cluster
# Destination: Cloud Logging bucket hosted inside logging project
# AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the folder to send the logs to the logging bucket in the logging project
# AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket
# AU-12, AU-12(1) - Log Sinks defined in Log Router check each log entry against the inclusion filter and exclusion filter that determine which destinations that the log entry is sent to
apiVersion: logging.cnrm.cloud.google.com/v1beta1
kind: LoggingLogSink
metadata:
Expand All @@ -25,13 +28,14 @@ spec:
projectRef:
external: management-project-12345 # kpt-set: ${management-project-id}
destination:
# AU-3, AU-3(1), AU-4(1), AU-6(4), AU-9(2)
loggingLogBucketRef:
external: logging.googleapis.com/projects/${logging-project-id}/locations/northamerica-northeast1/buckets/${platform-and-component-log-bucket} # kpt-set: logging.googleapis.com/projects/${logging-project-id}/locations/northamerica-northeast1/buckets/${platform-and-component-log-bucket}
# The following setting is required
# You must set unique_writer_identity to true if you wish to publish logs across projects
uniqueWriterIdentity: true
description: Project sink for Platform and Component logs of the Landing Zone Management Cluster
# AU-2, AU-12(A), AU-12(C)
# AU-12, AU-12(1)
# No inclusion filter. Includes all Platform and Component logs
# Google Cloud platform logs are service-specific logs
# For a list of all supported Google Cloud Logging API Services visit https://cloud.google.com/logging/docs/api/platform-logs
Expand Down Expand Up @@ -74,6 +78,7 @@ spec:
destination:
# destination.loggingLogBucketRef
# Only `external` field is supported to configure the reference.
# AU-3, AU-3(1), AU-4(1), AU-6(4), AU-9(2)
loggingLogBucketRef:
external: logging.googleapis.com/projects/${logging-project-id}/locations/northamerica-northeast1/buckets/_Default # kpt-set: logging.googleapis.com/projects/${logging-project-id}/locations/northamerica-northeast1/buckets/_Default
resourceID: _Default
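Review bot: The AU-3 comment added to the first sink in this file says "Sink defined at folder that will allow all the projects underneath the folder to send the logs", but this is a project sink: the header calls it a "Project sink" and `spec.projectRef` scopes it to the management project, so the text was copied from the folder-sink files and is wrong here. Replace it with `# AU-3, AU-3(1) - Project sink: routes this project's Platform and Component logs to the logging bucket in the logging project`. The "same project in same region" wording on the AU-4(1)/AU-6(4)/AU-9(2) line has the same problem as in the folder-sink files: the destination is a bucket in a different project, which is what the AU-9(2) isolation claim rests on.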
8 changes: 5 additions & 3 deletions solutions/core-landing-zone/namespaces/gatekeeper-system.yaml
Expand Up @@ -17,7 +17,7 @@
# to implement Policy Controller Metrics and avoid numerous IAM errors on the Config Controller instance.
#########
# GCP SA
# AC-3(7) - Creates lower priv service account for Policy Controller metrics
# AC-3(7), AC-3, AC-16(2) - This service account possesses limited privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the namespace and is assigned roles as required.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
Expand All @@ -27,10 +27,10 @@ metadata:
cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id}
cnrm.cloud.google.com/ignore-clusterless: "true"
spec:
# AC-3(7), AC-3, AC-16(2)
displayName: gatekeeper-admin-sa
---
# Grant GCP role Metrics Writer to gatekeeper-admin SA on KCC Project
# AC-3(7) - RBAC role to account with required permissions for Policy Controller metrics
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
Expand All @@ -44,10 +44,10 @@ spec:
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
external: management-project-id # kpt-set: ${management-project-id}
# AC-3(7), AC-3, AC-16(2)
role: roles/monitoring.metricWriter
member: "serviceAccount:gatekeeper-admin-sa@management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:gatekeeper-admin-sa@${management-project-id}.iam.gserviceaccount.com
---
# K8S SA
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
Expand All @@ -61,6 +61,7 @@ spec:
name: gatekeeper-admin-sa
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
# AC-3(7), AC-3, AC-16(2)
bindings:
- role: roles/iam.workloadIdentityUser
members:
Expand All @@ -75,4 +76,5 @@ metadata:
annotations:
cnrm.cloud.google.com/ignore-clusterless: "true"
spec:
# AC-3(7), AC-3, AC-16(2)
googleServiceAccount: gatekeeper-admin-sa@management-project-id.iam.gserviceaccount.com # kpt-set: gatekeeper-admin-sa@${management-project-id}.iam.gserviceaccount.com
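Review bot: The new header comment claims the service account "is restricted to performing only the necessary operations for resources within the designated namespace", but the only GCP grant visible here is `roles/monitoring.metricWriter` on the whole management project (`resourceRef.kind: Project`), so namespace scoping comes only from the Kubernetes side via the `roles/iam.workloadIdentityUser` binding, whose members are cut off at the end of the hunk. I would separate the two, e.g. `# AC-3(7), AC-6 - GCP side: metricWriter on the management project only; namespace restriction is enforced by the workloadIdentityUser binding to the gatekeeper-system KSA, not by GCP IAM`. AC-16(2) (Security and Privacy Attributes, attribute value changes by authorized individuals) does not appear to describe a least-privilege service account at all; AC-6 / AC-6(1) is the control I would expect, so please confirm the mapping before it is repeated on four resources in this file.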
