From 440ea1e565002d31083763c4e9434bfcdec6bf9c Mon Sep 17 00:00:00 2001 From: alaincormier-ssc <94859304+alaincormier-ssc@users.noreply.github.com> Date: Wed, 18 Oct 2023 11:37:40 +0000 Subject: [PATCH] edit setters comments and security control comments for core-landing-zone pkg --- .../cloud-logging-buckets.yaml | 14 +- .../audits/logging-project/project-iam.yaml | 20 +- .../audits/logging-project/project.yaml | 1 + .../logging-project/securitycontrols.md | 48 --- .../dns-project/dns.yaml | 4 +- .../services-infrastructure/folder-sink.yaml | 6 +- .../lz-folder/services/folder-sink.yaml | 6 +- .../mgmt-project/project-sink.yaml | 7 +- .../namespaces/gatekeeper-system.yaml | 8 +- .../namespaces/hierarchy.yaml | 14 +- .../core-landing-zone/namespaces/logging.yaml | 10 +- .../namespaces/management-namespace.yaml | 4 + .../namespaces/networking.yaml | 13 +- .../namespaces/policies.yaml | 7 +- .../namespaces/projects.yaml | 15 +- .../org/custom-roles/gke-firewall-admin.yaml | 2 + .../custom-roles/tier2-dnsrecord-admin.yaml | 2 + .../custom-roles/tier2-vpcpeering-admin.yaml | 2 + .../custom-roles/tier3-dnsrecord-admin.yaml | 2 + .../tier3-firewallrule-admin.yaml | 2 + .../custom-roles/tier3-subnetwork-admin.yaml | 2 + .../org/custom-roles/tier3-vpcsc-admin.yaml | 2 + .../tier4-secretmanager-admin.yaml | 2 + solutions/core-landing-zone/org/org-sink.yaml | 7 +- .../core-landing-zone/securitycontrols.md | 308 ++++++++++++++++-- solutions/core-landing-zone/setters.yaml | 44 ++- 26 files changed, 437 insertions(+), 115 deletions(-) delete mode 100644 solutions/core-landing-zone/lz-folder/audits/logging-project/securitycontrols.md diff --git a/solutions/core-landing-zone/lz-folder/audits/logging-project/cloud-logging-buckets.yaml b/solutions/core-landing-zone/lz-folder/audits/logging-project/cloud-logging-buckets.yaml index 4dc82c2d2..669d6ffa8 100644 --- a/solutions/core-landing-zone/lz-folder/audits/logging-project/cloud-logging-buckets.yaml 
+++ b/solutions/core-landing-zone/lz-folder/audits/logging-project/cloud-logging-buckets.yaml @@ -14,7 +14,8 @@ ###### # Cloud Logging bucket for Security logs: Cloud Audit, Access Transparency Logs, and Data Access Logs # Logs are routed using a log sink to a central logging project into a dedicated log bucket -# AU-4(1), AU-9(2) - Log buckets are created in a logging project, isolating them from the source of the log entries in other projects +# AU-7, AU-9 - The log buckets created within the Logging project are immutable (AU-7(B)). These buckets have a retention policy of 365 days and IAM Policy that defines who has access to the bucket (AU-9) +# AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket apiVersion: logging.cnrm.cloud.google.com/v1beta1 kind: LoggingLogBucket metadata: 
@@ -23,17 +24,19 @@ metadata: annotations: config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id} # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id} spec: + # AU-4(1), AU-6(4), AU-9(2) projectRef: name: logging-project-id # kpt-set: ${logging-project-id} namespace: projects location: northamerica-northeast1 description: Cloud Logging bucket for Security logs - # Implement retention policy and retention locking policy - # AU-9, AU-11 - RetentionDays sets the policy where existing log content cannot be changed/deleted for the specified number of days (from setters.yaml), locked setting means policy cannot be changed, ensuring immutability. + # Implement retention locking policy and number of retention days + # AU-7, AU-9 locked: false # kpt-set: ${retention-locking-policy} retentionDays: 1 # kpt-set: ${retention-in-days} --- # Cloud Logging bucket for Platform and Component logs +# Logs are routed using a log sink to a central logging project into a dedicated log bucket apiVersion: logging.cnrm.cloud.google.com/v1beta1 kind: LoggingLogBucket metadata: @@ -42,12 +45,13 @@ metadata: annotations: config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id} # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id} spec: + # AU-4(1), AU-6(4), AU-9(2) projectRef: name: logging-project-id # kpt-set: ${logging-project-id} namespace: projects location: northamerica-northeast1 description: Cloud Logging bucket for Platform and Component logs - # Implement retention policy and retention locking policy - # AU-9, AU-11 + # Implement retention locking policy and number of retention days + # AU-7, AU-9 locked: false # kpt-set: ${retention-locking-policy} retentionDays: 1 # kpt-set: ${retention-in-days} 
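Review bot: The new header comment asserts the buckets are immutable with a 365-day retention, but the resources below still ship `locked: false # kpt-set: ${retention-locking-policy}` and `retentionDays: 1 # kpt-set: ${retention-in-days}`, so both properties hold only if the setters are actually set to `true` and `365`; an assessor reading the comment alone would be misled. I would phrase it conditionally and keep it next to the fields, e.g. `# AU-9, AU-11 - Retention is ${retention-in-days} days; existing log content is immutable only when ${retention-locking-policy} is true (both from setters.yaml)`. The commit also drops the AU-11 tag from the retention lines although AU-11 (audit record retention) is what `retentionDays` implements, and the replacement `# AU-7, AU-9` comment no longer explains what `locked` does; if the re-mapping to AU-7(b) is deliberate, at least restore that one-line explanation.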
diff --git a/solutions/core-landing-zone/lz-folder/audits/logging-project/project-iam.yaml b/solutions/core-landing-zone/lz-folder/audits/logging-project/project-iam.yaml index c7a6d7889..4db7d9cf1 100644 --- a/solutions/core-landing-zone/lz-folder/audits/logging-project/project-iam.yaml +++ b/solutions/core-landing-zone/lz-folder/audits/logging-project/project-iam.yaml @@ -13,7 +13,8 @@ # limitations under the License. ###### # Logs Bucket writer IAM permissions for security log sink -# Binds the generated writer identity from the LoggingLogSink to the logging project +# Binds the service account dynamically created with the LoggingLogSink to the required role to write to the bucket +# AU-9, AC-3 - IAM Policy that assigns the dynamically created service account with the LoggingLogSink to the logging bucket writer role apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPartialPolicy metadata: @@ -26,7 +27,7 @@ spec: kind: Project name: logging-project-id # kpt-set: ${logging-project-id} namespace: projects - # AC-3(7) ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL + # AU-9, AC-3 bindings: - role: roles/logging.bucketWriter members: @@ -36,8 +37,7 @@ spec: namespace: logging --- # Logs Bucket writer IAM permissions for the platform and component log sinks -# Binds the generated writer identity from the LoggingLogSink to the logging project -# AC-3(7) - Write access to the logging buckets is limited by IAM to just the identities of the log sinks configured to send logs to the buckets (set at the logging project level) +# Binds the service account dynamically created with the LoggingLogSink to the required role to write to the bucket apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPartialPolicy metadata: @@ -50,7 +50,7 @@ spec: kind: Project name: logging-project-id # kpt-set: ${logging-project-id} namespace: projects - # AC-3(7) ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL + # AU-9, AC-3 bindings: - role: roles/logging.bucketWriter members: 
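Review bot: The rewritten headers on the second and later IAMPartialPolicy blocks drop the one sentence that justified the binding — that write access to the buckets is limited by IAM to the sink identities — and the replacement `# AU-9, AC-3` tag carries no rationale. The binding is also made on `kind: Project`, so the sink identity receives `roles/logging.bucketWriter` on every bucket in the logging project, not just "the bucket" the new comment names; the removed wording "(set at the logging project level)" was the accurate one. Suggest `# AU-9, AC-3(7) - Only the sinks' generated writer identities are granted roles/logging.bucketWriter, scoped to the logging project; no human principals are bound here`.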
@@ -60,8 +60,7 @@ spec: namespace: logging --- # Logs Bucket writer IAM permissions for the platform and component services log sinks -# Binds the generated writer identity from the LoggingLogSink to the logging project -# AC-3(7) - Write access to the logging buckets is limited by IAM to just the identities of the log sinks configured to send logs to the buckets (set at the logging project level) +# Binds the service account dynamically created with the LoggingLogSink to the required role to write to the bucket apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPartialPolicy metadata: @@ -74,7 +73,7 @@ spec: kind: Project name: logging-project-id # kpt-set: ${logging-project-id} namespace: projects - # AC-3(7) ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL + # AU-9, AC-3 bindings: - role: roles/logging.bucketWriter members: @@ -84,7 +83,7 @@ spec: namespace: logging --- # Logs Bucket writer IAM permissions for the platform and component log sink -# Binds the generated writer identity from the LoggingLogSink to the logging project +# Binds the service account dynamically created with the LoggingLogSink to the required role to write to the bucket apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPartialPolicy metadata: @@ -97,7 +96,7 @@ spec: kind: Project name: logging-project-id # kpt-set: ${logging-project-id} namespace: projects - # AC-3(7) + # AU-9, AC-3 bindings: - role: roles/logging.bucketWriter members: @@ -116,6 +115,7 @@ metadata: config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id} # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id} spec: service: allServices + # AU-9, AC-3 auditLogConfigs: - logType: ADMIN_READ - logType: DATA_READ diff --git a/solutions/core-landing-zone/lz-folder/audits/logging-project/project.yaml b/solutions/core-landing-zone/lz-folder/audits/logging-project/project.yaml index 91dc2dec8..5814093df 100644 
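Review bot: The `# AU-9, AC-3` tag added inside the `service: allServices` audit config does not describe what that resource does: enabling the `ADMIN_READ` and `DATA_READ` log types decides which events are recorded, which is the AU-2 / AU-12 mapping the deleted securitycontrols.md used, not protection of audit information or access enforcement. If the intent is that Data Access logs make reads of the log buckets themselves auditable, say so, e.g. `# AU-2, AU-12 - Data Access audit logs enabled for all services in the logging project so reads of the log buckets are themselves logged`. The `auditLogConfigs` list may continue past the end of the hunk.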
--- a/solutions/core-landing-zone/lz-folder/audits/logging-project/project.yaml +++ b/solutions/core-landing-zone/lz-folder/audits/logging-project/project.yaml @@ -26,6 +26,7 @@ metadata: cnrm.cloud.google.com/auto-create-network: 'false' spec: name: logging-project-id # kpt-set: ${logging-project-id} + # AU-4(1), AU-9(2) folderRef: name: audits namespace: hierarchy diff --git a/solutions/core-landing-zone/lz-folder/audits/logging-project/securitycontrols.md b/solutions/core-landing-zone/lz-folder/audits/logging-project/securitycontrols.md deleted file mode 100644 index b1bf11e52..000000000 --- a/solutions/core-landing-zone/lz-folder/audits/logging-project/securitycontrols.md +++ /dev/null 
@@ -1,48 +0,0 @@ -# Security Controls - -## AC-3(7) ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL - -AC-3(7) – Write access to the logs is constrained by IAM permissions to just the log sinks. -Added this control to project-iam.yaml in bindings where bucketWriter role is assigned. - -## AU-2 AUDITABLE EVENTS - -AU-2 – Event families being audited are set here. Added this control to lz-folder/services/folder-sink.yaml, lz-folder/services-infrastructure/folder-sink.yaml, -mgmt-project/project-sink.yaml, org-sink.yaml immediately preceding the filter including/excluding -various log types - -Ops Note: This is an org control so the AU-2 tagging in the code is there to support the -narrative Ops will write to demonstrate the org requirements - -### AU-4(1) AUDIT STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE - -AU-4(1) – Logs are being sent to a logging project which is separate from the projects -performing actions which generate log entries. Added to the cloud-logging-buckets.yaml -where separate logging project is selected as target. - -## AU-8 TIME STAMPS - -AU-8 – Time stamps for audit records use internal Google time which is recorded in -RFC3339 UTC format in log entries (see GCP documentation for LogEntry object, timestamp field) - -## AU-9 PROTECTION OF AUDIT INFORMATION - -AU-9 – Retention policies and policy locks are implemented so log contents is immutable. Added to -cloud-logging-buckets.yaml prior to locked and retentionDays entries. Also added to setters.yaml -as previous entries are set from here. - -### AU-9(2) PROTECTION OF AUDIT INFORMATION | AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS - -AU-9(2) – Logs sent to separate project, same response as AU-4(1) - -## AU-11 AUDIT RECORD RETENTION - -AU-11 – Audit log retention, same response as AU-9 - -## AU-12(A) - -Same as AU-2 (this control is the implementation of AU-2) - -## AU-12(C) - -Same as AU-2 (this control is the implementation of AU-2) 
diff --git a/solutions/core-landing-zone/lz-folder/services-infrastructure/dns-project/dns.yaml b/solutions/core-landing-zone/lz-folder/services-infrastructure/dns-project/dns.yaml index b13ade18c..4bcbfe23f 100644 --- a/solutions/core-landing-zone/lz-folder/services-infrastructure/dns-project/dns.yaml +++ b/solutions/core-landing-zone/lz-folder/services-infrastructure/dns-project/dns.yaml @@ -13,7 +13,8 @@ # limitations under the License. ######### # Public Core DNS zone -# SC-22 +# SC-20 - This is Parent zone and purely related to core landing zone only. Supports DNSSEC from spoofing attacks +# Client applications will be using sub zones created under parent zone, however, their configuration will be application specific and will require seperate assessment apiVersion: dns.cnrm.cloud.google.com/v1beta1 kind: DNSManagedZone metadata: @@ -27,6 +28,7 @@ spec: resourceID: standard-core-public-dns dnsName: "dns-name" # kpt-set: ${dns-name} visibility: public + # SC-20 dnssecConfig: state: "on" cloudLoggingConfig: diff --git a/solutions/core-landing-zone/lz-folder/services-infrastructure/folder-sink.yaml b/solutions/core-landing-zone/lz-folder/services-infrastructure/folder-sink.yaml index a88297d98..f873c6c12 100644 --- a/solutions/core-landing-zone/lz-folder/services-infrastructure/folder-sink.yaml +++ b/solutions/core-landing-zone/lz-folder/services-infrastructure/folder-sink.yaml 
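Review bot: The new SC-20 header has grammar and spelling defects in compliance-facing text ("Supports DNSSEC from spoofing attacks", "seperate") and silently drops the SC-22 tag. In 800-53/ITSG-33 numbering SC-20 (authoritative source signs its data) is the right fit for `dnssecConfig.state: "on"`, but SC-22 (architecture and provisioning of the resolution service) may still apply to the parent/sub-zone layout, so confirm the swap with the control-narrative owner rather than replacing one with the other. Suggested wording: `# SC-20 - Parent public zone for the core landing zone only; DNSSEC signing is enabled (dnssecConfig.state: on) so resolvers can detect spoofed or poisoned responses` followed by `# Application sub-zones are created under this zone but are application-specific and require a separate assessment`.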
@@ -14,6 +14,9 @@ ###### # Folder sink for Platform and Component logs of Services Resources # Destination: Cloud Logging bucket hosted inside logging project +# AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the folder to send the logs to the logging bucket in the logging project +# AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket +# AU-12, AU-12(1) - Log Sinks defined in Log Router check each log entry against the inclusion filter and exclusion filter that determine which destinations that the log entry is sent to apiVersion: logging.cnrm.cloud.google.com/v1beta1 kind: LoggingLogSink metadata: @@ -27,12 +30,13 @@ spec: namespace: hierarchy includeChildren: true destination: + # AU-3, AU-3(1), AU-4(1), AU-6(4), AU-9(2) loggingLogBucketRef: # destination.loggingLogBucketRef # Only `external` field is supported to configure the reference. external: platform-and-component-log-bucket # kpt-set: logging.googleapis.com/projects/${logging-project-id}/locations/northamerica-northeast1/buckets/${platform-and-component-log-bucket} description: Folder sink for Platform and Component logs of services Resources - # AU-2, AU-12(A), AU-12(C) + # AU-12, AU-12(1) # No inclusion filter. Includes all Platform and Component logs # Google Cloud platform logs are service-specific logs # For a list of all supported Google Cloud Logging API Services visit https://cloud.google.com/logging/docs/api/platform-logs diff --git a/solutions/core-landing-zone/lz-folder/services/folder-sink.yaml b/solutions/core-landing-zone/lz-folder/services/folder-sink.yaml index 1b441463f..4b887c8f3 100644 --- a/solutions/core-landing-zone/lz-folder/services/folder-sink.yaml +++ b/solutions/core-landing-zone/lz-folder/services/folder-sink.yaml 
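Review bot: The `AU-3, AU-3(1)` tag is a questionable mapping for this resource: AU-3 concerns the content of audit records, whereas a folder-level `LoggingLogSink` with `includeChildren: true` is about generation and routing (AU-12, AU-4(1)); the sentence beside it also reads awkwardly ("Sink defined at folder that will allow all the projects underneath the folder"). Suggest `# AU-12, AU-4(1) - Folder-level sink with includeChildren: true; every project under the folder routes its Platform and Component logs to the central bucket in the logging project` and `# AU-4(1), AU-6(4), AU-9(2) - Destination is a dedicated log bucket in the separate logging project, same region (northamerica-northeast1)`. The same three lines are pasted into lz-folder/services/folder-sink.yaml and mgmt-project/project-sink.yaml, so whichever wording is chosen should be applied to all three.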
@@ -14,6 +14,9 @@ ###### # Folder sink for Platform and Component logs of Services Resources # Destination: Cloud Logging bucket hosted inside logging project +# AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the folder to send the logs to the logging bucket in the logging project +# AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket +# AU-12, AU-12(1) - Log Sinks defined in Log Router check each log entry against the inclusion filter and exclusion filter that determine which destinations that the log entry is sent to apiVersion: logging.cnrm.cloud.google.com/v1beta1 kind: LoggingLogSink metadata: @@ -27,12 +30,13 @@ spec: namespace: hierarchy includeChildren: true destination: + # AU-3, AU-3(1), AU-4(1), AU-6(4), AU-9(2) loggingLogBucketRef: # destination.loggingLogBucketRef # Only `external` field is supported to configure the reference. external: platform-and-component-log-bucket # kpt-set: logging.googleapis.com/projects/${logging-project-id}/locations/northamerica-northeast1/buckets/${platform-and-component-log-bucket} description: Folder sink for Platform and Component logs of services Resources - # AU-2, AU-12(A), AU-12(C) + # AU-12, AU-12(1) # No inclusion filter. Includes all Platform and Component logs # Google Cloud platform logs are service-specific logs # For a list of all supported Google Cloud Logging API Services visit https://cloud.google.com/logging/docs/api/platform-logs diff --git a/solutions/core-landing-zone/mgmt-project/project-sink.yaml b/solutions/core-landing-zone/mgmt-project/project-sink.yaml index 9995099bd..ff301be69 100644 --- a/solutions/core-landing-zone/mgmt-project/project-sink.yaml +++ b/solutions/core-landing-zone/mgmt-project/project-sink.yaml 
@@ -14,6 +14,9 @@ ###### # Project sink for the Platform and Component logs of the Landing Zone Management Cluster # Destination: Cloud Logging bucket hosted inside logging project +# AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the folder to send the logs to the logging bucket in the logging project +# AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket +# AU-12, AU-12(1) - Log Sinks defined in Log Router check each log entry against the inclusion filter and exclusion filter that determine which destinations that the log entry is sent to apiVersion: logging.cnrm.cloud.google.com/v1beta1 kind: LoggingLogSink metadata: @@ -25,13 +28,14 @@ spec: projectRef: external: management-project-12345 # kpt-set: ${management-project-id} destination: + # AU-3, AU-3(1), AU-4(1), AU-6(4), AU-9(2) loggingLogBucketRef: external: logging.googleapis.com/projects/${logging-project-id}/locations/northamerica-northeast1/buckets/${platform-and-component-log-bucket} # kpt-set: logging.googleapis.com/projects/${logging-project-id}/locations/northamerica-northeast1/buckets/${platform-and-component-log-bucket} # The following setting is required # You must set unique_writer_identity to true if you wish to publish logs across projects uniqueWriterIdentity: true description: Project sink for Platform and Component logs of the Landing Zone Management Cluster - # AU-2, AU-12(A), AU-12(C) + # AU-12, AU-12(1) # No inclusion filter. Includes all Platform and Component logs # Google Cloud platform logs are service-specific logs # For a list of all supported Google Cloud Logging API Services visit https://cloud.google.com/logging/docs/api/platform-logs 
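Review bot: The pasted header `# AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the folder…` is wrong for this file: the resource below is a project sink (`projectRef: external: … ${management-project-id}`) with no folder and no `includeChildren`, so the comment describes a different resource. Replace it with text that matches this sink, e.g. `# AU-12, AU-4(1) - Project-level sink for the management project; routes its Platform and Component logs to the central bucket in the logging project`. The `uniqueWriterIdentity: true` line is arguably the part worth tagging for AU-9, since it is what gives this sink its own writer identity to bind in project-iam.yaml.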
@@ -74,6 +78,7 @@ spec: destination: # destination.loggingLogBucketRef # Only `external` field is supported to configure the reference. + # AU-3, AU-3(1), AU-4(1), AU-6(4), AU-9(2) loggingLogBucketRef: external: logging.googleapis.com/projects/${logging-project-id}/locations/northamerica-northeast1/buckets/_Default # kpt-set: logging.googleapis.com/projects/${logging-project-id}/locations/northamerica-northeast1/buckets/_Default resourceID: _Default diff --git a/solutions/core-landing-zone/namespaces/gatekeeper-system.yaml b/solutions/core-landing-zone/namespaces/gatekeeper-system.yaml index efd4ed7a8..25c3b8c8e 100644 --- a/solutions/core-landing-zone/namespaces/gatekeeper-system.yaml +++ b/solutions/core-landing-zone/namespaces/gatekeeper-system.yaml @@ -17,7 +17,7 @@ # to implement Policy Controller Metrics and avoid numerous IAM errors on the Config Controller instance. ######### # GCP SA -# AC-3(7) - Creates lower priv service account for Policy Controller metrics +# AC-3(7), AC-3, AC-16(2) - This service account possesses limited privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the namespace and is assigned roles as required. apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: @@ -27,10 +27,10 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: + # AC-3(7), AC-3, AC-16(2) displayName: gatekeeper-admin-sa --- # Grant GCP role Metrics Writer to gatekeeper-admin SA on KCC Project -# AC-3(7) - RBAC role to account with required permissions for Policy Controller metrics apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: 
@@ -44,10 +44,10 @@ spec: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project external: management-project-id # kpt-set: ${management-project-id} + # AC-3(7), AC-3, AC-16(2) role: roles/monitoring.metricWriter member: "serviceAccount:gatekeeper-admin-sa@management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:gatekeeper-admin-sa@${management-project-id}.iam.gserviceaccount.com --- -# K8S SA apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPartialPolicy metadata: @@ -61,6 +61,7 @@ spec: name: gatekeeper-admin-sa apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount + # AC-3(7), AC-3, AC-16(2) bindings: - role: roles/iam.workloadIdentityUser members: @@ -75,4 +76,5 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: + # AC-3(7), AC-3, AC-16(2) googleServiceAccount: gatekeeper-admin-sa@management-project-id.iam.gserviceaccount.com # kpt-set: gatekeeper-admin-sa@${management-project-id}.iam.gserviceaccount.com diff --git a/solutions/core-landing-zone/namespaces/hierarchy.yaml b/solutions/core-landing-zone/namespaces/hierarchy.yaml index d333d18c0..dd3cdf3f8 100644 --- a/solutions/core-landing-zone/namespaces/hierarchy.yaml +++ b/solutions/core-landing-zone/namespaces/hierarchy.yaml @@ -13,7 +13,7 @@ # limitations under the License. ######### # GCP SA -# AC-3(7) - Creates lower priv service account for folder hierarchy administration +# AC-3(7), AC-3, AC-16(2) - This service account possesses limited privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the namespace and is assigned roles as required. apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: 
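Review bot: The commit replaces the per-binding rationale (`# AC-3(7) - RBAC role to account with required permissions for Policy Controller metrics`) with a generic `# AC-3(7), AC-3, AC-16(2)` tag repeated on every resource, so the `roles/monitoring.metricWriter` binding no longer states why that role and that scope are needed — which is the evidence a least-privilege (AC-3(7)) review asks for. Keep the tags but restore a one-line why on the IAMPolicyMember, e.g. `# AC-3(7) - roles/monitoring.metricWriter on the management project only: the minimum needed for Policy Controller to publish metrics`. AC-16(2) (attribute value changes by authorized individuals) is an unusual mapping for a service-account binding; if it is meant to cover the namespace annotation that links the K8s SA to the GCP SA, state that where the annotation is set.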
@@ -23,10 +23,10 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: + # AC-3(7), AC-3, AC-16(2) displayName: hierarchy-sa --- # Grant GCP role Folder Admin to GCP SA -# AC-3(7) - RBAC role to account with required permissions apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: @@ -40,10 +40,10 @@ spec: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Folder external: "123456789012" # kpt-set: ${lz-folder-id} + # AC-3(7), AC-3, AC-16(2) role: roles/resourcemanager.folderAdmin member: "serviceAccount:hierarchy-sa@management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:hierarchy-sa@${management-project-id}.iam.gserviceaccount.com --- -# K8S SA apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPartialPolicy metadata: @@ -57,12 +57,13 @@ spec: name: hierarchy-sa apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount + # AC-3(7), AC-3, AC-16(2) bindings: - role: roles/iam.workloadIdentityUser members: - member: serviceAccount:management-project-id.svc.id.goog[cnrm-system/cnrm-controller-manager-hierarchy] # kpt-set: serviceAccount:${management-project-id}.svc.id.goog[cnrm-system/cnrm-controller-manager-hierarchy] --- -# K8S namespace +# Namespace created to seggregate resources. Each Namespace will be given a specific Kubernetes Service account and GCP Service Account apiVersion: v1 kind: Namespace metadata: @@ -78,6 +79,7 @@ metadata: namespace: hierarchy annotations: cnrm.cloud.google.com/ignore-clusterless: "true" +# AC-3(7), AC-3, AC-16(2) spec: googleServiceAccount: hierarchy-sa@management-project-id.iam.gserviceaccount.com # kpt-set: hierarchy-sa@${management-project-id}.iam.gserviceaccount.com --- @@ -89,6 +91,7 @@ metadata: namespace: hierarchy annotations: cnrm.cloud.google.com/ignore-clusterless: "true" +# AC-3(7), AC-3, AC-16(2) roleRef: name: cnrm-viewer kind: ClusterRole 
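Review bot: The new namespace comment has a typo in compliance-facing text, `seggregate`; suggest `# Namespace created to segregate resources. Each namespace gets its own Kubernetes service account and GCP service account`. The `# AC-3(7), AC-3, AC-16(2)` lines inserted before `spec:` and `roleRef:` in the later hunks sit at column 0 between indented keys, which yamllint's comments-indentation rule flags and which differs from the indented placement used elsewhere in this commit; indent them to match the key they annotate. Also, the generic "limited privileges" header is placed above a `roles/resourcemanager.folderAdmin` grant on the landing-zone folder — a broad role — so the header should name that scope rather than assert limitation generically.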
@@ -106,6 +109,7 @@ metadata: namespace: hierarchy annotations: cnrm.cloud.google.com/ignore-clusterless: "true" +# AC-3(7), AC-3, AC-16(2) roleRef: name: cnrm-viewer kind: ClusterRole @@ -124,6 +128,7 @@ metadata: namespace: hierarchy annotations: cnrm.cloud.google.com/ignore-clusterless: "true" +# AC-3(7), AC-3, AC-16(2) roleRef: name: cnrm-viewer kind: ClusterRole @@ -141,6 +146,7 @@ metadata: namespace: hierarchy annotations: cnrm.cloud.google.com/ignore-clusterless: "true" +# AC-3(7), AC-3, AC-16(2) roleRef: name: cnrm-viewer kind: ClusterRole diff --git a/solutions/core-landing-zone/namespaces/logging.yaml b/solutions/core-landing-zone/namespaces/logging.yaml index 66e04a9ca..def4b50a9 100644 --- a/solutions/core-landing-zone/namespaces/logging.yaml +++ b/solutions/core-landing-zone/namespaces/logging.yaml @@ -13,7 +13,7 @@ # limitations under the License. ######### # GCP SA -# AC-3(7) - Creates lower priv service account for logging administration +# AC-3(7), AC-3, AC-16(2) - This service account possesses limited privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the namespace and is assigned roles as required. apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: @@ -23,10 +23,10 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: + # AC-3(7), AC-3, AC-16(2) displayName: logging-sa --- # Grant GCP role Logging Admin to GCP SA -# AC-3(7) - RBAC role to account with required permissions for logging administration apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: 
@@ -40,6 +40,7 @@ spec: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Organization external: "0000000000" # kpt-set: ${org-id} + # AC-3(7), AC-3, AC-16(2) role: roles/logging.admin member: "serviceAccount:logging-sa@management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:logging-sa@${management-project-id}.iam.gserviceaccount.com --- @@ -57,6 +58,7 @@ spec: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Folder external: "123456789012" # kpt-set: ${lz-folder-id} + # AC-3(7), AC-3, AC-16(2) role: roles/bigquery.admin member: "serviceAccount:logging-sa@management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:logging-sa@${management-project-id}.iam.gserviceaccount.com --- @@ -74,12 +76,14 @@ spec: name: logging-sa apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount + # AC-3(7), AC-3, AC-16(2) bindings: - role: roles/iam.workloadIdentityUser members: - member: serviceAccount:management-project-id.svc.id.goog[cnrm-system/cnrm-controller-manager-logging] # kpt-set: serviceAccount:${management-project-id}.svc.id.goog[cnrm-system/cnrm-controller-manager-logging] --- # K8S namespace +# Namespace created to seggregate resources. Each Namespace will be given a specific Kubernetes Service account and GCP Service Account apiVersion: v1 kind: Namespace metadata: @@ -96,6 +100,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: + # AC-3(7), AC-3, AC-16(2) googleServiceAccount: logging-sa@management-project-id.iam.gserviceaccount.com # kpt-set: logging-sa@${management-project-id}.iam.gserviceaccount.com --- # Grant viewer role on the logging namespace to projects K8S SA @@ -106,6 +111,7 @@ metadata: namespace: logging annotations: cnrm.cloud.google.com/ignore-clusterless: "true" +# AC-3(7), AC-3, AC-16(2) roleRef: name: cnrm-viewer kind: ClusterRole 
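Review bot: The header now claims `logging-sa` "possesses limited privileges … restricted to the designated namespace", but the bindings in this hunk grant `roles/logging.admin` on the `Organization` and `roles/bigquery.admin` on the landing-zone folder; an organization-wide admin role is not what an assessor reads "limited" to mean. As far as I know roles/logging.admin includes permissions to delete buckets and log entries, which bears on the AU-9 immutability claim in cloud-logging-buckets.yaml unless the buckets are actually locked — please confirm and record the reasoning, e.g. `# AC-3(7) - roles/logging.admin at the org level is needed for the org-level sink (org/org-sink.yaml); it also permits bucket/log deletion, mitigated by bucket retention locking`. If org scope is only needed to manage sinks, a narrower org-level role plus folder-scoped admin is worth evaluating.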
diff --git a/solutions/core-landing-zone/namespaces/management-namespace.yaml b/solutions/core-landing-zone/namespaces/management-namespace.yaml index fc4320d03..e04fb70e5 100644 --- a/solutions/core-landing-zone/namespaces/management-namespace.yaml +++ b/solutions/core-landing-zone/namespaces/management-namespace.yaml @@ -13,6 +13,7 @@ # limitations under the License. ######### # Grant GCP role Organization Role Admin to GCP config-control-sa a.k.a yakima +# AC-3(7), AC-3, AC-16(2) - This service account possesses limited privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the namespace and is assigned roles as required. apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: @@ -26,6 +27,7 @@ spec: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Organization external: "123456789012" # kpt-set: ${org-id} + # AC-3(7), AC-3, AC-16(2) role: roles/iam.organizationRoleAdmin member: "serviceAccount:service-management-project-number@gcp-sa-yakima.iam.gserviceaccount.com" # kpt-set: serviceAccount:service-${management-project-number}@gcp-sa-yakima.iam.gserviceaccount.com --- @@ -43,6 +45,7 @@ spec: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project external: management-project-id # kpt-set: ${management-project-id} + # AC-3(7), AC-3, AC-16(2) role: roles/editor member: "serviceAccount:service-management-project-number@gcp-sa-yakima.iam.gserviceaccount.com" # kpt-set: serviceAccount:service-${management-project-number}@gcp-sa-yakima.iam.gserviceaccount.com --- 
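Review bot: The header "This service account possesses limited privileges … restricted to the designated namespace" is pasted above bindings that give the Config Controller service agent `roles/iam.organizationRoleAdmin` at the organization and `roles/editor` on the management project; a basic role at project scope and an org-level role-admin grant are not "limited", and the comment would mislead an AC-3(7) reviewer. Describe what is actually granted and why, e.g. `# AC-3(7) - Config Controller service agent: organizationRoleAdmin at the org (presumably to manage the roles under org/custom-roles/); editor and serviceAccountAdmin on the management project for Config Connector reconciliation`, confirming the org-level need against what the controller actually creates. Consider whether `roles/editor` can be replaced by the specific predefined roles the controller needs.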
@@ -60,5 +63,6 @@ spec: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project external: management-project-id # kpt-set: ${management-project-id} + # AC-3(7), AC-3, AC-16(2) role: roles/iam.serviceAccountAdmin member: "serviceAccount:service-management-project-number@gcp-sa-yakima.iam.gserviceaccount.com" # kpt-set: serviceAccount:service-${management-project-number}@gcp-sa-yakima.iam.gserviceaccount.com diff --git a/solutions/core-landing-zone/namespaces/networking.yaml b/solutions/core-landing-zone/namespaces/networking.yaml index 75de87ab7..a28c0473c 100644 --- a/solutions/core-landing-zone/namespaces/networking.yaml +++ b/solutions/core-landing-zone/namespaces/networking.yaml @@ -13,7 +13,7 @@ # limitations under the License. ######### # GCP SA -# AC-3(7) - Creates lower priv service account for networking administration +# AC-3(7), AC-3, AC-16(2) - This service account possesses limited privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the namespace and is assigned roles as required. apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: @@ -23,10 +23,9 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: + # AC-3(7), AC-3, AC-16(2) displayName: networking-sa --- -# Grant GCP role Network Admin to GCP SA -# AC-3(7) - RBAC role to account with required permissions for networking administration apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: 
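Review bot: In networking.yaml the commit deletes both header lines of the `roles/compute.networkAdmin` IAMPolicyMember (`# Grant GCP role Network Admin to GCP SA` and its AC-3(7) rationale) without adding a replacement above the resource, leaving that binding the only unlabeled one in the file while the sibling files keep their "Grant GCP role …" headers. Restore a header that names the role and scope, e.g. `# Grant GCP role Network Admin on the landing-zone folder to networking-sa` followed by `# AC-3(7) - folder-scoped compute.networkAdmin is the minimum for managing shared VPC networking resources`, hedged as appropriate if a narrower role is possible.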
@@ -40,6 +39,7 @@ spec: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Folder external: "123456789012" # kpt-set: ${lz-folder-id} + # AC-3(7), AC-3, AC-16(2) role: roles/compute.networkAdmin member: "serviceAccount:networking-sa@management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:networking-sa@${management-project-id}.iam.gserviceaccount.com --- @@ -53,6 +53,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: + # AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Folder @@ -70,6 +71,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: + # AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Folder @@ -87,6 +89,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: + # AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Organization @@ -106,6 +109,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: + # AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Organization @@ -123,6 +127,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: + # AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Folder 
@@ -140,6 +145,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: + # AC-3(7), AC-3, AC-16(2) resourceRef: name: networking-sa apiVersion: iam.cnrm.cloud.google.com/v1beta1 @@ -166,4 +172,5 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: + # AC-3(7), AC-3, AC-16(2) googleServiceAccount: networking-sa@management-project-id.iam.gserviceaccount.com # kpt-set: networking-sa@${management-project-id}.iam.gserviceaccount.com diff --git a/solutions/core-landing-zone/namespaces/policies.yaml b/solutions/core-landing-zone/namespaces/policies.yaml index 793868e10..4509cecb4 100644 --- a/solutions/core-landing-zone/namespaces/policies.yaml +++ b/solutions/core-landing-zone/namespaces/policies.yaml @@ -13,7 +13,7 @@ # limitations under the License. ######### # GCP SA -# AC-3(7) - Creates lower priv service account for policy administration +# AC-3(7), AC-3, AC-16(2) - This service account possesses limited privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the namespace and is assigned roles as required. apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: @@ -23,10 +23,10 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: + # AC-3(7), AC-3, AC-16(2) displayName: policies-sa --- # Grant GCP role Organization Policy Administrator to GCP SA -# AC-3(7) - RBAC role to account with required permissions for policy administration apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: 
@@ -36,6 +36,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: + # AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Organization @@ -53,6 +54,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: + # AC-3(7), AC-3, AC-16(2) resourceRef: name: policies-sa apiVersion: iam.cnrm.cloud.google.com/v1beta1 @@ -79,4 +81,5 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: + # AC-3(7), AC-3, AC-16(2) googleServiceAccount: policies-sa@management-project-id.iam.gserviceaccount.com # kpt-set: policies-sa@${management-project-id}.iam.gserviceaccount.com diff --git a/solutions/core-landing-zone/namespaces/projects.yaml b/solutions/core-landing-zone/namespaces/projects.yaml index 5ca9c6190..2f992066b 100644 --- a/solutions/core-landing-zone/namespaces/projects.yaml +++ b/solutions/core-landing-zone/namespaces/projects.yaml @@ -13,7 +13,7 @@ # limitations under the License. ######### # GCP SA -# AC-3(7) - Creates lower priv service account for administration of projects +# AC-3(7), AC-3, AC-16(2) - This service account possesses limited privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the namespace and is assigned roles as required. apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: 
@@ -23,10 +23,10 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: + # AC-3(7), AC-3, AC-16(2) displayName: projects-sa --- # Grant GCP role Project IAM Admin to GCP SA -# AC-3(7) - RBAC role to account with required permissions for administration of projects apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: @@ -36,6 +36,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: + # AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Folder @@ -53,6 +54,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: + # AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Folder @@ -70,6 +72,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: + # AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Folder @@ -87,6 +90,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: + # AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Folder @@ -104,6 +108,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: + # AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Folder 
@@ -122,6 +127,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: + # AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Organization @@ -139,6 +145,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: + # AC-3(7), AC-3, AC-16(2) resourceRef: name: projects-sa apiVersion: iam.cnrm.cloud.google.com/v1beta1 @@ -165,6 +172,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: + # AC-3(7), AC-3, AC-16(2) googleServiceAccount: projects-sa@management-project-id.iam.gserviceaccount.com # kpt-set: projects-sa@${management-project-id}.iam.gserviceaccount.com --- # Grant viewer role on the projects namespace to logging K8S SA @@ -176,6 +184,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" roleRef: + # AC-3(7), AC-3, AC-16(2) name: cnrm-viewer kind: ClusterRole apiGroup: rbac.authorization.k8s.io @@ -193,6 +202,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" roleRef: + # AC-3(7), AC-3, AC-16(2) name: cnrm-viewer kind: ClusterRole apiGroup: rbac.authorization.k8s.io @@ -210,6 +220,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" roleRef: + # AC-3(7), AC-3, AC-16(2) name: cnrm-viewer kind: ClusterRole apiGroup: rbac.authorization.k8s.io diff --git a/solutions/core-landing-zone/org/custom-roles/gke-firewall-admin.yaml b/solutions/core-landing-zone/org/custom-roles/gke-firewall-admin.yaml index e504e3f50..0dd5bcc9e 100644 --- a/solutions/core-landing-zone/org/custom-roles/gke-firewall-admin.yaml +++ b/solutions/core-landing-zone/org/custom-roles/gke-firewall-admin.yaml 
@@ -17,6 +17,7 @@ # Create a custom IAM role that includes only the following permissions # compute.networks.updatePolicy, compute.firewalls.list, compute.firewalls.get, compute.firewalls.create, compute.firewalls.update, and compute.firewalls.delete # https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-shared-vpc#managing_firewall_resources +# AC-3(7), AC-3, AC-16(2) - Custom role for assigning permissions to the Google IAM Service Account following least priveledge model apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMCustomRole metadata: @@ -27,6 +28,7 @@ metadata: cnrm.cloud.google.com/organization-id: "0000000000" # kpt-set: ${org-id} spec: description: To allow a GKE cluster in a service project to create and manage the firewall resources in the host project + # AC-3(7), AC-3, AC-16(2) permissions: - compute.networks.updatePolicy - compute.firewalls.list diff --git a/solutions/core-landing-zone/org/custom-roles/tier2-dnsrecord-admin.yaml b/solutions/core-landing-zone/org/custom-roles/tier2-dnsrecord-admin.yaml index 101ea3bf3..5fac4c201 100644 --- a/solutions/core-landing-zone/org/custom-roles/tier2-dnsrecord-admin.yaml +++ b/solutions/core-landing-zone/org/custom-roles/tier2-dnsrecord-admin.yaml @@ -13,6 +13,7 @@ # limitations under the License. ######### # Tier2 DNS Record Admin +# AC-3(7), AC-3, AC-16(2) - Custom role for assigning permissions to the Google IAM Service Account following least priveledge model apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMCustomRole metadata: @@ -23,6 +24,7 @@ metadata: cnrm.cloud.google.com/organization-id: "0000000000" # kpt-set: ${org-id} spec: description: Tier2 DNS Record Admin + # AC-3(7), AC-3, AC-16(2) permissions: - dns.changes.create - dns.changes.get diff --git a/solutions/core-landing-zone/org/custom-roles/tier2-vpcpeering-admin.yaml b/solutions/core-landing-zone/org/custom-roles/tier2-vpcpeering-admin.yaml index 2c961c266..82f6f9429 100644 
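Review bot: The new header comment has a typo, `priveledge` → `privilege`, and the identical line is added to tier2-dnsrecord-admin.yaml, tier2-vpcpeering-admin.yaml, tier3-dnsrecord-admin.yaml, tier3-firewallrule-admin.yaml, tier3-subnetwork-admin.yaml, tier3-vpcsc-admin.yaml and tier4-secretmanager-admin.yaml, so fix it in all eight files: `# AC-3(7), AC-3, AC-16(2) - Custom role for assigning permissions to the Google IAM Service Account following the least privilege model`. Each custom role is also tagged twice, once in the header and once under `spec:` above `permissions:`, and the rebuilt securitycontrols.md table lists every custom role twice per control (e.g. `gke-firewall-admin` appears twice under AC-16(2), AC-3 and AC-3(7)); if the table is generated from these comments, one tag per resource would remove the duplicate rows. The same double tagging produces duplicate rows for gatekeeper-admin-sa, hierarchy-sa, logging-sa, networking-sa, policies-sa and projects-sa.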
--- a/solutions/core-landing-zone/org/custom-roles/tier2-vpcpeering-admin.yaml +++ b/solutions/core-landing-zone/org/custom-roles/tier2-vpcpeering-admin.yaml @@ -13,6 +13,7 @@ # limitations under the License. ######### # Tier2 VPC Peering Admin +# AC-3(7), AC-3, AC-16(2) - Custom role for assigning permissions to the Google IAM Service Account following least priveledge model apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMCustomRole metadata: @@ -23,6 +24,7 @@ metadata: cnrm.cloud.google.com/organization-id: "0000000000" # kpt-set: ${org-id} spec: description: Tier2 VPC Peering Admin + # AC-3(7), AC-3, AC-16(2) permissions: - compute.networks.addPeering - compute.networks.get diff --git a/solutions/core-landing-zone/org/custom-roles/tier3-dnsrecord-admin.yaml b/solutions/core-landing-zone/org/custom-roles/tier3-dnsrecord-admin.yaml index a35f77ee3..d81dfdeba 100644 --- a/solutions/core-landing-zone/org/custom-roles/tier3-dnsrecord-admin.yaml +++ b/solutions/core-landing-zone/org/custom-roles/tier3-dnsrecord-admin.yaml @@ -13,6 +13,7 @@ # limitations under the License. ######### # Tier3 DNS Record Admin +# AC-3(7), AC-3, AC-16(2) - Custom role for assigning permissions to the Google IAM Service Account following least priveledge model apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMCustomRole metadata: @@ -23,6 +24,7 @@ metadata: cnrm.cloud.google.com/organization-id: "0000000000" # kpt-set: ${org-id} spec: description: Tier3 DNS Record Admin + # AC-3(7), AC-3, AC-16(2) permissions: - dns.changes.create - dns.changes.get diff --git a/solutions/core-landing-zone/org/custom-roles/tier3-firewallrule-admin.yaml b/solutions/core-landing-zone/org/custom-roles/tier3-firewallrule-admin.yaml index 3347b08c5..5cf51db1f 100644 --- a/solutions/core-landing-zone/org/custom-roles/tier3-firewallrule-admin.yaml +++ b/solutions/core-landing-zone/org/custom-roles/tier3-firewallrule-admin.yaml 
@@ -13,6 +13,7 @@ # limitations under the License. ######### # Tier3 Firewall Rule Admin +# AC-3(7), AC-3, AC-16(2) - Custom role for assigning permissions to the Google IAM Service Account following least priveledge model apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMCustomRole metadata: @@ -23,6 +24,7 @@ metadata: cnrm.cloud.google.com/organization-id: "0000000000" # kpt-set: ${org-id} spec: description: Tier3 Firewall Rule Admin + # AC-3(7), AC-3, AC-16(2) permissions: - compute.firewalls.create - compute.firewalls.delete diff --git a/solutions/core-landing-zone/org/custom-roles/tier3-subnetwork-admin.yaml b/solutions/core-landing-zone/org/custom-roles/tier3-subnetwork-admin.yaml index afc3e9dbb..3dd168cfe 100644 --- a/solutions/core-landing-zone/org/custom-roles/tier3-subnetwork-admin.yaml +++ b/solutions/core-landing-zone/org/custom-roles/tier3-subnetwork-admin.yaml @@ -13,6 +13,7 @@ # limitations under the License. ######### # Tier3 Subnetwork Admin +# AC-3(7), AC-3, AC-16(2) - Custom role for assigning permissions to the Google IAM Service Account following least priveledge model apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMCustomRole metadata: @@ -23,6 +24,7 @@ metadata: cnrm.cloud.google.com/organization-id: "0000000000" # kpt-set: ${org-id} spec: description: Tier3 Subnetwork Admin + # AC-3(7), AC-3, AC-16(2) permissions: - compute.subnetworks.create - compute.subnetworks.delete diff --git a/solutions/core-landing-zone/org/custom-roles/tier3-vpcsc-admin.yaml b/solutions/core-landing-zone/org/custom-roles/tier3-vpcsc-admin.yaml index e40938b0d..01830cd02 100644 --- a/solutions/core-landing-zone/org/custom-roles/tier3-vpcsc-admin.yaml +++ b/solutions/core-landing-zone/org/custom-roles/tier3-vpcsc-admin.yaml 
@@ -13,6 +13,7 @@ # limitations under the License. ######### # Tier3 VPC SC Admin +# AC-3(7), AC-3, AC-16(2) - Custom role for assigning permissions to the Google IAM Service Account following least priveledge model apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMCustomRole metadata: @@ -23,6 +24,7 @@ metadata: cnrm.cloud.google.com/organization-id: "0000000000" # kpt-set: ${org-id} spec: description: Tier3 VPC SC Admin + # AC-3(7), AC-3, AC-16(2) permissions: - accesscontextmanager.accessLevels.create - accesscontextmanager.accessLevels.delete diff --git a/solutions/core-landing-zone/org/custom-roles/tier4-secretmanager-admin.yaml b/solutions/core-landing-zone/org/custom-roles/tier4-secretmanager-admin.yaml index e35b7ab21..1449fd6ce 100644 --- a/solutions/core-landing-zone/org/custom-roles/tier4-secretmanager-admin.yaml +++ b/solutions/core-landing-zone/org/custom-roles/tier4-secretmanager-admin.yaml @@ -13,6 +13,7 @@ # limitations under the License. ######### # Tier4 Secret Manager Admin +# AC-3(7), AC-3, AC-16(2) - Custom role for assigning permissions to the Google IAM Service Account following least priveledge model apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMCustomRole metadata: @@ -23,6 +24,7 @@ metadata: cnrm.cloud.google.com/organization-id: "0000000000" # kpt-set: ${org-id} spec: description: Tier4 Secret Manager Admin + # AC-3(7), AC-3, AC-16(2) permissions: - secretmanager.locations.get - secretmanager.locations.list diff --git a/solutions/core-landing-zone/org/org-sink.yaml b/solutions/core-landing-zone/org/org-sink.yaml index 0c6700158..15d55526a 100644 --- a/solutions/core-landing-zone/org/org-sink.yaml +++ b/solutions/core-landing-zone/org/org-sink.yaml 
@@ -14,6 +14,10 @@ ###### # Organization sink for Security logs: Cloud Audit, Access Transparency, and Data Access Logs # Destination: Cloud Logging bucket hosted inside logging project +# AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the organization to send the logs to the logging bucket in the logging project +# AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket +# AC-2(4) - Includes Security logs: Cloud Audit, Access Transparency, and Data Access Logs +# AU-12, AU-12(1) - Log Sinks defined in Log Router check each log entry against the inclusion filter and exclusion filter that determine which destinations that the log entry is sent to apiVersion: logging.cnrm.cloud.google.com/v1beta1 kind: LoggingLogSink metadata: @@ -26,12 +30,13 @@ spec: external: "0000000000" # kpt-set: ${org-id} includeChildren: true destination: + # AU-3, AU-3(1), AU-4(1), AU-6(4), AU-9(2) loggingLogBucketRef: # destination.loggingLogBucketRef # Only `external` field is supported to configure the reference. external: security-log-bucket # kpt-set: logging.googleapis.com/projects/${logging-project-id}/locations/northamerica-northeast1/buckets/${security-log-bucket} description: Organization sink for Security Logs - # AU-2, AU-12(A), AU-12(C) + # AC-2(4), AU-12, AU-12(1) # Includes Security logs: Cloud Audit, Access Transparency, and Data Access Logs # Security logs help you answer "who did what, where, and when" # diff --git a/solutions/core-landing-zone/securitycontrols.md b/solutions/core-landing-zone/securitycontrols.md index e2ecd79c2..d5f20c446 100644 --- a/solutions/core-landing-zone/securitycontrols.md +++ b/solutions/core-landing-zone/securitycontrols.md 
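Review bot: The new AU-3 line reads `Sink defined at folder that will allow all the projects underneath the organization ...`, but this resource is the organization sink (the file header says so, and the following hunk shows `external: "0000000000" # kpt-set: ${org-id}` with `includeChildren: true`), so the text looks copied from the folder-sink files; suggest `# AU-3, AU-3(1) - Sink defined at the organization that allows every project underneath it to send logs to the logging bucket in the logging project`. The AU-4(1)/AU-6(4)/AU-9(2) line, `Log sinks sending the logs to same project in same region having a logging bucket`, is likewise doubtful here: the destination is a bucket in `${logging-project-id}`, which is not the project the organization-level log sources live in, and that separation of log storage from the producing projects is what the AU-9(2) mapping should describe. Separately, the second hunk replaces `# AU-2, AU-12(A), AU-12(C)` with `# AC-2(4), AU-12, AU-12(1)`, and the rebuilt securitycontrols.md drops the AU-2 rows for all four sinks without adding replacements in the visible part of the table; if AU-2 is meant to be covered elsewhere, say so in the commit, otherwise keep it on the sinks.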
@@ -3,46 +3,312 @@ |Security Control|File Name|Resource Name| |---|---|---| -|AC-3(7)|./lz-folder/audits/logging-project/project-iam.yaml|mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions| -|AC-3(7)|./lz-folder/audits/logging-project/project-iam.yaml|platform-and-component-services-infra-log-bucket-writer-permissions| -|AC-3(7)|./lz-folder/audits/logging-project/project-iam.yaml|platform-and-component-services-infra-log-bucket-writer-permissions| -|AC-3(7)|./lz-folder/audits/logging-project/project-iam.yaml|platform-and-component-services-log-bucket-writer-permissions| -|AC-3(7)|./lz-folder/audits/logging-project/project-iam.yaml|platform-and-component-services-log-bucket-writer-permissions| -|AC-3(7)|./lz-folder/audits/logging-project/project-iam.yaml|security-log-bucket-writer-permissions| +|AC-16(2)|./namespaces/gatekeeper-system.yaml|configconnectorcontext.core.cnrm.cloud.google.com| +|AC-16(2)|./namespaces/gatekeeper-system.yaml|gatekeeper-admin-sa| +|AC-16(2)|./namespaces/gatekeeper-system.yaml|gatekeeper-admin-sa| +|AC-16(2)|./namespaces/gatekeeper-system.yaml|gatekeeper-admin-sa-metric-writer-permissions| +|AC-16(2)|./namespaces/gatekeeper-system.yaml|gatekeeper-admin-sa-workload-identity-binding| +|AC-16(2)|./namespaces/hierarchy.yaml|allow-folders-resource-reference-to-logging| +|AC-16(2)|./namespaces/hierarchy.yaml|allow-hierarchy-resource-reference-from-config-control| +|AC-16(2)|./namespaces/hierarchy.yaml|allow-hierarchy-resource-reference-from-policies| +|AC-16(2)|./namespaces/hierarchy.yaml|allow-hierarchy-resource-reference-from-projects| +|AC-16(2)|./namespaces/hierarchy.yaml|configconnectorcontext.core.cnrm.cloud.google.com| +|AC-16(2)|./namespaces/hierarchy.yaml|hierarchy-sa| +|AC-16(2)|./namespaces/hierarchy.yaml|hierarchy-sa| +|AC-16(2)|./namespaces/hierarchy.yaml|hierarchy-sa-folderadmin-permissions| +|AC-16(2)|./namespaces/hierarchy.yaml|hierarchy-sa-workload-identity-binding| 
+|AC-16(2)|./namespaces/logging.yaml|allow-logging-resource-reference-from-projects| +|AC-16(2)|./namespaces/logging.yaml|configconnectorcontext.core.cnrm.cloud.google.com| +|AC-16(2)|./namespaces/logging.yaml|logging-sa| +|AC-16(2)|./namespaces/logging.yaml|logging-sa| +|AC-16(2)|./namespaces/logging.yaml|logging-sa-bigqueryadmin-permissions| +|AC-16(2)|./namespaces/logging.yaml|logging-sa-logadmin-permissions| +|AC-16(2)|./namespaces/logging.yaml|logging-sa-workload-identity-binding| +|AC-16(2)|./namespaces/management-namespace.yaml|config-control-sa-management-project-editor-permissions| +|AC-16(2)|./namespaces/management-namespace.yaml|config-control-sa-management-project-serviceaccountadmin-permissions| +|AC-16(2)|./namespaces/management-namespace.yaml|config-control-sa-orgroleadmin-permissions| +|AC-16(2)|./namespaces/management-namespace.yaml|config-control-sa-orgroleadmin-permissions| +|AC-16(2)|./namespaces/networking.yaml|configconnectorcontext.core.cnrm.cloud.google.com| +|AC-16(2)|./namespaces/networking.yaml|networking-sa| +|AC-16(2)|./namespaces/networking.yaml|networking-sa| +|AC-16(2)|./namespaces/networking.yaml|networking-sa-dns-permissions| +|AC-16(2)|./namespaces/networking.yaml|networking-sa-networkadmin-permissions| +|AC-16(2)|./namespaces/networking.yaml|networking-sa-security-permissions| +|AC-16(2)|./namespaces/networking.yaml|networking-sa-service-control-org-permissions| +|AC-16(2)|./namespaces/networking.yaml|networking-sa-servicedirectoryeditor-permissions| +|AC-16(2)|./namespaces/networking.yaml|networking-sa-workload-identity-binding| +|AC-16(2)|./namespaces/networking.yaml|networking-sa-xpnadmin-permissions| +|AC-16(2)|./namespaces/policies.yaml|configconnectorcontext.core.cnrm.cloud.google.com| +|AC-16(2)|./namespaces/policies.yaml|policies-sa| +|AC-16(2)|./namespaces/policies.yaml|policies-sa| +|AC-16(2)|./namespaces/policies.yaml|policies-sa-orgpolicyadmin-permissions| 
+|AC-16(2)|./namespaces/policies.yaml|policies-sa-workload-identity-binding| +|AC-16(2)|./namespaces/projects.yaml|allow-projects-resource-reference-from-logging| +|AC-16(2)|./namespaces/projects.yaml|allow-projects-resource-reference-from-networking| +|AC-16(2)|./namespaces/projects.yaml|allow-projects-resource-reference-from-policies| +|AC-16(2)|./namespaces/projects.yaml|configconnectorcontext.core.cnrm.cloud.google.com| +|AC-16(2)|./namespaces/projects.yaml|projects-sa| +|AC-16(2)|./namespaces/projects.yaml|projects-sa| +|AC-16(2)|./namespaces/projects.yaml|projects-sa-billinguser-permissions| +|AC-16(2)|./namespaces/projects.yaml|projects-sa-projectcreator-permissions| +|AC-16(2)|./namespaces/projects.yaml|projects-sa-projectdeleter-permissions| +|AC-16(2)|./namespaces/projects.yaml|projects-sa-projectiamadmin-permissions| +|AC-16(2)|./namespaces/projects.yaml|projects-sa-projectmover-permissions| +|AC-16(2)|./namespaces/projects.yaml|projects-sa-serviceusageadmin-permissions| +|AC-16(2)|./namespaces/projects.yaml|projects-sa-workload-identity-binding| +|AC-16(2)|./org/custom-roles/gke-firewall-admin.yaml|gke-firewall-admin| +|AC-16(2)|./org/custom-roles/gke-firewall-admin.yaml|gke-firewall-admin| +|AC-16(2)|./org/custom-roles/tier2-dnsrecord-admin.yaml|tier2-dnsrecord-admin| +|AC-16(2)|./org/custom-roles/tier2-dnsrecord-admin.yaml|tier2-dnsrecord-admin| +|AC-16(2)|./org/custom-roles/tier2-vpcpeering-admin.yaml|tier2-vpcpeering-admin| +|AC-16(2)|./org/custom-roles/tier2-vpcpeering-admin.yaml|tier2-vpcpeering-admin| +|AC-16(2)|./org/custom-roles/tier3-dnsrecord-admin.yaml|tier3-dnsrecord-admin| +|AC-16(2)|./org/custom-roles/tier3-dnsrecord-admin.yaml|tier3-dnsrecord-admin| +|AC-16(2)|./org/custom-roles/tier3-firewallrule-admin.yaml|tier3-firewallrule-admin| +|AC-16(2)|./org/custom-roles/tier3-firewallrule-admin.yaml|tier3-firewallrule-admin| +|AC-16(2)|./org/custom-roles/tier3-subnetwork-admin.yaml|tier3-subnetwork-admin| 
+|AC-16(2)|./org/custom-roles/tier3-subnetwork-admin.yaml|tier3-subnetwork-admin| +|AC-16(2)|./org/custom-roles/tier3-vpcsc-admin.yaml|tier3-vpcsc-admin| +|AC-16(2)|./org/custom-roles/tier3-vpcsc-admin.yaml|tier3-vpcsc-admin| +|AC-16(2)|./org/custom-roles/tier4-secretmanager-admin.yaml|tier4-secretmanager-admin| +|AC-16(2)|./org/custom-roles/tier4-secretmanager-admin.yaml|tier4-secretmanager-admin| +|AC-2(4)|./org/org-sink.yaml|logging-project-id-security-sink| +|AC-2(4)|./org/org-sink.yaml|logging-project-id-security-sink| +|AC-3|./lz-folder/audits/logging-project/project-iam.yaml|logging-project-data-access-log-config| +|AC-3|./lz-folder/audits/logging-project/project-iam.yaml|mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions| +|AC-3|./lz-folder/audits/logging-project/project-iam.yaml|platform-and-component-services-infra-log-bucket-writer-permissions| +|AC-3|./lz-folder/audits/logging-project/project-iam.yaml|platform-and-component-services-log-bucket-writer-permissions| +|AC-3|./lz-folder/audits/logging-project/project-iam.yaml|security-log-bucket-writer-permissions| +|AC-3|./lz-folder/audits/logging-project/project-iam.yaml|security-log-bucket-writer-permissions| +|AC-3|./namespaces/gatekeeper-system.yaml|configconnectorcontext.core.cnrm.cloud.google.com| +|AC-3|./namespaces/gatekeeper-system.yaml|gatekeeper-admin-sa| +|AC-3|./namespaces/gatekeeper-system.yaml|gatekeeper-admin-sa| +|AC-3|./namespaces/gatekeeper-system.yaml|gatekeeper-admin-sa-metric-writer-permissions| +|AC-3|./namespaces/gatekeeper-system.yaml|gatekeeper-admin-sa-workload-identity-binding| +|AC-3|./namespaces/hierarchy.yaml|allow-folders-resource-reference-to-logging| +|AC-3|./namespaces/hierarchy.yaml|allow-hierarchy-resource-reference-from-config-control| +|AC-3|./namespaces/hierarchy.yaml|allow-hierarchy-resource-reference-from-policies| +|AC-3|./namespaces/hierarchy.yaml|allow-hierarchy-resource-reference-from-projects| 
+|AC-3|./namespaces/hierarchy.yaml|configconnectorcontext.core.cnrm.cloud.google.com| +|AC-3|./namespaces/hierarchy.yaml|hierarchy-sa| +|AC-3|./namespaces/hierarchy.yaml|hierarchy-sa| +|AC-3|./namespaces/hierarchy.yaml|hierarchy-sa-folderadmin-permissions| +|AC-3|./namespaces/hierarchy.yaml|hierarchy-sa-workload-identity-binding| +|AC-3|./namespaces/logging.yaml|allow-logging-resource-reference-from-projects| +|AC-3|./namespaces/logging.yaml|configconnectorcontext.core.cnrm.cloud.google.com| +|AC-3|./namespaces/logging.yaml|logging-sa| +|AC-3|./namespaces/logging.yaml|logging-sa| +|AC-3|./namespaces/logging.yaml|logging-sa-bigqueryadmin-permissions| +|AC-3|./namespaces/logging.yaml|logging-sa-logadmin-permissions| +|AC-3|./namespaces/logging.yaml|logging-sa-workload-identity-binding| +|AC-3|./namespaces/management-namespace.yaml|config-control-sa-management-project-editor-permissions| +|AC-3|./namespaces/management-namespace.yaml|config-control-sa-management-project-serviceaccountadmin-permissions| +|AC-3|./namespaces/management-namespace.yaml|config-control-sa-orgroleadmin-permissions| +|AC-3|./namespaces/management-namespace.yaml|config-control-sa-orgroleadmin-permissions| +|AC-3|./namespaces/networking.yaml|configconnectorcontext.core.cnrm.cloud.google.com| +|AC-3|./namespaces/networking.yaml|networking-sa| +|AC-3|./namespaces/networking.yaml|networking-sa| +|AC-3|./namespaces/networking.yaml|networking-sa-dns-permissions| +|AC-3|./namespaces/networking.yaml|networking-sa-networkadmin-permissions| +|AC-3|./namespaces/networking.yaml|networking-sa-security-permissions| +|AC-3|./namespaces/networking.yaml|networking-sa-service-control-org-permissions| +|AC-3|./namespaces/networking.yaml|networking-sa-servicedirectoryeditor-permissions| +|AC-3|./namespaces/networking.yaml|networking-sa-workload-identity-binding| +|AC-3|./namespaces/networking.yaml|networking-sa-xpnadmin-permissions| 
+|AC-3|./namespaces/policies.yaml|configconnectorcontext.core.cnrm.cloud.google.com| +|AC-3|./namespaces/policies.yaml|policies-sa| +|AC-3|./namespaces/policies.yaml|policies-sa| +|AC-3|./namespaces/policies.yaml|policies-sa-orgpolicyadmin-permissions| +|AC-3|./namespaces/policies.yaml|policies-sa-workload-identity-binding| +|AC-3|./namespaces/projects.yaml|allow-projects-resource-reference-from-logging| +|AC-3|./namespaces/projects.yaml|allow-projects-resource-reference-from-networking| +|AC-3|./namespaces/projects.yaml|allow-projects-resource-reference-from-policies| +|AC-3|./namespaces/projects.yaml|configconnectorcontext.core.cnrm.cloud.google.com| +|AC-3|./namespaces/projects.yaml|projects-sa| +|AC-3|./namespaces/projects.yaml|projects-sa| +|AC-3|./namespaces/projects.yaml|projects-sa-billinguser-permissions| +|AC-3|./namespaces/projects.yaml|projects-sa-projectcreator-permissions| +|AC-3|./namespaces/projects.yaml|projects-sa-projectdeleter-permissions| +|AC-3|./namespaces/projects.yaml|projects-sa-projectiamadmin-permissions| +|AC-3|./namespaces/projects.yaml|projects-sa-projectmover-permissions| +|AC-3|./namespaces/projects.yaml|projects-sa-serviceusageadmin-permissions| +|AC-3|./namespaces/projects.yaml|projects-sa-workload-identity-binding| +|AC-3|./org/custom-roles/gke-firewall-admin.yaml|gke-firewall-admin| +|AC-3|./org/custom-roles/gke-firewall-admin.yaml|gke-firewall-admin| +|AC-3|./org/custom-roles/tier2-dnsrecord-admin.yaml|tier2-dnsrecord-admin| +|AC-3|./org/custom-roles/tier2-dnsrecord-admin.yaml|tier2-dnsrecord-admin| +|AC-3|./org/custom-roles/tier2-vpcpeering-admin.yaml|tier2-vpcpeering-admin| +|AC-3|./org/custom-roles/tier2-vpcpeering-admin.yaml|tier2-vpcpeering-admin| +|AC-3|./org/custom-roles/tier3-dnsrecord-admin.yaml|tier3-dnsrecord-admin| +|AC-3|./org/custom-roles/tier3-dnsrecord-admin.yaml|tier3-dnsrecord-admin| +|AC-3|./org/custom-roles/tier3-firewallrule-admin.yaml|tier3-firewallrule-admin| 
+|AC-3|./org/custom-roles/tier3-firewallrule-admin.yaml|tier3-firewallrule-admin| +|AC-3|./org/custom-roles/tier3-subnetwork-admin.yaml|tier3-subnetwork-admin| +|AC-3|./org/custom-roles/tier3-subnetwork-admin.yaml|tier3-subnetwork-admin| +|AC-3|./org/custom-roles/tier3-vpcsc-admin.yaml|tier3-vpcsc-admin| +|AC-3|./org/custom-roles/tier3-vpcsc-admin.yaml|tier3-vpcsc-admin| +|AC-3|./org/custom-roles/tier4-secretmanager-admin.yaml|tier4-secretmanager-admin| +|AC-3|./org/custom-roles/tier4-secretmanager-admin.yaml|tier4-secretmanager-admin| +|AC-3(7)|./namespaces/gatekeeper-system.yaml|configconnectorcontext.core.cnrm.cloud.google.com| +|AC-3(7)|./namespaces/gatekeeper-system.yaml|gatekeeper-admin-sa| |AC-3(7)|./namespaces/gatekeeper-system.yaml|gatekeeper-admin-sa| |AC-3(7)|./namespaces/gatekeeper-system.yaml|gatekeeper-admin-sa-metric-writer-permissions| +|AC-3(7)|./namespaces/gatekeeper-system.yaml|gatekeeper-admin-sa-workload-identity-binding| +|AC-3(7)|./namespaces/hierarchy.yaml|allow-folders-resource-reference-to-logging| +|AC-3(7)|./namespaces/hierarchy.yaml|allow-hierarchy-resource-reference-from-config-control| +|AC-3(7)|./namespaces/hierarchy.yaml|allow-hierarchy-resource-reference-from-policies| +|AC-3(7)|./namespaces/hierarchy.yaml|allow-hierarchy-resource-reference-from-projects| +|AC-3(7)|./namespaces/hierarchy.yaml|configconnectorcontext.core.cnrm.cloud.google.com| +|AC-3(7)|./namespaces/hierarchy.yaml|hierarchy-sa| |AC-3(7)|./namespaces/hierarchy.yaml|hierarchy-sa| |AC-3(7)|./namespaces/hierarchy.yaml|hierarchy-sa-folderadmin-permissions| +|AC-3(7)|./namespaces/hierarchy.yaml|hierarchy-sa-workload-identity-binding| +|AC-3(7)|./namespaces/logging.yaml|allow-logging-resource-reference-from-projects| +|AC-3(7)|./namespaces/logging.yaml|configconnectorcontext.core.cnrm.cloud.google.com| +|AC-3(7)|./namespaces/logging.yaml|logging-sa| |AC-3(7)|./namespaces/logging.yaml|logging-sa| +|AC-3(7)|./namespaces/logging.yaml|logging-sa-bigqueryadmin-permissions| 
|AC-3(7)|./namespaces/logging.yaml|logging-sa-logadmin-permissions| +|AC-3(7)|./namespaces/logging.yaml|logging-sa-workload-identity-binding| +|AC-3(7)|./namespaces/management-namespace.yaml|config-control-sa-management-project-editor-permissions| +|AC-3(7)|./namespaces/management-namespace.yaml|config-control-sa-management-project-serviceaccountadmin-permissions| +|AC-3(7)|./namespaces/management-namespace.yaml|config-control-sa-orgroleadmin-permissions| +|AC-3(7)|./namespaces/management-namespace.yaml|config-control-sa-orgroleadmin-permissions| +|AC-3(7)|./namespaces/networking.yaml|configconnectorcontext.core.cnrm.cloud.google.com| |AC-3(7)|./namespaces/networking.yaml|networking-sa| +|AC-3(7)|./namespaces/networking.yaml|networking-sa| +|AC-3(7)|./namespaces/networking.yaml|networking-sa-dns-permissions| |AC-3(7)|./namespaces/networking.yaml|networking-sa-networkadmin-permissions| +|AC-3(7)|./namespaces/networking.yaml|networking-sa-security-permissions| +|AC-3(7)|./namespaces/networking.yaml|networking-sa-service-control-org-permissions| +|AC-3(7)|./namespaces/networking.yaml|networking-sa-servicedirectoryeditor-permissions| +|AC-3(7)|./namespaces/networking.yaml|networking-sa-workload-identity-binding| +|AC-3(7)|./namespaces/networking.yaml|networking-sa-xpnadmin-permissions| +|AC-3(7)|./namespaces/policies.yaml|configconnectorcontext.core.cnrm.cloud.google.com| +|AC-3(7)|./namespaces/policies.yaml|policies-sa| |AC-3(7)|./namespaces/policies.yaml|policies-sa| |AC-3(7)|./namespaces/policies.yaml|policies-sa-orgpolicyadmin-permissions| +|AC-3(7)|./namespaces/policies.yaml|policies-sa-workload-identity-binding| +|AC-3(7)|./namespaces/projects.yaml|allow-projects-resource-reference-from-logging| +|AC-3(7)|./namespaces/projects.yaml|allow-projects-resource-reference-from-networking| +|AC-3(7)|./namespaces/projects.yaml|allow-projects-resource-reference-from-policies| +|AC-3(7)|./namespaces/projects.yaml|configconnectorcontext.core.cnrm.cloud.google.com| 
+|AC-3(7)|./namespaces/projects.yaml|projects-sa| |AC-3(7)|./namespaces/projects.yaml|projects-sa| +|AC-3(7)|./namespaces/projects.yaml|projects-sa-billinguser-permissions| +|AC-3(7)|./namespaces/projects.yaml|projects-sa-projectcreator-permissions| +|AC-3(7)|./namespaces/projects.yaml|projects-sa-projectdeleter-permissions| |AC-3(7)|./namespaces/projects.yaml|projects-sa-projectiamadmin-permissions| -|AU-11|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|platform-and-component-log-bucket| -|AU-11|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|security-log-bucket| +|AC-3(7)|./namespaces/projects.yaml|projects-sa-projectmover-permissions| +|AC-3(7)|./namespaces/projects.yaml|projects-sa-serviceusageadmin-permissions| +|AC-3(7)|./namespaces/projects.yaml|projects-sa-workload-identity-binding| +|AC-3(7)|./org/custom-roles/gke-firewall-admin.yaml|gke-firewall-admin| +|AC-3(7)|./org/custom-roles/gke-firewall-admin.yaml|gke-firewall-admin| +|AC-3(7)|./org/custom-roles/tier2-dnsrecord-admin.yaml|tier2-dnsrecord-admin| +|AC-3(7)|./org/custom-roles/tier2-dnsrecord-admin.yaml|tier2-dnsrecord-admin| +|AC-3(7)|./org/custom-roles/tier2-vpcpeering-admin.yaml|tier2-vpcpeering-admin| +|AC-3(7)|./org/custom-roles/tier2-vpcpeering-admin.yaml|tier2-vpcpeering-admin| +|AC-3(7)|./org/custom-roles/tier3-dnsrecord-admin.yaml|tier3-dnsrecord-admin| +|AC-3(7)|./org/custom-roles/tier3-dnsrecord-admin.yaml|tier3-dnsrecord-admin| +|AC-3(7)|./org/custom-roles/tier3-firewallrule-admin.yaml|tier3-firewallrule-admin| +|AC-3(7)|./org/custom-roles/tier3-firewallrule-admin.yaml|tier3-firewallrule-admin| +|AC-3(7)|./org/custom-roles/tier3-subnetwork-admin.yaml|tier3-subnetwork-admin| +|AC-3(7)|./org/custom-roles/tier3-subnetwork-admin.yaml|tier3-subnetwork-admin| +|AC-3(7)|./org/custom-roles/tier3-vpcsc-admin.yaml|tier3-vpcsc-admin| +|AC-3(7)|./org/custom-roles/tier3-vpcsc-admin.yaml|tier3-vpcsc-admin| 
+|AC-3(7)|./org/custom-roles/tier4-secretmanager-admin.yaml|tier4-secretmanager-admin| +|AC-3(7)|./org/custom-roles/tier4-secretmanager-admin.yaml|tier4-secretmanager-admin| |AU-11|./setters.yaml|setters| -|AU-12(A)|./lz-folder/services-infrastructure/folder-sink.yaml|platform-and-component-services-infra-log-sink| -|AU-12(A)|./lz-folder/services/folder-sink.yaml|platform-and-component-services-log-sink| -|AU-12(A)|./mgmt-project/project-sink.yaml|mgmt-project-cluster-platform-and-component-log-sink| -|AU-12(A)|./org/org-sink.yaml|logging-project-id-security-sink| -|AU-12(C)|./lz-folder/services-infrastructure/folder-sink.yaml|platform-and-component-services-infra-log-sink| -|AU-12(C)|./lz-folder/services/folder-sink.yaml|platform-and-component-services-log-sink| -|AU-12(C)|./mgmt-project/project-sink.yaml|mgmt-project-cluster-platform-and-component-log-sink| -|AU-12(C)|./org/org-sink.yaml|logging-project-id-security-sink| -|AU-2|./lz-folder/services-infrastructure/folder-sink.yaml|platform-and-component-services-infra-log-sink| -|AU-2|./lz-folder/services/folder-sink.yaml|platform-and-component-services-log-sink| -|AU-2|./mgmt-project/project-sink.yaml|mgmt-project-cluster-platform-and-component-log-sink| -|AU-2|./org/org-sink.yaml|logging-project-id-security-sink| +|AU-12|./lz-folder/services-infrastructure/folder-sink.yaml|platform-and-component-services-infra-log-sink| +|AU-12|./lz-folder/services-infrastructure/folder-sink.yaml|platform-and-component-services-infra-log-sink| +|AU-12|./lz-folder/services/folder-sink.yaml|platform-and-component-services-log-sink| +|AU-12|./lz-folder/services/folder-sink.yaml|platform-and-component-services-log-sink| +|AU-12|./mgmt-project/project-sink.yaml|mgmt-project-cluster-platform-and-component-log-sink| +|AU-12|./mgmt-project/project-sink.yaml|mgmt-project-cluster-platform-and-component-log-sink| +|AU-12|./org/org-sink.yaml|logging-project-id-security-sink| +|AU-12|./org/org-sink.yaml|logging-project-id-security-sink| 
+|AU-12(1)|./lz-folder/services-infrastructure/folder-sink.yaml|platform-and-component-services-infra-log-sink| +|AU-12(1)|./lz-folder/services-infrastructure/folder-sink.yaml|platform-and-component-services-infra-log-sink| +|AU-12(1)|./lz-folder/services/folder-sink.yaml|platform-and-component-services-log-sink| +|AU-12(1)|./lz-folder/services/folder-sink.yaml|platform-and-component-services-log-sink| +|AU-12(1)|./mgmt-project/project-sink.yaml|mgmt-project-cluster-platform-and-component-log-sink| +|AU-12(1)|./mgmt-project/project-sink.yaml|mgmt-project-cluster-platform-and-component-log-sink| +|AU-12(1)|./org/org-sink.yaml|logging-project-id-security-sink| +|AU-12(1)|./org/org-sink.yaml|logging-project-id-security-sink| +|AU-3|./lz-folder/services-infrastructure/folder-sink.yaml|platform-and-component-services-infra-log-sink| +|AU-3|./lz-folder/services-infrastructure/folder-sink.yaml|platform-and-component-services-infra-log-sink| +|AU-3|./lz-folder/services/folder-sink.yaml|platform-and-component-services-log-sink| +|AU-3|./lz-folder/services/folder-sink.yaml|platform-and-component-services-log-sink| +|AU-3|./mgmt-project/project-sink.yaml|mgmt-project-cluster-disable-default-bucket| +|AU-3|./mgmt-project/project-sink.yaml|mgmt-project-cluster-platform-and-component-log-sink| +|AU-3|./mgmt-project/project-sink.yaml|mgmt-project-cluster-platform-and-component-log-sink| +|AU-3|./org/org-sink.yaml|logging-project-id-security-sink| +|AU-3|./org/org-sink.yaml|logging-project-id-security-sink| +|AU-3(1)|./lz-folder/services-infrastructure/folder-sink.yaml|platform-and-component-services-infra-log-sink| +|AU-3(1)|./lz-folder/services-infrastructure/folder-sink.yaml|platform-and-component-services-infra-log-sink| +|AU-3(1)|./lz-folder/services/folder-sink.yaml|platform-and-component-services-log-sink| +|AU-3(1)|./lz-folder/services/folder-sink.yaml|platform-and-component-services-log-sink| 
+|AU-3(1)|./mgmt-project/project-sink.yaml|mgmt-project-cluster-disable-default-bucket| +|AU-3(1)|./mgmt-project/project-sink.yaml|mgmt-project-cluster-platform-and-component-log-sink| +|AU-3(1)|./mgmt-project/project-sink.yaml|mgmt-project-cluster-platform-and-component-log-sink| +|AU-3(1)|./org/org-sink.yaml|logging-project-id-security-sink| +|AU-3(1)|./org/org-sink.yaml|logging-project-id-security-sink| +|AU-4(1)|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|platform-and-component-log-bucket| |AU-4(1)|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|security-log-bucket| +|AU-4(1)|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|security-log-bucket| +|AU-4(1)|./lz-folder/audits/logging-project/project.yaml|logging-project-id| |AU-4(1)|./lz-folder/audits/logging-project/project.yaml|logging-project-id| +|AU-4(1)|./lz-folder/services-infrastructure/folder-sink.yaml|platform-and-component-services-infra-log-sink| +|AU-4(1)|./lz-folder/services-infrastructure/folder-sink.yaml|platform-and-component-services-infra-log-sink| +|AU-4(1)|./lz-folder/services/folder-sink.yaml|platform-and-component-services-log-sink| +|AU-4(1)|./lz-folder/services/folder-sink.yaml|platform-and-component-services-log-sink| +|AU-4(1)|./mgmt-project/project-sink.yaml|mgmt-project-cluster-disable-default-bucket| +|AU-4(1)|./mgmt-project/project-sink.yaml|mgmt-project-cluster-platform-and-component-log-sink| +|AU-4(1)|./mgmt-project/project-sink.yaml|mgmt-project-cluster-platform-and-component-log-sink| +|AU-4(1)|./org/org-sink.yaml|logging-project-id-security-sink| +|AU-4(1)|./org/org-sink.yaml|logging-project-id-security-sink| +|AU-6(4)|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|platform-and-component-log-bucket| +|AU-6(4)|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|security-log-bucket| +|AU-6(4)|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|security-log-bucket| 
+|AU-6(4)|./lz-folder/services-infrastructure/folder-sink.yaml|platform-and-component-services-infra-log-sink| +|AU-6(4)|./lz-folder/services-infrastructure/folder-sink.yaml|platform-and-component-services-infra-log-sink| +|AU-6(4)|./lz-folder/services/folder-sink.yaml|platform-and-component-services-log-sink| +|AU-6(4)|./lz-folder/services/folder-sink.yaml|platform-and-component-services-log-sink| +|AU-6(4)|./mgmt-project/project-sink.yaml|mgmt-project-cluster-disable-default-bucket| +|AU-6(4)|./mgmt-project/project-sink.yaml|mgmt-project-cluster-platform-and-component-log-sink| +|AU-6(4)|./mgmt-project/project-sink.yaml|mgmt-project-cluster-platform-and-component-log-sink| +|AU-6(4)|./org/org-sink.yaml|logging-project-id-security-sink| +|AU-6(4)|./org/org-sink.yaml|logging-project-id-security-sink| +|AU-7|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|platform-and-component-log-bucket| +|AU-7|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|security-log-bucket| +|AU-7|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|security-log-bucket| +|AU-7(B)).|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|security-log-bucket| |AU-9|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|platform-and-component-log-bucket| |AU-9|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|security-log-bucket| +|AU-9|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|security-log-bucket| +|AU-9|./lz-folder/audits/logging-project/project-iam.yaml|logging-project-data-access-log-config| +|AU-9|./lz-folder/audits/logging-project/project-iam.yaml|mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions| +|AU-9|./lz-folder/audits/logging-project/project-iam.yaml|platform-and-component-services-infra-log-bucket-writer-permissions| +|AU-9|./lz-folder/audits/logging-project/project-iam.yaml|platform-and-component-services-log-bucket-writer-permissions| 
+|AU-9|./lz-folder/audits/logging-project/project-iam.yaml|security-log-bucket-writer-permissions| +|AU-9|./lz-folder/audits/logging-project/project-iam.yaml|security-log-bucket-writer-permissions| |AU-9|./setters.yaml|setters| +|AU-9(2)|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|platform-and-component-log-bucket| |AU-9(2)|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|security-log-bucket| +|AU-9(2)|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|security-log-bucket| +|AU-9(2)|./lz-folder/audits/logging-project/project.yaml|logging-project-id| |AU-9(2)|./lz-folder/audits/logging-project/project.yaml|logging-project-id| -|SC-22|./lz-folder/services-infrastructure/dns-project/dns.yaml|dns-project-id-standard-core-public-dns| +|AU-9(2)|./lz-folder/services-infrastructure/folder-sink.yaml|platform-and-component-services-infra-log-sink| +|AU-9(2)|./lz-folder/services-infrastructure/folder-sink.yaml|platform-and-component-services-infra-log-sink| +|AU-9(2)|./lz-folder/services/folder-sink.yaml|platform-and-component-services-log-sink| +|AU-9(2)|./lz-folder/services/folder-sink.yaml|platform-and-component-services-log-sink| +|AU-9(2)|./mgmt-project/project-sink.yaml|mgmt-project-cluster-disable-default-bucket| +|AU-9(2)|./mgmt-project/project-sink.yaml|mgmt-project-cluster-platform-and-component-log-sink| +|AU-9(2)|./mgmt-project/project-sink.yaml|mgmt-project-cluster-platform-and-component-log-sink| +|AU-9(2)|./org/org-sink.yaml|logging-project-id-security-sink| +|AU-9(2)|./org/org-sink.yaml|logging-project-id-security-sink| +|AU-9)|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|security-log-bucket| +|SC-20|./lz-folder/services-infrastructure/dns-project/dns.yaml|dns-project-id-standard-core-public-dns| +|SC-20|./lz-folder/services-infrastructure/dns-project/dns.yaml|dns-project-id-standard-core-public-dns| 
diff --git a/solutions/core-landing-zone/setters.yaml b/solutions/core-landing-zone/setters.yaml
index 45b2d2cce..0b9148af4 100644
--- a/solutions/core-landing-zone/setters.yaml
+++ b/solutions/core-landing-zone/setters.yaml
@@ -38,20 +38,30 @@ data:
 # General Settings Values
 ##########################
 #
+ # Use the same Google Cloud Organization ID that was used during the bootstrap procedure
+ # customization: required
 org-id: "0000000000"
+ # root folder to which the Landing Zone will be deployed into. This folder is created during the bootstrap procedure
+ # customization: required
 lz-folder-id: '0000000000'
+ # core-landing-zone billing id
+ # customization: required
 billing-id: "AAAAAA-BBBBBB-CCCCCC"
 #
 ##########################
 # Management Project
 ##########################
 #
- # This is the project where the config controller instance is running
- # Values can be viewed in the Project Dashboard via https://console.cloud.google.com/welcome?project=$PROJECT_ID under "Project number" where PROJECT_ID is defined as management-project-id below or in the export block as PROJECT_ID in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/docs/landing-zone-v2/README.md#initial-organization-configuration
+ # The management project is where the Landing Zone config controller instance is running.
+ # The $PROJECT_ID (management-project-id) is defined during Initial Organization Configuration (https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/docs/landing-zone-v2/README.md#initial-organization-configuration)
+ # customization: required
 management-project-id: management-project-12345
- # derive project-number (an expected numeric id like 5...57396547) using the project-id above via gcloud command: gcloud projects list --filter="${PROJECT_ID}" '--format=value(PROJECT_NUMBER)'
+ # The management-project-number can be obtained from the Dashboard via https://console.cloud.google.com/home/dashboard?project=$PROJECT_ID
+ # Alternatively, obtain the management-project-number from gcloud: gcloud projects list --filter="${PROJECT_ID}" '--format=value(PROJECT_NUMBER)'
+ # customization: required
 management-project-number: "0000000000"
- # leave the kubernetes namespace as a default
+ # kubernetes namespace set to the default, config-control.
+ # customization: Do not change this value.
 management-namespace: config-control
 #
 ##########################
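Review bot: The new `customization:` tags carry free-form text — `required` on org-id, `Do not change this value.` on management-namespace, and in the following hunks `This setting can be left as default or modified as required` and `this setting MUST be changed…` — so the tag cannot be grepped and a reader cannot tell at a glance which setters are mandatory before deployment. A fixed vocabulary would make the file self-auditing, e.g. `# customization: required`, `# customization: optional` and `# customization: fixed (do not change)`, with any explanation kept on the preceding comment line; the same applies to the `@@ -62` and `@@ -103` hunks. Separately, `lz-folder-id: '0000000000'` is the only single-quoted value in the block; `lz-folder-id: "0000000000"` matches org-id and management-project-number.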
@@ -62,26 +72,26 @@ data:
 #
 # a list of allowed trusted image projects, see YAML file for more info:
 # org/org-policies/compute-trusted-image-projects.yaml
- # this setting can be left as default or modified as required
+ # customization: This setting can be left as default or modified as required
 allowed-trusted-image-projects: |
 - "projects/cos-cloud"
 #
 # a list of allowed essential contact domains, see YAML file for more info:
 # org/org-policies/essentialcontacts-allowed-contact-domains.yaml
- # this setting MUST be changed
+ # customization: this setting MUST be changed to a domain in which you choose to allow to receive notifications from Google.
 allowed-contact-domains: |
 - "@example.com"
 #
 # a list of directory customer IDs from which users can be added to IAM policies, see YAML file for more info:
 # org/org-policies/iam-allowed-policy-member-domains.yaml
- # this setting MUST be changed to include the GCP org's directory ID and any other directory containing users that will need IAM roles assigned
 # run 'gcloud organizations list' as described in https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#retrieving_customer_id
+ # customization: # this setting MUST be changed to include the GCP org's directory customer ID and any other directory containing users that will need IAM roles assigned
 allowed-policy-domain-members: |
 - "DIRECTORY_CUSTOMER_ID"
 #
 # a list of allowed projects, folders, networks for VPC peering, see YAML file for more info:
 # org/org-policies/compute-restrict-vpc-peering.yaml
- # this setting MUST be changed, replace ORGANIZATION_ID with the GCP organizations's ID
+ # customization: this setting MUST be changed, replace ORGANIZATION_ID with the GCP organizations's ID
 allowed-vpc-peering: |
 - "under:organizations/ORGANIZATION_ID"
 #
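Review bot: The added comment on allowed-policy-domain-members has a stray second hash, `# customization: # this setting MUST be changed…`, which breaks the pattern every other tag in this change follows; it should read `# customization: this setting MUST be changed to include the GCP org's directory customer ID and any other directory containing users that will need IAM roles assigned`. Because the old instruction line was removed above the `run 'gcloud organizations list'` hint and the new one added below it, the hint now precedes the instruction it supports; swapping the two lines restores the reading order. Two smaller wording fixes on the other added lines: `organizations's` on the allowed-vpc-peering tag should be `organization's`, and the allowed-contact-domains tag reads more clearly as `# customization: this setting MUST be changed to the domain(s) allowed to receive notifications from Google.`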
@@ -89,12 +99,18 @@ data:
 # Logging
 ##########################
 #
+ # Core landing Zone logging project, used by the logging packages
+ # project id for the logging project to be created, following rules and conventions
+ # customization: required
 logging-project-id: logging-project-12345
 #
 # Log Buckets
 # Security Logs Bucket
+ # customization: required
 security-log-bucket: security-log-bucket-12345
+ #
 # Platform and Component Log Bucket
+ # customization: required
 platform-and-component-log-bucket: platform-and-component-log-bucket-12345
 #
 # Retention settings
@@ -103,8 +119,7 @@ data:
 # After a retention policy is locked (true), you can't delete the bucket until every log in the bucket has fulfilled the bucket's retention period
 # AU-9 PROTECTION OF AUDIT INFORMATION
 # AU-11 AUDIT RECORD RETENTION
- #
- # The values below must be modified to locked: true and retentionDays: 365 in a Production setting to implement above mentioned security controls.
+ # customization: The values below must be modified to locked: true and retentionDays: 365 in a Production setting to implement above mentioned security controls.
 retention-locking-policy: "false"
 retention-in-days: "1"
 #
@@ -112,8 +127,17 @@ data:
 # DNS
 ##########################
 #
+ # DNS project
+ #
+ # project id for the dns project to be created, following rules and conventions
+ # customization: required
 dns-project-id: dns-project-12345
+ #
+ # Core Landing Zone fqdn. The "dns-name" must end with a "."
+ # dns-name needs needs to receive delegation from the upper level of the domain example.com.
+ # customization: required
 dns-name: "example.com."
+ #
 ##########################
 # End of Configurations
 ##########################
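Review bot: The added line `# project id for the logging project to be created, following rules and conventions` names no rules, so a reader editing logging-project-id has nothing concrete to check against; the same phrase is repeated for dns-project-id in the last hunk. State the constraint or point to it, e.g. `# project id for the logging project to be created; must satisfy the Google Cloud project ID rules (lowercase letters, digits and hyphens, globally unique)`. Also `# Core landing Zone logging project` should be `# Core Landing Zone logging project`, matching the capitalisation used in the DNS hunk below.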
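Review bot: The new `customization:` line tells the reader to set `locked: true` and `retentionDays: 365`, but those are the LoggingLogBucket field names rather than the setter keys that immediately follow, so someone editing this file will search for `locked:` and find nothing. Name the setters and state plainly that the shipped values are not the compliant ones: `# customization: in a Production setting set retention-locking-policy: "true" and retention-in-days: "365" to implement the AU-9 / AU-11 controls above; the shipped values are development defaults that do not.` This matters because securitycontrols.md in this same commit lists `./setters.yaml` as evidence for AU-9 and AU-11, so an unqualified comment next to `"false"` / `"1"` invites a false sense of coverage; the irreversibility of locking is already covered by the context line above and need not be repeated.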
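Review bot: `# dns-name needs needs to receive delegation from the upper level of the domain example.com.` has a doubled word, and the example domain's trailing dot runs into the sentence's full stop; suggest `# dns-name must receive DNS delegation from the parent zone (e.g. the zone for example.com).`. The `# DNS project` heading followed by a bare `#` duplicates the `# DNS` banner two lines above it, which the Logging hunk does not do for its project; dropping those two added lines keeps the two sections parallel. The `must end with a "."` note is a useful addition, since a missing trailing dot would otherwise be a silent misconfiguration.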