

fix: adding security control tags (#810)
Adding security control tags to the following packages:

client-landing-zone
client-project-setup
client-setup
core-landing-zone
gke/configconnector/gke-admin-proxy
gke/configconnector/gke-cluster-autopilot
gke/configconnector/gke-defaults
gke/configconnector/gke-setup
gke/configconnector/gke-workload-identity
gke/kubernetes/cluster-defaults
gke/kubernetes/namespace-defaults
ids
davelanglois-ssc authored Feb 13, 2024
1 parent fe8ceab commit cb877a4
Showing 74 changed files with 582 additions and 182 deletions.
Expand Up @@ -12,6 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#########
# AC-1 - Implementation of access control
# AC-3, AC-3(7), AC-16(2) - IAM Partial Policy that binds tier4 namespace service account to the required minimum project scoped roles to deploy allowed resources
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
Expand All @@ -23,7 +24,7 @@ spec:
resourceRef:
kind: Project
external: projects/project-id # kpt-set: projects/${project-id}
# AC-3, AC-3(7), AC-16(2)
# AC-1, AC-3, AC-3(7), AC-16(2)
bindings:
# edit / add roles to tier4-sa as required
#
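Review bot: The new `AC-1 - Implementation of access control` header mislabels the control: AC-1 in NIST 800-53 / ITSG-33 is the access control policy-and-procedures control, whereas what this IAMPartialPolicy evidences is enforcement, which the existing AC-3 tags on the header and on the `bindings` key already cover. If the intent is to show that the binding realizes the documented policy, say so and keep the distinction visible, e.g. `# AC-1 - Binding implements the organization's documented access control policy (AC-1 itself is the policy/procedures control)`. The same wording is repeated in the other IAM files of this commit, so fix it once and propagate. The bindings list continues outside the hunk.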
Expand Up @@ -12,6 +12,8 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#########
# AC-1 - Implementation of access control
# AC-2(7) - Organize privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles
# AC-3, AC-3(7), AC-16(2) - IAM Partial Policy that binds users to the required minimum project scoped roles to perform duties
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
Expand All @@ -23,7 +25,7 @@ spec:
resourceRef:
kind: Project
external: projects/project-id # kpt-set: projects/${project-id}
# AC-3, AC-3(7), AC-16(2)
# AC-1, AC-2(7), AC-3, AC-3(7), AC-16(2)
bindings:
# edit / add roles to users as required
#
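Review bot: The AC-2(7) tag claims a role-based scheme for privileged accounts, yet the header and the `# edit / add roles to users as required` comment describe binding individual users to project roles; binding groups to roles (as the folder-iam file in this commit does with `client-folderviewer`) is what makes that claim straightforward to evidence and audit. I cannot see the bindings list in this hunk, so if the members are already groups, just tighten the wording: `# AC-2(7) - Privileged access is granted to groups mapped to roles, not to individual users`. AC-2(7) also expects privileged role assignments to be reviewed and removed when no longer appropriate, which nothing in this resource provides; if that is handled outside this package, the comment should say where.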
Expand Up @@ -15,6 +15,7 @@
# creates a cloud armor policy with rules
# the target load balancer is attached from its ComputeBackendService resource
# SC-5, SC-5(2) - Deploy Web Application Firewall in front of public facing web applications for additional inspection of incoming traffic using Cloud armor policy
# SI-4(4) - Cloud Armor is configured to monitor for potentially malicious behaviour
# Cloud armor policy is made up of rules that filter traffic based on conditions such as incoming request ip address before it reaches target load balancer backend services.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeSecurityPolicy
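Review bot: The SI-4(4) line asserts that Cloud Armor monitors for malicious behaviour, but a ComputeSecurityPolicy only evaluates and blocks; as far as I recall the per-request records (rule matched, action) are emitted by the load balancer and only when request logging is enabled on the ComputeBackendService the policy is attached to, which this file does not configure. Make that dependency explicit so the tag is not taken as self-sufficient evidence: `# SI-4(4) - Rule matches are visible only via the attached backend service's request logs; logging must be enabled on the ComputeBackendService`. The rules themselves are outside the hunk, so I cannot confirm whether any preconfigured WAF rules are still in preview mode, which would also weaken the claim.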
Expand Up @@ -15,6 +15,8 @@
# https://www.cyber.gc.ca/en/guidance/guidance-securely-configuring-network-protocols-itsp40062
#########
# SC-8, SC-13 - SSL policy with minimum TLS 1.2
# SC-23 - SSL policy in place enforcing TLS 1.2+ and strong/approved ciphers only.
# AC-17(2) - An SSL policy is deployed to ensure Google front end (GFE) load balancers use TLS 1.2 or later
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeSSLPolicy
metadata:
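Review bot: The new SC-23 line claims "strong/approved ciphers only", but the hunk shows only the header; whether that holds depends on the policy's `profile` and `minTlsVersion` in the spec below, and if I recall correctly the default profile (COMPATIBLE) does not restrict the cipher set at all. Either confirm the spec uses a RESTRICTED or CUSTOM profile whose cipher list matches the ITSP.40.062 guidance linked above, or soften the comment: `# SC-23 - Minimum TLS 1.2; cipher restriction holds only with a RESTRICTED/CUSTOM profile`. The resource spec continues outside the hunk.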
Expand Up @@ -17,6 +17,7 @@
# Delegate to host project, egress traffic(firewall) from VPC resources to private IP ranges in shared VPC network
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
# AU-12 - Enable Logging for firewall
# SI-4 - Logging denied traffic
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewallPolicyRule
metadata:
Expand Down Expand Up @@ -84,7 +85,7 @@ spec:
description: "Deny TOR exit nodes ingress traffic"
direction: "INGRESS"
disabled: false
# AU-12
# AU-12, SI-4
enableLogging: true
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
firewallPolicyRef:
Expand Down Expand Up @@ -113,7 +114,7 @@ spec:
description: "Deny sanctioned countries ingress traffic"
direction: "INGRESS"
disabled: false
# AU-12
# AU-12, SI-4
enableLogging: true
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
firewallPolicyRef:
Expand Up @@ -14,6 +14,7 @@
#########
# Allow os updates
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
# SC-18, SC-18(1), SC-18(2), SC-18(4), SC-18(5) - Access is restricted to the corresponding OS package repository on the Internet. It does not prevent the downloading and execution of mobile code from this source.
# AU-12 - Enable Logging for firewall
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewallPolicyRule
Expand All @@ -40,6 +41,7 @@ spec:
- "443"
srcIPRanges: # kpt-set: ${allowed-os-update-source-ip-ranges}
- "n.n.n.n/n"
# SC-18, SC-18(1), SC-18(2), SC-18(4), SC-18(5)
destFqdns: # kpt-set: ${allowed-os-update-domains}
- "example.com"
priority: 5000
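Review bot: The SC-18 comment on `destFqdns` should also say how the FQDN match is enforced: the firewall permits traffic to the addresses the names resolve to, so a package mirror fronted by a shared CDN address range lets any other service on those addresses through on 443, which is a wider destination set than the comment suggests. The existing mobile-code caveat is good; add one line under it: `# FQDN rules allow traffic to the resolved IPs of these names; a mirror on a shared CDN range widens the allowed destinations`. Scoping `srcIPRanges` to the hosts that actually run updates rather than whole subnets would narrow the rule further, though the setter value is outside this hunk.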
3 changes: 2 additions & 1 deletion solutions/client-landing-zone/client-folder/folder-iam.yaml
Expand Up @@ -13,6 +13,7 @@
# limitations under the License.
######
# Grant GCP role Folder Viewer on client's folder to client's user group
# AC-1 - Implementation of access control
# AC-3, AC-3(7), AC-16(2) - This IAM policy binding grants GCP Folder Viewer role on client's folder to client's user group based on least-privilege principle
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
Expand All @@ -27,6 +28,6 @@ spec:
kind: Folder
name: clients.client-name # kpt-set: clients.${client-name}
namespace: hierarchy
# AC-3, AC-3(7), AC-16(2)
# AC-1, AC-3, AC-3(7), AC-16(2)
role: roles/resourcemanager.folderViewer
member: client-folderviewer # kpt-set: ${client-folderviewer}
3 changes: 2 additions & 1 deletion solutions/client-landing-zone/client-folder/folder-sink.yaml
Expand Up @@ -15,6 +15,7 @@
# TODO: investigate using client ns, move functionality to client-setup and/or create new client logging project. Will be required if a config-controller is deployed per client OR we need to give permissions to the client service account into the core logging project.
# Folder sink for Platform and Component logs of Client Resources
# Destination: cloud logging bucket inside logging project
# AU-2 - Organization-defined auditable events
# AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the folder to send the logs to the logging bucket in the logging project
# AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket
# AU-12, AU-12(1) - Log Sinks defined in Log Router check each log entry against the inclusion filter and exclusion filter that determine which destinations that the log entry is sent to
Expand All @@ -39,7 +40,7 @@ spec:
description: Folder sink for client-name Platform and Component logs # kpt-set: Folder sink for ${client-name} Platform and Component logs
# the log sink must be enabled (disabled: false) to meet the listed security controls
disabled: false
# AU-12, AU-12(1)
# AU-2, AU-12, AU-12(1)
# Includes the following types of logs:
# Cloud DNS, Cloud NAT, Firewall Rules, VPC Flow, HTTP(S) Load Balancer and Intrusion Detection System (IDS)
# Logs for such resources must be enabled on the respective resource as they are not enabled by default.
Expand Up @@ -17,6 +17,7 @@
# Delegate to host project, egress traffic(firewall) from VPC resources to private IP ranges in shared VPC network
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
# AU-12 - Enable Logging for firewall policies
# SI-4 - Logging denied traffic
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewallPolicyRule
metadata:
Expand Down Expand Up @@ -84,7 +85,7 @@ spec:
description: "Deny known malicious IPs ingress traffic"
direction: "INGRESS"
disabled: false
# AU-12
# AU-12, SI-4
enableLogging: true
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
firewallPolicyRef:
Expand Down Expand Up @@ -112,7 +113,7 @@ spec:
description: "Deny known malicious IPs egress traffic"
direction: "EGRESS"
disabled: false
# AU-12
# AU-12, SI-4
enableLogging: true
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
firewallPolicyRef:
Expand Up @@ -15,6 +15,7 @@
# Allow all egress traffic(firewall) from VPC resources to private IP ranges in shared VPC network within host project
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
# AU-12 - Enable Logging for firewall
# SI-4 - Logging denied traffic
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewall
metadata:
Expand Down Expand Up @@ -65,7 +66,7 @@ spec:
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
networkRef:
name: host-project-id-global-standard-vpc # kpt-set: ${host-project-id}-global-standard-vpc
# AU-12
# AU-12, SI-4
logConfig:
metadata: "INCLUDE_ALL_METADATA"
---
Expand Down Expand Up @@ -93,6 +94,6 @@ spec:
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
networkRef:
name: host-project-id-global-standard-vpc # kpt-set: ${host-project-id}-global-standard-vpc
# AU-12
# AU-12, SI-4
logConfig:
metadata: "INCLUDE_ALL_METADATA"
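Review bot: The new `# SI-4 - Logging denied traffic` tag is attached to allow rules here (the file header reads "Allow all egress traffic ... to private IP ranges"), so the `logConfig` in both hunks records permitted connections, not denials, and the comment misstates what evidence these logs provide. Change both occurrences to `# SI-4 - Log matched (allowed) connections with full metadata for monitoring` and keep the "denied traffic" wording for the deny rules in the firewall-policy files. The second rule's description is outside the hunk, so confirm it is an allow rule too. `INCLUDE_ALL_METADATA` on a permit-all egress rule is also high-volume, which matters against the one-day retention default shipped elsewhere in this commit.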
Expand Up @@ -19,6 +19,7 @@
#########
# Subnet nonp-main northamerica-northeast1
# AU-12 - Enable Logging for Subnet
# IA-3(3) - IP space is assigned for dynamic allocation
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeSubnetwork
metadata:
Expand All @@ -29,6 +30,7 @@ metadata:
config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeNetwork/host-project-id-global-standard-vpc # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeNetwork/${host-project-id}-global-standard-vpc
spec:
resourceID: nane1-standard-nonp-main-snet
# IA-3(3)
ipCidrRange: 10.1.0.0/21 # kpt-set: ${standard-nane1-nonp-main-snet}
region: northamerica-northeast1
description: northamerica-northeast1 nonp-main subnet
Expand All @@ -52,6 +54,7 @@ metadata:
config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeNetwork/host-project-id-global-standard-vpc # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeNetwork/${host-project-id}-global-standard-vpc
spec:
resourceID: nane1-standard-pbmm-main-snet
# IA-3(3)
ipCidrRange: 10.1.128.0/21 # kpt-set: ${standard-nane1-pbmm-main-snet}
region: northamerica-northeast1
description: northamerica-northeast1 pbmm-main subnet
Expand All @@ -75,6 +78,7 @@ metadata:
config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeNetwork/host-project-id-global-standard-vpc # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeNetwork/${host-project-id}-global-standard-vpc
spec:
resourceID: nane2-standard-nonp-main-snet
# IA-3(3)
ipCidrRange: 10.1.8.0/21 # kpt-set: ${standard-nane2-nonp-main-snet}
region: northamerica-northeast2
description: northamerica-northeast2 nonp-main subnet
Expand All @@ -98,6 +102,7 @@ metadata:
config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeNetwork/host-project-id-global-standard-vpc # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeNetwork/${host-project-id}-global-standard-vpc
spec:
resourceID: nane2-standard-pbmm-main-snet
# IA-3(3)
ipCidrRange: 10.1.136.0/21 # kpt-set: ${standard-nane2-pbmm-main-snet}
region: northamerica-northeast2
description: northamerica-northeast2 pbmm-main subnet
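Review bot: Tagging `ipCidrRange` with IA-3(3) overstates what the field does: IA-3(3) (dynamic address allocation) expects lease information and lease duration to be standardized and audited, while the CIDR only defines the pool from which GCE assigns addresses. Reword the four occurrences to something like `# IA-3(3) - Pool from which internal addresses are dynamically assigned; assignment history is evidenced by the subnet flow logs (AU-12 above)`, assuming the `logConfig` below each hunk actually enables flow logs, which I cannot see here. If it does not, the tag has no supporting evidence in this file.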
Expand Up @@ -15,6 +15,7 @@
# Isolate non-protected subnet so it denies ingress traffic from pbmm subnet
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
# AU-12 - Enable Logging for firewall
# SI-4 - Logging denied traffic
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewallPolicyRule
metadata:
Expand All @@ -27,7 +28,7 @@ spec:
description: "Isolate non-protected subnet so it denies ingress traffic from pbmm subnet"
direction: "INGRESS"
disabled: false
# AU-12
# AU-12, SI-4
enableLogging: true
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
firewallPolicyRef:
Expand Up @@ -17,6 +17,8 @@
# Logs are routed using a log sink to a central logging project into a dedicated log bucket
# AU-7, AU-9 - The log buckets created within the Logging project are immutable (AU-7(B)). These buckets have a retention policy of xxx days and IAM Policy that defines who has access to the bucket (AU-9)
# AU-4(1), AU-6(4), AU-9(2), AU-12, AU-12(1) Log sinks sending the logs to same project in same region having a logging bucket
# AU-9(4), SI-4 - The centralized logging solution has a configuration in place that defines all logging buckets to be locked
# AU-11 - Logging bucket retention configuration
apiVersion: logging.cnrm.cloud.google.com/v1beta1
kind: LoggingLogBucket
metadata:
Expand All @@ -30,6 +32,7 @@ spec:
location: northamerica-northeast1
description: Cloud Logging bucket for client-name Platform and Component logs # kpt-set: Cloud Logging bucket for ${client-name} Platform and Component logs
# RetentionDays sets the policy where existing log content cannot be changed/deleted for the specified number of days (from setters.yaml), locked setting means policy cannot be changed, ensuring immutability
# AU-7, AU-9
# AU-7, AU-9, AU-9(4), SI-4
locked: false # kpt-set: ${retention-locking-policy}
# AU-11
retentionDays: 1 # kpt-set: ${retention-in-days}
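Review bot: The AU-9(4)/SI-4 comment says all logging buckets are defined to be locked, but the committed default is `locked: false` with `retentionDays: 1`, so the control is met only if the `retention-locking-policy` and `retention-in-days` setters are overridden; a client applying the package as shipped gets a mutable bucket with one day of history. Either ship compliant defaults (`locked: true # kpt-set: ${retention-locking-policy}` and a retention matching the organization-defined period) or make the comment honest: `# AU-9(4) - met only when retention-locking-policy is true; locking is irreversible and blocks bucket deletion until retention expires`. SI-4 is a monitoring control and does not fit a lock flag, so drop it from this line. AU-11 on `retentionDays` carries the same dependency on the setter and should say so.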
Expand Up @@ -15,6 +15,7 @@
# TODO: investigate using client ns, move functionality to client-setup and/or create new client logging project. Will be required if a config-controller is deployed per client OR we need to give permissions to the client service account into the core logging project.
# Logs Bucket writer IAM permissions
# Binds the generated Writer identity from the LoggingLogSink to the logging project
# AC-1 - Implementation of access control
# AC-3, AC-3(7), AC-16(2), AU-9 - This IAM policy binding grants bucketwriter role to the identity of the log sink configured on the bucket in the logging project
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
Expand All @@ -26,7 +27,7 @@ spec:
kind: Project
name: logging-project-id # kpt-set: ${logging-project-id}
namespace: projects
# AC-3, AC-3(7), AC-16(2), AU-9
# AC-1, AC-3, AC-3(7), AC-16(2), AU-9
bindings:
- role: roles/logging.bucketWriter
members:
