diff --git a/examples/landing-zone-v2/configconnector/tier3/client-project-iam/iam-tier4-sa.yaml b/examples/landing-zone-v2/configconnector/tier3/client-project-iam/iam-tier4-sa.yaml
index fa6063943..061993f90 100644
--- a/examples/landing-zone-v2/configconnector/tier3/client-project-iam/iam-tier4-sa.yaml
+++ b/examples/landing-zone-v2/configconnector/tier3/client-project-iam/iam-tier4-sa.yaml
@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #########
+# AC-1 - Implementation of access control
 # AC-3, AC-3(7), AC-16(2) - IAM Partial Policy that binds tier4 namespace service account to the required minimum project scoped roles to deploy allowed resources
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPartialPolicy
@@ -23,7 +24,7 @@ spec:
 resourceRef:
 kind: Project
 external: projects/project-id # kpt-set: projects/${project-id}
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 bindings:
 # edit / add roles to tier4-sa as required
 #
diff --git a/examples/landing-zone-v2/configconnector/tier3/client-project-iam/iam-users.yaml b/examples/landing-zone-v2/configconnector/tier3/client-project-iam/iam-users.yaml
index 056b5b317..7b83d7bda 100644
--- a/examples/landing-zone-v2/configconnector/tier3/client-project-iam/iam-users.yaml
+++ b/examples/landing-zone-v2/configconnector/tier3/client-project-iam/iam-users.yaml
@@ -12,6 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #########
+# AC-1 - Implementation of access control
+# AC-2(7) - Organize privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles
 # AC-3, AC-3(7), AC-16(2) - IAM Partial Policy that binds users to the required minimum project scoped roles to perform duties
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPartialPolicy
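Review bot: The new `# AC-1 - Implementation of access control` header line in iam-tier4-sa.yaml labels an IAMPartialPolicy as implementing AC-1, but AC-1 is the access control policy-and-procedures control, which is evidenced by the documented policy rather than by a role binding, so the annotation points an assessor at the wrong artefact. The identical wording is added in this commit to iam-users.yaml, folder-iam.yaml, project-iam.yaml, project-id-tier3.yaml and project-id-tier4.yaml, and each of their inline `# AC-1, AC-3, ...` markers inherits the same overstatement. Suggest rewording the header to `# AC-1 - Supporting artefact for the documented access control policy; AC-1 itself is evidenced by the policy and procedures, not by this binding` wherever it was introduced, and keeping the inline markers only where the mapping is meant as supporting evidence.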
@@ -23,7 +25,7 @@ spec:
 resourceRef:
 kind: Project
 external: projects/project-id # kpt-set: projects/${project-id}
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-2(7), AC-3, AC-3(7), AC-16(2)
 bindings:
 # edit / add roles to users as required
 #
diff --git a/examples/landing-zone-v2/configconnector/tier3/cloud-armor/security-policy.yaml b/examples/landing-zone-v2/configconnector/tier3/cloud-armor/security-policy.yaml
index eb1f439b9..ac04d57fd 100644
--- a/examples/landing-zone-v2/configconnector/tier3/cloud-armor/security-policy.yaml
+++ b/examples/landing-zone-v2/configconnector/tier3/cloud-armor/security-policy.yaml
@@ -15,6 +15,7 @@
 # creates a cloud armor policy with rules
 # the target load balancer is attached from its ComputeBackendService resource
 # SC-5, SC-5(2) - Deploy Web Application Firewall in front of public facing web applications for additional inspection of incoming traffic using Cloud armor policy
+# SI-4(4) - Cloud Armor is configured to monitor for potentially malicious behaviour
 # Cloud armor policy is made up of rules that filter traffic based on conditions such as incoming request ip address before it reaches target load balancer backend services.
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeSecurityPolicy
diff --git a/examples/landing-zone-v2/configconnector/tier3/ssl-policies/ssl-policy-tls-1.2.yaml b/examples/landing-zone-v2/configconnector/tier3/ssl-policies/ssl-policy-tls-1.2.yaml
index 46eb9eb46..114f3bd64 100644
--- a/examples/landing-zone-v2/configconnector/tier3/ssl-policies/ssl-policy-tls-1.2.yaml
+++ b/examples/landing-zone-v2/configconnector/tier3/ssl-policies/ssl-policy-tls-1.2.yaml
@@ -15,6 +15,8 @@
 # https://www.cyber.gc.ca/en/guidance/guidance-securely-configuring-network-protocols-itsp40062
 #########
 # SC-8, SC-13 - SSL policy with minimum TLS 1.2
+# SC-23 - SSL policy in place enforcing TLS 1.2+ and strong/approved ciphers only.
+# AC-17(2) - An SSL policy is deployed to ensure Google front end (GFE) load balancers use TLS 1.2 or later
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeSSLPolicy
 metadata:
diff --git a/solutions/client-landing-zone/client-folder/firewall-policy/rules/defaults.yaml b/solutions/client-landing-zone/client-folder/firewall-policy/rules/defaults.yaml
index 88f67a388..ed6927b4e 100644
--- a/solutions/client-landing-zone/client-folder/firewall-policy/rules/defaults.yaml
+++ b/solutions/client-landing-zone/client-folder/firewall-policy/rules/defaults.yaml
@@ -17,6 +17,7 @@
 # Delegate to host project, egress traffic(firewall) from VPC resources to private IP ranges in shared VPC network
 # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
 # AU-12 - Enable Logging for firewall
+# SI-4 - Logging denied traffic
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeFirewallPolicyRule
 metadata:
@@ -84,7 +85,7 @@ spec:
 description: "Deny TOR exit nodes ingress traffic"
 direction: "INGRESS"
 disabled: false
- # AU-12
+ # AU-12, SI-4
 enableLogging: true
 # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
 firewallPolicyRef:
@@ -113,7 +114,7 @@ spec:
 description: "Deny sanctioned countries ingress traffic"
 direction: "INGRESS"
 disabled: false
- # AU-12
+ # AU-12, SI-4
 enableLogging: true
 # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
 firewallPolicyRef:
diff --git a/solutions/client-landing-zone/client-folder/firewall-policy/rules/os-updates.yaml b/solutions/client-landing-zone/client-folder/firewall-policy/rules/os-updates.yaml
index c1734465d..c4fb2935b 100644
--- a/solutions/client-landing-zone/client-folder/firewall-policy/rules/os-updates.yaml
+++ b/solutions/client-landing-zone/client-folder/firewall-policy/rules/os-updates.yaml
@@ -14,6 +14,7 @@
 #########
 # Allow os updates
 # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
+# SC-18, SC-18(1), SC-18(2), SC-18(4), SC-18(5) - Access is restricted to the corresponding OS package repository on the Internet. It does not prevent the downloading and execution of mobile code from this source.
 # AU-12 - Enable Logging for firewall
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeFirewallPolicyRule
@@ -40,6 +41,7 @@ spec:
 - "443"
 srcIPRanges: # kpt-set: ${allowed-os-update-source-ip-ranges}
 - "n.n.n.n/n"
+ # SC-18, SC-18(1), SC-18(2), SC-18(4), SC-18(5)
 destFqdns: # kpt-set: ${allowed-os-update-domains}
 - "example.com"
 priority: 5000
diff --git a/solutions/client-landing-zone/client-folder/folder-iam.yaml b/solutions/client-landing-zone/client-folder/folder-iam.yaml
index 699799499..34398490c 100644
--- a/solutions/client-landing-zone/client-folder/folder-iam.yaml
+++ b/solutions/client-landing-zone/client-folder/folder-iam.yaml
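Review bot: The new SC-18 header line on os-updates.yaml claims SC-18(1), SC-18(2), SC-18(4) and SC-18(5) while its own second sentence states the rule does not prevent the downloading and execution of mobile code; those enhancements cover identifying unacceptable mobile code, controlling its acquisition and use, preventing automatic execution and confining execution, none of which an allow rule scoped by `destFqdns` performs. The inline `# SC-18, SC-18(1), SC-18(2), SC-18(4), SC-18(5)` marker above `destFqdns` in the second hunk repeats the claim. Suggest narrowing both to what the rule evidences, e.g. `# SC-18 - Supporting control only: OS package downloads are limited to the approved repositories in destFqdns; SC-18 enhancements on identifying, confining or blocking mobile code are not implemented by this rule`, and dropping the corresponding SC-18(x) rows generated into securitycontrols.md.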
@@ -13,6 +13,7 @@
 # limitations under the License.
 ######
 # Grant GCP role Folder Viewer on client's folder to client's user group
+# AC-1 - Implementation of access control
 # AC-3, AC-3(7), AC-16(2) - This IAM policy binding grants GCP Folder Viewer role on client's folder to client's user group based on least-privilege principle
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
@@ -27,6 +28,6 @@ spec:
 kind: Folder
 name: clients.client-name # kpt-set: clients.${client-name}
 namespace: hierarchy
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 role: roles/resourcemanager.folderViewer
 member: client-folderviewer # kpt-set: ${client-folderviewer}
diff --git a/solutions/client-landing-zone/client-folder/folder-sink.yaml b/solutions/client-landing-zone/client-folder/folder-sink.yaml
index 5aaf7cef3..f1e30f16e 100644
--- a/solutions/client-landing-zone/client-folder/folder-sink.yaml
+++ b/solutions/client-landing-zone/client-folder/folder-sink.yaml
@@ -15,6 +15,7 @@
 # TODO: investigate using client ns, move functionality to client-setup and/or create new client logging project. Will be required if a config-controller is deployed per client OR we need to give permissions to the client service account into the core logging project.
 # Folder sink for Platform and Component logs of Client Resources
 # Destination: cloud logging bucket inside logging project
+# AU-2 - Organization-defined auditable events
 # AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the folder to send the logs to the logging bucket in the logging project
 # AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket
 # AU-12, AU-12(1) - Log Sinks defined in Log Router check each log entry against the inclusion filter and exclusion filter that determine which destinations that the log entry is sent to
@@ -39,7 +40,7 @@ spec:
 description: Folder sink for client-name Platform and Component logs # kpt-set: Folder sink for ${client-name} Platform and Component logs
 # the log sink must be enabled (disabled: false) to meet the listed security controls
 disabled: false
- # AU-12, AU-12(1)
+ # AU-2, AU-12, AU-12(1)
 # Includes the following types of logs:
 # Cloud DNS, Cloud NAT, Firewall Rules, VPC Flow, HTTP(S) Load Balancer and Intrusion Detection System (IDS)
 # Logs for such resources must be enabled on the respective resource as they are not enabled by default.
diff --git a/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml b/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml
index 40f148978..1af3439a7 100644
--- a/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml
+++ b/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml
@@ -17,6 +17,7 @@
 # Delegate to host project, egress traffic(firewall) from VPC resources to private IP ranges in shared VPC network
 # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
 # AU-12 - Enable Logging for firewall policies
+# SI-4 - Logging denied traffic
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeFirewallPolicyRule
 metadata:
@@ -84,7 +85,7 @@ spec:
 description: "Deny known malicious IPs ingress traffic"
 direction: "INGRESS"
 disabled: false
- # AU-12
+ # AU-12, SI-4
 enableLogging: true
 # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
 firewallPolicyRef:
@@ -112,7 +113,7 @@ spec:
 description: "Deny known malicious IPs egress traffic"
 direction: "EGRESS"
 disabled: false
- # AU-12
+ # AU-12, SI-4
 enableLogging: true
 # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
 firewallPolicyRef:
diff --git a/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml b/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml
index 7edc91208..88655361a 100644
--- a/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml
+++ b/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml
@@ -15,6 +15,7 @@
 # Allow all egress traffic(firewall) from VPC resources to private IP ranges in shared VPC network within host project
 # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
 # AU-12 - Enable Logging for firewall
+# SI-4 - Logging denied traffic
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeFirewall
 metadata:
@@ -65,7 +66,7 @@ spec:
 # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
 networkRef:
 name: host-project-id-global-standard-vpc # kpt-set: ${host-project-id}-global-standard-vpc
- # AU-12
+ # AU-12, SI-4
 logConfig:
 metadata: "INCLUDE_ALL_METADATA"
 ---
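Review bot: The file-level `# SI-4 - Logging denied traffic` added to firewall.yaml contradicts the comment directly above it, which describes an allow rule (`Allow all egress traffic(firewall) from VPC resources to private IP ranges`), and the `# AU-12, SI-4` markers in the two `logConfig` hunks sit on rules whose action is outside the hunk, so at least one of them is presumably an allow rule being tagged as denied-traffic logging. If the intent is that every rule in this file logs with full metadata to feed monitoring, say that instead: `# SI-4 - Firewall logging (INCLUDE_ALL_METADATA) on allow and deny rules feeds traffic monitoring`. The same wording is added to both defaults.yaml files and to network-isolation.yaml, where the rules shown are deny rules, so it reads correctly there.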
@@ -93,6 +94,6 @@ spec:
 # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
 networkRef:
 name: host-project-id-global-standard-vpc # kpt-set: ${host-project-id}-global-standard-vpc
- # AU-12
+ # AU-12, SI-4
 logConfig:
 metadata: "INCLUDE_ALL_METADATA"
diff --git a/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml b/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml
index 492349b40..0286fd6e4 100644
--- a/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml
+++ b/solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml
@@ -19,6 +19,7 @@
 #########
 # Subnet nonp-main northamerica-northeast1
 # AU-12 - Enable Logging for Subnet
+# IA-3(3) - IP space is assigned for dynamic allocation
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeSubnetwork
 metadata:
@@ -29,6 +30,7 @@ metadata:
 config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeNetwork/host-project-id-global-standard-vpc # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeNetwork/${host-project-id}-global-standard-vpc
 spec:
 resourceID: nane1-standard-nonp-main-snet
+ # IA-3(3)
 ipCidrRange: 10.1.0.0/21 # kpt-set: ${standard-nane1-nonp-main-snet}
 region: northamerica-northeast1
 description: northamerica-northeast1 nonp-main subnet
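Review bot: The `# IA-3(3)` marker placed above `ipCidrRange` in each ComputeSubnetwork hunk (-29, -52, -75 and -98), together with the header `# IA-3(3) - IP space is assigned for dynamic allocation`, maps Dynamic Address Allocation to a static CIDR declaration; that enhancement is about standardising lease information and lease duration for dynamically assigned addresses and auditing lease data, which a subnet range does not by itself evidence. The platform-managed address leasing in the VPC may be what is intended, but nothing in this resource configures or audits it. Suggest a header that states the scope honestly, e.g. `# IA-3(3) - Range from which instance addresses are leased by the VPC; lease duration and lease auditing are platform-managed and not configured here`.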
@@ -52,6 +54,7 @@ metadata:
 config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeNetwork/host-project-id-global-standard-vpc # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeNetwork/${host-project-id}-global-standard-vpc
 spec:
 resourceID: nane1-standard-pbmm-main-snet
+ # IA-3(3)
 ipCidrRange: 10.1.128.0/21 # kpt-set: ${standard-nane1-pbmm-main-snet}
 region: northamerica-northeast1
 description: northamerica-northeast1 pbmm-main subnet
@@ -75,6 +78,7 @@ metadata:
 config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeNetwork/host-project-id-global-standard-vpc # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeNetwork/${host-project-id}-global-standard-vpc
 spec:
 resourceID: nane2-standard-nonp-main-snet
+ # IA-3(3)
 ipCidrRange: 10.1.8.0/21 # kpt-set: ${standard-nane2-nonp-main-snet}
 region: northamerica-northeast2
 description: northamerica-northeast2 nonp-main subnet
@@ -98,6 +102,7 @@ metadata:
 config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeNetwork/host-project-id-global-standard-vpc # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeNetwork/${host-project-id}-global-standard-vpc
 spec:
 resourceID: nane2-standard-pbmm-main-snet
+ # IA-3(3)
 ipCidrRange: 10.1.136.0/21 # kpt-set: ${standard-nane2-pbmm-main-snet}
 region: northamerica-northeast2
 description: northamerica-northeast2 pbmm-main subnet
diff --git a/solutions/client-landing-zone/client-folder/standard/firewall-policy/rules/network-isolation.yaml b/solutions/client-landing-zone/client-folder/standard/firewall-policy/rules/network-isolation.yaml
index 82604c10e..0e09507c3 100644
--- a/solutions/client-landing-zone/client-folder/standard/firewall-policy/rules/network-isolation.yaml
+++ b/solutions/client-landing-zone/client-folder/standard/firewall-policy/rules/network-isolation.yaml
@@ -15,6 +15,7 @@
 # Isolate non-protected subnet so it denies ingress traffic from pbmm subnet
 # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
 # AU-12 - Enable Logging for firewall
+# SI-4 - Logging denied traffic
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeFirewallPolicyRule
 metadata:
@@ -27,7 +28,7 @@ spec:
 description: "Isolate non-protected subnet so it denies ingress traffic from pbmm subnet"
 direction: "INGRESS"
 disabled: false
- # AU-12
+ # AU-12, SI-4
 enableLogging: true
 # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
 firewallPolicyRef:
diff --git a/solutions/client-landing-zone/logging-project/cloud-logging-bucket.yaml b/solutions/client-landing-zone/logging-project/cloud-logging-bucket.yaml
index 6a0dbbfb6..9ef326b8c 100644
--- a/solutions/client-landing-zone/logging-project/cloud-logging-bucket.yaml
+++ b/solutions/client-landing-zone/logging-project/cloud-logging-bucket.yaml
@@ -17,6 +17,8 @@
 # Logs are routed using a log sink to a central logging project into a dedicated log bucket
 # AU-7, AU-9 - The log buckets created within the Logging project are immutable (AU-7(B)). These buckets have a retention policy of xxx days and IAM Policy that defines who has access to the bucket (AU-9)
 # AU-4(1), AU-6(4), AU-9(2), AU-12, AU-12(1) Log sinks sending the logs to same project in same region having a logging bucket
+# AU-9(4), SI-4 - The centralized logging solution has a configuration in place that defines all logging buckets to be locked
+# AU-11 - Logging bucket retention configuration
 apiVersion: logging.cnrm.cloud.google.com/v1beta1
 kind: LoggingLogBucket
 metadata:
@@ -30,6 +32,7 @@ spec:
 location: northamerica-northeast1
 description: Cloud Logging bucket for client-name Platform and Component logs # kpt-set: Cloud Logging bucket for ${client-name} Platform and Component logs
 # RetentionDays sets the policy where existing log content cannot be changed/deleted for the specified number of days (from setters.yaml), locked setting means policy cannot be changed, ensuring immutability
- # AU-7, AU-9
+ # AU-7, AU-9, AU-9(4), SI-4
 locked: false # kpt-set: ${retention-locking-policy}
+ # AU-11
 retentionDays: 1 # kpt-set: ${retention-in-days}
diff --git a/solutions/client-landing-zone/logging-project/project-iam.yaml b/solutions/client-landing-zone/logging-project/project-iam.yaml
index add51f64f..7566733a4 100644
--- a/solutions/client-landing-zone/logging-project/project-iam.yaml
+++ b/solutions/client-landing-zone/logging-project/project-iam.yaml
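Review bot: The new header `# AU-9(4), SI-4 - ... defines all logging buckets to be locked` is contradicted two lines below by `locked: false # kpt-set: ${retention-locking-policy}`, so with the packaged setter the bucket is not locked, and the inline `# AU-7, AU-9, AU-9(4), SI-4` marker on that line only holds once the setter renders `locked: true`. The `# AU-11` marker added above `retentionDays: 1 # kpt-set: ${retention-in-days}` has the same dependency, with a one-day default that is a placeholder rather than a retention policy. Suggest making the dependency explicit in both comments, e.g. `# AU-9(4) - Bucket is immutable only when ${retention-locking-policy} renders locked: true; packaged default is false` and `# AU-11 - Retention comes from ${retention-in-days}; packaged default of 1 day is a placeholder`. Separately, SI-4 is a system monitoring control whereas bucket locking protects audit information, so the SI-4 mapping here looks misplaced and AU-9 already covers it.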
@@ -15,6 +15,7 @@
 # TODO: investigate using client ns, move functionality to client-setup and/or create new client logging project. Will be required if a config-controller is deployed per client OR we need to give permissions to the client service account into the core logging project.
 # Logs Bucket writer IAM permissions
 # Binds the generated Writer identity from the LoggingLogSink to the logging project
+# AC-1 - Implementation of access control
 # AC-3, AC-3(7), AC-16(2), AU-9 - This IAM policy binding grants bucketwriter role to the identity of the log sink configured on the bucket in the logging project
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPartialPolicy
@@ -26,7 +27,7 @@ spec:
 kind: Project
 name: logging-project-id # kpt-set: ${logging-project-id}
 namespace: projects
- # AC-3, AC-3(7), AC-16(2), AU-9
+ # AC-1, AC-3, AC-3(7), AC-16(2), AU-9
 bindings:
 - role: roles/logging.bucketWriter
 members:
diff --git a/solutions/client-landing-zone/securitycontrols.md b/solutions/client-landing-zone/securitycontrols.md
index 1301d660b..d22807caa 100644
--- a/solutions/client-landing-zone/securitycontrols.md
+++ b/solutions/client-landing-zone/securitycontrols.md
@@ -3,6 +3,10 @@
 
 |Security Control|File Name|Resource Name|
 |---|---|---|
+|AC-1|./client-folder/folder-iam.yaml|clients.client-name-client-folder-viewer-permissions|
+|AC-1|./client-folder/folder-iam.yaml|clients.client-name-client-folder-viewer-permissions|
+|AC-1|./logging-project/project-iam.yaml|platform-and-component-log-client-name-bucket-writer-permissions|
+|AC-1|./logging-project/project-iam.yaml|platform-and-component-log-client-name-bucket-writer-permissions|
 |AC-16(2)|./client-folder/folder-iam.yaml|clients.client-name-client-folder-viewer-permissions|
 |AC-16(2)|./client-folder/folder-iam.yaml|clients.client-name-client-folder-viewer-permissions|
 |AC-16(2)|./logging-project/project-iam.yaml|platform-and-component-log-client-name-bucket-writer-permissions|
@@ -138,6 +142,8 @@
 |AC-4(21)|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-nonp-fwr|
 |AC-4(21)|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-nonp-fwr|
 |AC-4(21)|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-pbmm-fwr|
+|AU-11|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket|
+|AU-11|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket|
 |AU-11|./setters.yaml|setters|
 |AU-12|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-deny-sanctioned-countries-ingress-fwr|
 |AU-12|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-deny-tor-nodes-ingress-traffic-fwr|
@@ -176,6 +182,8 @@
 |AU-12(1)|./client-folder/folder-sink.yaml|platform-and-component-log-client-name-log-sink|
 |AU-12(1)|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket|
 |AU-12(1)|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket|
+|AU-2|./client-folder/folder-sink.yaml|platform-and-component-log-client-name-log-sink|
+|AU-2|./client-folder/folder-sink.yaml|platform-and-component-log-client-name-log-sink|
 |AU-3|./client-folder/folder-sink.yaml|platform-and-component-log-client-name-log-sink|
 |AU-3|./client-folder/folder-sink.yaml|platform-and-component-log-client-name-log-sink|
 |AU-3(1)|./client-folder/folder-sink.yaml|platform-and-component-log-client-name-log-sink|
@@ -200,7 +208,24 @@
 |AU-9(2)|./client-folder/folder-sink.yaml|platform-and-component-log-client-name-log-sink|
 |AU-9(2)|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket|
 |AU-9(2)|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket|
+|AU-9(4)|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket|
+|AU-9(4)|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket|
 |AU-9)|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket|
+|IA-3(3)|./client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml|host-project-id-nane1-standard-nonp-main-snet|
+|IA-3(3)|./client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml|host-project-id-nane1-standard-nonp-main-snet|
+|IA-3(3)|./client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml|host-project-id-nane1-standard-pbmm-main-snet|
+|IA-3(3)|./client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml|host-project-id-nane2-standard-nonp-main-snet|
+|IA-3(3)|./client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml|host-project-id-nane2-standard-pbmm-main-snet|
+|SC-18|./client-folder/firewall-policy/rules/os-updates.yaml|client-name-client-folder-fwpol-allow-os-updates-fwr|
+|SC-18|./client-folder/firewall-policy/rules/os-updates.yaml|client-name-client-folder-fwpol-allow-os-updates-fwr|
+|SC-18(1)|./client-folder/firewall-policy/rules/os-updates.yaml|client-name-client-folder-fwpol-allow-os-updates-fwr|
+|SC-18(1)|./client-folder/firewall-policy/rules/os-updates.yaml|client-name-client-folder-fwpol-allow-os-updates-fwr|
+|SC-18(2)|./client-folder/firewall-policy/rules/os-updates.yaml|client-name-client-folder-fwpol-allow-os-updates-fwr|
+|SC-18(2)|./client-folder/firewall-policy/rules/os-updates.yaml|client-name-client-folder-fwpol-allow-os-updates-fwr|
+|SC-18(4)|./client-folder/firewall-policy/rules/os-updates.yaml|client-name-client-folder-fwpol-allow-os-updates-fwr|
+|SC-18(4)|./client-folder/firewall-policy/rules/os-updates.yaml|client-name-client-folder-fwpol-allow-os-updates-fwr|
+|SC-18(5)|./client-folder/firewall-policy/rules/os-updates.yaml|client-name-client-folder-fwpol-allow-os-updates-fwr|
+|SC-18(5)|./client-folder/firewall-policy/rules/os-updates.yaml|client-name-client-folder-fwpol-allow-os-updates-fwr|
 |SC-22|./client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis/dns.yaml|host-project-id-standard-gcrio-dns|
 |SC-22|./client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis/dns.yaml|host-project-id-standard-gcrio-rset|
 |SC-22|./client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis/dns.yaml|host-project-id-standard-gcrio-wildcard-rset|
@@ -371,4 +396,17 @@
 |SC-7(9)|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-nonp-fwr|
 |SC-7(9)|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-nonp-fwr|
 |SC-7(9)|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-pbmm-fwr|
+|SI-4|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-deny-sanctioned-countries-ingress-fwr|
+|SI-4|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-deny-tor-nodes-ingress-traffic-fwr|
+|SI-4|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-exclude-private-ip-ranges-egress-fwr|
+|SI-4|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-deny-known-malicious-ip-egress-fwr|
+|SI-4|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-deny-known-malicious-ip-ingress-fwr|
+|SI-4|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-exclude-private-ip-ranges-egress-fwr|
+|SI-4|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-egress-deny-fwr|
+|SI-4|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-ingress-deny-fwr|
+|SI-4|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-egress-allow-all-internal-fwr|
+|SI-4|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-nonp-fwr|
+|SI-4|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-nonp-fwr|
+|SI-4|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket|
+|SI-4|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket|
 
diff --git a/solutions/client-project-setup/namespaces/project-id-tier3.yaml b/solutions/client-project-setup/namespaces/project-id-tier3.yaml
index e73dadeac..f912819fa 100644
--- a/solutions/client-project-setup/namespaces/project-id-tier3.yaml
+++ b/solutions/client-project-setup/namespaces/project-id-tier3.yaml
@@ -13,6 +13,7 @@
 # limitations under the License.
 #########
 # GCP Service Account for tier3
+# AC-1 - Implementation of access control
 # AC-3(7), AC-3, AC-16(2) - This service account possesses limited privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the namespace and is assigned roles as required.
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMServiceAccount
@@ -42,7 +43,7 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Project
 name: project-id # kpt-set: ${project-id}
- # AC-3(7), AC-3, AC-16(2)
+ # AC-1, AC-3(7), AC-3, AC-16(2)
 role: roles/iam.serviceAccountAdmin
 member: "serviceAccount:tier3-sa@project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:tier3-sa@${project-id}.iam.gserviceaccount.com
 ---
@@ -60,7 +61,7 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Project
 name: project-id # kpt-set: ${project-id}
- # AC-3(7), AC-3, AC-16(2)
+ # AC-1, AC-3(7), AC-3, AC-16(2)
 role: roles/iam.securityAdmin
 member: "serviceAccount:tier3-sa@project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:tier3-sa@${project-id}.iam.gserviceaccount.com
 ---
@@ -78,7 +79,7 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Folder
 name: standard.applications-infrastructure
- # AC-3(7), AC-3, AC-16(2)
+ # AC-1, AC-3(7), AC-3, AC-16(2)
 role: organizations/org-id/roles/tier3.firewallrule.admin # kpt-set: organizations/${org-id}/roles/tier3.firewallrule.admin
 member: "serviceAccount:tier3-sa@project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:tier3-sa@${project-id}.iam.gserviceaccount.com
 ---
@@ -96,7 +97,7 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Project
 name: host-project-id # kpt-set: ${host-project-id}
- # AC-3(7), AC-3, AC-16(2)
+ # AC-1, AC-3(7), AC-3, AC-16(2)
 role: organizations/org-id/roles/tier3.dnsrecord.admin # kpt-set: organizations/${org-id}/roles/tier3.dnsrecord.admin
 member: "serviceAccount:tier3-sa@project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:tier3-sa@${project-id}.iam.gserviceaccount.com
 ---
@@ -114,7 +115,7 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Project
 name: project-id # kpt-set: ${project-id}
- # AC-3(7), AC-3, AC-16(2)
+ # AC-1, AC-3(7), AC-3, AC-16(2)
 role: roles/compute.publicIpAdmin
 member: "serviceAccount:tier3-sa@project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:tier3-sa@${project-id}.iam.gserviceaccount.com
 ---
@@ -132,7 +133,7 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Project
 name: project-id # kpt-set: ${project-id}
- # AC-3(7), AC-3, AC-16(2)
+ # AC-1, AC-3(7), AC-3, AC-16(2)
 role: roles/compute.securityAdmin
 member: "serviceAccount:tier3-sa@project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:tier3-sa@${project-id}.iam.gserviceaccount.com
 ---
@@ -151,7 +152,7 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMServiceAccount
 namespace: client-name-config-control # kpt-set: ${client-name}-${management-namespace}
- # AC-3(7), AC-3, AC-16(2)
+ # AC-1, AC-3(7), AC-3, AC-16(2)
 bindings:
 - role: roles/iam.workloadIdentityUser
 members:
@@ -188,7 +189,7 @@ metadata:
 namespace: client-name-projects # kpt-set: ${client-name}-projects
 annotations:
 config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/client-name-projects/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${client-name}-projects/Project/${project-id}
-# AC-3(7), AC-3, AC-16(2)
+# AC-1, AC-3(7), AC-3, AC-16(2)
 roleRef:
 name: cnrm-viewer
 kind: ClusterRole
@@ -207,7 +208,7 @@ metadata:
 namespace: client-name-networking # kpt-set: ${client-name}-networking
 annotations:
 config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/client-name-projects/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${client-name}-projects/Project/${project-id}
-# AC-3(7), AC-3, AC-16(2)
+# AC-1, AC-3(7), AC-3, AC-16(2)
 roleRef:
 name: cnrm-viewer
 kind: ClusterRole
@@ -226,7 +227,7 @@ metadata:
 namespace: client-name-logging # kpt-set: ${client-name}-logging
 annotations:
 config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/client-name-projects/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${client-name}-projects/Project/${project-id}
-# AC-3(7), AC-3, AC-16(2)
+# AC-1, AC-3(7), AC-3, AC-16(2)
 roleRef:
 name: cnrm-viewer
 kind: ClusterRole
@@ -244,7 +245,7 @@ metadata:
 namespace: project-id-tier4 # kpt-set: ${project-id}-tier4
 annotations:
 config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/client-name-projects/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${client-name}-projects/Project/${project-id}
-# AC-3(7), AC-3, AC-16(2)
+# AC-1, AC-3(7), AC-3, AC-16(2)
 roleRef:
 name: cnrm-viewer
 kind: ClusterRole
@@ -264,7 +265,7 @@ subjects:
 - kind: ServiceAccount
 name: ns-reconciler-project-id-tier3 # kpt-set: ns-reconciler-${project-id}-tier3
 namespace: config-management-system
-# AC-3(7), AC-3, AC-16(2)
+# AC-1, AC-3(7), AC-3, AC-16(2)
 roleRef:
 kind: ClusterRole
 name: admin
diff --git a/solutions/client-project-setup/namespaces/project-id-tier4.yaml b/solutions/client-project-setup/namespaces/project-id-tier4.yaml
index 172ee0c1e..51713d3bc 100644
--- a/solutions/client-project-setup/namespaces/project-id-tier4.yaml
+++ b/solutions/client-project-setup/namespaces/project-id-tier4.yaml
@@ -13,6 +13,7 @@
 # limitations under the License.
 #########
 # GCP Service Account for tier4
+# AC-1 - Implementation of access control
 # AC-3(7), AC-3, AC-16(2) - This service account possesses limited privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the namespace and is assigned roles as required.
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMServiceAccount
@@ -41,7 +42,7 @@ spec:
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeSubnetwork
 name: allowed-nane1-subnet # kpt-set: ${allowed-nane1-main-subnet}
- # AC-3(7), AC-3, AC-16(2)
+ # AC-1, AC-3(7), AC-3, AC-16(2)
 role: roles/compute.networkUser
 member: "serviceAccount:tier4-sa@project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:tier4-sa@${project-id}.iam.gserviceaccount.com
 ---
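Review bot: In the `@@ -41,7 +42,7 @@` hunk of project-id-tier4.yaml the subnetwork reference reads `name: allowed-nane1-subnet # kpt-set: ${allowed-nane1-main-subnet}`, while the matching nane2 binding in the next hunk uses `name: allowed-nane2-main-subnet # kpt-set: ${allowed-nane2-main-subnet}` and the generated table names this resource `project-id-tier4-sa-networkuser-allowed-nane1-main-subnet-permissions`. The placeholder is overwritten once the setter runs, but if the setter is not applied the `roles/compute.networkUser` grant would reference a subnet named `allowed-nane1-subnet`, which presumably is not the intended one, and a reader comparing the two bindings cannot tell which name is right. Aligning the placeholder, `name: allowed-nane1-main-subnet # kpt-set: ${allowed-nane1-main-subnet}`, removes the ambiguity. The enclosing IAMPolicyMember document starts above the hunk.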
@@ -59,7 +60,7 @@ spec:
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeSubnetwork
 name: allowed-nane2-main-subnet # kpt-set: ${allowed-nane2-main-subnet}
- # AC-3(7), AC-3, AC-16(2)
+ # AC-1, AC-3(7), AC-3, AC-16(2)
 role: roles/compute.networkUser
 member: "serviceAccount:tier4-sa@project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:tier4-sa@${project-id}.iam.gserviceaccount.com
 ---
@@ -78,7 +79,7 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMServiceAccount
 namespace: client-name-config-control # kpt-set: ${client-name}-${management-namespace}
- # AC-3(7), AC-3, AC-16(2)
+ # AC-1, AC-3(7), AC-3, AC-16(2)
 bindings:
 - role: roles/iam.workloadIdentityUser
 members:
@@ -115,7 +116,7 @@ metadata:
 namespace: client-name-networking # kpt-set: ${client-name}-networking
 annotations:
 config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/client-name-projects/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${client-name}-projects/Project/${project-id}
-# AC-3(7), AC-3, AC-16(2)
+# AC-1, AC-3(7), AC-3, AC-16(2)
 roleRef:
 name: cnrm-viewer
 kind: ClusterRole
@@ -133,7 +134,7 @@ metadata:
 namespace: project-id-tier3 # kpt-set: ${project-id}-tier3
 annotations:
 config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/client-name-projects/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${client-name}-projects/Project/${project-id}
-# AC-3(7), AC-3, AC-16(2)
+# AC-1, AC-3(7), AC-3, AC-16(2)
 roleRef:
 name: cnrm-viewer
 kind: ClusterRole
@@ -153,7 +154,7 @@ subjects:
 - kind: ServiceAccount
 name: ns-reconciler-project-id-tier4 # kpt-set: ns-reconciler-${project-id}-tier4
 namespace: config-management-system
-# AC-3(7), AC-3, AC-16(2)
+# AC-1, AC-3(7), AC-3, AC-16(2)
 roleRef:
 kind: ClusterRole
 name: admin
diff --git a/solutions/client-project-setup/project-iam.yaml b/solutions/client-project-setup/project-iam.yaml
index 829562b08..b3bd77606 100644
--- a/solutions/client-project-setup/project-iam.yaml
+++ b/solutions/client-project-setup/project-iam.yaml
@@ -13,6 +13,7 @@
 # limitations under the License.
 #########
 # Grant GCP Role IAM service account admin on project to client-config-control SA so that it can create service accounts.
+# AC-1 - Implementation of access control
 # AC-3(7), AC-3, AC-16(2) - This service account possesses limited privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the namespace and is assigned roles as required.
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
@@ -27,6 +28,6 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Project
 name: project-id # kpt-set: ${project-id}
- # AC-3(7), AC-3, AC-16(2)
+ # AC-1, AC-3(7), AC-3, AC-16(2)
 role: roles/iam.serviceAccountAdmin
 member: "serviceAccount:client-name-config-control-sa@client-management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${client-name}-${management-namespace}-sa@${client-management-project-id}.iam.gserviceaccount.com
diff --git a/solutions/client-project-setup/securitycontrols.md b/solutions/client-project-setup/securitycontrols.md
index 990f8ae77..26ddc0e6e 100644
--- a/solutions/client-project-setup/securitycontrols.md
+++ b/solutions/client-project-setup/securitycontrols.md
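Review bot: The single IAMPolicyMember in project-iam.yaml now carries AC-1 twice, on the new header line `# AC-1 - Implementation of access control` and again on the in-spec tag `# AC-1, AC-3(7), AC-3, AC-16(2)`, and the securitycontrols.md hunk that follows lists `client-name-config-control-sa-iamserviceaccountadmin-project-id-permissions` under AC-1 on two consecutive rows. That looks like the table generator emitting one row per tagged comment rather than per resource; if so, keeping the control id on only one of the two lines (or de-duplicating in the generator) keeps the table at one row per resource and control. The same header-plus-inline pairing is added in the other files in this diff, so their tables are likely to show the same repeated rows, though only part of those tables is visible here.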
@@ -3,6 +3,28 @@
 |Security Control|File Name|Resource Name|
 |---|---|---|
+|AC-1|./namespaces/project-id-tier3.yaml|cnrm-viewer-project-id-tier3|
+|AC-1|./namespaces/project-id-tier3.yaml|cnrm-viewer-project-id-tier3|
+|AC-1|./namespaces/project-id-tier3.yaml|cnrm-viewer-project-id-tier3|
+|AC-1|./namespaces/project-id-tier3.yaml|cnrm-viewer-project-id-tier3|
+|AC-1|./namespaces/project-id-tier3.yaml|project-id-tier3-sa|
+|AC-1|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-public-ip-admin-host-project-id-permissions|
+|AC-1|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-compute-security-admin-host-project-id-permissions|
+|AC-1|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-securityadmin-project-id-permissions|
+|AC-1|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-serviceaccountadmin-project-id-permissions|
+|AC-1|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-dnsrecord-admin-host-project-id-permissions|
+|AC-1|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-tier3-firewallrule-admin-app-infra-folder-permissions|
+|AC-1|./namespaces/project-id-tier3.yaml|project-id-tier3-sa-workload-identity-binding|
+|AC-1|./namespaces/project-id-tier3.yaml|syncs-repo|
+|AC-1|./namespaces/project-id-tier4.yaml|cnrm-viewer-project-id-tier4|
+|AC-1|./namespaces/project-id-tier4.yaml|cnrm-viewer-project-id-tier4|
+|AC-1|./namespaces/project-id-tier4.yaml|project-id-tier4-sa|
+|AC-1|./namespaces/project-id-tier4.yaml|project-id-tier4-sa-networkuser-allowed-nane1-main-subnet-permissions|
+|AC-1|./namespaces/project-id-tier4.yaml|project-id-tier4-sa-networkuser-allowed-nane2-main-subnet-permissions|
+|AC-1|./namespaces/project-id-tier4.yaml|project-id-tier4-sa-workload-identity-binding|
+|AC-1|./namespaces/project-id-tier4.yaml|syncs-repo|
+|AC-1|./project-iam.yaml|client-name-config-control-sa-iamserviceaccountadmin-project-id-permissions|
+|AC-1|./project-iam.yaml|client-name-config-control-sa-iamserviceaccountadmin-project-id-permissions|
 |AC-16(2)|./namespaces/project-id-tier3.yaml|cnrm-viewer-project-id-tier3|
 |AC-16(2)|./namespaces/project-id-tier3.yaml|cnrm-viewer-project-id-tier3|
 |AC-16(2)|./namespaces/project-id-tier3.yaml|cnrm-viewer-project-id-tier3|
@@ -80,6 +102,3 @@
 |AC-3(7)|./project-iam.yaml|client-name-config-control-sa-iamserviceaccountadmin-project-id-permissions|
-g-control-sa-iamserviceaccountadmin-project-id-permissions|
-
-
diff --git a/solutions/client-setup/namespaces/client-name-admin.yaml b/solutions/client-setup/namespaces/client-name-admin.yaml
index f799f81a3..4ad14f604 100644
--- a/solutions/client-setup/namespaces/client-name-admin.yaml
+++ b/solutions/client-setup/namespaces/client-name-admin.yaml
@@ -13,6 +13,7 @@
 # limitations under the License.
 #########
 # GCP SA, has no permissions defined by default, they will be granted on a case by case basis to limit scope
+# AC-1 - Implementation of access control
 # AC-3, AC-3(7), AC-16(2) - This service account possesses minimal privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the current namespace and is assigned minimal permissions to create resources in this namespace only.
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMServiceAccount
@@ -41,7 +42,7 @@ spec:
 name: client-name-admin-sa # kpt-set: ${client-name}-admin-sa
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMServiceAccount
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 bindings:
 - role: roles/iam.workloadIdentityUser
 members:
@@ -78,7 +79,7 @@ metadata:
 cnrm.cloud.google.com/ignore-clusterless: "true"
 config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/client-management-project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${client-management-project-id}
 roleRef:
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 name: cnrm-viewer
 kind: ClusterRole
 apiGroup: rbac.authorization.k8s.io
@@ -97,7 +98,7 @@ metadata:
 cnrm.cloud.google.com/ignore-clusterless: "true"
 config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/client-management-project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${client-management-project-id}
 roleRef:
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 name: cnrm-viewer
 kind: ClusterRole
 apiGroup: rbac.authorization.k8s.io
@@ -116,7 +117,7 @@ metadata:
 cnrm.cloud.google.com/ignore-clusterless: "true"
 config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/client-management-project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${client-management-project-id}
 roleRef:
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 name: cnrm-viewer
 kind: ClusterRole
 apiGroup: rbac.authorization.k8s.io
@@ -135,7 +136,7 @@ metadata:
 cnrm.cloud.google.com/ignore-clusterless: "true"
 config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/client-management-project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${client-management-project-id}
 roleRef:
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 name: cnrm-viewer
 kind: ClusterRole
 apiGroup: rbac.authorization.k8s.io
diff --git a/solutions/client-setup/namespaces/client-name-hierarchy.yaml b/solutions/client-setup/namespaces/client-name-hierarchy.yaml
index 4d3b0269d..3ad183fe4 100644
--- a/solutions/client-setup/namespaces/client-name-hierarchy.yaml
+++ b/solutions/client-setup/namespaces/client-name-hierarchy.yaml
@@ -13,6 +13,7 @@
 # limitations under the License.
 #########
 # GCP SA
+# AC-1 - Implementation of access control
 # AC-3, AC-3(7), AC-16(2) - This service account possesses minimal privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the current namespace and is assigned minimal permissions to create resources in this namespace only.
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMServiceAccount
@@ -41,7 +42,7 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Folder
 name: clients.client-name # kpt-set: clients.${client-name}
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 role: roles/resourcemanager.folderAdmin
 member: "serviceAccount:client-name-hierarchy-sa@client-management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${client-name}-hierarchy-sa@${client-management-project-id}.iam.gserviceaccount.com
 ---
@@ -59,7 +60,7 @@ spec:
 name: client-name-hierarchy-sa # kpt-set: ${client-name}-hierarchy-sa
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMServiceAccount
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 bindings:
 - role: roles/iam.workloadIdentityUser
 members:
@@ -96,7 +97,7 @@ metadata:
 cnrm.cloud.google.com/ignore-clusterless: "true"
 config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/client-management-project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${client-management-project-id}
 roleRef:
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 name: cnrm-viewer
 kind: ClusterRole
 apiGroup: rbac.authorization.k8s.io
@@ -115,7 +116,7 @@ metadata:
 cnrm.cloud.google.com/ignore-clusterless: "true"
 config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/client-management-project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${client-management-project-id}
 roleRef:
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 name: cnrm-viewer
 kind: ClusterRole
 apiGroup: rbac.authorization.k8s.io
@@ -134,7 +135,7 @@ metadata:
 cnrm.cloud.google.com/ignore-clusterless: "true"
 config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/client-management-project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${client-management-project-id}
 roleRef:
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 name: cnrm-viewer
 kind: ClusterRole
 apiGroup: rbac.authorization.k8s.io
diff --git a/solutions/client-setup/namespaces/client-name-logging.yaml b/solutions/client-setup/namespaces/client-name-logging.yaml
index 404a07fd6..4740c19d6 100644
--- a/solutions/client-setup/namespaces/client-name-logging.yaml
+++ b/solutions/client-setup/namespaces/client-name-logging.yaml
@@ -13,6 +13,7 @@
 # limitations under the License.
 #########
 # GCP SA
+# AC-1 - Implementation of access control
 # AC-3, AC-3(7), AC-16(2) - This service account possesses minimal privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the current namespace and is assigned minimal permissions to create resources in this namespace only.
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMServiceAccount
@@ -41,7 +42,7 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Folder
 name: clients.client-name # kpt-set: clients.${client-name}
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 role: roles/logging.admin
 member: "serviceAccount:client-name-logging-sa@client-management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${client-name}-logging-sa@${client-management-project-id}.iam.gserviceaccount.com
 ---
@@ -59,7 +60,7 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Folder
 name: clients.client-name # kpt-set: clients.${client-name}
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 role: roles/monitoring.admin
 member: "serviceAccount:client-name-logging-sa@client-management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${client-name}-logging-sa@${client-management-project-id}.iam.gserviceaccount.com
 ---
@@ -77,7 +78,7 @@ spec:
 name: client-name-logging-sa # kpt-set: ${client-name}-logging-sa
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMServiceAccount
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 bindings:
 - role: roles/iam.workloadIdentityUser
 members:
@@ -114,7 +115,7 @@ metadata:
 cnrm.cloud.google.com/ignore-clusterless: "true"
 config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/client-management-project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${client-management-project-id}
 roleRef:
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 name: cnrm-viewer
 kind: ClusterRole
 apiGroup: rbac.authorization.k8s.io
diff --git a/solutions/client-setup/namespaces/client-name-management-namespace.yaml b/solutions/client-setup/namespaces/client-name-management-namespace.yaml
index 0b087fbac..039c9ca39 100644
--- a/solutions/client-setup/namespaces/client-name-management-namespace.yaml
+++ b/solutions/client-setup/namespaces/client-name-management-namespace.yaml
@@ -13,6 +13,7 @@
 # limitations under the License.
 #########
 # First, Grant GCP Role IAM service account admin on client management project to config-control SA a.k.a. yakima
+# AC-1 - Implementation of access control
 # AC-3, AC-3(7), AC-16(2) - This service account possesses minimal privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the current namespace and is assigned minimal permissions to create resources in this namespace only.
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
@@ -27,7 +28,7 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Project
 name: client-management-project-id # kpt-set: ${client-management-project-id}
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 role: roles/iam.serviceAccountAdmin
 member: "serviceAccount:service-management-project-number@gcp-sa-yakima.iam.gserviceaccount.com" # kpt-set: serviceAccount:service-${management-project-number}@gcp-sa-yakima.iam.gserviceaccount.com
 ---
@@ -60,7 +61,7 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Project
 name: client-management-project-id # kpt-set: ${client-management-project-id}
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 role: roles/resourcemanager.projectIamAdmin
 member: "serviceAccount:client-name-config-control-sa@client-management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${client-name}-${management-namespace}-sa@${client-management-project-id}.iam.gserviceaccount.com
 ---
@@ -78,7 +79,7 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Folder
 name: clients.client-name # kpt-set: clients.${client-name}
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 role: roles/iam.serviceAccountAdmin
 member: "serviceAccount:client-name-config-control-sa@client-management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${client-name}-${management-namespace}-sa@${client-management-project-id}.iam.gserviceaccount.com
 ---
@@ -96,7 +97,7 @@ spec:
 name: client-name-config-control-sa # kpt-set: ${client-name}-${management-namespace}-sa
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMServiceAccount
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 bindings:
 - role: roles/iam.workloadIdentityUser
 members:
diff --git a/solutions/client-setup/namespaces/client-name-networking.yaml b/solutions/client-setup/namespaces/client-name-networking.yaml
index c8daa13c4..0001d2bef 100644
--- a/solutions/client-setup/namespaces/client-name-networking.yaml
+++ b/solutions/client-setup/namespaces/client-name-networking.yaml
@@ -13,6 +13,7 @@
 # limitations under the License.
 #########
 # GCP SA
+# AC-1 - Implementation of access control
 # AC-3, AC-3(7), AC-16(2) - This service account possesses minimal privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the current namespace and is assigned minimal permissions to create resources in this namespace only.
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMServiceAccount
@@ -41,7 +42,7 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Folder
 name: clients.client-name # kpt-set: clients.${client-name}
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 role: roles/compute.networkAdmin
 member: "serviceAccount:client-name-networking-sa@client-management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${client-name}-networking-sa@${client-management-project-id}.iam.gserviceaccount.com
 ---
@@ -59,7 +60,7 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Folder
 name: clients.client-name # kpt-set: clients.${client-name}
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 role: roles/compute.securityAdmin
 member: "serviceAccount:client-name-networking-sa@client-management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${client-name}-networking-sa@${client-management-project-id}.iam.gserviceaccount.com
 ---
@@ -77,7 +78,7 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Folder
 name: clients.client-name # kpt-set: clients.${client-name}
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 role: roles/dns.admin
 member: "serviceAccount:client-name-networking-sa@client-management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${client-name}-networking-sa@${client-management-project-id}.iam.gserviceaccount.com
 ---
@@ -95,7 +96,7 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Project
 name: dns-project-id # kpt-set: ${dns-project-id}
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 role: organizations/org-id/roles/tier2.dnsrecord.admin # kpt-set: organizations/${org-id}/roles/tier2.dnsrecord.admin
 member: "serviceAccount:client-name-networking-sa@client-management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${client-name}-networking-sa@${client-management-project-id}.iam.gserviceaccount.com
 ---
@@ -113,7 +114,7 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Folder
 name: clients.client-name # kpt-set: clients.${client-name}
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 role: roles/accesscontextmanager.policyAdmin
 member: "serviceAccount:client-name-networking-sa@client-management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${client-name}-networking-sa@${client-management-project-id}.iam.gserviceaccount.com
 ---
@@ -132,7 +133,7 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Organization
 external: "123456789012" # kpt-set: ${org-id}
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 role: roles/compute.xpnAdmin
 member: "serviceAccount:client-name-networking-sa@client-management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${client-name}-networking-sa@${client-management-project-id}.iam.gserviceaccount.com
 ---
@@ -150,7 +151,7 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Folder
 name: clients.client-name # kpt-set: clients.${client-name}
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 role: roles/servicedirectory.editor
 member: "serviceAccount:client-name-networking-sa@client-management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${client-name}-networking-sa@${client-management-project-id}.iam.gserviceaccount.com
 ---
@@ -168,7 +169,7 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Folder
 name: clients.client-name # kpt-set: clients.${client-name}
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 role: roles/compute.orgSecurityResourceAdmin
 member: serviceAccount:client-name-networking-sa@client-management-project-id.iam.gserviceaccount.com # kpt-set: serviceAccount:${client-name}-networking-sa@${client-management-project-id}.iam.gserviceaccount.com
 ---
@@ -186,7 +187,7 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Folder
 name: clients.client-name # kpt-set: clients.${client-name}
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 role: roles/ids.admin
 member: "serviceAccount:client-name-networking-sa@client-management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${client-name}-networking-sa@${client-management-project-id}.iam.gserviceaccount.com
 ---
@@ -204,7 +205,7 @@ spec:
 name: client-name-networking-sa # kpt-set: ${client-name}-networking-sa
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMServiceAccount
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 bindings:
 - role: roles/iam.workloadIdentityUser
 members:
@@ -241,7 +242,7 @@ metadata:
 cnrm.cloud.google.com/ignore-clusterless: "true"
 config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/client-management-project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${client-management-project-id}
 roleRef:
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 name: cnrm-viewer
 kind: ClusterRole
 apiGroup: rbac.authorization.k8s.io
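Review bot: In the `@@ -168,7 +169,7 @@` hunk the `member:` value `serviceAccount:client-name-networking-sa@client-management-project-id.iam.gserviceaccount.com` is the only member in client-name-networking.yaml left as a plain scalar; every other binding in the file quotes it. It parses to the same string today, but quoting keeps the kpt setter output uniform and protects the value if a substituted name ever contains `: ` or ` #`, which YAML would otherwise read as structure or a comment: `member: "serviceAccount:client-name-networking-sa@client-management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${client-name}-networking-sa@${client-management-project-id}.iam.gserviceaccount.com`. The IAMPolicyMember document this line belongs to starts above the hunk.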
@@ -260,7 +261,7 @@ metadata:
 cnrm.cloud.google.com/ignore-clusterless: "true"
 config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/client-management-project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${client-management-project-id}
 roleRef:
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 name: cnrm-viewer
 kind: ClusterRole
 apiGroup: rbac.authorization.k8s.io
@@ -279,7 +280,7 @@ metadata:
 cnrm.cloud.google.com/ignore-clusterless: "true"
 config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/client-management-project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${client-management-project-id}
 roleRef:
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 name: cnrm-viewer
 kind: ClusterRole
 apiGroup: rbac.authorization.k8s.io
@@ -298,7 +299,7 @@ metadata:
 cnrm.cloud.google.com/ignore-clusterless: "true"
 config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/client-management-project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${client-management-project-id}
 roleRef:
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 name: cnrm-viewer
 kind: ClusterRole
 apiGroup: rbac.authorization.k8s.io
diff --git a/solutions/client-setup/namespaces/client-name-projects.yaml b/solutions/client-setup/namespaces/client-name-projects.yaml
index 52082dd7d..74cb0cb57 100644
--- a/solutions/client-setup/namespaces/client-name-projects.yaml
+++ b/solutions/client-setup/namespaces/client-name-projects.yaml
@@ -13,6 +13,7 @@
 # limitations under the License.
 #########
 # GCP SA
+# AC-1 - Implementation of access control
 # AC-3, AC-3(7), AC-16(2) - This service account possesses minimal privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the current namespace and is assigned minimal permissions to create resources in this namespace only.
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMServiceAccount
@@ -41,7 +42,7 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Folder
 name: clients.client-name # kpt-set: clients.${client-name}
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 role: roles/resourcemanager.projectIamAdmin
 member: "serviceAccount:client-name-projects-sa@client-management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${client-name}-projects-sa@${client-management-project-id}.iam.gserviceaccount.com
 ---
@@ -59,7 +60,7 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Folder
 name: clients.client-name # kpt-set: clients.${client-name}
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 role: roles/resourcemanager.projectCreator
 member: "serviceAccount:client-name-projects-sa@client-management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${client-name}-projects-sa@${client-management-project-id}.iam.gserviceaccount.com
 ---
@@ -77,7 +78,7 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Folder
 name: clients.client-name # kpt-set: clients.${client-name}
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 role: roles/resourcemanager.projectMover
 member: "serviceAccount:client-name-projects-sa@client-management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${client-name}-projects-sa@${client-management-project-id}.iam.gserviceaccount.com
 ---
@@ -95,7 +96,7 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Folder
 name: clients.client-name # kpt-set: clients.${client-name}
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 role: roles/resourcemanager.projectDeleter
 member: "serviceAccount:client-name-projects-sa@client-management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${client-name}-projects-sa@${client-management-project-id}.iam.gserviceaccount.com
 ---
@@ -113,7 +114,7 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Folder
 name: clients.client-name # kpt-set: clients.${client-name}
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 role: roles/serviceusage.serviceUsageAdmin
 member: "serviceAccount:client-name-projects-sa@client-management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${client-name}-projects-sa@${client-management-project-id}.iam.gserviceaccount.com
 ---
@@ -132,7 +133,7 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Organization
 external: "123456789012" # kpt-set: ${org-id}
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 role: roles/billing.user
 member: "serviceAccount:client-name-projects-sa@client-management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${client-name}-projects-sa@${client-management-project-id}.iam.gserviceaccount.com
 ---
@@ -150,7 +151,7 @@ spec:
 name: client-name-projects-sa # kpt-set: ${client-name}-projects-sa
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMServiceAccount
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 bindings:
 - role: roles/iam.workloadIdentityUser
 members:
@@ -187,7 +188,7 @@ metadata:
 cnrm.cloud.google.com/ignore-clusterless: "true"
 config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/client-management-project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${client-management-project-id}
 roleRef:
- # AC-3, AC-3(7), AC-16(2)
+ # AC-1, AC-3, AC-3(7), AC-16(2)
 name: cnrm-viewer
 kind: ClusterRole
 apiGroup: rbac.authorization.k8s.io
diff --git a/solutions/client-setup/securitycontrols.md b/solutions/client-setup/securitycontrols.md
index 4082ac1db..79cc152bd 100644
--- a/solutions/client-setup/securitycontrols.md
+++ b/solutions/client-setup/securitycontrols.md
@@ -3,6 +3,51 @@ |Security Control|File Name|Resource Name| |---|---|---| +|AC-1|./namespaces/client-name-admin.yaml|allow-resource-reference-from-client-name-admin| +|AC-1|./namespaces/client-name-admin.yaml|allow-resource-reference-from-client-name-admin| +|AC-1|./namespaces/client-name-admin.yaml|allow-resource-reference-from-client-name-networking| +|AC-1|./namespaces/client-name-admin.yaml|allow-resource-reference-from-client-name-projects| +|AC-1|./namespaces/client-name-admin.yaml|client-name-admin-sa-workload-identity-binding| +|AC-1|./namespaces/client-name-hierarchy.yaml|allow-client-name-hierarchy-resource-reference-from-policies| +|AC-1|./namespaces/client-name-hierarchy.yaml|allow-resource-reference-from-client-name-hierarchy| +|AC-1|./namespaces/client-name-hierarchy.yaml|allow-resource-reference-from-projects| +|AC-1|./namespaces/client-name-hierarchy.yaml|client-name-hierarchy-sa| +|AC-1|./namespaces/client-name-hierarchy.yaml|client-name-hierarchy-sa-folderadmin-permissions| +|AC-1|./namespaces/client-name-hierarchy.yaml|client-name-hierarchy-sa-workload-identity-binding| +|AC-1|./namespaces/client-name-logging.yaml|allow-resource-reference-from-logging| +|AC-1|./namespaces/client-name-logging.yaml|client-name-logging-sa| +|AC-1|./namespaces/client-name-logging.yaml|client-name-logging-sa-logadmin-permissions| +|AC-1|./namespaces/client-name-logging.yaml|client-name-logging-sa-monitoringadmin-permissions| +|AC-1|./namespaces/client-name-logging.yaml|client-name-logging-sa-workload-identity-binding| +|AC-1|./namespaces/client-name-management-namespace.yaml|client-name-config-control-sa-iamserviceaccountadmin-client-folder-permissions| +|AC-1|./namespaces/client-name-management-namespace.yaml|client-name-config-control-sa-projectiamadmin-client-management-project-id-permissions| +|AC-1|./namespaces/client-name-management-namespace.yaml|client-name-config-control-sa-workload-identity-binding| 
+|AC-1|./namespaces/client-name-management-namespace.yaml|config-control-sa-iamserviceaccountadmin-client-management-project-id-permissions| +|AC-1|./namespaces/client-name-management-namespace.yaml|config-control-sa-iamserviceaccountadmin-client-management-project-id-permissions| +|AC-1|./namespaces/client-name-networking.yaml|allow-client-name-hierarchy-resource-reference-from-client-name-networking| +|AC-1|./namespaces/client-name-networking.yaml|allow-hierarchy-resource-reference-from-client-name-networking| +|AC-1|./namespaces/client-name-networking.yaml|allow-resource-reference-from-client-name-networking| +|AC-1|./namespaces/client-name-networking.yaml|allow-resource-reference-from-networking| +|AC-1|./namespaces/client-name-networking.yaml|client-name-networking-sa| +|AC-1|./namespaces/client-name-networking.yaml|client-name-networking-sa-client-folder-org-resource-admin-permissions| +|AC-1|./namespaces/client-name-networking.yaml|client-name-networking-sa-cloudids-admin-permissions| +|AC-1|./namespaces/client-name-networking.yaml|client-name-networking-sa-dns-permissions| +|AC-1|./namespaces/client-name-networking.yaml|client-name-networking-sa-networkadmin-permissions| +|AC-1|./namespaces/client-name-networking.yaml|client-name-networking-sa-security-permissions| +|AC-1|./namespaces/client-name-networking.yaml|client-name-networking-sa-service-control-permissions| +|AC-1|./namespaces/client-name-networking.yaml|client-name-networking-sa-servicedirectoryeditor-permissions| +|AC-1|./namespaces/client-name-networking.yaml|client-name-networking-sa-tier2-dns-record-admin-permission| +|AC-1|./namespaces/client-name-networking.yaml|client-name-networking-sa-workload-identity-binding| +|AC-1|./namespaces/client-name-networking.yaml|client-name-networking-sa-xpnadmin-permissions| +|AC-1|./namespaces/client-name-projects.yaml|allow-resource-reference-from-projects| +|AC-1|./namespaces/client-name-projects.yaml|client-name-projects-sa| 
+|AC-1|./namespaces/client-name-projects.yaml|client-name-projects-sa-billinguser-permissions| +|AC-1|./namespaces/client-name-projects.yaml|client-name-projects-sa-projectcreator-permissions| +|AC-1|./namespaces/client-name-projects.yaml|client-name-projects-sa-projectdeleter-permissions| +|AC-1|./namespaces/client-name-projects.yaml|client-name-projects-sa-projectiamadmin-permissions| +|AC-1|./namespaces/client-name-projects.yaml|client-name-projects-sa-projectmover-permissions| +|AC-1|./namespaces/client-name-projects.yaml|client-name-projects-sa-serviceusageadmin-permissions| +|AC-1|./namespaces/client-name-projects.yaml|client-name-projects-sa-workload-identity-binding| |AC-16(2)|./namespaces/client-name-admin.yaml|allow-resource-reference-from-client-name-admin| |AC-16(2)|./namespaces/client-name-admin.yaml|allow-resource-reference-from-client-name-admin| |AC-16(2)|./namespaces/client-name-admin.yaml|allow-resource-reference-from-client-name-networking| diff --git a/solutions/core-landing-zone/lz-folder/audits/logging-project/cloud-logging-buckets.yaml b/solutions/core-landing-zone/lz-folder/audits/logging-project/cloud-logging-buckets.yaml index b132919c9..e99279898 100644 --- a/solutions/core-landing-zone/lz-folder/audits/logging-project/cloud-logging-buckets.yaml +++ b/solutions/core-landing-zone/lz-folder/audits/logging-project/cloud-logging-buckets.yaml 
@@ -14,8 +14,10 @@
 ######
 # Cloud Logging bucket for Security logs: Cloud Audit, Access Transparency Logs, and Data Access Logs
 # Logs are routed using a log sink to a central logging project into a dedicated log bucket
-# AU-7, AU-9 - The log buckets created within the Logging project are immutable (AU-7(B)). These buckets have a retention policy of 365 days and IAM Policy that defines who has access to the bucket (AU-9)
+# AU-7, AU-9 - The log buckets created within the Logging project are immutable. These buckets have a retention policy of 365 days and IAM Policy that defines who has access to the bucket
 # AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket
+# AU-9(4), SI-4 - The centralized logging solution has a configuration in place that defines all logging buckets to be locked
+# AU-11 - Logging bucket retention configuration
 apiVersion: logging.cnrm.cloud.google.com/v1beta1
 kind: LoggingLogBucket
 metadata:
@@ -31,8 +33,9 @@ spec:
 location: northamerica-northeast1
 description: Cloud Logging bucket for Security logs
 # Implement retention locking policy and number of retention days
- # AU-7, AU-9
+ # AU-7, AU-9, AU-9(4), SI-4
 locked: false # kpt-set: ${retention-locking-policy}
+ # AU-11
 retentionDays: 1 # kpt-set: ${retention-in-days}
 ---
 # Cloud Logging bucket for Platform and Component logs
@@ -52,6 +55,7 @@ spec:
 location: northamerica-northeast1
 description: Cloud Logging bucket for Platform and Component logs
 # Implement retention locking policy and number of retention days
- # AU-7, AU-9
+ # AU-7, AU-9, AU-9(4), SI-4
 locked: false # kpt-set: ${retention-locking-policy}
+ # AU-11
 retentionDays: 1 # kpt-set: ${retention-in-days}
diff --git a/solutions/core-landing-zone/lz-folder/audits/logging-project/cloud-storage-buckets.yaml b/solutions/core-landing-zone/lz-folder/audits/logging-project/cloud-storage-buckets.yaml
index d0ad98eb1..326689629 100644
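Review bot: The new `# AU-9(4), SI-4` header line and the inline tags in the second and third hunks state that all logging buckets are locked, yet the value they annotate is `locked: false # kpt-set: ${retention-locking-policy}` in both LoggingLogBucket documents, so the control is met only if the setter is applied with `true`; cloud-storage-buckets.yaml has the same gap, with `isLocked: false` placed directly under the same `# AU-9(4), SI-4` tag. The retained wording `retention policy of 365 days` in the first hunk also disagrees with the committed `retentionDays: 1`, which a reader mapping controls to values will take as the deployed state. I would make the comments describe the condition rather than assert the outcome, e.g. `# AU-9(4), SI-4 - satisfied only when ${retention-locking-policy} is set to true; a locked bucket cannot be unlocked or have its retention shortened` and `# AU-11 - retention is set through ${retention-in-days}; the baseline described above is 365 days`.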
--- a/solutions/core-landing-zone/lz-folder/audits/logging-project/cloud-storage-buckets.yaml
+++ b/solutions/core-landing-zone/lz-folder/audits/logging-project/cloud-storage-buckets.yaml
@@ -13,7 +13,8 @@
 # limitations under the License.
 # Cloud Storage bucket to store logs related to security incidents
 # https://cloud.google.com/logging/docs/routing/copy-logs
-# AU-9, AU-11 - Storage bucket created to hold logs related to security incidents (AU-11). Log is protected from modification and deletion (AU-9)
+# AU-9, AU-11 - Storage bucket created to hold logs related to security incidents with a retention period. Log is protected from modification and deletion
+# AU-9(4), SI-4 - The centralized logging solution has a configuration in place that defines all logging and storage buckets to be locked
 apiVersion: storage.cnrm.cloud.google.com/v1beta1
 kind: StorageBucket
 metadata:
@@ -30,7 +31,8 @@ spec:
 location: northamerica-northeast1
 publicAccessPrevention: "enforced"
 uniformBucketLevelAccess: true
- # AU-9
+ # AU-9, AU-11
 retentionPolicy:
+ # AU-9(4), SI-4
 isLocked: false # kpt-set: ${security-incident-log-bucket-retention-locking-policy}
 retentionPeriod: 86400 # kpt-set: ${security-incident-log-bucket-retention-in-seconds}
diff --git a/solutions/core-landing-zone/lz-folder/audits/logging-project/project-iam.yaml b/solutions/core-landing-zone/lz-folder/audits/logging-project/project-iam.yaml
index 3d261afb4..6b0f01950 100644
--- a/solutions/core-landing-zone/lz-folder/audits/logging-project/project-iam.yaml
+++ b/solutions/core-landing-zone/lz-folder/audits/logging-project/project-iam.yaml
@@ -14,7 +14,8 @@ ###### # Logs Bucket writer IAM permissions for security log sink # Binds the service account dynamically created with the LoggingLogSink to the required role to write to the bucket -# AU-9, AC-3 - IAM Policies that assign the dynamically created service account with the LoggingLogSink to the logging bucket writer role and storage admin role on the storage bucket +# AC-1 - Implementation of access control +# AC-3, AU-9 - IAM Policies that assign the dynamically created service account with the LoggingLogSink to the logging bucket writer role and storage admin role on the storage bucket apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPartialPolicy metadata: @@ -27,7 +28,7 @@ spec: kind: Project name: logging-project-id # kpt-set: ${logging-project-id} namespace: projects - # AU-9, AC-3 + # AC-1, AC-3, AU-9 bindings: - role: roles/logging.bucketWriter members: @@ -50,7 +51,7 @@ spec: kind: Project name: logging-project-id # kpt-set: ${logging-project-id} namespace: projects - # AU-9, AC-3 + # AC-1, AC-3, AU-9 bindings: - role: roles/logging.bucketWriter members: @@ -73,7 +74,7 @@ spec: kind: Project name: logging-project-id # kpt-set: ${logging-project-id} namespace: projects - # AU-9, AC-3 + # AC-1, AC-3, AU-9 bindings: - role: roles/logging.bucketWriter members: @@ -96,7 +97,7 @@ spec: kind: Project name: logging-project-id # kpt-set: ${logging-project-id} namespace: projects - # AU-9, AC-3 + # AC-1, AC-3, AU-9 bindings: - role: roles/logging.bucketWriter members: diff --git a/solutions/core-landing-zone/lz-folder/audits/logging-project/project-sink.yaml b/solutions/core-landing-zone/lz-folder/audits/logging-project/project-sink.yaml index 2817ac04d..22794ba12 100644 --- a/solutions/core-landing-zone/lz-folder/audits/logging-project/project-sink.yaml +++ b/solutions/core-landing-zone/lz-folder/audits/logging-project/project-sink.yaml 
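Review bot: The rewritten header in the first hunk keeps the claim that the sink's service account is given a `storage admin role on the storage bucket`, which sits uneasily beside the least-privilege tagging this commit applies elsewhere; the bindings visible in the four hunks only show `roles/logging.bucketWriter`, and each `bindings` list continues outside its hunk, so I could not confirm which storage role is actually bound. If it is `roles/storage.admin`, the sink writer identity needs only `roles/storage.objectCreator` on the destination bucket to copy logs, and both the binding and the header should name that role. If a broader role is deliberate, the header should say why, e.g. `# AC-3, AU-9 - ... storage admin is required because <reason placeholder>`, so the AC-3 mapping is auditable.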
@@ -14,6 +14,7 @@ ###### # Logging project sink for Data Access logs # Destination: Cloud Logging bucket hosted inside logging project +# AU-2 - Organization-defined auditable events # AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the organization to send the logs to the logging bucket in the logging project # AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket # AC-2(4) - Includes Security logs: Data Access @@ -38,7 +39,7 @@ spec: description: Project sink for Data Access Logs # the log sink must be enabled (disabled: false) to meet the listed security controls disabled: false - # AC-2(4), AU-12, AU-12(1) + # AC-2(4), AU-2, AU-12, AU-12(1) # Includes Security logs: Data Access # Security logs help you answer "who did what, where, and when" # diff --git a/solutions/core-landing-zone/lz-folder/services-infrastructure/folder-sink.yaml b/solutions/core-landing-zone/lz-folder/services-infrastructure/folder-sink.yaml index 84ff08253..9bc633c0e 100644 --- a/solutions/core-landing-zone/lz-folder/services-infrastructure/folder-sink.yaml +++ b/solutions/core-landing-zone/lz-folder/services-infrastructure/folder-sink.yaml @@ -14,6 +14,7 @@ ###### # Folder sink for Platform and Component logs of Services Resources # Destination: Cloud Logging bucket hosted inside logging project +# AU-2 - Organization-defined auditable events # AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the folder to send the logs to the logging bucket in the logging project # AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket # AU-12, AU-12(1) - Log Sinks defined in Log Router check each log entry against the inclusion filter and exclusion filter that determine which destinations that the log entry is sent to 
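Review bot: `# AU-2 - Organization-defined auditable events` in the first hunk names a control without saying what in the resource satisfies it, whereas the neighbouring AU-3 and AU-12 lines each describe the mechanism. For this Data Access project sink the selection of events is the sink's filter, which the `# Includes Security logs: Data Access` context in the second hunk already points at, so `# AU-2 - Data Access audit logs are the organization-defined auditable events selected by this sink` would carry the mapping. The folder and management-project sinks that receive the same line in the following hunks (lz-folder/services-infrastructure/folder-sink.yaml, lz-folder/services/folder-sink.yaml, mgmt-project/project-sink.yaml) capture all Platform and Component logs with no inclusion filter and should state that in their AU-2 line instead of sharing the generic text.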
@@ -38,7 +39,7 @@ spec: description: Folder sink for Platform and Component logs of services Resources # the log sink must be enabled (disabled: false) to meet the listed security controls disabled: false - # AU-12, AU-12(1) + # AU-2, AU-12, AU-12(1) # No inclusion filter. Includes all Platform and Component logs # Google Cloud platform logs are service-specific logs # For a list of all supported Google Cloud Logging API Services visit https://cloud.google.com/logging/docs/api/platform-logs diff --git a/solutions/core-landing-zone/lz-folder/services/folder-sink.yaml b/solutions/core-landing-zone/lz-folder/services/folder-sink.yaml index 04d72f24e..7b06218a4 100644 --- a/solutions/core-landing-zone/lz-folder/services/folder-sink.yaml +++ b/solutions/core-landing-zone/lz-folder/services/folder-sink.yaml @@ -14,6 +14,7 @@ ###### # Folder sink for Platform and Component logs of Services Resources # Destination: Cloud Logging bucket hosted inside logging project +# AU-2 - Organization-defined auditable events # AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the folder to send the logs to the logging bucket in the logging project # AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket # AU-12, AU-12(1) - Log Sinks defined in Log Router check each log entry against the inclusion filter and exclusion filter that determine which destinations that the log entry is sent to @@ -38,7 +39,7 @@ spec: description: Folder sink for Platform and Component logs of services Resources # the log sink must be enabled (disabled: false) to meet the listed security controls disabled: false - # AU-12, AU-12(1) + # AU-2, AU-12, AU-12(1) # No inclusion filter. Includes all Platform and Component logs # Google Cloud platform logs are service-specific logs # For a list of all supported Google Cloud Logging API Services visit https://cloud.google.com/logging/docs/api/platform-logs 
diff --git a/solutions/core-landing-zone/mgmt-project/project-sink.yaml b/solutions/core-landing-zone/mgmt-project/project-sink.yaml index bea473022..e03c04c40 100644 --- a/solutions/core-landing-zone/mgmt-project/project-sink.yaml +++ b/solutions/core-landing-zone/mgmt-project/project-sink.yaml @@ -14,6 +14,7 @@ ###### # Project sink for the Platform and Component logs of the Landing Zone Management Cluster # Destination: Cloud Logging bucket hosted inside logging project +# AU-2 - Organization-defined auditable events # AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the folder to send the logs to the logging bucket in the logging project # AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket # AU-12, AU-12(1) - Log Sinks defined in Log Router check each log entry against the inclusion filter and exclusion filter that determine which destinations that the log entry is sent to @@ -37,7 +38,7 @@ spec: description: Project sink for Platform and Component logs of the Landing Zone Management Cluster # the log sink must be enabled (disabled: false) to meet the listed security controls disabled: false - # AU-12, AU-12(1) + # AU-2, AU-12, AU-12(1) # No inclusion filter. Includes all Platform and Component logs # Google Cloud platform logs are service-specific logs # For a list of all supported Google Cloud Logging API Services visit https://cloud.google.com/logging/docs/api/platform-logs diff --git a/solutions/core-landing-zone/namespaces/config-management-monitoring.yaml b/solutions/core-landing-zone/namespaces/config-management-monitoring.yaml index 406dfe6af..4728a3351 100644 --- a/solutions/core-landing-zone/namespaces/config-management-monitoring.yaml +++ b/solutions/core-landing-zone/namespaces/config-management-monitoring.yaml 
@@ -18,6 +18,7 @@ # https://cloud.google.com/anthos-config-management/docs/how-to/monitor-config-sync-cloud-monitoring ######### # GCP SA +# AC-1 - Implementation of access control # AC-3(7), AC-3, AC-16(2) - This service account possesses limited privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the namespace and is assigned roles as required. apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount @@ -45,7 +46,7 @@ spec: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project external: management-project-id # kpt-set: ${management-project-id} - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) role: roles/monitoring.metricWriter member: "serviceAccount:config-mgmt-mon-default-sa@management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:config-mgmt-mon-default-sa@${management-project-id}.iam.gserviceaccount.com --- @@ -63,7 +64,7 @@ spec: name: config-mgmt-mon-default-sa apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) bindings: - role: roles/iam.workloadIdentityUser members: diff --git a/solutions/core-landing-zone/namespaces/gatekeeper-system.yaml b/solutions/core-landing-zone/namespaces/gatekeeper-system.yaml index d76f291a4..957745aad 100644 --- a/solutions/core-landing-zone/namespaces/gatekeeper-system.yaml +++ b/solutions/core-landing-zone/namespaces/gatekeeper-system.yaml 
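Review bot: The inline tags added in the second and third hunks read `# AC-1, AC-3(7), AC-3, AC-16(2)`, while the client-setup files earlier in this diff use `# AC-1, AC-3, AC-3(7), AC-16(2)`; the new `AC-1` was sorted into place but the pre-existing `AC-3(7), AC-3` inversion was carried along. The securitycontrols.md table touched by this commit appears to be derived from these tags, so one canonical order (base control before its enhancements) keeps grep results and the generated table consistent. The same ordering applies to gatekeeper-system.yaml, hierarchy.yaml, logging.yaml, management-namespace.yaml, networking.yaml, policies.yaml and projects.yaml in the hunks that follow.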
@@ -17,6 +17,7 @@ # to implement Policy Controller Metrics and avoid numerous IAM errors on the Config Controller instance. ######### # GCP SA +# AC-1 - Implementation of access control # AC-3(7), AC-3, AC-16(2) - This service account possesses limited privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the namespace and is assigned roles as required. apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount @@ -44,7 +45,7 @@ spec: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project external: management-project-id # kpt-set: ${management-project-id} - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) role: roles/monitoring.metricWriter member: "serviceAccount:gatekeeper-admin-sa@management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:gatekeeper-admin-sa@${management-project-id}.iam.gserviceaccount.com --- @@ -61,7 +62,7 @@ spec: name: gatekeeper-admin-sa apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) bindings: - role: roles/iam.workloadIdentityUser members: diff --git a/solutions/core-landing-zone/namespaces/hierarchy.yaml b/solutions/core-landing-zone/namespaces/hierarchy.yaml index c75e1eff6..a41bb8902 100644 --- a/solutions/core-landing-zone/namespaces/hierarchy.yaml +++ b/solutions/core-landing-zone/namespaces/hierarchy.yaml @@ -13,6 +13,7 @@ # limitations under the License. ######### # GCP SA +# AC-1 - Implementation of access control # AC-3(7), AC-3, AC-16(2) - This service account possesses limited privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the namespace and is assigned roles as required. apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount 
@@ -40,7 +41,7 @@ spec: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Folder external: "123456789012" # kpt-set: ${lz-folder-id} - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) role: roles/resourcemanager.folderAdmin member: "serviceAccount:hierarchy-sa@management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:hierarchy-sa@${management-project-id}.iam.gserviceaccount.com --- @@ -57,7 +58,7 @@ spec: name: hierarchy-sa apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) bindings: - role: roles/iam.workloadIdentityUser members: @@ -91,7 +92,7 @@ metadata: namespace: hierarchy annotations: cnrm.cloud.google.com/ignore-clusterless: "true" -# AC-3(7), AC-3, AC-16(2) +# AC-1, AC-3(7), AC-3, AC-16(2) roleRef: name: cnrm-viewer kind: ClusterRole @@ -109,7 +110,7 @@ metadata: namespace: hierarchy annotations: cnrm.cloud.google.com/ignore-clusterless: "true" -# AC-3(7), AC-3, AC-16(2) +# AC-1, AC-3(7), AC-3, AC-16(2) roleRef: name: cnrm-viewer kind: ClusterRole @@ -128,7 +129,7 @@ metadata: namespace: hierarchy annotations: cnrm.cloud.google.com/ignore-clusterless: "true" -# AC-3(7), AC-3, AC-16(2) +# AC-1, AC-3(7), AC-3, AC-16(2) roleRef: name: cnrm-viewer kind: ClusterRole @@ -146,7 +147,7 @@ metadata: namespace: hierarchy annotations: cnrm.cloud.google.com/ignore-clusterless: "true" -# AC-3(7), AC-3, AC-16(2) +# AC-1, AC-3(7), AC-3, AC-16(2) roleRef: name: cnrm-viewer kind: ClusterRole diff --git a/solutions/core-landing-zone/namespaces/logging.yaml b/solutions/core-landing-zone/namespaces/logging.yaml index b0e1db042..9445326a5 100644 --- a/solutions/core-landing-zone/namespaces/logging.yaml +++ b/solutions/core-landing-zone/namespaces/logging.yaml 
@@ -13,6 +13,7 @@ # limitations under the License. ######### # GCP SA +# AC-1 - Implementation of access control # AC-3(7), AC-3, AC-16(2) - This service account possesses limited privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the namespace and is assigned roles as required. apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount @@ -40,7 +41,7 @@ spec: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Organization external: "0000000000" # kpt-set: ${org-id} - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) role: roles/logging.admin member: "serviceAccount:logging-sa@management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:logging-sa@${management-project-id}.iam.gserviceaccount.com --- @@ -57,7 +58,7 @@ spec: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project external: management-project-id # kpt-set: ${management-project-id} - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) role: roles/monitoring.admin member: "serviceAccount:logging-sa@management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:logging-sa@${management-project-id}.iam.gserviceaccount.com --- @@ -75,7 +76,7 @@ spec: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project external: logging-project-id # kpt-set: ${logging-project-id} - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) role: roles/monitoring.admin member: "serviceAccount:logging-sa@management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:logging-sa@${management-project-id}.iam.gserviceaccount.com --- 
@@ -93,7 +94,7 @@ spec: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project name: logging-project-id # kpt-set: ${logging-project-id} - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) role: roles/storage.admin member: "serviceAccount:logging-sa@management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:logging-sa@${management-project-id}.iam.gserviceaccount.com --- @@ -111,7 +112,7 @@ spec: name: logging-sa apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) bindings: - role: roles/iam.workloadIdentityUser members: @@ -146,7 +147,7 @@ metadata: namespace: logging annotations: cnrm.cloud.google.com/ignore-clusterless: "true" -# AC-3(7), AC-3, AC-16(2) +# AC-1, AC-3(7), AC-3, AC-16(2) roleRef: name: cnrm-viewer kind: ClusterRole diff --git a/solutions/core-landing-zone/namespaces/management-namespace.yaml b/solutions/core-landing-zone/namespaces/management-namespace.yaml index e04fb70e5..af446fc3e 100644 --- a/solutions/core-landing-zone/namespaces/management-namespace.yaml +++ b/solutions/core-landing-zone/namespaces/management-namespace.yaml @@ -13,6 +13,7 @@ # limitations under the License. ######### # Grant GCP role Organization Role Admin to GCP config-control-sa a.k.a yakima +# AC-1 - Implementation of access control # AC-3(7), AC-3, AC-16(2) - This service account possesses limited privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the namespace and is assigned roles as required. apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember 
@@ -27,7 +28,7 @@ spec: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Organization external: "123456789012" # kpt-set: ${org-id} - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) role: roles/iam.organizationRoleAdmin member: "serviceAccount:service-management-project-number@gcp-sa-yakima.iam.gserviceaccount.com" # kpt-set: serviceAccount:service-${management-project-number}@gcp-sa-yakima.iam.gserviceaccount.com --- @@ -45,7 +46,7 @@ spec: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project external: management-project-id # kpt-set: ${management-project-id} - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) role: roles/editor member: "serviceAccount:service-management-project-number@gcp-sa-yakima.iam.gserviceaccount.com" # kpt-set: serviceAccount:service-${management-project-number}@gcp-sa-yakima.iam.gserviceaccount.com --- @@ -63,6 +64,6 @@ spec: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project external: management-project-id # kpt-set: ${management-project-id} - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) role: roles/iam.serviceAccountAdmin member: "serviceAccount:service-management-project-number@gcp-sa-yakima.iam.gserviceaccount.com" # kpt-set: serviceAccount:service-${management-project-number}@gcp-sa-yakima.iam.gserviceaccount.com diff --git a/solutions/core-landing-zone/namespaces/networking.yaml b/solutions/core-landing-zone/namespaces/networking.yaml index dcfd94bb5..f7faf8fd5 100644 --- a/solutions/core-landing-zone/namespaces/networking.yaml +++ b/solutions/core-landing-zone/namespaces/networking.yaml 
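Review bot: The `# AC-1, AC-3(7), AC-3, AC-16(2)` tag added in the second hunk annotates `role: roles/editor` on the management project for the Config Controller service agent, and the file header in the preceding hunk describes that account as restricted to the necessary operations; a basic role is the opposite of that, so the tag claims a least-privilege posture the binding does not show. The same tension applies to the org-level `roles/iam.organizationRoleAdmin` binding in the first hunk. If these grants are a documented requirement of the managed service, the justification belongs next to the binding, e.g. `# roles/editor on the management project is required by the Config Controller service agent; no narrower predefined role is supported - <doc link placeholder>`; otherwise the binding should be narrowed to the predefined roles the agent actually exercises.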
@@ -13,6 +13,7 @@ # limitations under the License. ######### # GCP SA +# AC-1 - Implementation of access control # AC-3(7), AC-3, AC-16(2) - This service account possesses limited privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the namespace and is assigned roles as required. apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount @@ -39,7 +40,7 @@ spec: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Folder external: "123456789012" # kpt-set: ${lz-folder-id} - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) role: roles/compute.networkAdmin member: "serviceAccount:networking-sa@management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:networking-sa@${management-project-id}.iam.gserviceaccount.com --- @@ -53,7 +54,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Folder @@ -71,7 +72,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Folder @@ -89,7 +90,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Organization 
@@ -109,7 +110,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Organization @@ -127,7 +128,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Folder @@ -145,7 +146,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) resourceRef: name: networking-sa apiVersion: iam.cnrm.cloud.google.com/v1beta1 diff --git a/solutions/core-landing-zone/namespaces/policies.yaml b/solutions/core-landing-zone/namespaces/policies.yaml index c95b510e3..797881111 100644 --- a/solutions/core-landing-zone/namespaces/policies.yaml +++ b/solutions/core-landing-zone/namespaces/policies.yaml @@ -13,6 +13,7 @@ # limitations under the License. ######### # GCP SA +# AC-1 - Implementation of access control # AC-3(7), AC-3, AC-16(2) - This service account possesses limited privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the namespace and is assigned roles as required. apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount 
@@ -36,7 +37,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Organization @@ -54,7 +55,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) resourceRef: name: policies-sa apiVersion: iam.cnrm.cloud.google.com/v1beta1 diff --git a/solutions/core-landing-zone/namespaces/projects.yaml b/solutions/core-landing-zone/namespaces/projects.yaml index ca1ccf780..22ef1ab70 100644 --- a/solutions/core-landing-zone/namespaces/projects.yaml +++ b/solutions/core-landing-zone/namespaces/projects.yaml @@ -13,6 +13,7 @@ # limitations under the License. ######### # GCP SA +# AC-1 - Implementation of access control # AC-3(7), AC-3, AC-16(2) - This service account possesses limited privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the namespace and is assigned roles as required. apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount @@ -36,7 +37,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Folder 
@@ -54,7 +55,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Folder @@ -72,7 +73,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Folder @@ -90,7 +91,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Folder @@ -108,7 +109,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Folder @@ -127,7 +128,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Organization @@ -145,7 +146,7 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) resourceRef: name: projects-sa apiVersion: iam.cnrm.cloud.google.com/v1beta1 
@@ -184,7 +185,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" roleRef: - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) name: cnrm-viewer kind: ClusterRole apiGroup: rbac.authorization.k8s.io @@ -202,7 +203,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" roleRef: - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) name: cnrm-viewer kind: ClusterRole apiGroup: rbac.authorization.k8s.io @@ -220,7 +221,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" roleRef: - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) name: cnrm-viewer kind: ClusterRole apiGroup: rbac.authorization.k8s.io diff --git a/solutions/core-landing-zone/org/org-policies/essentialcontacts-allowed-contact-domains.yaml b/solutions/core-landing-zone/org/org-policies/essentialcontacts-allowed-contact-domains.yaml index b0dad23b3..df6741b23 100644 --- a/solutions/core-landing-zone/org/org-policies/essentialcontacts-allowed-contact-domains.yaml +++ b/solutions/core-landing-zone/org/org-policies/essentialcontacts-allowed-contact-domains.yaml @@ -27,6 +27,7 @@ # list of allowed domains can be added in Essential Contacts. # ######### +# AC-3(9) - Only accounts with these domain suffixes can be defined as essential contacts. apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: ResourceManagerPolicy metadata: @@ -39,6 +40,7 @@ spec: constraint: "constraints/essentialcontacts.allowedContactDomains" listPolicy: allow: + # AC-3(9) values: # kpt-set: ${allowed-contact-domains} - "@example.com" organizationRef: diff --git a/solutions/core-landing-zone/org/org-policies/iam-allowed-policy-member-domains.yaml b/solutions/core-landing-zone/org/org-policies/iam-allowed-policy-member-domains.yaml index d20dcd62b..a5dbc6663 100644 --- a/solutions/core-landing-zone/org/org-policies/iam-allowed-policy-member-domains.yaml 
+++ b/solutions/core-landing-zone/org/org-policies/iam-allowed-policy-member-domains.yaml @@ -33,6 +33,7 @@ # https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains # ######### +# AC-3(9) - only accounts from these Cloud Identity directory are allowed in the system boundary apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: ResourceManagerPolicy metadata: @@ -45,6 +46,7 @@ spec: constraint: "constraints/iam.allowedPolicyMemberDomains" listPolicy: allow: + # AC-3(9) values: # kpt-set: ${allowed-policy-domain-members} - "DIRECTORY_CUSTOMER_ID" organizationRef: diff --git a/solutions/core-landing-zone/org/org-policies/iam-disable-service-account-key-creation.yaml b/solutions/core-landing-zone/org/org-policies/iam-disable-service-account-key-creation.yaml index 89f5ab482..d43127ea3 100644 --- a/solutions/core-landing-zone/org/org-policies/iam-disable-service-account-key-creation.yaml +++ b/solutions/core-landing-zone/org/org-policies/iam-disable-service-account-key-creation.yaml @@ -22,6 +22,7 @@ # This boolean constraint disables the creation of service account external keys where this constraint is set to `True`. # ######### +# IA-1 - GCP service accounts are controlled by GCP Organization Policies. Key Creation is disabled ensuring it remains managed by Google. apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: ResourceManagerPolicy metadata: diff --git a/solutions/core-landing-zone/org/org-policies/iam-disable-service-account-key-upload.yaml b/solutions/core-landing-zone/org/org-policies/iam-disable-service-account-key-upload.yaml index 515d485f1..65becea32 100644 --- a/solutions/core-landing-zone/org/org-policies/iam-disable-service-account-key-upload.yaml +++ b/solutions/core-landing-zone/org/org-policies/iam-disable-service-account-key-upload.yaml 
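Review bot: The new comment `only accounts from these Cloud Identity directory are allowed in the system boundary` is ungrammatical and understates what the list actually holds: the `values` entry below is `DIRECTORY_CUSTOMER_ID`, so `iam.allowedPolicyMemberDomains` is keyed on Cloud Identity customer IDs rather than domain names, and it restricts which principals can appear in IAM policies, not which accounts exist. Suggest `# AC-3(9) - Only principals belonging to the listed Cloud Identity customer IDs (not domain names) can be granted IAM roles at or below the organization`, so that whoever fills in the `${allowed-policy-domain-members}` setter does not paste a domain and get a rejected policy.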
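Review bot: `IA-1` is the Identification and Authentication policy-and-procedures control, so it is a weak fit for a technical constraint that stops user-managed service account keys from being created; IA-5 (Authenticator Management), and specifically IA-5(7) on embedded/static authenticators, is what `iam.disableServiceAccountKeyCreation` actually supports, so consider `# IA-5, IA-5(7) - ...` alongside or instead of IA-1 (confirm against the catalogue this repo maps to). The wording `ensuring it remains managed by Google` is also slightly off: the constraint blocks creation of user-managed keys, while Google-managed keys exist and rotate regardless, so `... so that only Google-managed keys exist and no long-lived private key can be downloaded` is more precise. The twin key-upload policy in the next file carries the same mapping and wording.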
@@ -22,6 +22,7 @@ # This boolean constraint disables the feature that allows uploading public keys to service accounts where this constraint is set to `True`. # ######### +# IA-1 - GCP service accounts are controlled by GCP Organization Policies. Key Upload is disabled ensuring it remains managed by Google. apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: ResourceManagerPolicy metadata: diff --git a/solutions/core-landing-zone/org/org-sink.yaml b/solutions/core-landing-zone/org/org-sink.yaml index a185a6c6f..071167d0d 100644 --- a/solutions/core-landing-zone/org/org-sink.yaml +++ b/solutions/core-landing-zone/org/org-sink.yaml @@ -14,6 +14,7 @@ ###### # Organization sink for Security logs: Cloud Audit and Access Transparency # Destination: Cloud Logging bucket hosted inside logging project +# AU-2 - Organization-defined auditable events # AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the organization to send the logs to the logging bucket in the logging project # AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket # AC-2(4) - Includes Security logs: Cloud Audit and Access Transparency @@ -38,7 +39,7 @@ spec: description: Organization sink for Security Logs # the log sink must be enabled (disabled: false) to meet the listed security controls disabled: false - # AC-2(4), AU-12, AU-12(1) + # AC-2(4), AU-2, AU-12, AU-12(1) # Includes Security logs: Cloud Audit and Access Transparency # Security logs help you answer "who did what, where, and when" # 
@@ -59,6 +60,7 @@ spec: # Organization sink for Data Access logs related to Google Workspace Login Audit # https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login # Destination: Cloud Logging bucket hosted inside logging project +# AU-2 - Organization-defined auditable events # AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the organization to send the logs to the logging bucket in the logging project # AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket # AC-2(4) - Includes Security logs: Data Access @@ -84,7 +86,7 @@ spec: description: Organization sink for Data Access Logs # the log sink must be enabled (disabled: false) to meet the listed security controls disabled: false - # AC-2(4), AU-12, AU-12(1) + # AC-2(4), AU-2, AU-12, AU-12(1) # Includes Security logs: Data Access # Security logs help you answer "who did what, where, and when" # diff --git a/solutions/core-landing-zone/securitycontrols.md b/solutions/core-landing-zone/securitycontrols.md index 2a50d155c..e405768ae 100644 --- a/solutions/core-landing-zone/securitycontrols.md +++ b/solutions/core-landing-zone/securitycontrols.md 
@@ -3,6 +3,57 @@
 |Security Control|File Name|Resource Name|
 |---|---|---|
+|AC-1|./lz-folder/audits/logging-project/project-iam.yaml|mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions|
+|AC-1|./lz-folder/audits/logging-project/project-iam.yaml|platform-and-component-services-infra-log-bucket-writer-permissions|
+|AC-1|./lz-folder/audits/logging-project/project-iam.yaml|platform-and-component-services-log-bucket-writer-permissions|
+|AC-1|./lz-folder/audits/logging-project/project-iam.yaml|security-log-bucket-writer-permissions|
+|AC-1|./lz-folder/audits/logging-project/project-iam.yaml|security-log-bucket-writer-permissions|
+|AC-1|./namespaces/config-management-monitoring.yaml|config-mgmt-mon-default-sa|
+|AC-1|./namespaces/config-management-monitoring.yaml|config-mgmt-mon-default-sa-metric-writer-permissions|
+|AC-1|./namespaces/config-management-monitoring.yaml|config-mgmt-mon-default-sa-workload-identity-binding|
+|AC-1|./namespaces/gatekeeper-system.yaml|gatekeeper-admin-sa|
+|AC-1|./namespaces/gatekeeper-system.yaml|gatekeeper-admin-sa-metric-writer-permissions|
+|AC-1|./namespaces/gatekeeper-system.yaml|gatekeeper-admin-sa-workload-identity-binding|
+|AC-1|./namespaces/hierarchy.yaml|allow-folders-resource-reference-to-logging|
+|AC-1|./namespaces/hierarchy.yaml|allow-hierarchy-resource-reference-from-config-control|
+|AC-1|./namespaces/hierarchy.yaml|allow-hierarchy-resource-reference-from-policies|
+|AC-1|./namespaces/hierarchy.yaml|allow-hierarchy-resource-reference-from-projects|
+|AC-1|./namespaces/hierarchy.yaml|hierarchy-sa|
+|AC-1|./namespaces/hierarchy.yaml|hierarchy-sa-folderadmin-permissions|
+|AC-1|./namespaces/hierarchy.yaml|hierarchy-sa-workload-identity-binding|
+|AC-1|./namespaces/logging.yaml|allow-logging-resource-reference-from-projects|
+|AC-1|./namespaces/logging.yaml|logging-sa|
+|AC-1|./namespaces/logging.yaml|logging-sa-logadmin-permissions|
+|AC-1|./namespaces/logging.yaml|logging-sa-monitoring-admin-logging-project-id-permissions|
+|AC-1|./namespaces/logging.yaml|logging-sa-monitoring-admin-management-project-id-permissions|
+|AC-1|./namespaces/logging.yaml|logging-sa-storageadmin-logging-project-id-permissions|
+|AC-1|./namespaces/logging.yaml|logging-sa-workload-identity-binding|
+|AC-1|./namespaces/management-namespace.yaml|config-control-sa-management-project-editor-permissions|
+|AC-1|./namespaces/management-namespace.yaml|config-control-sa-management-project-serviceaccountadmin-permissions|
+|AC-1|./namespaces/management-namespace.yaml|config-control-sa-orgroleadmin-permissions|
+|AC-1|./namespaces/management-namespace.yaml|config-control-sa-orgroleadmin-permissions|
+|AC-1|./namespaces/networking.yaml|networking-sa|
+|AC-1|./namespaces/networking.yaml|networking-sa-dns-permissions|
+|AC-1|./namespaces/networking.yaml|networking-sa-networkadmin-permissions|
+|AC-1|./namespaces/networking.yaml|networking-sa-security-permissions|
+|AC-1|./namespaces/networking.yaml|networking-sa-service-control-org-permissions|
+|AC-1|./namespaces/networking.yaml|networking-sa-servicedirectoryeditor-permissions|
+|AC-1|./namespaces/networking.yaml|networking-sa-workload-identity-binding|
+|AC-1|./namespaces/networking.yaml|networking-sa-xpnadmin-permissions|
+|AC-1|./namespaces/policies.yaml|policies-sa|
+|AC-1|./namespaces/policies.yaml|policies-sa-orgpolicyadmin-permissions|
+|AC-1|./namespaces/policies.yaml|policies-sa-workload-identity-binding|
+|AC-1|./namespaces/projects.yaml|allow-projects-resource-reference-from-logging|
+|AC-1|./namespaces/projects.yaml|allow-projects-resource-reference-from-networking|
+|AC-1|./namespaces/projects.yaml|allow-projects-resource-reference-from-policies|
+|AC-1|./namespaces/projects.yaml|projects-sa|
+|AC-1|./namespaces/projects.yaml|projects-sa-billinguser-permissions|
+|AC-1|./namespaces/projects.yaml|projects-sa-projectcreator-permissions|
+|AC-1|./namespaces/projects.yaml|projects-sa-projectdeleter-permissions|
+|AC-1|./namespaces/projects.yaml|projects-sa-projectiamadmin-permissions|
+|AC-1|./namespaces/projects.yaml|projects-sa-projectmover-permissions|
+|AC-1|./namespaces/projects.yaml|projects-sa-serviceusageadmin-permissions|
+|AC-1|./namespaces/projects.yaml|projects-sa-workload-identity-binding|
 |AC-16(2)|./namespaces/config-management-monitoring.yaml|config-mgmt-mon-default-sa|
 |AC-16(2)|./namespaces/config-management-monitoring.yaml|config-mgmt-mon-default-sa|
 |AC-16(2)|./namespaces/config-management-monitoring.yaml|config-mgmt-mon-default-sa-metric-writer-permissions|
@@ -240,10 +291,17 @@
 |AC-3(7)|./org/custom-roles/tier3-vpcsc-admin.yaml|tier3-vpcsc-admin|
 |AC-3(7)|./org/custom-roles/tier4-secretmanager-admin.yaml|tier4-secretmanager-admin|
 |AC-3(7)|./org/custom-roles/tier4-secretmanager-admin.yaml|tier4-secretmanager-admin|
+|AC-3(9)|./org/org-policies/essentialcontacts-allowed-contact-domains.yaml|essentialcontacts-allowed-contact-domains|
+|AC-3(9)|./org/org-policies/essentialcontacts-allowed-contact-domains.yaml|essentialcontacts-allowed-contact-domains|
+|AC-3(9)|./org/org-policies/iam-allowed-policy-member-domains.yaml|iam-allowed-policy-member-domains|
+|AC-3(9)|./org/org-policies/iam-allowed-policy-member-domains.yaml|iam-allowed-policy-member-domains|
+|AU-11|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|platform-and-component-log-bucket|
+|AU-11|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|security-log-bucket|
+|AU-11|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|security-log-bucket|
+|AU-11|./lz-folder/audits/logging-project/cloud-storage-buckets.yaml|security-incident-log-bucket|
 |AU-11|./lz-folder/audits/logging-project/cloud-storage-buckets.yaml|security-incident-log-bucket|
 |AU-11|./setters.yaml|setters|
 |AU-11|./setters.yaml|setters|
-|AU-11).|./lz-folder/audits/logging-project/cloud-storage-buckets.yaml|security-incident-log-bucket|
 |AU-12|./lz-folder/audits/logging-project/project-sink.yaml|logging-project-id-data-access-sink|
 |AU-12|./lz-folder/audits/logging-project/project-sink.yaml|logging-project-id-data-access-sink|
 |AU-12|./lz-folder/services-infrastructure/dns-project/dns.yaml|dns-project-id-standard-core-public-dns|
@@ -270,6 +328,18 @@
 |AU-12(1)|./org/org-sink.yaml|org-log-sink-data-access-logging-project-id|
 |AU-12(1)|./org/org-sink.yaml|org-log-sink-security-logging-project-id|
 |AU-12(1)|./org/org-sink.yaml|org-log-sink-security-logging-project-id|
+|AU-2|./lz-folder/audits/logging-project/project-sink.yaml|logging-project-id-data-access-sink|
+|AU-2|./lz-folder/audits/logging-project/project-sink.yaml|logging-project-id-data-access-sink|
+|AU-2|./lz-folder/services-infrastructure/folder-sink.yaml|platform-and-component-services-infra-log-sink|
+|AU-2|./lz-folder/services-infrastructure/folder-sink.yaml|platform-and-component-services-infra-log-sink|
+|AU-2|./lz-folder/services/folder-sink.yaml|platform-and-component-services-log-sink|
+|AU-2|./lz-folder/services/folder-sink.yaml|platform-and-component-services-log-sink|
+|AU-2|./mgmt-project/project-sink.yaml|mgmt-project-cluster-platform-and-component-log-sink|
+|AU-2|./mgmt-project/project-sink.yaml|mgmt-project-cluster-platform-and-component-log-sink|
+|AU-2|./org/org-sink.yaml|org-log-sink-data-access-logging-project-id|
+|AU-2|./org/org-sink.yaml|org-log-sink-data-access-logging-project-id|
+|AU-2|./org/org-sink.yaml|org-log-sink-security-logging-project-id|
+|AU-2|./org/org-sink.yaml|org-log-sink-security-logging-project-id|
 |AU-3|./lz-folder/audits/logging-project/project-sink.yaml|logging-project-id-data-access-sink|
 |AU-3|./lz-folder/audits/logging-project/project-sink.yaml|logging-project-id-data-access-sink|
 |AU-3|./lz-folder/services-infrastructure/folder-sink.yaml|platform-and-component-services-infra-log-sink|
@@ -329,7 +399,6 @@
 |AU-7|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|platform-and-component-log-bucket|
 |AU-7|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|security-log-bucket|
 |AU-7|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|security-log-bucket|
-|AU-7(B)).|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|security-log-bucket|
 |AU-9|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|platform-and-component-log-bucket|
 |AU-9|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|security-log-bucket|
 |AU-9|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|security-log-bucket|
@@ -360,8 +429,19 @@
 |AU-9(2)|./org/org-sink.yaml|org-log-sink-data-access-logging-project-id|
 |AU-9(2)|./org/org-sink.yaml|org-log-sink-security-logging-project-id|
 |AU-9(2)|./org/org-sink.yaml|org-log-sink-security-logging-project-id|
-|AU-9)|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|security-log-bucket|
-|AU-9)|./lz-folder/audits/logging-project/cloud-storage-buckets.yaml|security-incident-log-bucket|
+|AU-9(4)|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|platform-and-component-log-bucket|
+|AU-9(4)|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|security-log-bucket|
+|AU-9(4)|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|security-log-bucket|
+|AU-9(4)|./lz-folder/audits/logging-project/cloud-storage-buckets.yaml|security-incident-log-bucket|
+|AU-9(4)|./lz-folder/audits/logging-project/cloud-storage-buckets.yaml|security-incident-log-bucket|
+|IA-1|./org/org-policies/iam-disable-service-account-key-creation.yaml|iam-disable-service-account-key-creation|
+|IA-1|./org/org-policies/iam-disable-service-account-key-upload.yaml|iam-disable-service-account-key-upload|
 |SC-20|./lz-folder/services-infrastructure/dns-project/dns.yaml|dns-project-id-standard-core-public-dns|
 |SC-20|./lz-folder/services-infrastructure/dns-project/dns.yaml|dns-project-id-standard-core-public-dns|
+|SI-4|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|platform-and-component-log-bucket|
+|SI-4|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|security-log-bucket|
+|SI-4|./lz-folder/audits/logging-project/cloud-logging-buckets.yaml|security-log-bucket|
+|SI-4|./lz-folder/audits/logging-project/cloud-storage-buckets.yaml|security-incident-log-bucket|
+|SI-4|./lz-folder/audits/logging-project/cloud-storage-buckets.yaml|security-incident-log-bucket|
+
diff --git a/solutions/gke/configconnector/gke-admin-proxy/instance-resources/iam.yaml b/solutions/gke/configconnector/gke-admin-proxy/instance-resources/iam.yaml index 5b579ab09..45b22675d 100644 --- a/solutions/gke/configconnector/gke-admin-proxy/instance-resources/iam.yaml +++ b/solutions/gke/configconnector/gke-admin-proxy/instance-resources/iam.yaml @@ -12,6 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. ######### +# AC-1 - Implementation of access control # AC-3, AC-3(7), AC-16(2) - Create the Service Account for the compute engine instance apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount @@ -37,7 +38,7 @@ metadata: annotations: config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/client-name-admin/IAMServiceAccount/project-id--instance-name-sa # kpt-set: iam.cnrm.cloud.google.com/namespaces/${client-name}-admin/IAMServiceAccount/${project-id}--${instance-name}-sa spec: - # AC-3, AC-3(7), AC-16(2) + # AC-1, AC-3, AC-3(7), AC-16(2) resourceRef: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount @@ -59,7 +60,7 @@ metadata: annotations: config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-admin/ComputeInstance/project-id--instance-name # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-admin/ComputeInstance/${project-id}--${instance-name} spec: - # AC-3, AC-3(7), AC-16(2) + # AC-1, AC-3, AC-3(7), AC-16(2) resourceRef: apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeInstance diff --git a/solutions/gke/configconnector/gke-admin-proxy/instance-resources/instance.yaml b/solutions/gke/configconnector/gke-admin-proxy/instance-resources/instance.yaml index 735e63eb8..8df5782ba 100644 --- a/solutions/gke/configconnector/gke-admin-proxy/instance-resources/instance.yaml +++ b/solutions/gke/configconnector/gke-admin-proxy/instance-resources/instance.yaml 
@@ -15,6 +15,7 @@ # Create a compute instance to manage private GKE clusters # https://cloud.google.com/kubernetes-engine/docs/tutorials/private-cluster-bastion # SI-3(2), SI-3(4), SI-3(7) - The compute instance is created using supported linux distributions on GCP +# SC-18, SC-18(1), SC-18(2), SC-18(4), SC-18(5) - Minimal linux OS with no browser or other applications capable of executing mobile code is installed # SC-18(1) - Integrity monitoring provides protection and notification of unacceptable code/malware present at boot time by comparing current state against the baseline of when the VMs are created apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeInstance @@ -37,7 +38,7 @@ spec: initializeParams: size: 20 type: pd-balanced - # SI-3(2), SI-3(4), SI-3(7) + # SC-18, SC-18(1), SC-18(2), SC-18(4), SC-18(5), SI-3(2), SI-3(4), SI-3(7) sourceImageRef: external: instance-os-image # kpt-set: ${instance-os-image} networkInterface: @@ -63,6 +64,7 @@ spec: metadata: - key: enable-oslogin value: "TRUE" + # SC-18, SC-18(1), SC-18(2), SC-18(4), SC-18(5) - key: startup-script value: | #! /bin/bash diff --git a/solutions/gke/configconnector/gke-admin-proxy/project-iam.yaml b/solutions/gke/configconnector/gke-admin-proxy/project-iam.yaml index fc46b8b92..35b8c844a 100644 --- a/solutions/gke/configconnector/gke-admin-proxy/project-iam.yaml +++ b/solutions/gke/configconnector/gke-admin-proxy/project-iam.yaml @@ -13,6 +13,7 @@ # limitations under the License. ######### # Grant roles to client-name-admin-sa to manage required resources in this project +# AC-1 - Implementation of access control # AC-3, AC-3(7), AC-16(2) - Grant GCP role Service Account Admin to GCP SA to manage service accounts apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember 
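Review bot: The new header line claims `Minimal linux OS with no browser or other applications capable of executing mobile code is installed`, but nothing in this resource enforces it: the image comes from the kpt setter `${instance-os-image}`, and the same SC-18 tags are placed on `startup-script`, whose body lies outside the hunk and is exactly where extra packages would get installed. State it as a requirement on the inputs rather than a fact, e.g. `# SC-18, SC-18(1), SC-18(2), SC-18(4), SC-18(5) - ${instance-os-image} must be a minimal Linux image with no browser or other mobile-code runtime, and startup-script must not install one`. SC-18(1) is now also listed twice in the header (on the new line and on the integrity-monitoring line below it), which the securitycontrols.md generator turns into duplicate rows.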
@@ -23,7 +24,7 @@ metadata: cnrm.cloud.google.com/ignore-clusterless: "true" config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/client-name-projects/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${client-name}-projects/Project/${project-id} spec: - # AC-3, AC-3(7), AC-16(2) + # AC-1, AC-3, AC-3(7), AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project @@ -41,7 +42,7 @@ metadata: cnrm.cloud.google.com/ignore-clusterless: "true" config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/client-name-projects/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${client-name}-projects/Project/${project-id} spec: - # AC-3, AC-3(7), AC-16(2) + # AC-1, AC-3, AC-3(7), AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project @@ -59,7 +60,7 @@ metadata: cnrm.cloud.google.com/ignore-clusterless: "true" config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/client-name-projects/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${client-name}-projects/Project/${project-id} spec: - # AC-3, AC-3(7), AC-16(2) + # AC-1, AC-3, AC-3(7), AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project @@ -70,6 +71,7 @@ spec: # Add required roles for IAP administration # https://cloud.google.com/iap/docs/using-tcp-forwarding#grant-permission # AC-3, AC-3(7), AC-16(2) - Grant Tunnel User and Viewer roles to gke-admins on the project +# AC-17(3) - Connections to GKE admin proxy are controlled by IAM permissions on the Identity Aware Proxy service. # moving this on the instance requires IAP service enabled and currently doesn't appear possible to grant with config connector apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPartialPolicy 
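Review bot: The new `AC-17(3)` comment says IAP IAM permissions control connections to the GKE admin proxy, but the IAMPartialPolicy it sits on is project-scoped (`Grant Tunnel User and Viewer roles to gke-admins on the project`, and the line below explains why it cannot be put on the instance), so every IAP-reachable instance in the project, not just this proxy, becomes a managed access point for gke-admins. Make that explicit so the control claim is not over-read: `# AC-17(3) - Remote access to the admin proxy goes only through IAP TCP forwarding gated by IAM; the tunnel role is granted at project scope, so it also covers any other IAP-reachable instance in this project`. The policy's `bindings` are outside this hunk.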
@@ -80,7 +82,7 @@ metadata: cnrm.cloud.google.com/ignore-clusterless: "true" config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/client-name-projects/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${client-name}-projects/Project/${project-id} spec: - # AC-3, AC-3(7), AC-16(2) + # AC-1, AC-3, AC-3(7), AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project diff --git a/solutions/gke/configconnector/gke-admin-proxy/securitycontrols.md b/solutions/gke/configconnector/gke-admin-proxy/securitycontrols.md index 67f3440ab..43b4ef731 100644 --- a/solutions/gke/configconnector/gke-admin-proxy/securitycontrols.md +++ b/solutions/gke/configconnector/gke-admin-proxy/securitycontrols.md @@ -3,6 +3,14 @@ |Security Control|File Name|Resource Name| |---|---|---| +|AC-1|./instance-resources/iam.yaml|project-id--instance-name-gke-admins-permissions| +|AC-1|./instance-resources/iam.yaml|project-id--instance-name-sa| +|AC-1|./instance-resources/iam.yaml|project-id--instance-name-sa-gke-admins-permissions| +|AC-1|./project-iam.yaml|project-id-client-name-admin-sa-compute-instance-admin-permissions| +|AC-1|./project-iam.yaml|project-id-client-name-admin-sa-service-account-admin-permissions| +|AC-1|./project-iam.yaml|project-id-client-name-admin-sa-service-account-admin-permissions| +|AC-1|./project-iam.yaml|project-id-client-name-admin-sa-service-account-user-permissions| +|AC-1|./project-iam.yaml|project-id-gke-admins-permissions| |AC-16(2)|./instance-resources/iam.yaml|project-id--instance-name-gke-admins-permissions| |AC-16(2)|./instance-resources/iam.yaml|project-id--instance-name-gke-admins-permissions| |AC-16(2)|./instance-resources/iam.yaml|project-id--instance-name-sa| 
@@ -16,6 +24,7 @@ |AC-16(2)|./project-iam.yaml|project-id-client-name-admin-sa-service-account-user-permissions| |AC-16(2)|./project-iam.yaml|project-id-gke-admins-permissions| |AC-16(2)|./project-iam.yaml|project-id-gke-admins-permissions| +|AC-17(3)|./project-iam.yaml|project-id-gke-admins-permissions| |AC-3|./instance-resources/iam.yaml|project-id--instance-name-gke-admins-permissions| |AC-3|./instance-resources/iam.yaml|project-id--instance-name-gke-admins-permissions| |AC-3|./instance-resources/iam.yaml|project-id--instance-name-sa| 
@@ -50,8 +59,23 @@ |AC-4(21)|./instance-resources/firewall-iap.yaml|project-id--instance-name-sa-iap-ssh-fwr| |AU-12|./instance-resources/firewall-iap.yaml|project-id--instance-name-sa-iap-ssh-fwr| |AU-12|./instance-resources/firewall-iap.yaml|project-id--instance-name-sa-iap-ssh-fwr| +|SC-18|./instance-resources/instance.yaml|project-id--instance-name| +|SC-18|./instance-resources/instance.yaml|project-id--instance-name| +|SC-18|./instance-resources/instance.yaml|project-id--instance-name| |SC-18(1)|./instance-resources/instance.yaml|project-id--instance-name| |SC-18(1)|./instance-resources/instance.yaml|project-id--instance-name| +|SC-18(1)|./instance-resources/instance.yaml|project-id--instance-name| +|SC-18(1)|./instance-resources/instance.yaml|project-id--instance-name| +|SC-18(1)|./instance-resources/instance.yaml|project-id--instance-name| +|SC-18(2)|./instance-resources/instance.yaml|project-id--instance-name| +|SC-18(2)|./instance-resources/instance.yaml|project-id--instance-name| +|SC-18(2)|./instance-resources/instance.yaml|project-id--instance-name| +|SC-18(4)|./instance-resources/instance.yaml|project-id--instance-name| +|SC-18(4)|./instance-resources/instance.yaml|project-id--instance-name| +|SC-18(4)|./instance-resources/instance.yaml|project-id--instance-name| +|SC-18(5)|./instance-resources/instance.yaml|project-id--instance-name| +|SC-18(5)|./instance-resources/instance.yaml|project-id--instance-name| +|SC-18(5)|./instance-resources/instance.yaml|project-id--instance-name| |SC-7(11)|./instance-resources/firewall-iap.yaml|project-id--instance-name-sa-iap-ssh-fwr| |SC-7(11)|./instance-resources/firewall-iap.yaml|project-id--instance-name-sa-iap-ssh-fwr| |SC-7(5)|./instance-resources/firewall-iap.yaml|project-id--instance-name-sa-iap-ssh-fwr| 
@@ -60,5 +84,11 @@ |SC-7(8)|./instance-resources/firewall-iap.yaml|project-id--instance-name-sa-iap-ssh-fwr| |SC-7(9)|./instance-resources/firewall-iap.yaml|project-id--instance-name-sa-iap-ssh-fwr| |SC-7(9)|./instance-resources/firewall-iap.yaml|project-id--instance-name-sa-iap-ssh-fwr| +|SI-3(2)|./instance-resources/instance.yaml|project-id--instance-name| +|SI-3(2)|./instance-resources/instance.yaml|project-id--instance-name| +|SI-3(4)|./instance-resources/instance.yaml|project-id--instance-name| +|SI-3(4)|./instance-resources/instance.yaml|project-id--instance-name| +|SI-3(7)|./instance-resources/instance.yaml|project-id--instance-name| +|SI-3(7)|./instance-resources/instance.yaml|project-id--instance-name| diff --git a/solutions/gke/configconnector/gke-cluster-autopilot/application-infrastructure-folder/firewall.yaml b/solutions/gke/configconnector/gke-cluster-autopilot/application-infrastructure-folder/firewall.yaml index 8a8dc0913..5c250cbd8 100644 --- a/solutions/gke/configconnector/gke-cluster-autopilot/application-infrastructure-folder/firewall.yaml +++ b/solutions/gke/configconnector/gke-cluster-autopilot/application-infrastructure-folder/firewall.yaml @@ -13,8 +13,9 @@ # limitations under the License. ######## # GKE egress Allow GKE nodes to AzDO -# TODO: validate if service account can be used instead of podipv4range +# TODO: validate if service account can be used instead of primaryIpv4Range # AU-12 - Enable Logging for firewall +# SC-7(9) - Exception to allow access to repositories in Github and AZDO and to allow access to docker registry apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewallPolicyRule metadata: @@ -39,6 +40,7 @@ spec: - ipProtocol: "tcp" ports: - "443" + # SC-7(9) destFqdns: - "dev.azure.com" priority: 2000 # kpt-set: ${gke-to-azdo-priority} @@ -70,6 +72,7 @@ spec: - ipProtocol: "tcp" ports: - "443" + # SC-7(9) destFqdns: - "github.com" priority: 2001 # kpt-set: ${gke-to-github-priority} 
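Review bot: `SC-7(9)` (deny outbound by default, allow by exception) is tagged on the `destFqdns` exceptions, but the rule these punch through, the default egress deny that has to sit at a lower priority than 2000/2001, is not visible in this file or hunk, so the comment should name it so the pair can be reviewed together: `# SC-7(9) - Egress exception to the default-deny egress rule in <file>; limited to TCP/443 to the listed FQDNs`. Note also that `github.com` admits any repository on GitHub, which makes this exception an exfiltration path for anything in the source range; if the repositories are known, an Artifact Registry remote repository or a forwarding proxy keeps the allow list tighter. The updated TODO is worth acting on: matching on the GKE node service account would tie the exception to the nodes rather than to whatever else lands in `primaryIpv4Range`.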
@@ -101,6 +104,7 @@ spec: - ipProtocol: "tcp" ports: - "443" + # SC-7(9) destFqdns: - "northamerica-northeast1-docker.pkg.dev" - "northamerica-northeast2-docker.pkg.dev" diff --git a/solutions/gke/configconnector/gke-cluster-autopilot/gke.yaml b/solutions/gke/configconnector/gke-cluster-autopilot/gke.yaml index 0c6747a2c..d228611da 100644 --- a/solutions/gke/configconnector/gke-cluster-autopilot/gke.yaml +++ b/solutions/gke/configconnector/gke-cluster-autopilot/gke.yaml @@ -13,7 +13,8 @@ # limitations under the License. ###### # GKE Autopilot Cluster -# AC-4, SC-7, SC-7(3) - Authorized IP ranges are defined on Kubernetes services +# AC-4, SC-7 - Authorized IP ranges are defined on Kubernetes services +# SC-12(2) - The GCP key management is used to generate a symmetric key. This symemetric key is used to encrypt the kubernetes managed instance etcd database. # SC-28, SC-28(1) - Protection of ETCD database at rest # AU-12 - Enable Logging for GKE # https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-shared-vpc @@ -34,7 +35,7 @@ spec: autoProvisioningDefaults: serviceAccountRef: name: cluster-name-sa # kpt-set: ${cluster-name}-sa - # SC-28, SC-28(1) + # SC-12(2), SC-28, SC-28(1) databaseEncryption: keyName: projects/project-id/locations/northamerica-northeast1/keyRings/cluster-name-kmskeyring/cryptoKeys/cluster-name-etcd-key # kpt-set: projects/${project-id}/locations/${location}/keyRings/${cluster-name}-kmskeyring/cryptoKeys/${cluster-name}-etcd-key state: ENCRYPTED @@ -65,7 +66,7 @@ spec: dailyMaintenanceWindow: startTime: 05:00 duration: 04:00 - # AC-4, SC-7, SC-7(3) + # AC-4, SC-7 masterAuthorizedNetworksConfig: cidrBlocks: # kpt-set: ${master-authorized-networks-cidr} - cidrBlock: 10.1.1.5/32 diff --git a/solutions/gke/configconnector/gke-cluster-autopilot/host-project/subnet.yaml b/solutions/gke/configconnector/gke-cluster-autopilot/host-project/subnet.yaml index c61278c63..305243f5b 100644 
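Review bot: The new SC-12(2) header line in gke.yaml misspells "symmetric" as `symemetric`, and the identical sentence is copied into the kms.yaml header in the `@@ -13,6 +13,7 @@` hunk on the following line, so both copies need the fix: `# SC-12(2) - The GCP key management is used to generate a symmetric key. This symmetric key is used to encrypt the kubernetes managed instance etcd database.` In the `@@ -65` hunk, the context lines `startTime: 05:00` and `duration: 04:00` are unquoted colon-separated digit strings, which a YAML 1.1 loader can resolve to sexagesimal integers; quoting them (`startTime: "05:00"`) removes that ambiguity, though whether the loader used by Config Connector is affected is not visible from this diff. The ContainerCluster spec continues beyond each hunk.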
--- a/solutions/gke/configconnector/gke-cluster-autopilot/host-project/subnet.yaml +++ b/solutions/gke/configconnector/gke-cluster-autopilot/host-project/subnet.yaml @@ -18,6 +18,7 @@ ######### # AC-4, AC-4(21) - GKE Subnet that has private google access enabled and flow logs enabled # AU-12 - Enable Logging for subnet +# IA-3(3) - IP space is assigned for dynamic allocation # Private Google Access allows to access external IP address of Google apis and services in a secured way # Flow logs on subnet captures all traffic for a subnet and publishes to cloud logging apiVersion: compute.cnrm.cloud.google.com/v1beta1 @@ -28,11 +29,13 @@ metadata: cnrm.cloud.google.com/project-id: host-project-id # kpt-set: ${host-project-id} spec: resourceID: project-id-cluster-name-snet # kpt-set: ${project-id}-${cluster-name}-snet + # IA-3(3) ipCidrRange: 10.1.32.0/24 # kpt-set: ${subnet-primary-cidr} # Notes about secondary ranges # You can create 30 secondary ranges in a given subnet. For each cluster, you need two secondary ranges: one for Pods and one for Services. # Note: The primary range and the Pod secondary range can be shared between clusters, but this is not a recommended configuration # https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-shared-vpc#notes_about_secondary_ranges + # IA-3(3) secondaryIpRange: - ipCidrRange: 10.1.33.0/24 # kpt-set: ${subnet-services-cidr} rangeName: servicesrange diff --git a/solutions/gke/configconnector/gke-cluster-autopilot/kms.yaml b/solutions/gke/configconnector/gke-cluster-autopilot/kms.yaml index 2bb193093..e21836542 100644 --- a/solutions/gke/configconnector/gke-cluster-autopilot/kms.yaml +++ b/solutions/gke/configconnector/gke-cluster-autopilot/kms.yaml 
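Review bot: The new `# IA-3(3) - IP space is assigned for dynamic allocation` header and the two `# IA-3(3)` markers sit on `ipCidrRange` and `secondaryIpRange`, which are static CIDR definitions; as I read the control, IA-3(3) (dynamic address allocation) is about allocating addresses dynamically according to policy and auditing the lease information, and nothing in either hunk shows that. If the intent is that GCP assigns addresses inside these ranges dynamically, the comment should say so, e.g. `# IA-3(3) - Addresses within these ranges are allocated dynamically by GCP; the ranges themselves are static`, otherwise the mapping is not supported by this file. The ComputeSubnetwork spec continues past the second hunk.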
@@ -13,6 +13,7 @@ # limitations under the License. ######### # Cloud KMS Key Ring and Key for GKE ETCD Encryption +# SC-12(2) - The GCP key management is used to generate a symmetric key. This symemetric key is used to encrypt the kubernetes managed instance etcd database. apiVersion: kms.cnrm.cloud.google.com/v1beta1 kind: KMSKeyRing metadata: @@ -23,6 +24,7 @@ metadata: spec: location: northamerica-northeast1 # kpt-set: ${location} --- +# SC-12(2) apiVersion: kms.cnrm.cloud.google.com/v1beta1 kind: KMSCryptoKey metadata: diff --git a/solutions/gke/configconnector/gke-cluster-autopilot/securitycontrols.md b/solutions/gke/configconnector/gke-cluster-autopilot/securitycontrols.md index 02bb2ff7f..3afcb7933 100644 --- a/solutions/gke/configconnector/gke-cluster-autopilot/securitycontrols.md +++ b/solutions/gke/configconnector/gke-cluster-autopilot/securitycontrols.md @@ -3,6 +3,15 @@ |Security Control|File Name|Resource Name| |---|---|---| +|AC-1|./service-account.yaml|cluster-name-sa| +|AC-1|./service-account.yaml|cluster-name-sa-artifactregistry-reader-permissions| +|AC-1|./service-account.yaml|cluster-name-sa-logwriter-permissions| +|AC-1|./service-account.yaml|cluster-name-sa-metricwriter-permissions| +|AC-1|./service-account.yaml|cluster-name-sa-monitoring-viewer-permissions| +|AC-1|./service-account.yaml|cluster-name-sa-secretmanager-secretaccessor-permissions| +|AC-1|./service-account.yaml|cluster-name-sa-stackdriver-metadata-writer-permissions| +|AC-1|./service-account.yaml|cluster-name-sa-storage-object-viewer-permissions| +|AC-1|./service-account.yaml|project-id-tier3-sa-serviceaccount-user-cluster-name-sa-permissions| |AC-3|./service-account.yaml|cluster-name-sa| |AC-3|./service-account.yaml|cluster-name-sa-artifactregistry-reader-permissions| |AC-3|./service-account.yaml|cluster-name-sa-artifactregistry-reader-permissions| 
@@ -53,13 +62,22 @@
 |AU-12|./host-project/firewall.yaml|project-id-cluster-name-lb-health-check|
 |AU-12|./host-project/subnet.yaml|project-id-cluster-name-snet|
 |AU-12|./host-project/subnet.yaml|project-id-cluster-name-snet|
+|IA-3(3)|./host-project/subnet.yaml|project-id-cluster-name-snet|
+|IA-3(3)|./host-project/subnet.yaml|project-id-cluster-name-snet|
+|IA-3(3)|./host-project/subnet.yaml|project-id-cluster-name-snet|
+|SC-12(2)|./gke.yaml|cluster-name|
+|SC-12(2)|./gke.yaml|cluster-name|
+|SC-12(2)|./kms.yaml|cluster-name-etcd-key|
+|SC-12(2)|./kms.yaml|cluster-name-kmskeyring|
 |SC-28|./gke.yaml|cluster-name|
 |SC-28|./gke.yaml|cluster-name|
 |SC-28(1)|./gke.yaml|cluster-name|
 |SC-28(1)|./gke.yaml|cluster-name|
 |SC-7|./gke.yaml|cluster-name|
 |SC-7|./gke.yaml|cluster-name|
-|SC-7(3)|./gke.yaml|cluster-name|
-|SC-7(3)|./gke.yaml|cluster-name|
+|SC-7(9)|./application-infrastructure-folder/firewall.yaml|project-id-cluster-name-egress-allow-azdo|
+|SC-7(9)|./application-infrastructure-folder/firewall.yaml|project-id-cluster-name-egress-allow-azdo|
+|SC-7(9)|./application-infrastructure-folder/firewall.yaml|project-id-cluster-name-egress-allow-docker|
+|SC-7(9)|./application-infrastructure-folder/firewall.yaml|project-id-cluster-name-egress-allow-github|
diff --git a/solutions/gke/configconnector/gke-cluster-autopilot/service-account.yaml b/solutions/gke/configconnector/gke-cluster-autopilot/service-account.yaml
index 702b2b7f5..5110d1199 100644
--- a/solutions/gke/configconnector/gke-cluster-autopilot/service-account.yaml
+++ b/solutions/gke/configconnector/gke-cluster-autopilot/service-account.yaml
@@ -12,6 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. ###### +# AC-1 - Implementation of access control # AC-3(7), AC-3 - GCP Service Account # CIS GKE Benchmark Recommendation: 6.2.1. Prefer not running GKE clusters using the Compute Engine default service account # https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa @@ -34,7 +35,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3 + # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project @@ -52,7 +53,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3 + # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project @@ -70,7 +71,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3 + # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project @@ -88,7 +89,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3 + # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project @@ -106,7 +107,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3 + # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project @@ -124,7 +125,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3 + # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project 
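Review bot: `# AC-1 - Implementation of access control` is added as a control marker on IAM bindings here and, with identical wording, in the project-iam.yaml hunks (`@@ -14`, `@@ -19`, `@@ -13`) on the following lines, in workload-identity.yaml and in both rolebinding files; AC-1 is the access-control policy-and-procedures control, and a binding is an implementation artefact already mapped to AC-3/AC-3(7) here rather than evidence of a documented policy. If the intent is to show that these resources implement the organisation's access control policy, the comment should say that and point at the policy document, e.g. `# AC-1 - Implements the organisation's access control policy (see policy reference)`; otherwise the generated securitycontrols tables will list every binding under AC-1 without anything in the file supporting it. Each IAMPolicyMember spec continues past its hunk.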
@@ -142,7 +143,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3 + # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project @@ -178,7 +179,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3 + # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount diff --git a/solutions/gke/configconnector/gke-defaults/README.md b/solutions/gke/configconnector/gke-defaults/README.md index 7464cdc31..eece2039d 100755 --- a/solutions/gke/configconnector/gke-defaults/README.md +++ b/solutions/gke/configconnector/gke-defaults/README.md @@ -22,7 +22,6 @@ loaded in the config controller. | Name | Value | Type | Count | |------------------|---------------------------|-------|-------| -| certificate-id | 12345678 | int | 1 | | certificate-name | certificate-name | str | 3 | | client-name | client1 | str | 8 | | dns-project-id | dns-project-id | str | 1 | diff --git a/solutions/gke/configconnector/gke-defaults/gateway-setup/ssl-certificate/ssl.yaml b/solutions/gke/configconnector/gke-defaults/gateway-setup/ssl-certificate/ssl.yaml index 6546d6dc8..87196e320 100644 --- a/solutions/gke/configconnector/gke-defaults/gateway-setup/ssl-certificate/ssl.yaml +++ b/solutions/gke/configconnector/gke-defaults/gateway-setup/ssl-certificate/ssl.yaml 
@@ -13,9 +13,9 @@ # limitations under the License. ######### # SC-8 - Google Managed Classic SSL certificate that would be used by Gateway controller that would target external public load balancer +# SC-12(3) - The GCP Certificate Manager (classic certificates) is used to generate asymmetric keys (SSL certificate). This certificate is used to encrypt load balancer traffic. # Warning! requires the alpha resource loaded in the config controller # https://github.com/GoogleCloudPlatform/k8s-config-connector/blob/master/crds/compute_v1alpha1_computemanagedsslcertificate.yaml -# TODO: fix error message : Update call failed: error applying desired state: summary: doesn't support update apiVersion: compute.cnrm.cloud.google.com/v1alpha1 kind: ComputeManagedSSLCertificate metadata: @@ -24,7 +24,7 @@ metadata: annotations: cnrm.cloud.google.com/state-into-spec: absent spec: - # SC-8 + # SC-8, SC-12(3) description: certificate-name Managed SSL Certificate # kpt-set: ${certificate-name} Managed SSL Certificate managed: domains: # kpt-set: ${domains} diff --git a/solutions/gke/configconnector/gke-defaults/project-iam.yaml b/solutions/gke/configconnector/gke-defaults/project-iam.yaml index ce3282235..a95ac031c 100644 --- a/solutions/gke/configconnector/gke-defaults/project-iam.yaml +++ b/solutions/gke/configconnector/gke-defaults/project-iam.yaml @@ -14,6 +14,7 @@ ######### # Client viewer permissions for GKE, logging, and monitoring ######### +# AC-1 - Implementation of access control # AC-3(7), AC-3 - Grant role: roles/container.clusterViewer on the GKE Cluster project to client group apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember @@ -22,7 +23,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3 + # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project 
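Review bot: The new SC-12(3) line attributes the certificate to "GCP Certificate Manager (classic certificates)", but the resource below is `ComputeManagedSSLCertificate` under `compute.cnrm.cloud.google.com`, i.e. a Compute Engine Google-managed SSL certificate; Certificate Manager is, as far as I know, a separate API, so the wording should name the product that actually issues the key pair, e.g. `# SC-12(3) - A Google-managed SSL certificate (Compute Engine classic certificate) provides the asymmetric key pair used to encrypt load balancer traffic`. The same sentence is reused in the gateway-global.yaml hunk further down. The TODO about `doesn't support update` is removed without any accompanying change to the resource in this hunk, so a reader cannot tell whether the update failure was resolved or only de-prioritised; a one-line note saying which would help. The ComputeManagedSSLCertificate spec continues past the `@@ -24` hunk.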
@@ -39,7 +40,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3 + # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project @@ -56,7 +57,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3 + # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project @@ -73,7 +74,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3 + # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project @@ -90,7 +91,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3 + # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project @@ -107,7 +108,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3 + # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project diff --git a/solutions/gke/configconnector/gke-defaults/securitycontrols.md b/solutions/gke/configconnector/gke-defaults/securitycontrols.md index 80e0b7da7..2e27c93e0 100644 --- a/solutions/gke/configconnector/gke-defaults/securitycontrols.md +++ b/solutions/gke/configconnector/gke-defaults/securitycontrols.md 
@@ -3,6 +3,13 @@
 |Security Control|File Name|Resource Name|
 |---|---|---|
+|AC-1|./project-iam.yaml|containerclusterviewer-permissions|
+|AC-1|./project-iam.yaml|containerclusterviewer-permissions|
+|AC-1|./project-iam.yaml|loggingviewer-permissions|
+|AC-1|./project-iam.yaml|monitoringdashboardeditor-permissions|
+|AC-1|./project-iam.yaml|monitoringviewer-permissions|
+|AC-1|./project-iam.yaml|pubsubsubscriber-permissions|
+|AC-1|./project-iam.yaml|pubsubviewer-permissions|
 |AC-3|./project-iam.yaml|containerclusterviewer-permissions|
 |AC-3|./project-iam.yaml|containerclusterviewer-permissions|
 |AC-3|./project-iam.yaml|loggingviewer-permissions|
@@ -27,6 +34,8 @@
 |AC-3(7)|./project-iam.yaml|pubsubsubscriber-permissions|
 |AC-3(7)|./project-iam.yaml|pubsubviewer-permissions|
 |AC-3(7)|./project-iam.yaml|pubsubviewer-permissions|
+|SC-12(3)|./gateway-setup/ssl-certificate/ssl.yaml|certificate-name-compute-sslcertificate|
+|SC-12(3)|./gateway-setup/ssl-certificate/ssl.yaml|certificate-name-compute-sslcertificate|
 |SC-22|./gateway-setup/dns/dns.yaml|metadata-name|
 |SC-8|./gateway-setup/ssl-certificate/ssl.yaml|certificate-name-compute-sslcertificate|
 |SC-8|./gateway-setup/ssl-certificate/ssl.yaml|certificate-name-compute-sslcertificate|
diff --git a/solutions/gke/configconnector/gke-setup/host-project/project-iam.yaml b/solutions/gke/configconnector/gke-setup/host-project/project-iam.yaml
index 3db1e81a2..e78964307 100644
--- a/solutions/gke/configconnector/gke-setup/host-project/project-iam.yaml
+++ b/solutions/gke/configconnector/gke-setup/host-project/project-iam.yaml
@@ -19,6 +19,7 @@ ################## # Grant role: roles/compute.networkUser on the host project to SERVICE_PROJECT_1_NUM@cloudservices.gserviceaccount.com # https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-shared-vpc#enabling_and_granting_roles +# AC-1 - Implementation of access control # AC-3(7), AC-3 - This service account possesses limited privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the namespace and is assigned roles as required. apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember @@ -28,7 +29,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3 + # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project @@ -47,7 +48,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3 + # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project @@ -68,7 +69,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3 + # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project @@ -86,7 +87,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3 + # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project @@ -106,7 +107,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3 + # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project diff --git a/solutions/gke/configconnector/gke-setup/project-iam.yaml b/solutions/gke/configconnector/gke-setup/project-iam.yaml index aecb6e912..e901fd973 100644 --- a/solutions/gke/configconnector/gke-setup/project-iam.yaml 
+++ b/solutions/gke/configconnector/gke-setup/project-iam.yaml @@ -13,6 +13,7 @@ # limitations under the License. ######### # Grant GCP role GKE Hub admin to Tier3 SA on Service Project +# AC-1 - Implementation of access control # AC-3(7), AC-3, AC-16(2) - This service account possesses limited privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the namespace and is assigned roles as required. # IAM permissions required to register cluster to anthos fleet and workload identity apiVersion: iam.cnrm.cloud.google.com/v1beta1 @@ -23,7 +24,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project @@ -42,7 +43,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project @@ -61,7 +62,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project @@ -79,7 +80,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project @@ -97,7 +98,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project 
@@ -115,7 +116,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project @@ -133,7 +134,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project @@ -152,11 +153,10 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3, AC-16(2) + # AC-1, AC-3(7), AC-3, AC-16(2) resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project name: project-id # kpt-set: ${project-id} role: roles/pubsub.admin member: "serviceAccount:client-name-logging-sa@client-management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:${client-name}-logging-sa@${client-management-project-id}.iam.gserviceaccount.com - diff --git a/solutions/gke/configconnector/gke-setup/securitycontrols.md b/solutions/gke/configconnector/gke-setup/securitycontrols.md index d3e241979..d1d63a1da 100644 --- a/solutions/gke/configconnector/gke-setup/securitycontrols.md +++ b/solutions/gke/configconnector/gke-setup/securitycontrols.md 
@@ -3,6 +3,21 @@
 |Security Control|File Name|Resource Name|
 |---|---|---|
+|AC-1|./host-project/project-iam.yaml|project-id-cloudservices-sa-networkuser-host-project-id-permissions|
+|AC-1|./host-project/project-iam.yaml|project-id-cloudservices-sa-networkuser-host-project-id-permissions|
+|AC-1|./host-project/project-iam.yaml|project-id-container-engine-robot-sa-gkefirewall-admin-host-project-id-permissions|
+|AC-1|./host-project/project-iam.yaml|project-id-container-engine-robot-sa-host-servce-agent-host-project-id-permissions|
+|AC-1|./host-project/project-iam.yaml|project-id-container-engine-robot-sa-networkuser-host-project-id-permissions|
+|AC-1|./host-project/project-iam.yaml|project-id-tier3-sa-tier3-subnetwork-admin-host-project-id-permissions|
+|AC-1|./project-iam.yaml|client-name-logging-sa-pubsub-admin-project-id-permissions|
+|AC-1|./project-iam.yaml|project-id-container-engine-robot-sa-kms-encrypt-decrypt-project-id-permissions|
+|AC-1|./project-iam.yaml|project-id-tier3-sa-container-admin-project-id-permissions|
+|AC-1|./project-iam.yaml|project-id-tier3-sa-gke-hub-admin-project-id-permissions|
+|AC-1|./project-iam.yaml|project-id-tier3-sa-gke-hub-admin-project-id-permissions|
+|AC-1|./project-iam.yaml|project-id-tier3-sa-kms-admin-project-id-permissions|
+|AC-1|./project-iam.yaml|project-id-tier3-sa-service-agent-project-id-permissions|
+|AC-1|./project-iam.yaml|project-id-tier4-sa-artifactregistry-admin-project-id-permissions|
+|AC-1|./project-iam.yaml|project-id-tier4-sa-tier4-secret-manager-admin-project-id-permissions|
 |AC-16(2)|./project-iam.yaml|client-name-logging-sa-pubsub-admin-project-id-permissions|
 |AC-16(2)|./project-iam.yaml|client-name-logging-sa-pubsub-admin-project-id-permissions|
 |AC-16(2)|./project-iam.yaml|project-id-container-engine-robot-sa-kms-encrypt-decrypt-project-id-permissions|
@@ -71,5 +86,21 @@
 |AC-3(7)|./project-iam.yaml|project-id-tier4-sa-artifactregistry-admin-project-id-permissions|
 |AC-3(7)|./project-iam.yaml|project-id-tier4-sa-tier4-secret-manager-admin-project-id-permissions|
 |AC-3(7)|./project-iam.yaml|project-id-tier4-sa-tier4-secret-manager-admin-project-id-permissions|
+|RA-5(5)|./services.yaml|project-id-containerscanning|
+|RA-5(5)|./services.yaml|project-id-containerscanning|
+|RA-5(5)|./services.yaml|project-id-containersecurity|
+|RA-5(5)|./services.yaml|project-id-containersecurity|
+|SI-4(5)|./logging-monitoring/alerts.yaml|project-id-gke-cluster-event-notification-alert|
+|SI-4(5)|./logging-monitoring/alerts.yaml|project-id-gke-cluster-upgrade-alert|
+|SI-4(5)|./logging-monitoring/alerts.yaml|project-id-gke-security-posture-critical-severity-alert|
+|SI-4(5)|./logging-monitoring/alerts.yaml|project-id-gke-security-posture-critical-severity-alert|
+|SI-4(5)|./logging-monitoring/alerts.yaml|project-id-gke-security-posture-high-severity-alert|
+|SI-4(5)|./logging-monitoring/alerts.yaml|project-id-gke-security-posture-low-severity-alert|
+|SI-4(5)|./logging-monitoring/alerts.yaml|project-id-gke-security-posture-medium-severity-alert|
+|SI-4(5)|./logging-monitoring/notificationchannel.yaml|project-id-gke-monitoring-group-notify|
+|SI-4(5)|./logging-monitoring/notificationchannel.yaml|project-id-gke-monitoring-group-notify|
+|SI-4(5)|./logging-monitoring/pubsub.yaml|project-id-gke-cluster-notification-pubsub-subscription|
+|SI-4(5)|./logging-monitoring/pubsub.yaml|project-id-gke-cluster-notification-pubsub-topic|
+|SI-4(5)|./logging-monitoring/pubsub.yaml|project-id-gke-cluster-notification-pubsub-topic|
diff --git a/solutions/gke/configconnector/gke-workload-identity/securitycontrols.md b/solutions/gke/configconnector/gke-workload-identity/securitycontrols.md
index d4e37ccfb..16a4c4c7d 100644
--- a/solutions/gke/configconnector/gke-workload-identity/securitycontrols.md
+++ b/solutions/gke/configconnector/gke-workload-identity/securitycontrols.md @@ -3,6 +3,9 @@ |Security Control|File Name|Resource Name| |---|---|---| +|AC-1|./workload-identity.yaml|workload-name-sa| +|AC-1|./workload-identity.yaml|workload-name-sa-secretaccessor-permissions| +|AC-1|./workload-identity.yaml|workload-name-sa-secretmanager-secretaccessor-permissions| |AC-3|./workload-identity.yaml|workload-name-sa| |AC-3|./workload-identity.yaml|workload-name-sa| |AC-3|./workload-identity.yaml|workload-name-sa-secretaccessor-permissions| diff --git a/solutions/gke/configconnector/gke-workload-identity/workload-identity.yaml b/solutions/gke/configconnector/gke-workload-identity/workload-identity.yaml index fa12a74f3..36a2c5d8d 100644 --- a/solutions/gke/configconnector/gke-workload-identity/workload-identity.yaml +++ b/solutions/gke/configconnector/gke-workload-identity/workload-identity.yaml @@ -20,6 +20,7 @@ # Additional roles can be granted to this service account to provide applications access to other Google services. ######### # GCP SA that will access Google services. +# AC-1 - Implementation of access control # AC-3(7), AC-3 - This GCP SA is bound to a Kubernetes SA apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount @@ -42,7 +43,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3 + # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project @@ -61,7 +62,7 @@ metadata: annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3 + # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount diff --git a/solutions/gke/kubernetes/cluster-defaults/gateway/gateway-global.yaml b/solutions/gke/kubernetes/cluster-defaults/gateway/gateway-global.yaml index e2ac850fb..acec60b84 100644 --- a/solutions/gke/kubernetes/cluster-defaults/gateway/gateway-global.yaml 
+++ b/solutions/gke/kubernetes/cluster-defaults/gateway/gateway-global.yaml @@ -13,6 +13,8 @@ # limitations under the License. ######### # SC-5, SC-5(2), SC-8 - Deploy public external load balancer in front of public facing web applications for additional inspection of incoming traffic and enforcing additional security policies such as ssl etc. +# SC-12(3) - The GCP Certificate Manager - classic certificates - is used to generate asymmetric keys - SSL certificate-. This certificate is used to encrypt load balancer traffic. +# SI-4(10) - Client to load balancer traffic is encrypted, at which point it is deccrypted allowing inspection by Cloud IDS and other tools. # Gateway using an external global load balancer and a SSL certificate apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway @@ -31,8 +33,10 @@ spec: port: 443 # SC-8 tls: + # SI-4(10) mode: Terminate options: + # SC-12(3) networking.gke.io/pre-shared-certs: sample-cert # kpt-set: ${ssl-cert} allowedRoutes: namespaces: diff --git a/solutions/gke/kubernetes/cluster-defaults/network-logging.yaml b/solutions/gke/kubernetes/cluster-defaults/network-logging.yaml index 35a99cc20..fc73336e0 100644 --- a/solutions/gke/kubernetes/cluster-defaults/network-logging.yaml +++ b/solutions/gke/kubernetes/cluster-defaults/network-logging.yaml @@ -1,5 +1,6 @@ # Per Cluster resource # AU-12, AU-3, AU-3(1) - Enables logging for traffic allowed / blocked by Network Policies +# SI-4 - Logging denied traffic # More info: https://cloud.google.com/kubernetes-engine/docs/how-to/network-policy-logging # In future we may want to enable delegate and only log traffic allowed / blocked by specific rules kind: NetworkLogging @@ -7,7 +8,7 @@ apiVersion: networking.gke.io/v1alpha1 metadata: name: default spec: - # AU-12, AU-3, AU-3(1) + # AU-12, AU-3, AU-3(1), SI-4 cluster: allow: log: true 
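Review bot: The new SI-4(10) header line in gateway-global.yaml misspells "decrypted" as `deccrypted`, and the SC-12(3) line uses stray dashes (`- classic certificates -`, `SSL certificate-.`) where ssl.yaml's copy of the same sentence uses parentheses; align the two by writing `(classic certificates)` and `(SSL certificate)` here and `# SI-4(10) - Client to load balancer traffic is encrypted and is decrypted at the load balancer, allowing inspection by Cloud IDS and other tools.` Placing the `# SI-4(10)` marker directly above `mode: Terminate` in the `@@ -31` hunk is the right spot, since that is the line that actually terminates TLS. The Gateway spec continues beyond that hunk.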
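Review bot: `# SI-4 - Logging denied traffic` in network-logging.yaml describes only denied flows, while the existing header on the line above it says the resource logs traffic allowed and blocked, and the visible `allow:` / `log: true` lines in the `@@ -7` hunk enable logging of allowed flows; any `deny:` stanza is outside the hunk. Suggest `# SI-4 - Logs allowed and denied network-policy traffic so it can be monitored`, so the control marker matches what the resource does, and the same wording on the `# AU-12, AU-3, AU-3(1), SI-4` marker line is then consistent.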
diff --git a/solutions/gke/kubernetes/cluster-defaults/securitycontrols.md b/solutions/gke/kubernetes/cluster-defaults/securitycontrols.md index 9b09ac9d7..6027e2c5a 100644 --- a/solutions/gke/kubernetes/cluster-defaults/securitycontrols.md +++ b/solutions/gke/kubernetes/cluster-defaults/securitycontrols.md @@ -11,6 +11,8 @@ |AU-3|./network-logging.yaml|default| |AU-3(1)|./network-logging.yaml|default| |AU-3(1)|./network-logging.yaml|default| +|SC-12(3)|./gateway/gateway-global.yaml|external-gateway-name| +|SC-12(3)|./gateway/gateway-global.yaml|external-gateway-name| |SC-5|./gateway/gateway-global.yaml|external-gateway-name| |SC-5|./gateway/gateway-global.yaml|external-gateway-name| |SC-5|./gateway/gcpgatewaypolicy.yaml|external-gateway-name-policy| @@ -23,5 +25,9 @@ |SC-8|./gateway/gateway-global.yaml|external-gateway-name| |SC-8|./gateway/gcpgatewaypolicy.yaml|external-gateway-name-policy| |SC-8|./gateway/gcpgatewaypolicy.yaml|external-gateway-name-policy| +|SI-4|./network-logging.yaml|default| +|SI-4|./network-logging.yaml|default| +|SI-4(10)|./gateway/gateway-global.yaml|external-gateway-name| +|SI-4(10)|./gateway/gateway-global.yaml|external-gateway-name| diff --git a/solutions/gke/kubernetes/namespace-defaults/rolebinding-httproute-admin.yaml b/solutions/gke/kubernetes/namespace-defaults/rolebinding-httproute-admin.yaml index 7fbdfe027..fc3baa260 100644 --- a/solutions/gke/kubernetes/namespace-defaults/rolebinding-httproute-admin.yaml +++ b/solutions/gke/kubernetes/namespace-defaults/rolebinding-httproute-admin.yaml @@ -12,6 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. ######### +# AC-1 - Implementation of access control # AC-3(7) - Role to manage routes in the workload namespace apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -39,7 +40,7 @@ kind: RoleBinding metadata: name: httproute-admin-rolebinding namespace: workload-name # kpt-set: ${workload-name} -# AC-3(7) +# AC-1, AC-3(7) roleRef: apiGroup: rbac.authorization.k8s.io kind: Role diff --git a/solutions/gke/kubernetes/namespace-defaults/rolebinding-team-view.yaml b/solutions/gke/kubernetes/namespace-defaults/rolebinding-team-view.yaml index 068db20a2..76275d0bb 100644 --- a/solutions/gke/kubernetes/namespace-defaults/rolebinding-team-view.yaml +++ b/solutions/gke/kubernetes/namespace-defaults/rolebinding-team-view.yaml @@ -12,13 +12,14 @@ # See the License for the specific language governing permissions and # limitations under the License. ######### +# AC-1 - Implementation of access control # AC-3(7) - Grant view access to user or group apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: team-view-rolebinding namespace: workload-name # kpt-set: ${workload-name} -# AC-3(7) +# AC-1, AC-3(7) roleRef: apiGroup: rbac.authorization.k8s.io kind: Role diff --git a/solutions/gke/kubernetes/namespace-defaults/securitycontrols.md b/solutions/gke/kubernetes/namespace-defaults/securitycontrols.md index d4128ce9f..4a4ce15dd 100644 --- a/solutions/gke/kubernetes/namespace-defaults/securitycontrols.md +++ b/solutions/gke/kubernetes/namespace-defaults/securitycontrols.md @@ -3,6 +3,10 @@ |Security Control|File Name|Resource Name| |---|---|---| +|AC-1|./rolebinding-httproute-admin.yaml|httproute-admin-role| +|AC-1|./rolebinding-httproute-admin.yaml|httproute-admin-rolebinding| +|AC-1|./rolebinding-team-view.yaml|team-view-rolebinding| +|AC-1|./rolebinding-team-view.yaml|team-view-rolebinding| |AC-3|./namespace-sa.yaml|workload-name-sa| |AC-3(7)|./namespace-sa.yaml|workload-name-sa| |AC-3(7)|./rolebinding-httproute-admin.yaml|httproute-admin-role| 
@@ -24,6 +28,7 @@ |AC-4(21)|./networkpolicy.yaml|allow-ingress-from-lb-health-check| |AC-4(21)|./networkpolicy.yaml|allow-ingress-within-namespace| |AC-4(21)|./networkpolicy.yaml|allow-ingress-within-namespace| +|CM-5(1)|./cd/gitops-config-sync.yaml|workload-name-t4-csync| |SC-7(11)|./networkpolicy.yaml|allow-egrees-to-gcp-api| |SC-7(11)|./networkpolicy.yaml|allow-egress-to-metadata-server| |SC-7(11)|./networkpolicy.yaml|allow-egress-within-namespace| diff --git a/solutions/ids/endpoint/endpoint.yaml b/solutions/ids/endpoint/endpoint.yaml index cb971d829..05fc5928b 100644 --- a/solutions/ids/endpoint/endpoint.yaml +++ b/solutions/ids/endpoint/endpoint.yaml @@ -13,6 +13,7 @@ # limitations under the License. ######### # AC-17(1), SC-7(9), SC-18(1), SI-3(2), SI-3(4), SI-3(7), SI-4(4), SI-4(5), SI-4(7) - Defining Cloud IDS endpoint to receive mirrored traffic that performs threat detection and analysis +# SI-4(11) - Cloud IDS is configured to inspect all traffic to/from client applications and log anomalies to be reported/alerted on by Cloud Monitoring # Warning! requires the alpha resource loaded in the config controller # https://github.com/GoogleCloudPlatform/k8s-config-connector/blob/master/crds/cloudids_v1alpha1_cloudidsendpoint.yaml apiVersion: cloudids.cnrm.cloud.google.com/v1alpha1 diff --git a/solutions/ids/securitycontrols.md b/solutions/ids/securitycontrols.md index cce578c99..8862d6cbb 100644 --- a/solutions/ids/securitycontrols.md +++ b/solutions/ids/securitycontrols.md 
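Review bot: The new SI-4(11) line in endpoint.yaml states that Cloud IDS inspects "all traffic to/from client applications", but the endpoint only sees what the packet-mirroring policy forwards to it (the securitycontrols table on the next line lists that policy as `./endpoint/mirroring.yaml`), so the "all traffic" claim depends on that policy's filters rather than on anything in this file. Suggest scoping the comment to what this resource does: `# SI-4(11) - Cloud IDS inspects the traffic mirrored to this endpoint (see mirroring.yaml) and logs anomalies for alerting through Cloud Monitoring`. The CloudIDSEndpoint spec continues past the hunk.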
@@ -32,5 +32,36 @@
 |SC-7(9)|./firewall.yaml|host-project-id-standard-egress-allow-psa-fwr|
 |SC-7(9)|./peering.yaml|host-project-id-standard-to-googlemanaged-peer|
 |SC-7(9)|./services.yaml|host-project-id-ids|
+|SI-3(2)|./address.yaml|host-project-id-standard-google-managed-services-ip|
+|SI-3(2)|./endpoint/endpoint.yaml|host-project-id--endpoint-name-ids|
+|SI-3(2)|./endpoint/mirroring.yaml|host-project-id--endpoint-name-mirror|
+|SI-3(2)|./peering.yaml|host-project-id-standard-to-googlemanaged-peer|
+|SI-3(2)|./services.yaml|host-project-id-ids|
+|SI-3(4)|./address.yaml|host-project-id-standard-google-managed-services-ip|
+|SI-3(4)|./endpoint/endpoint.yaml|host-project-id--endpoint-name-ids|
+|SI-3(4)|./endpoint/mirroring.yaml|host-project-id--endpoint-name-mirror|
+|SI-3(4)|./peering.yaml|host-project-id-standard-to-googlemanaged-peer|
+|SI-3(4)|./services.yaml|host-project-id-ids|
+|SI-3(7)|./address.yaml|host-project-id-standard-google-managed-services-ip|
+|SI-3(7)|./endpoint/endpoint.yaml|host-project-id--endpoint-name-ids|
+|SI-3(7)|./endpoint/mirroring.yaml|host-project-id--endpoint-name-mirror|
+|SI-3(7)|./peering.yaml|host-project-id-standard-to-googlemanaged-peer|
+|SI-3(7)|./services.yaml|host-project-id-ids|
+|SI-4(11)|./endpoint/endpoint.yaml|host-project-id--endpoint-name-ids|
+|SI-4(4)|./address.yaml|host-project-id-standard-google-managed-services-ip|
+|SI-4(4)|./endpoint/endpoint.yaml|host-project-id--endpoint-name-ids|
+|SI-4(4)|./endpoint/mirroring.yaml|host-project-id--endpoint-name-mirror|
+|SI-4(4)|./peering.yaml|host-project-id-standard-to-googlemanaged-peer|
+|SI-4(4)|./services.yaml|host-project-id-ids|
+|SI-4(5)|./address.yaml|host-project-id-standard-google-managed-services-ip|
+|SI-4(5)|./endpoint/endpoint.yaml|host-project-id--endpoint-name-ids|
+|SI-4(5)|./endpoint/mirroring.yaml|host-project-id--endpoint-name-mirror|
+|SI-4(5)|./peering.yaml|host-project-id-standard-to-googlemanaged-peer|
+|SI-4(5)|./services.yaml|host-project-id-ids|
+|SI-4(7)|./address.yaml|host-project-id-standard-google-managed-services-ip|
+|SI-4(7)|./endpoint/endpoint.yaml|host-project-id--endpoint-name-ids|
+|SI-4(7)|./endpoint/mirroring.yaml|host-project-id--endpoint-name-mirror|
+|SI-4(7)|./peering.yaml|host-project-id-standard-to-googlemanaged-peer|
+|SI-4(7)|./services.yaml|host-project-id-ids|
