Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: adding security control tags #810

Merged
merged 3 commits into from
Feb 13, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#########
# AC-1 - Implementation of access control
# AC-3, AC-3(7), AC-16(2) - IAM Partial Policy that binds tier4 namespace service account to the required minimum project scoped roles to deploy allowed resources
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
Expand All @@ -23,7 +24,7 @@ spec:
resourceRef:
kind: Project
external: projects/project-id # kpt-set: projects/${project-id}
# AC-3, AC-3(7), AC-16(2)
# AC-1, AC-3, AC-3(7), AC-16(2)
bindings:
# edit / add roles to tier4-sa as required
#
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#########
# AC-1 - Implementation of access control
# AC-2(7) - Organize privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles
# AC-3, AC-3(7), AC-16(2) - IAM Partial Policy that binds users to the required minimum project scoped roles to perform duties
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
Expand All @@ -23,7 +25,7 @@ spec:
resourceRef:
kind: Project
external: projects/project-id # kpt-set: projects/${project-id}
# AC-3, AC-3(7), AC-16(2)
# AC-1, AC-2(7), AC-3, AC-3(7), AC-16(2)
bindings:
# edit / add roles to users as required
#
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
# creates a cloud armor policy with rules
# the target load balancer is attached from its ComputeBackendService resource
# SC-5, SC-5(2) - Deploy Web Application Firewall in front of public facing web applications for additional inspection of incoming traffic using Cloud armor policy
# SI-4(4) - Cloud Armor is configured to monitor for potentially malicious behaviour
# Cloud armor policy is made up of rules that filter traffic based on conditions such as incoming request ip address before it reaches target load balancer backend services.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeSecurityPolicy
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,8 @@
# https://www.cyber.gc.ca/en/guidance/guidance-securely-configuring-network-protocols-itsp40062
#########
# SC-8, SC-13 - SSL policy with minimum TLS 1.2
# SC-23 - SSL policy in place enforcing TLS 1.2+ and strong/approved ciphers only.
# AC-17(2) - An SSL policy is deployed to ensure Google front end (GFE) load balancers use TLS 1.2 or later
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeSSLPolicy
metadata:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
# Delegate to host project, egress traffic(firewall) from VPC resources to private IP ranges in shared VPC network
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
# AU-12 - Enable Logging for firewall
# SI-4 - Logging denied traffic
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewallPolicyRule
metadata:
Expand Down Expand Up @@ -84,7 +85,7 @@ spec:
description: "Deny TOR exit nodes ingress traffic"
direction: "INGRESS"
disabled: false
# AU-12
# AU-12, SI-4
enableLogging: true
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
firewallPolicyRef:
Expand Down Expand Up @@ -113,7 +114,7 @@ spec:
description: "Deny sanctioned countries ingress traffic"
direction: "INGRESS"
disabled: false
# AU-12
# AU-12, SI-4
enableLogging: true
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
firewallPolicyRef:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
#########
# Allow os updates
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
# SC-18, SC-18(1), SC-18(2), SC-18(4), SC-18(5) - Access is restricted to the corresponding OS package repository on the Internet. It does not prevent the downloading and execution of mobile code from this source.
# AU-12 - Enable Logging for firewall
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewallPolicyRule
Expand All @@ -40,6 +41,7 @@ spec:
- "443"
srcIPRanges: # kpt-set: ${allowed-os-update-source-ip-ranges}
- "n.n.n.n/n"
# SC-18, SC-18(1), SC-18(2), SC-18(4), SC-18(5)
destFqdns: # kpt-set: ${allowed-os-update-domains}
- "example.com"
priority: 5000
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
# limitations under the License.
######
# Grant GCP role Folder Viewer on client's folder to client's user group
# AC-1 - Implementation of access control
# AC-3, AC-3(7), AC-16(2) - This IAM policy binding grants GCP Folder Viewer role on client's folder to client's user group based on least-privilege principle
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
Expand All @@ -27,6 +28,6 @@ spec:
kind: Folder
name: clients.client-name # kpt-set: clients.${client-name}
namespace: hierarchy
# AC-3, AC-3(7), AC-16(2)
# AC-1, AC-3, AC-3(7), AC-16(2)
role: roles/resourcemanager.folderViewer
member: client-folderviewer # kpt-set: ${client-folderviewer}
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
# TODO: investigate using client ns, move functionality to client-setup and/or create new client logging project. Will be required if a config-controller is deployed per client OR we need to give permissions to the client service account into the core logging project.
# Folder sink for Platform and Component logs of Client Resources
# Destination: cloud logging bucket inside logging project
# AU-2 - Organization-defined auditable events
# AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the folder to send the logs to the logging bucket in the logging project
# AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket
# AU-12, AU-12(1) - Log Sinks defined in Log Router check each log entry against the inclusion filter and exclusion filter that determine which destinations that the log entry is sent to
Expand All @@ -39,7 +40,7 @@ spec:
description: Folder sink for client-name Platform and Component logs # kpt-set: Folder sink for ${client-name} Platform and Component logs
# the log sink must be enabled (disabled: false) to meet the listed security controls
disabled: false
# AU-12, AU-12(1)
# AU-2, AU-12, AU-12(1)
# Includes the following types of logs:
# Cloud DNS, Cloud NAT, Firewall Rules, VPC Flow, HTTP(S) Load Balancer and Intrusion Detection System (IDS)
# Logs for such resources must be enabled on the respective resource as they are not enabled by default.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
# Delegate to host project, egress traffic(firewall) from VPC resources to private IP ranges in shared VPC network
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
# AU-12 - Enable Logging for firewall policies
# SI-4 - Logging denied traffic
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewallPolicyRule
metadata:
Expand Down Expand Up @@ -84,7 +85,7 @@ spec:
description: "Deny known malicious IPs ingress traffic"
direction: "INGRESS"
disabled: false
# AU-12
# AU-12, SI-4
enableLogging: true
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
firewallPolicyRef:
Expand Down Expand Up @@ -112,7 +113,7 @@ spec:
description: "Deny known malicious IPs egress traffic"
direction: "EGRESS"
disabled: false
# AU-12
# AU-12, SI-4
enableLogging: true
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
firewallPolicyRef:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
# Allow all egress traffic(firewall) from VPC resources to private IP ranges in shared VPC network within host project
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
# AU-12 - Enable Logging for firewall
# SI-4 - Logging denied traffic
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewall
metadata:
Expand Down Expand Up @@ -65,7 +66,7 @@ spec:
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
networkRef:
name: host-project-id-global-standard-vpc # kpt-set: ${host-project-id}-global-standard-vpc
# AU-12
# AU-12, SI-4
logConfig:
metadata: "INCLUDE_ALL_METADATA"
---
Expand Down Expand Up @@ -93,6 +94,6 @@ spec:
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
networkRef:
name: host-project-id-global-standard-vpc # kpt-set: ${host-project-id}-global-standard-vpc
# AU-12
# AU-12, SI-4
logConfig:
metadata: "INCLUDE_ALL_METADATA"
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
#########
# Subnet nonp-main northamerica-northeast1
# AU-12 - Enable Logging for Subnet
# IA-3(3) - IP space is assigned for dynamic allocation
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeSubnetwork
metadata:
Expand All @@ -29,6 +30,7 @@ metadata:
config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeNetwork/host-project-id-global-standard-vpc # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeNetwork/${host-project-id}-global-standard-vpc
spec:
resourceID: nane1-standard-nonp-main-snet
# IA-3(3)
ipCidrRange: 10.1.0.0/21 # kpt-set: ${standard-nane1-nonp-main-snet}
region: northamerica-northeast1
description: northamerica-northeast1 nonp-main subnet
Expand All @@ -52,6 +54,7 @@ metadata:
config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeNetwork/host-project-id-global-standard-vpc # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeNetwork/${host-project-id}-global-standard-vpc
spec:
resourceID: nane1-standard-pbmm-main-snet
# IA-3(3)
ipCidrRange: 10.1.128.0/21 # kpt-set: ${standard-nane1-pbmm-main-snet}
region: northamerica-northeast1
description: northamerica-northeast1 pbmm-main subnet
Expand All @@ -75,6 +78,7 @@ metadata:
config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeNetwork/host-project-id-global-standard-vpc # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeNetwork/${host-project-id}-global-standard-vpc
spec:
resourceID: nane2-standard-nonp-main-snet
# IA-3(3)
ipCidrRange: 10.1.8.0/21 # kpt-set: ${standard-nane2-nonp-main-snet}
region: northamerica-northeast2
description: northamerica-northeast2 nonp-main subnet
Expand All @@ -98,6 +102,7 @@ metadata:
config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeNetwork/host-project-id-global-standard-vpc # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeNetwork/${host-project-id}-global-standard-vpc
spec:
resourceID: nane2-standard-pbmm-main-snet
# IA-3(3)
ipCidrRange: 10.1.136.0/21 # kpt-set: ${standard-nane2-pbmm-main-snet}
region: northamerica-northeast2
description: northamerica-northeast2 pbmm-main subnet
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
# Isolate non-protected subnet so it denies ingress traffic from pbmm subnet
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
# AU-12 - Enable Logging for firewall
# SI-4 - Logging denied traffic
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewallPolicyRule
metadata:
Expand All @@ -27,7 +28,7 @@ spec:
description: "Isolate non-protected subnet so it denies ingress traffic from pbmm subnet"
direction: "INGRESS"
disabled: false
# AU-12
# AU-12, SI-4
enableLogging: true
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
firewallPolicyRef:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,8 @@
# Logs are routed using a log sink to a central logging project into a dedicated log bucket
# AU-7, AU-9 - The log buckets created within the Logging project are immutable (AU-7(B)). These buckets have a retention policy of xxx days and IAM Policy that defines who has access to the bucket (AU-9)
# AU-4(1), AU-6(4), AU-9(2), AU-12, AU-12(1) Log sinks sending the logs to same project in same region having a logging bucket
# AU-9(4), SI-4 - The centralized logging solution has a configuration in place that defines all logging buckets to be locked
# AU-11 - Logging bucket retention configuration
apiVersion: logging.cnrm.cloud.google.com/v1beta1
kind: LoggingLogBucket
metadata:
Expand All @@ -30,6 +32,7 @@ spec:
location: northamerica-northeast1
description: Cloud Logging bucket for client-name Platform and Component logs # kpt-set: Cloud Logging bucket for ${client-name} Platform and Component logs
# RetentionDays sets the policy where existing log content cannot be changed/deleted for the specified number of days (from setters.yaml), locked setting means policy cannot be changed, ensuring immutability
# AU-7, AU-9
# AU-7, AU-9, AU-9(4), SI-4
locked: false # kpt-set: ${retention-locking-policy}
# AU-11
retentionDays: 1 # kpt-set: ${retention-in-days}
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
# TODO: investigate using client ns, move functionality to client-setup and/or create new client logging project. Will be required if a config-controller is deployed per client OR we need to give permissions to the client service account into the core logging project.
# Logs Bucket writer IAM permissions
# Binds the generated Writer identity from the LoggingLogSink to the logging project
# AC-1 - Implementation of access control
# AC-3, AC-3(7), AC-16(2), AU-9 - This IAM policy binding grants bucketwriter role to the identity of the log sink configured on the bucket in the logging project
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
Expand All @@ -26,7 +27,7 @@ spec:
kind: Project
name: logging-project-id # kpt-set: ${logging-project-id}
namespace: projects
# AC-3, AC-3(7), AC-16(2), AU-9
# AC-1, AC-3, AC-3(7), AC-16(2), AU-9
bindings:
- role: roles/logging.bucketWriter
members:
Expand Down
Loading