diff --git a/solutions/experimentation/admin-folder/folder-iam.yaml b/solutions/experimentation/admin-folder/folder-iam.yaml index 4c5862579..1b0096e59 100644 --- a/solutions/experimentation/admin-folder/folder-iam.yaml +++ b/solutions/experimentation/admin-folder/folder-iam.yaml @@ -13,7 +13,6 @@ # limitations under the License. ######### # Grant GCP role Folder Admin on Admin's folder to admin -# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: @@ -30,7 +29,6 @@ spec: member: admin-owner # kpt-set: ${admin-owner} --- # Grant GCP role Project Creator on Admin's folder to admin -# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: @@ -47,7 +45,6 @@ spec: member: admin-owner # kpt-set: ${admin-owner} --- # Grant GCP role Owner on Admin's folder to admin -# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: diff --git a/solutions/experimentation/client-landing-zone/client-folder/folder-iam.yaml b/solutions/experimentation/client-landing-zone/client-folder/folder-iam.yaml index 69de191d2..48f59822e 100644 --- a/solutions/experimentation/client-landing-zone/client-folder/folder-iam.yaml +++ b/solutions/experimentation/client-landing-zone/client-folder/folder-iam.yaml @@ -13,7 +13,6 @@ # limitations under the License. ######### # Grant GCP role Folder Viewer on client's folder to client's user group -# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: diff --git a/solutions/experimentation/client-landing-zone/client-folder/folder-sink.yaml b/solutions/experimentation/client-landing-zone/client-folder/folder-sink.yaml index 32978aba0..11a9c3370 100644 --- a/solutions/experimentation/client-landing-zone/client-folder/folder-sink.yaml 
+++ b/solutions/experimentation/client-landing-zone/client-folder/folder-sink.yaml @@ -34,7 +34,6 @@ spec: description: Folder sink for client-name Platform and Component logs # kpt-set: Folder sink for ${client-name} Platform and Component logs # the log sink must be enabled (disabled: false) to meet the listed security controls disabled: false - # AU-2, AU-12(A), AU-12(C) # Includes the following types of logs: # Cloud DNS, Cloud NAT, Firewall Rules, VPC Flow, and HTTP(S) Load Balancer # These logs are not enabled by default. They are enabled inside the client-experimentation package: diff --git a/solutions/experimentation/client-landing-zone/logging-project/cloud-logging-bucket.yaml b/solutions/experimentation/client-landing-zone/logging-project/cloud-logging-bucket.yaml index fbaf018fb..d7b1d73b1 100644 --- a/solutions/experimentation/client-landing-zone/logging-project/cloud-logging-bucket.yaml +++ b/solutions/experimentation/client-landing-zone/logging-project/cloud-logging-bucket.yaml @@ -14,7 +14,6 @@ ###### # Cloud Logging bucket for client Platform and Component logs # Logs are routed using a log sink to a central logging project into a dedicated log bucket -# AU-4(1), AU-9(2) - Log buckets are created in a logging project, isolating them from the source of the log entries in other projects apiVersion: logging.cnrm.cloud.google.com/v1beta1 kind: LoggingLogBucket metadata: 
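Review bot: The context line `# the log sink must be enabled (disabled: false) to meet the listed security controls` now points at a list that this hunk deletes, so the new side carries a dangling reference right above `disabled: false`. Rewording it to state the concrete reason keeps the constraint without the control tags: `# the log sink must remain enabled (disabled: false) so the client's Platform and Component logs reach the central logging bucket`. The same wording survives in the other sink manifests touched by this commit and needs the same treatment.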
@@ -29,6 +28,5 @@ spec: location: northamerica-northeast1 description: Cloud Logging bucket for client-name Platform and Component logs # kpt-set: Cloud Logging bucket for ${client-name} Platform and Component logs # Implement retention policy and retention locking policy - # AU-9, AU-11 - RetentionDays sets the policy where existing log content cannot be changed/deleted for the specificied number of days (from setters.yaml), locked setting means policy cannot be changed, ensuring immutability. locked: false # kpt-set: ${retention-locking-policy} retentionDays: 1 # kpt-set: ${retention-in-days} diff --git a/solutions/experimentation/client-landing-zone/logging-project/project-iam.yaml b/solutions/experimentation/client-landing-zone/logging-project/project-iam.yaml index 5b5c5e70c..5b7aae847 100644 --- a/solutions/experimentation/client-landing-zone/logging-project/project-iam.yaml +++ b/solutions/experimentation/client-landing-zone/logging-project/project-iam.yaml @@ -26,7 +26,6 @@ spec: kind: Project name: logging-project-id # kpt-set: ${logging-project-id} namespace: projects - # AC-3(7) - Write access to the logging buckets is limited by IAM to just the identities of the log sinks configured to send logs to the buckets (set at the logging project level) bindings: - role: roles/logging.bucketWriter members: diff --git a/solutions/experimentation/client-landing-zone/logging-project/securitycontrols.md b/solutions/experimentation/client-landing-zone/logging-project/securitycontrols.md deleted file mode 100644 index ae41ba8a9..000000000 --- a/solutions/experimentation/client-landing-zone/logging-project/securitycontrols.md +++ /dev/null 
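Review bot: With the explanatory line gone, `locked: false` and `retentionDays: 1` sit under the bare heading `# Implement retention policy and retention locking policy`, and nothing left in the file says that locking is irreversible or that these are experimentation defaults. I would keep a tag-free explanation directly above the two fields: `# retentionDays: how long entries are kept before they become eligible for deletion (value from setters.yaml)` and `# locked: true makes the policy permanent; a locked bucket cannot be deleted until every entry has met the retention period, so it is false here only for experimentation`. Both values are kpt setters, so the comment should send readers to setters.yaml for the production values rather than leaving a 1-day unlocked bucket looking intentional.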
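Review bot: Removing the AC-3(7) line in the project-iam.yaml hunk also removes the only statement of why `roles/logging.bucketWriter` is bound here, and that binding is a security invariant rather than a convenience: only the writer identities of the sinks routing into this project should hold it, otherwise other principals can write entries into the log buckets. A tag-free comment above `bindings:` preserves the intent, e.g. `# bucketWriter must stay limited to the sink writer identities listed below; any wider grant lets other principals inject entries into the log buckets`. The hunk ends at `members:`, so I cannot see which identities are actually bound.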
@@ -1,51 +0,0 @@ -# Security Controls -> -> TODO: This document requires refinement. - -## AC-3 ACCESS ENFORCEMENT - -## AC-3(7) ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL - -AC-3(7) – Write access to the logs is constrained by IAM permissions to just the log sinks. -This control should be added to project-iam.yaml. Lines 15/16 already have a good explanation of -what’s happening so just add the AC-3(7) tag around there) - -## AU-2 AUDITABLE EVENTS - -AU-2 – Event families being audited are set here. This control should be added to the folder-sink.yaml, -gke-kcc-sink.yaml and org-sink.yaml with a brief explanation of what’s being audited. -Suggest putting the tag and explanation down around line 35 where the inclusions/exclusions are -This is an org control so the AU-2 tagging in the code is there to support the narrative Ops will write to demonstrate the org requirements - -## AU-4 AUDIT STORAGE CAPACITY - -## AU-4(1) AUDIT STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE - -AU-4(1) – Logs are being sent to a logging project which is separate from the projects -performing actions which generate log entries. This control should be added to the -cloud-logging-buckets.yaml with a brief explanation that the logs are in a separate project. -Suggest putting around line 15 which describes buckets - -## AU-8 TIME STAMPS - -AU-8 – Time stamps for audit records use internal Google time. Statement to that effect should go into securitycontrols.md, will need a reference to some Google documentation (can be found later) - -## AU-9 PROTECTION OF AUDIT INFORMATION - -AU-9 – Retention policies and policy locks are implemented so log contents is immutable. Include in cloud-logging-buckets.yaml after lines 28 and 46 (i.e. just before the “locked” and “retentionDays” settings. Also add to setters.yaml. 
Also add notation to project-iam.yaml where roles are being assigned to the sinks (same as AC-3(7)) - -## AU-9(2) PROTECTION OF AUDIT INFORMATION | AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS - -AU-9(2) – Logs sent to separate project, same response as AU-4(1) - -## AU-11 AUDIT RECORD RETENTION - -AU-11 – Audit log retention, same response as AU-9 however no reference added to project-iam.yaml as AU-11 doesn’t deal with access - -## AU-12 AUDIT GENERATION - -## AU-12(A) - -## AU-12(C) - -AU-12(A), AU-12(C) – This is the implementation of AU-2, so same comments and code locations apply diff --git a/solutions/experimentation/client-landing-zone/setters.yaml b/solutions/experimentation/client-landing-zone/setters.yaml index d54364c2f..72b167bf0 100644 --- a/solutions/experimentation/client-landing-zone/setters.yaml +++ b/solutions/experimentation/client-landing-zone/setters.yaml @@ -54,8 +54,6 @@ data: # Set the number of days to retain logs in Cloud Logging buckets # Set the lock mechanism on the bucket to: true or false # After a retention policy is locked (true), you can't delete the bucket until every log in the bucket has fulfilled the bucket's retention period - # AU-9 PROTECTION OF AUDIT INFORMATION - # AU-11 AUDIT RECORD RETENTION # The values below must be modified to locked: true and retentionDays: 365 in a Production setting to implement above mentioned security controls. retention-locking-policy: "false" retention-in-days: "1" diff --git a/solutions/experimentation/client-project/network/dns.yaml b/solutions/experimentation/client-project/network/dns.yaml index a4307e9c9..e8725ff7c 100644 --- a/solutions/experimentation/client-project/network/dns.yaml +++ b/solutions/experimentation/client-project/network/dns.yaml 
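Review bot: In the setters.yaml hunk the surviving line `# The values below must be modified to locked: true and retentionDays: 365 in a Production setting to implement above mentioned security controls.` now refers to controls this hunk deletes, and it names the bucket fields rather than the setters it sits above. I would reword it to `# Production: set retention-locking-policy: "true" and retention-in-days: "365"; the unlocked 1-day defaults below are for experimentation only`. Keeping the quotes in the example matters because the setters are strings that kpt substitutes into the bucket manifests.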
@@ -12,7 +12,6 @@ # See the License for the specific language governing permissions and # limitations under the License. ######### -# AU-12 - Enable logging for DNS apiVersion: dns.cnrm.cloud.google.com/v1beta1 kind: DNSPolicy metadata: @@ -24,7 +23,6 @@ metadata: spec: resourceID: logging-dnspolicy description: "DNS policy to enable logging" - # AU-12 enableLogging: true networks: - networkRef: diff --git a/solutions/experimentation/client-project/network/nat.yaml b/solutions/experimentation/client-project/network/nat.yaml index 7a7a17dc9..274cf4db0 100644 --- a/solutions/experimentation/client-project/network/nat.yaml +++ b/solutions/experimentation/client-project/network/nat.yaml @@ -13,7 +13,6 @@ # limitations under the License. ######### # Cloud NAT northamerica-northeast1 -# # AU-12 - Enable Logging for Cloud Nat apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeRouterNAT metadata: @@ -29,7 +28,6 @@ spec: routerRef: name: project-id-nane1-router # kpt-set: ${project-id}-nane1-router sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES - # AU-12 logConfig: enable: true filter: ALL @@ -66,7 +64,6 @@ spec: routerRef: name: project-id-nane2-router # kpt-set: ${project-id}-nane2-router sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES - # AU-12 logConfig: enable: true filter: ALL diff --git a/solutions/experimentation/client-project/network/route.yaml b/solutions/experimentation/client-project/network/route.yaml index 7343b990f..6759f4340 100644 --- a/solutions/experimentation/client-project/network/route.yaml +++ b/solutions/experimentation/client-project/network/route.yaml @@ -14,7 +14,6 @@ ######### # A Route to the internet that requires that the resources attached to the network # specify it's tag to access the internet -# SC-7(5) BOUNDARY PROTECTION | DENY BY DEFAULT / ALLOW BY EXCEPTION apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeRoute metadata: 
diff --git a/solutions/experimentation/client-project/network/subnet.yaml b/solutions/experimentation/client-project/network/subnet.yaml index 0faac005b..01d43bc94 100644 --- a/solutions/experimentation/client-project/network/subnet.yaml +++ b/solutions/experimentation/client-project/network/subnet.yaml @@ -13,15 +13,12 @@ # limitations under the License. ######### ################################## -# AC-4 Information flow enforcement - Subnet creation to segregate and force through ZIP for access ################################## # All subnets have : # - logging enabled for flow logs https://cloud.google.com/vpc/docs/using-flow-logs # - private google access enabled https://cloud.google.com/vpc/docs/private-google-access ################################## # Subnet PAZ northamerica-northeast1 -# SC-7 BOUNDARY PROTECTION -# AU-12 - Enable Logging for Subnet apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeSubnetwork metadata: @@ -38,14 +35,12 @@ spec: privateIpGoogleAccess: true networkRef: name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc - # AU-12 logConfig: aggregationInterval: INTERVAL_5_SEC flowSampling: 0.5 metadata: INCLUDE_ALL_METADATA --- # Subnet APPRZ northamerica-northeast1 -# SC-7 BOUNDARY PROTECTION apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeSubnetwork metadata: @@ -62,14 +57,12 @@ spec: privateIpGoogleAccess: true networkRef: name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc - # AU-12 logConfig: aggregationInterval: INTERVAL_5_SEC flowSampling: 0.5 metadata: INCLUDE_ALL_METADATA --- # Subnet DATARZ northamerica-northeast1 -# SC-7 BOUNDARY PROTECTION apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeSubnetwork metadata: 
@@ -86,14 +79,12 @@ spec: privateIpGoogleAccess: true networkRef: name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc - # AU-12 logConfig: aggregationInterval: INTERVAL_5_SEC flowSampling: 0.5 metadata: INCLUDE_ALL_METADATA --- # Subnet PAZ northamerica-northeast2 -# SC-7 BOUNDARY PROTECTION apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeSubnetwork metadata: @@ -110,14 +101,12 @@ spec: privateIpGoogleAccess: true networkRef: name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc - # AU-12 logConfig: aggregationInterval: INTERVAL_5_SEC flowSampling: 0.5 metadata: INCLUDE_ALL_METADATA --- # Subnet APPRZ northamerica-northeast2 -# SC-7 BOUNDARY PROTECTION apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeSubnetwork metadata: @@ -134,14 +123,12 @@ spec: privateIpGoogleAccess: true networkRef: name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc - # AU-12 logConfig: aggregationInterval: INTERVAL_5_SEC flowSampling: 0.5 metadata: INCLUDE_ALL_METADATA --- # Subnet DATARZ northamerica-northeast2 -# SC-7 BOUNDARY PROTECTION apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeSubnetwork metadata: @@ -158,7 +145,6 @@ spec: privateIpGoogleAccess: true networkRef: name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc - # AU-12 logConfig: aggregationInterval: INTERVAL_5_SEC flowSampling: 0.5 diff --git a/solutions/experimentation/client-project/network/vpc.yaml b/solutions/experimentation/client-project/network/vpc.yaml index 58fd14eb0..f55b380cd 100644 --- a/solutions/experimentation/client-project/network/vpc.yaml +++ b/solutions/experimentation/client-project/network/vpc.yaml @@ -25,5 +25,5 @@ spec: resourceID: global-vpc1-vpc description: experimentation VPC routingMode: REGIONAL - autoCreateSubnetworks: false # SC-7 - deleteDefaultRoutesOnCreate: true # AC-4, SC-7(5) + autoCreateSubnetworks: false + deleteDefaultRoutesOnCreate: true 
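Review bot: In the vpc.yaml hunk, dropping the trailing tags leaves `deleteDefaultRoutesOnCreate: true` with no explanation, yet this is the setting that removes the VPC's default internet route; the only replacement is the tag-gated route described in route.yaml earlier in this diff. A one-line comment above the field keeps that dependency visible: `# remove the default internet route; egress only exists via the tagged route in route.yaml`. Likewise `autoCreateSubnetworks: false` deserves `# subnets are defined explicitly in subnet.yaml (PAZ/APPRZ/DATARZ zoning)` so the deny-by-default posture is documented where it is configured.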
diff --git a/solutions/experimentation/client-project/project-iam.yaml b/solutions/experimentation/client-project/project-iam.yaml index a34ba3b02..52b0c5b8d 100644 --- a/solutions/experimentation/client-project/project-iam.yaml +++ b/solutions/experimentation/client-project/project-iam.yaml @@ -13,7 +13,6 @@ # limitations under the License. ######### # Grant GCP role Editor to project-editor -# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: @@ -30,7 +29,6 @@ spec: member: project-editor # kpt-set: ${project-editor} --- # Grant GCP role IAM Security Admin to project-editor -# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: diff --git a/solutions/experimentation/client-project/securitycontrols.md b/solutions/experimentation/client-project/securitycontrols.md deleted file mode 100644 index 2a82a1b72..000000000 --- a/solutions/experimentation/client-project/securitycontrols.md +++ /dev/null 
@@ -1,34 +0,0 @@ -# 30 days Guardrail - - - -## Guardrail 1 - Master account should be secured - -* n/a to this package - -## Guardrail 2 - Global Admins should be secured - -* AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL : - Role policies for accounts are being set in this package. The "Editor" and "IAM Security Admin" roles are granted at the project scope to a customizable user, group or service account through `setters.yaml`. - -## Guardrail 4 - CBS access to billing should be granted - -* n/a to this package - -## Guardrail 8 - Network segmentation should be configured - -* AC‑4 - INFORMATION FLOW ENFORCEMENT - - Default route to the Internet is removed, and replaced with one requiring specific tagging to pass traffic (no unintentional access to the Internet). Implements 3 zones as per ITSG-22, no default communications are enabled between them (specific firewall rules will need to be created based on need). Logging enabled. - -* SC‑7 - BOUNDARY PROTECTION: - - This package implements ITSG-22 zoning with a PAZ, an APPRZ and a DATARZ subnet. It enables workload placement as per ITSG-38. - -* SC‑7(5) -BOUNDARY PROTECTION | DENY BY DEFAULT / ALLOW BY EXCEPTION: - - GCP VPC comes with default ingress deny all rule and a default egress allow all rule. This package replaces the default route to access the internet with a default route that requires that resources configure a network tag "internet-egress-route" to be able to access the internet. This implements "deny by default" for internet access. - -## Guardrail 12 - Marketplace should be locked down to only approved software - -* n/a to this package diff --git a/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/cloud-logging-buckets.yaml b/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/cloud-logging-buckets.yaml index 16fbd7468..c1075b455 100644 
--- a/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/cloud-logging-buckets.yaml +++ b/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/cloud-logging-buckets.yaml @@ -14,7 +14,6 @@ ###### # Cloud Logging bucket for Security logs: Cloud Audit, Access Transparency Logs, and Data Access Logs # Logs are routed using a log sink to a central logging project into a dedicated log bucket -# AU-4(1), AU-9(2) - Log buckets are created in a logging project, isolating them from the source of the log entries in other projects apiVersion: logging.cnrm.cloud.google.com/v1beta1 kind: LoggingLogBucket metadata: @@ -29,7 +28,6 @@ spec: location: northamerica-northeast1 description: Cloud Logging bucket for Security logs # Implement retention policy and retention locking policy - # AU-9, AU-11 - RetentionDays sets the policy where existing log content cannot be changed/deleted for the specificied number of days (from setters.yaml), locked setting means policy cannot be changed, ensuring immutability. locked: false # kpt-set: ${retention-locking-policy} retentionDays: 1 # kpt-set: ${retention-in-days} --- @@ -48,6 +46,5 @@ spec: location: northamerica-northeast1 description: Cloud Logging bucket for Platform and Component logs # Implement retention policy and retention locking policy - # AU-9, AU-11 locked: false # kpt-set: ${retention-locking-policy} retentionDays: 1 # kpt-set: ${retention-in-days} diff --git a/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/cloud-storage-buckets.yaml b/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/cloud-storage-buckets.yaml index d0ad98eb1..40b4cfacf 100644 --- a/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/cloud-storage-buckets.yaml +++ b/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/cloud-storage-buckets.yaml 
@@ -13,7 +13,6 @@ # limitations under the License. # Cloud Storage bucket to store logs related to security incidents # https://cloud.google.com/logging/docs/routing/copy-logs -# AU-9, AU-11 - Storage bucket created to hold logs related to security incidents (AU-11). Log is protected from modification and deletion (AU-9) apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: @@ -30,7 +29,6 @@ spec: location: northamerica-northeast1 publicAccessPrevention: "enforced" uniformBucketLevelAccess: true - # AU-9 retentionPolicy: isLocked: false # kpt-set: ${security-incident-log-bucket-retention-locking-policy} retentionPeriod: 86400 # kpt-set: ${security-incident-log-bucket-retention-in-seconds} diff --git a/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/project-iam.yaml b/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/project-iam.yaml index c0ec1c4a7..f8554fd05 100644 --- a/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/project-iam.yaml +++ b/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/project-iam.yaml @@ -30,7 +30,6 @@ spec: kind: Project name: logging-project-id # kpt-set: ${logging-project-id} namespace: projects - # AC-3(7) ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL bindings: - role: roles/logging.bucketWriter members: @@ -41,7 +40,6 @@ spec: --- # Logs Bucket writer IAM permissions for the platform and component log sink # Binds the generated writer identity from the LoggingLogSink to the logging project -# AC-3(7) - Write access to the logging buckets is limited by IAM to just the identities of the log sinks configured to send logs to the buckets (set at the logging project level) apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPartialPolicy metadata: 
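Review bot: After the second cloud-storage-buckets.yaml hunk, `retentionPolicy` with `isLocked: false` and `retentionPeriod: 86400` carries no note that an unlocked policy can still be shortened or removed, which is the difference between an incident-log bucket that is tamper-resistant and one that merely has a default. Keep a tag-free comment above `retentionPolicy:` such as `# isLocked: false keeps the policy editable; set true in production (irreversible) so incident logs cannot be shortened or deleted before retentionPeriod`. Elsewhere in this commit `logging-sa` holds `roles/storage.admin` on the logging project, so while the policy is unlocked that identity can presumably alter it — worth stating next to the field.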
@@ -54,7 +52,6 @@ spec: kind: Project name: logging-project-id # kpt-set: ${logging-project-id} namespace: projects - # AC-3(7) ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL bindings: - role: roles/logging.bucketWriter members: @@ -77,7 +74,6 @@ spec: kind: Project name: logging-project-id # kpt-set: ${logging-project-id} namespace: projects - # AC-3(7) bindings: - role: roles/logging.bucketWriter members: diff --git a/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/project-sink.yaml b/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/project-sink.yaml index 2817ac04d..aa35b51c8 100644 --- a/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/project-sink.yaml +++ b/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/project-sink.yaml @@ -14,10 +14,6 @@ ###### # Logging project sink for Data Access logs # Destination: Cloud Logging bucket hosted inside logging project -# AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the organization to send the logs to the logging bucket in the logging project -# AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket -# AC-2(4) - Includes Security logs: Data Access -# AU-12, AU-12(1) - Log Sinks defined in Log Router check each log entry against the inclusion filter and exclusion filter that determine which destinations that the log entry is sent to apiVersion: logging.cnrm.cloud.google.com/v1beta1 kind: LoggingLogSink metadata: @@ -30,7 +26,6 @@ spec: name: logging-project-id # kpt-set: ${logging-project-id} namespace: projects destination: - # AU-3, AU-3(1), AU-4(1), AU-6(4), AU-9(2) loggingLogBucketRef: # destination.loggingLogBucketRef # Only `external` field is supported to configure the reference. 
@@ -38,7 +33,6 @@ spec: description: Project sink for Data Access Logs # the log sink must be enabled (disabled: false) to meet the listed security controls disabled: false - # AC-2(4), AU-12, AU-12(1) # Includes Security logs: Data Access # Security logs help you answer "who did what, where, and when" # diff --git a/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/project.yaml b/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/project.yaml index 91dc2dec8..fc614a49a 100644 --- a/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/project.yaml +++ b/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/project.yaml @@ -16,7 +16,6 @@ # Security logs (Cloud Audit, Data Access, and Access Transparency Logs) # Platform and Component logs # Data Access Logs -# AU-4(1), AU-9(2) - Separate project created for logging buckets, isolating them from the source of the log entries in other projects apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project metadata: diff --git a/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/securitycontrols.md b/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/securitycontrols.md deleted file mode 100644 index b93fff8ef..000000000 --- a/solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/securitycontrols.md +++ /dev/null 
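Review bot: `# the log sink must be enabled (disabled: false) to meet the listed security controls` is left pointing at a list this hunk deletes. Replace it with the concrete reason: `# the sink must stay enabled (disabled: false); it is what routes Data Access logs into the central logging bucket`. The description `Project sink for Data Access Logs` on the line above already names the log type, so the comment only needs to carry the why.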
@@ -1,52 +0,0 @@ -# Security Controls -> -> TODO: This document requires refinement - -## AC-3 ACCESS ENFORCEMENT - -## AC-3(7) ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL - -- Write access to the logs is constrained by IAM permissions to just the log sinks. - -This control should be added to project-iam.yaml. Lines 15/16 already have a good explanation of -what’s happening so just add the AC-3(7) tag around there) - -## AU-2 AUDITABLE EVENTS - -AU-2 – Event families being audited are set here. This control should be added to the folder-sink.yaml, -mgmt-project/project-sink.yaml and org-sink.yaml with a brief explanation of what’s being audited. -Suggest putting the tag and explanation down around line 35 where the inclusions/exclusions are -This is an org control so the AU-2 tagging in the code is there to support the narrative Ops will write to demonstrate the org requirements - -## AU-4 AUDIT STORAGE CAPACITY - -## AU-4(1) AUDIT STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE - -AU-4(1) – Logs are being sent to a logging project which is separate from the projects -performing actions which generate log entries. This control should be added to the -cloud-logging-buckets.yaml with a brief explanation that the logs are in a separate project. -Suggest putting around line 15 which describes buckets - -## AU-8 TIME STAMPS - -AU-8 – Time stamps for audit records use internal Google time. Statement to that effect should go into securitycontrols.md, will need a reference to some Google documentation (can be found later) - -## AU-9 PROTECTION OF AUDIT INFORMATION - -AU-9 – Retention policies and policy locks are implemented so log contents is immutable. Include in cloud-logging-buckets.yaml after lines 28 and 46 (i.e. just before the “locked” and “retentionDays” settings. Also add to setters.yaml. 
Also add notation to project-iam.yaml where roles are being assigned to the sinks (same as AC-3(7)) - -### AU-9(2) PROTECTION OF AUDIT INFORMATION | AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS - -AU-9(2) – Logs sent to separate project, same response as AU-4(1) - -## AU-11 AUDIT RECORD RETENTION - -AU-11 – Audit log retention, same response as AU-9 however no reference added to project-iam.yaml as AU-11 doesn’t deal with access - -## AU-12 AUDIT GENERATION - -## AU-12(A) - -## AU-12(C) - -AU-12(A), AU-12(C) – This is the implementation of AU-2, so same comments and code locations apply diff --git a/solutions/experimentation/core-landing-zone/lz-folder/tests/folder-sink.yaml b/solutions/experimentation/core-landing-zone/lz-folder/tests/folder-sink.yaml index 7a0d4d5f2..33991ff16 100644 --- a/solutions/experimentation/core-landing-zone/lz-folder/tests/folder-sink.yaml +++ b/solutions/experimentation/core-landing-zone/lz-folder/tests/folder-sink.yaml @@ -34,7 +34,6 @@ spec: description: Folder sink for Platform and Component logs of Tests Resources # the log sink must be enabled (disabled: false) to meet the listed security controls disabled: false - # AU-2, AU-12(A), AU-12(C) # No inclusion filter. Includes all Platform and Component logs # Google Cloud platform logs are service-specific logs # For a list of all supported Google Cloud Logging API Services visit https://cloud.google.com/logging/docs/api/platform-logs diff --git a/solutions/experimentation/core-landing-zone/mgmt-project/project-sink.yaml b/solutions/experimentation/core-landing-zone/mgmt-project/project-sink.yaml index 846e653ce..eeb7d0030 100644 --- a/solutions/experimentation/core-landing-zone/mgmt-project/project-sink.yaml +++ b/solutions/experimentation/core-landing-zone/mgmt-project/project-sink.yaml 
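Review bot: In the tests/folder-sink.yaml hunk the context comment `# the log sink must be enabled (disabled: false) to meet the listed security controls` now references controls that no longer appear anywhere in the file. Suggest `# the sink must stay enabled (disabled: false) so Platform and Component logs from test resources reach the central logging bucket`, which states the operational reason without the tags.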
@@ -33,7 +33,6 @@ spec: description: Project sink for Platform and Component logs of the Landing Zone Management Cluster # the log sink must be enabled (disabled: false) to meet the listed security controls disabled: false - # AU-2, AU-12(A), AU-12(C) # No inclusion filter. Includes all Platform and Component logs # Google Cloud platform logs are service-specific logs # For a list of all supported Google Cloud Logging API Services visit https://cloud.google.com/logging/docs/api/platform-logs diff --git a/solutions/experimentation/core-landing-zone/namespaces/config-management-monitoring.yaml b/solutions/experimentation/core-landing-zone/namespaces/config-management-monitoring.yaml index 406dfe6af..6f80faf4c 100644 --- a/solutions/experimentation/core-landing-zone/namespaces/config-management-monitoring.yaml +++ b/solutions/experimentation/core-landing-zone/namespaces/config-management-monitoring.yaml @@ -18,7 +18,6 @@ # https://cloud.google.com/anthos-config-management/docs/how-to/monitor-config-sync-cloud-monitoring ######### # GCP SA -# AC-3(7), AC-3, AC-16(2) - This service account possesses limited privileges(permissions) and is restricted to performing only the necessary operations for resources within the designated namespace. The service account is associated with the namespace and is assigned roles as required. apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: @@ -28,7 +27,6 @@ metadata: cnrm.cloud.google.com/project-id: management-project-id # kpt-set: ${management-project-id} cnrm.cloud.google.com/ignore-clusterless: "true" spec: - # AC-3(7), AC-3, AC-16(2) displayName: config-mgmt-mon-default-sa --- # Grant GCP role Metrics Writer to config-mgmt-mon-default-sa on Management Project 
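Review bot: The mgmt-project/project-sink.yaml hunk leaves `# the log sink must be enabled (disabled: false) to meet the listed security controls` dangling after the tag line beneath it is removed. Suggest `# the sink must stay enabled (disabled: false) so the management cluster's Platform and Component logs reach the central logging bucket`, matching the description on the preceding line.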
@@ -45,7 +43,6 @@ spec: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project external: management-project-id # kpt-set: ${management-project-id} - # AC-3(7), AC-3, AC-16(2) role: roles/monitoring.metricWriter member: "serviceAccount:config-mgmt-mon-default-sa@management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:config-mgmt-mon-default-sa@${management-project-id}.iam.gserviceaccount.com --- @@ -63,7 +60,6 @@ spec: name: config-mgmt-mon-default-sa apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount - # AC-3(7), AC-3, AC-16(2) bindings: - role: roles/iam.workloadIdentityUser members: diff --git a/solutions/experimentation/core-landing-zone/namespaces/gatekeeper-system.yaml b/solutions/experimentation/core-landing-zone/namespaces/gatekeeper-system.yaml index efd4ed7a8..04405404d 100644 --- a/solutions/experimentation/core-landing-zone/namespaces/gatekeeper-system.yaml +++ b/solutions/experimentation/core-landing-zone/namespaces/gatekeeper-system.yaml @@ -17,7 +17,6 @@ # to implement Policy Controller Metrics and avoid numerous IAM errors on the Config Controller instance. ######### # GCP SA -# AC-3(7) - Creates lower priv service account for Policy Controller metrics apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: @@ -30,7 +29,6 @@ spec: displayName: gatekeeper-admin-sa --- # Grant GCP role Metrics Writer to gatekeeper-admin SA on KCC Project -# AC-3(7) - RBAC role to account with required permissions for Policy Controller metrics apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: diff --git a/solutions/experimentation/core-landing-zone/namespaces/hierarchy.yaml b/solutions/experimentation/core-landing-zone/namespaces/hierarchy.yaml index d333d18c0..90197c591 100644 --- a/solutions/experimentation/core-landing-zone/namespaces/hierarchy.yaml +++ b/solutions/experimentation/core-landing-zone/namespaces/hierarchy.yaml 
@@ -13,7 +13,6 @@ # limitations under the License. ######### # GCP SA -# AC-3(7) - Creates lower priv service account for folder hierarchy administration apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: @@ -26,7 +25,6 @@ spec: displayName: hierarchy-sa --- # Grant GCP role Folder Admin to GCP SA -# AC-3(7) - RBAC role to account with required permissions apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: diff --git a/solutions/experimentation/core-landing-zone/namespaces/logging.yaml b/solutions/experimentation/core-landing-zone/namespaces/logging.yaml index 942743efa..eb369b97a 100644 --- a/solutions/experimentation/core-landing-zone/namespaces/logging.yaml +++ b/solutions/experimentation/core-landing-zone/namespaces/logging.yaml @@ -13,7 +13,6 @@ # limitations under the License. ######### # GCP SA -# AC-3(7) - Creates lower priv service account for logging administration apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: @@ -26,7 +25,6 @@ spec: displayName: logging-sa --- # Grant GCP role Logging Admin to GCP SA -# AC-3(7) - RBAC role to account with required permissions for logging administration apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: @@ -56,7 +54,6 @@ spec: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project external: management-project-id # kpt-set: ${management-project-id} - # AC-3(7), AC-3, AC-16(2) role: roles/monitoring.admin member: "serviceAccount:logging-sa@management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:logging-sa@${management-project-id}.iam.gserviceaccount.com --- 
@@ -74,7 +71,6 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Project
 external: logging-project-id # kpt-set: ${logging-project-id}
- # AC-3(7), AC-3, AC-16(2)
 role: roles/monitoring.admin
 member: "serviceAccount:logging-sa@management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:logging-sa@${management-project-id}.iam.gserviceaccount.com
 ---
@@ -92,7 +88,6 @@ spec:
 apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
 kind: Project
 name: logging-project-id # kpt-set: ${logging-project-id}
- # AC-3(7), AC-3, AC-16(2)
 role: roles/storage.admin
 member: "serviceAccount:logging-sa@management-project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:logging-sa@${management-project-id}.iam.gserviceaccount.com
 ---
diff --git a/solutions/experimentation/core-landing-zone/namespaces/networking.yaml b/solutions/experimentation/core-landing-zone/namespaces/networking.yaml
index 9f5207182..e83cc0320 100644
--- a/solutions/experimentation/core-landing-zone/namespaces/networking.yaml
+++ b/solutions/experimentation/core-landing-zone/namespaces/networking.yaml
@@ -13,7 +13,6 @@
 # limitations under the License.
 #########
 # GCP SA
-# AC-3(7) - Creates lower priv service account for networking administration
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMServiceAccount
 metadata:
@@ -26,7 +25,6 @@ spec:
 displayName: networking-sa
 ---
 # Grant GCP role Network Admin to GCP SA
-# AC-3(7) - RBAC role to account with required permissions for networking administration
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
diff --git a/solutions/experimentation/core-landing-zone/namespaces/policies.yaml b/solutions/experimentation/core-landing-zone/namespaces/policies.yaml
index 793868e10..7cc551685 100644
--- a/solutions/experimentation/core-landing-zone/namespaces/policies.yaml
+++ b/solutions/experimentation/core-landing-zone/namespaces/policies.yaml
@@ -13,7 +13,6 @@
 # limitations under the License.
 #########
 # GCP SA
-# AC-3(7) - Creates lower priv service account for policy administration
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMServiceAccount
 metadata:
@@ -26,7 +25,6 @@ spec:
 displayName: policies-sa
 ---
 # Grant GCP role Organization Policy Administrator to GCP SA
-# AC-3(7) - RBAC role to account with required permissions for policy administration
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
diff --git a/solutions/experimentation/core-landing-zone/namespaces/projects.yaml b/solutions/experimentation/core-landing-zone/namespaces/projects.yaml
index 6105b3402..455ad91a8 100644
--- a/solutions/experimentation/core-landing-zone/namespaces/projects.yaml
+++ b/solutions/experimentation/core-landing-zone/namespaces/projects.yaml
@@ -13,7 +13,6 @@
 # limitations under the License.
 #########
 # GCP SA
-# AC-3(7) - Creates lower priv service account for administration of projects
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMServiceAccount
 metadata:
@@ -26,7 +25,6 @@ spec:
 displayName: projects-sa
 ---
 # Grant GCP role Project IAM Admin to GCP SA
-# AC-3(7) - RBAC role to account with required permissions for administration of projects
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
diff --git a/solutions/experimentation/core-landing-zone/namespaces/securitycontrols.md b/solutions/experimentation/core-landing-zone/namespaces/securitycontrols.md
deleted file mode 100644
index 6819d3456..000000000
--- a/solutions/experimentation/core-landing-zone/namespaces/securitycontrols.md
+++ /dev/null
@@ -1,24 +0,0 @@
-# Organizational Controls
-
-## Organization Controls - P1
-
-* AC-2(A) - These types of service accounts in this package should be included in the refinement of this control
-* AC-2(D) - These accounts are getting assigned to roles so its part of the evidence for this control
-* AC-2(1) - These accounts are created as part of automation so its part of the evidence for this control
-* AC-2(7)(a) - These accounts are getting assigned to roles so its part of the evidence for this control
-* AC-6 (A) - These accounts are created to have least privilege via the roles assigned so its part of the evidence
-* AC-6 (2) - These accounts in aggregate demonstrate that non-priv accounts are used when accessing non-security functions
-
-## Organization Controls - P2
-
-## Organization Controls - P3
-
-## Technical Controls - P1
-
-* AC-3(7) - Role policies for accounts are being set in this package
-
-## Technical Controls - P2
-
-## Technical Controls - P3
-
-* SA-17 - Needs a design spec or a piece in a design spec. This whole section needs discussion on an approach before moving forward
diff --git a/solutions/experimentation/core-landing-zone/org/org-sink.yaml b/solutions/experimentation/core-landing-zone/org/org-sink.yaml
index fef7662a4..b709c26ef 100644
--- a/solutions/experimentation/core-landing-zone/org/org-sink.yaml
+++ b/solutions/experimentation/core-landing-zone/org/org-sink.yaml
@@ -14,10 +14,6 @@
 ######
 # Organization sink for Security logs: Cloud Audit and Access Transparency
 # Destination: Cloud Logging bucket hosted inside logging project
-# AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the organization to send the logs to the logging bucket in the logging project
-# AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket
-# AC-2(4) - Includes Security logs: Cloud Audit and Access Transparency
-# AU-12, AU-12(1) - Log Sinks defined in Log Router check each log entry against the inclusion filter and exclusion filter that determine which destinations that the log entry is sent to
 apiVersion: logging.cnrm.cloud.google.com/v1beta1
 kind: LoggingLogSink
 metadata:
@@ -37,7 +33,6 @@ spec:
 description: Organization sink for Security Logs
 # the log sink must be enabled (disabled: false) to meet the listed security controls
 disabled: false
- # AU-2, AU-12(A), AU-12(C)
 # Includes Security logs: Cloud Audit and Access Transparency
 # Security logs help you answer "who did what, where, and when"
 #
@@ -55,10 +50,6 @@ spec:
 # Organization sink for Data Access logs related to Google Workspace Login Audit
 # https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login
 # Destination: Cloud Logging bucket hosted inside logging project
-# AU-3, AU-3(1) - Sink defined at folder that will allow all the projects underneath the organization to send the logs to the logging bucket in the logging project
-# AU-4(1), AU-6(4), AU-9(2) - Log sinks sending the logs to same project in same region having a logging bucket
-# AC-2(4) - Includes Security logs: Data Access
-# AU-12, AU-12(1) - Log Sinks defined in Log Router check each log entry against the inclusion filter and exclusion filter that determine which destinations that the log entry is sent to
 apiVersion: logging.cnrm.cloud.google.com/v1beta1
 kind: LoggingLogSink
 metadata:
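Review bot: In the `@@ -37,7 +33,6 @@` hunk the surviving context line `# the log sink must be enabled (disabled: false) to meet the listed security controls` now refers to a list that no longer exists, because the `# AU-2, AU-12(A), AU-12(C)` line directly under `disabled: false` is the one being removed; the `@@ -80,7 +70,6 @@` hunk of this file leaves the same dangling wording above its `disabled: false`. The reason the sink must stay enabled is still worth stating so a later editor does not flip `disabled` casually, e.g. `# the log sink must stay enabled (disabled: false); disabling it stops Cloud Audit and Access Transparency logs reaching the logging bucket` for this sink and the equivalent `Data Access` wording for the second. If the control mapping is being maintained somewhere else, a one-line pointer to it in the file header would keep the traceability that these comments used to provide.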
@@ -72,7 +63,6 @@ spec:
 # Set includeChildren to False to prevent routing data access logs from other sources than the organization
 includeChildren: False
 destination:
- # AU-3, AU-3(1), AU-4(1), AU-6(4), AU-9(2)
 loggingLogBucketRef:
 # destination.loggingLogBucketRef
 # Only `external` field is supported to configure the reference.
@@ -80,7 +70,6 @@ spec:
 description: Organization sink for Data Access Logs
 # the log sink must be enabled (disabled: false) to meet the listed security controls
 disabled: false
- # AC-2(4), AU-12, AU-12(1)
 # Includes Security logs: Data Access
 # Security logs help you answer "who did what, where, and when"
 #
diff --git a/solutions/experimentation/core-landing-zone/setters.yaml b/solutions/experimentation/core-landing-zone/setters.yaml
index db6dbad51..7f137f484 100644
--- a/solutions/experimentation/core-landing-zone/setters.yaml
+++ b/solutions/experimentation/core-landing-zone/setters.yaml
@@ -86,8 +86,6 @@ data:
 # Set the number of days to retain logs in Cloud Logging buckets
 # Set the lock mechanism on the bucket to: true or false
 # After a retention policy is locked (true), you can't delete the bucket until every log in the bucket has fulfilled the bucket's retention period
- # AU-9 PROTECTION OF AUDIT INFORMATION
- # AU-11 AUDIT RECORD RETENTION
 #
 # The values below must be modified to locked: true and retentionDays: 365 in a Production setting to implement above mentioned security controls.
 retention-locking-policy: "false"
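Review bot: With the `# AU-9 PROTECTION OF AUDIT INFORMATION` and `# AU-11 AUDIT RECORD RETENTION` lines removed from the `@@ -86,8 +86,6 @@` hunk of setters.yaml, the remaining context comment `# The values below must be modified to locked: true and retentionDays: 365 in a Production setting to implement above mentioned security controls.` points at nothing, and the `# customization:` line in the `@@ -97,8 +95,6 @@` hunk has the same dangling `above mentioned security controls`. Both should state the requirement directly now that the control tags are gone, e.g. `# The values below must be set to locked: true and retentionDays: 365 in a Production setting so that audit logs are retained and cannot be deleted before the retention period ends.` and, for the second, ending with `to satisfy the 2-year security-incident retention stated above.` The non-production defaults `"false"` and `"86400"` are untouched by this commit, so these comments are the only signal an operator gets that the values must be hardened before production use.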
@@ -97,8 +95,6 @@ data:
 # Events and logs associated with a security incident must be kept for at least 2 years
 # Set the lock mechanism on the bucket to: true or false
 # After a retention policy is locked (true), you can't delete the bucket until every log in the bucket has fulfilled the bucket's retention period
- # AU-9 PROTECTION OF AUDIT INFORMATION
- # AU-11 AUDIT RECORD RETENTION
 # customization: The values below must be modified to locked: true and retentionSeconds: 63072000 (730 days) in a Production setting to implement above mentioned security controls.
 security-incident-log-bucket-retention-locking-policy: "false"
 security-incident-log-bucket-retention-in-seconds: "86400"