fix: Removing securitycontrols.md and security control tags from experimentation

solutions/experimentation/admin-folder/folder-iam.yaml

@@ -13,7 +13,6 @@
 # limitations under the License.
 #########
 # Grant GCP role Folder Admin on Admin's folder to admin
-# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
@@ -30,7 +29,6 @@ spec:
   member: admin-owner # kpt-set: ${admin-owner}
 ---
 # Grant GCP role Project Creator on Admin's folder to admin
-# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
@@ -47,7 +45,6 @@ spec:
   member: admin-owner # kpt-set: ${admin-owner}
 ---
 # Grant GCP role Owner on Admin's folder to admin
-# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:

solutions/experimentation/client-landing-zone/client-folder/folder-iam.yaml

@@ -13,7 +13,6 @@
 # limitations under the License.
 #########
 # Grant GCP role Folder Viewer on client's folder to client's user group
-# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:

solutions/experimentation/client-landing-zone/client-folder/folder-sink.yaml

@@ -34,7 +34,6 @@ spec:
   description: Folder sink for client-name Platform and Component logs # kpt-set: Folder sink for ${client-name} Platform and Component logs
   # the log sink must be enabled (disabled: false) to meet the listed security controls
   disabled: false
-  # AU-2, AU-12(A), AU-12(C)
   # Includes the following types of logs:
   # Cloud DNS, Cloud NAT, Firewall Rules, VPC Flow, and HTTP(S) Load Balancer
   # These logs are not enabled by default. They are enabled inside the client-experimentation package:

solutions/experimentation/client-landing-zone/logging-project/cloud-logging-bucket.yaml

@@ -14,7 +14,6 @@
 ######
 # Cloud Logging bucket for client Platform and Component logs
 # Logs are routed using a log sink to a central logging project into a dedicated log bucket
-# AU-4(1), AU-9(2) - Log buckets are created in a logging project, isolating them from the source of the log entries in other projects
 apiVersion: logging.cnrm.cloud.google.com/v1beta1
 kind: LoggingLogBucket
 metadata:
@@ -29,6 +28,5 @@ spec:
   location: northamerica-northeast1
   description: Cloud Logging bucket for client-name Platform and Component logs # kpt-set: Cloud Logging bucket for ${client-name} Platform and Component logs
   # Implement retention policy and retention locking policy
-  # AU-9, AU-11 - RetentionDays sets the policy where existing log content cannot be changed/deleted for the specificied number of days (from setters.yaml), locked setting means policy cannot be changed, ensuring immutability.
   locked: false # kpt-set: ${retention-locking-policy}
   retentionDays: 1 # kpt-set: ${retention-in-days}

solutions/experimentation/client-landing-zone/logging-project/project-iam.yaml

@@ -26,7 +26,6 @@ spec:
     kind: Project
     name: logging-project-id # kpt-set: ${logging-project-id}
     namespace: projects
-  # AC-3(7) - Write access to the logging buckets is limited by IAM to just the identities of the log sinks configured to send logs to the buckets (set at the logging project level)
   bindings:
     - role: roles/logging.bucketWriter
       members:

solutions/experimentation/client-landing-zone/setters.yaml

@@ -54,8 +54,6 @@ data:
   # Set the number of days to retain logs in Cloud Logging buckets
   # Set the lock mechanism on the bucket to: true or false
   # After a retention policy is locked (true), you can't delete the bucket until every log in the bucket has fulfilled the bucket's retention period
-  # AU-9 PROTECTION OF AUDIT INFORMATION
-  # AU-11 AUDIT RECORD RETENTION
   # The values below must be modified to locked: true and retentionDays: 365 in a Production setting to implement above mentioned security controls.
   retention-locking-policy: "false"
   retention-in-days: "1"

solutions/experimentation/client-project/network/dns.yaml

@@ -12,7 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #########
-# AU-12 - Enable logging for DNS
 apiVersion: dns.cnrm.cloud.google.com/v1beta1
 kind: DNSPolicy
 metadata:
@@ -24,7 +23,6 @@ metadata:
 spec:
   resourceID: logging-dnspolicy
   description: "DNS policy to enable logging"
-  # AU-12
   enableLogging: true
   networks:
     - networkRef:

solutions/experimentation/client-project/network/nat.yaml

@@ -13,7 +13,6 @@
 # limitations under the License.
 #########
 # Cloud NAT northamerica-northeast1
-# # AU-12 - Enable Logging for Cloud Nat
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeRouterNAT
 metadata:
@@ -29,7 +28,6 @@ spec:
   routerRef:
     name: project-id-nane1-router # kpt-set: ${project-id}-nane1-router
   sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES
-  # AU-12
   logConfig:
     enable: true
     filter: ALL
@@ -66,7 +64,6 @@ spec:
   routerRef:
     name: project-id-nane2-router # kpt-set: ${project-id}-nane2-router
   sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES
-  # AU-12
   logConfig:
     enable: true
     filter: ALL

solutions/experimentation/client-project/network/route.yaml

@@ -14,7 +14,6 @@
 #########
 # A Route to the internet that requires that the resources attached to the network
 # specify it's tag to access the internet
-# SC-7(5) BOUNDARY PROTECTION | DENY BY DEFAULT / ALLOW BY EXCEPTION
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeRoute
 metadata:

solutions/experimentation/client-project/network/subnet.yaml

@@ -13,15 +13,12 @@
 # limitations under the License.
 #########
 ##################################
-# AC-4 Information flow enforcement - Subnet creation to segregate and force through ZIP for access
 ##################################
 # All subnets have :
 # - logging enabled for flow logs https://cloud.google.com/vpc/docs/using-flow-logs
 # - private google access enabled https://cloud.google.com/vpc/docs/private-google-access
 ##################################
 # Subnet PAZ northamerica-northeast1
-# SC-7 BOUNDARY PROTECTION
-# AU-12 - Enable Logging for Subnet
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeSubnetwork
 metadata:
@@ -38,14 +35,12 @@ spec:
   privateIpGoogleAccess: true
   networkRef:
     name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc
-  # AU-12
   logConfig:
     aggregationInterval: INTERVAL_5_SEC
     flowSampling: 0.5
     metadata: INCLUDE_ALL_METADATA
 ---
 # Subnet APPRZ northamerica-northeast1
-# SC-7 BOUNDARY PROTECTION
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeSubnetwork
 metadata:
@@ -62,14 +57,12 @@ spec:
   privateIpGoogleAccess: true
   networkRef:
     name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc
-  # AU-12
   logConfig:
     aggregationInterval: INTERVAL_5_SEC
     flowSampling: 0.5
     metadata: INCLUDE_ALL_METADATA
 ---
 # Subnet DATARZ northamerica-northeast1
-# SC-7 BOUNDARY PROTECTION
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeSubnetwork
 metadata:
@@ -86,14 +79,12 @@ spec:
   privateIpGoogleAccess: true
   networkRef:
     name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc
-  # AU-12
   logConfig:
     aggregationInterval: INTERVAL_5_SEC
     flowSampling: 0.5
     metadata: INCLUDE_ALL_METADATA
 ---
 # Subnet PAZ northamerica-northeast2
-# SC-7 BOUNDARY PROTECTION
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeSubnetwork
 metadata:
@@ -110,14 +101,12 @@ spec:
   privateIpGoogleAccess: true
   networkRef:
     name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc
-  # AU-12
   logConfig:
     aggregationInterval: INTERVAL_5_SEC
     flowSampling: 0.5
     metadata: INCLUDE_ALL_METADATA
 ---
 # Subnet APPRZ northamerica-northeast2
-# SC-7 BOUNDARY PROTECTION
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeSubnetwork
 metadata:
@@ -134,14 +123,12 @@ spec:
   privateIpGoogleAccess: true
   networkRef:
     name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc
-  # AU-12
   logConfig:
     aggregationInterval: INTERVAL_5_SEC
     flowSampling: 0.5
     metadata: INCLUDE_ALL_METADATA
 ---
 # Subnet DATARZ northamerica-northeast2
-# SC-7 BOUNDARY PROTECTION
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeSubnetwork
 metadata:
@@ -158,7 +145,6 @@ spec:
   privateIpGoogleAccess: true
   networkRef:
     name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc
-  # AU-12
   logConfig:
     aggregationInterval: INTERVAL_5_SEC
     flowSampling: 0.5

solutions/experimentation/client-project/network/vpc.yaml

@@ -25,5 +25,5 @@ spec:
   resourceID: global-vpc1-vpc
   description: experimentation VPC
   routingMode: REGIONAL
-  autoCreateSubnetworks: false # SC-7
-  deleteDefaultRoutesOnCreate: true # AC-4, SC-7(5)
+  autoCreateSubnetworks: false
+  deleteDefaultRoutesOnCreate: true

solutions/experimentation/client-project/project-iam.yaml

@@ -13,7 +13,6 @@
 # limitations under the License.
 #########
 # Grant GCP role Editor to project-editor
-# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
@@ -30,7 +29,6 @@ spec:
   member: project-editor # kpt-set: ${project-editor}
 ---
 # Grant GCP role IAM Security Admin to project-editor
-# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:

solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/cloud-logging-buckets.yaml

@@ -14,7 +14,6 @@
 ######
 # Cloud Logging bucket for Security logs: Cloud Audit, Access Transparency Logs, and Data Access Logs
 # Logs are routed using a log sink to a central logging project into a dedicated log bucket
-# AU-4(1), AU-9(2) - Log buckets are created in a logging project, isolating them from the source of the log entries in other projects
 apiVersion: logging.cnrm.cloud.google.com/v1beta1
 kind: LoggingLogBucket
 metadata:
@@ -29,7 +28,6 @@ spec:
   location: northamerica-northeast1
   description: Cloud Logging bucket for Security logs
   # Implement retention policy and retention locking policy
-  # AU-9, AU-11 - RetentionDays sets the policy where existing log content cannot be changed/deleted for the specificied number of days (from setters.yaml), locked setting means policy cannot be changed, ensuring immutability.
   locked: false # kpt-set: ${retention-locking-policy}
   retentionDays: 1 # kpt-set: ${retention-in-days}
 ---
@@ -48,6 +46,5 @@ spec:
   location: northamerica-northeast1
   description: Cloud Logging bucket for Platform and Component logs
   # Implement retention policy and retention locking policy
-  # AU-9, AU-11
   locked: false # kpt-set: ${retention-locking-policy}
   retentionDays: 1 # kpt-set: ${retention-in-days}

solutions/experimentation/core-landing-zone/lz-folder/audits/logging-project/cloud-storage-buckets.yaml

@@ -13,7 +13,6 @@
 # limitations under the License.
 # Cloud Storage bucket to store logs related to security incidents
 # https://cloud.google.com/logging/docs/routing/copy-logs
-# AU-9, AU-11 - Storage bucket created to hold logs related to security incidents (AU-11). Log is protected from modification and deletion (AU-9)
 apiVersion: storage.cnrm.cloud.google.com/v1beta1
 kind: StorageBucket
 metadata:
@@ -30,7 +29,6 @@ spec:
   location: northamerica-northeast1
   publicAccessPrevention: "enforced"
   uniformBucketLevelAccess: true
-  # AU-9
   retentionPolicy:
     isLocked: false # kpt-set: ${security-incident-log-bucket-retention-locking-policy}
     retentionPeriod: 86400 # kpt-set: ${security-incident-log-bucket-retention-in-seconds}