Manage frameworks in Assured Workloads

Assured Workloads frameworks consist of cloud controls that help you meet the security and regulatory requirements for a folder or project in your cloud environments. Assured Workloads provides many built-in frameworks, such as data boundaries, but you can also modify existing frameworks or create your own. To create your own framework, you start by identifying or creating the cloud controls that align with your business' security and compliance obligations. Then, you deploy a framework that includes those cloud controls to the selected folder or project.

This page helps you complete the following steps:

  1. Assess which built-in framework best aligns with your regulatory and security requirements. You can create your own custom framework, but we recommend starting with a built-in framework.

  2. Determine which built-in cloud controls map to your business requirements. You can create custom cloud controls if required.

  3. Determine which folder or project to deploy the framework to. The following rules apply to deployments:

    • A single resource—whether a folder or a project—can only have one built-in preventative framework such as a data boundary deployed to it.
    • A single resource—whether a folder or a project—can have multiple detective frameworks deployed to it.
    • Multiple resources can have the same preventative or detective framework deployed to them. For example, a parent folder can have the same preventative or detective framework deployed to it as its child projects.

  4. Copy an existing framework and modify it to match your requirements. If required, you can create a custom framework.

  5. Deploy the framework on the selected folder or project.

Before you begin

View frameworks

Complete the following steps to view the configuration for built-in frameworks or other frameworks that you've already created.

  1. In the Google Cloud console, go to the Frameworks page.

  2. If prompted, select your organization.

  3. The dashboard shows the available frameworks, a brief description, supported platforms and tiers, and the resources that the framework has been assigned to.

  4. To view details about a specific framework, click the framework name.

Create a framework

After you determine which cloud controls apply to resources within your organization or a specific folder or project, you can create a framework. You can create a custom framework or copy an existing framework and modify it. When you copy a framework, it includes the latest releases of any built-in cloud controls.

  1. In the Google Cloud console, go to the Frameworks page.

  2. If prompted, select your organization.

  3. Click Create custom framework.

  4. Complete one of the following:

    • To use an existing framework, complete the following:

      1. Select Start from an existing framework.

      2. Select the framework that you want to copy.

    • To create a custom framework, select Start new.

  5. Enter a name, unique identifier, and description for your framework. Click Continue.

  6. In the Set a location for your framework step, select a specific region or a multi-region. For more information about available regions, see Assured Workloads locations. Click Continue.

    If you're copying an existing framework, the list of cloud controls that were part of the existing framework displays.

  7. To add the cloud controls that you require, complete the following:

    • To add an existing cloud control, click Add Cloud Controls. Select all the cloud controls that you require and then click Add.

      When you add a control, verify the control type (detective, preventive, or audit) of the control. Don't include audit-only controls in a framework that you want to use to monitor your environment and detect violations. You can't deploy frameworks that include audit-only controls.

    • To create a custom cloud control, click Create custom cloud control. For instructions, see Create a custom cloud control.

  8. Click Continue.

  9. Add any additional parameters that the cloud controls require.

    For example, you can set the Cloud Logging storage locations and the resource locations, and modify the allowed service endpoints.

  10. Click Create.

Deploy a framework

Deploy a framework to a folder or project so that you can control and monitor those resources using the framework's cloud controls. The following rules apply to deployments:

  • A single resource—whether a folder or a project—can only have one built-in preventative framework such as a data boundary deployed to it.
  • A single resource—whether a folder or a project—can have multiple detective frameworks deployed to it.
  • Multiple resources can have the same preventative or detective framework deployed to them. For example, a parent folder can have the same preventative or detective framework deployed to it as its child projects.

Folders and projects inherit frameworks through the Google Cloud resource hierarchy. Therefore, if you deploy frameworks at the folder level and at the project level, all the cloud controls within both frameworks apply to the resources in the project. If there are any differences in cloud control definitions, the lower-level cloud control is used by the resources in the project. For example, if a cloud control rule is set to Allow at the folder level and to Deny at the project level, the project-level setting of Deny is applied to the resources in the project.

As a best practice, we recommend that you deploy a framework at the folder level that includes the cloud controls that can apply to all of its projects. You can then deploy more stringent frameworks to individual projects that require them.

If you choose to nest your framework deployments, such as by deploying one framework to a parent folder and then different frameworks to its child projects, it's your responsibility to resolve any compliance violations that might occur on the parent and child resources.
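The deployment rules and the inheritance behaviour described above can be checked before you click through the console. The following Python model is an added illustration, not Assured Workloads code or its API: it encodes the stated rules (one preventative framework per resource, any number of detective frameworks, no audit-only controls in a deployable framework, and the lower-level definition of a rule winning for a project) over a constructed folder/project hierarchy. All resource names, framework names, control names and rule settings are constructed samples.

```python
"""Model of Assured Workloads framework deployment rules (added illustration,
not product code). Resource, framework and control names are constructed samples."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CloudControl:
    name: str
    control_type: str   # "preventive", "detective", or "audit"
    rule: str           # which rule the control sets, e.g. "external_ip"
    setting: str        # the value for that rule, e.g. "Allow" or "Deny"


@dataclass
class Framework:
    name: str
    framework_type: str            # "preventative" or "detective"
    controls: List[CloudControl]


@dataclass
class Resource:
    name: str                      # folder or project
    parent: Optional["Resource"] = None
    frameworks: List[Framework] = field(default_factory=list)


def validate_deployment(resource: Resource, framework: Framework) -> List[str]:
    """Return the rule violations that would block deploying framework to resource."""
    problems = []
    if any(c.control_type == "audit" for c in framework.controls):
        problems.append(f"{framework.name} contains audit-only controls and can't be deployed")
    if framework.framework_type == "preventative" and any(
            f.framework_type == "preventative" for f in resource.frameworks):
        problems.append(f"{resource.name} already has a preventative framework")
    return problems


def deploy(resource: Resource, framework: Framework) -> None:
    """Deploy only if the deployment rules are satisfied; detective frameworks may stack."""
    problems = validate_deployment(resource, framework)
    if problems:
        raise ValueError("; ".join(problems))
    resource.frameworks.append(framework)


def effective_controls(resource: Resource) -> Dict[str, CloudControl]:
    """Resolve the controls that apply to a resource, keyed by rule name.

    Frameworks are inherited down the hierarchy, so every ancestor's controls apply.
    Walking ancestors first and the resource last means the lowest-level
    definition of a rule overwrites any higher-level one, matching the
    folder Allow / project Deny example in the text."""
    chain = []
    node: Optional[Resource] = resource
    while node is not None:
        chain.append(node)
        node = node.parent
    effective: Dict[str, CloudControl] = {}
    for node in reversed(chain):            # organization side first, resource last
        for fw in node.frameworks:
            for ctrl in fw.controls:
                effective[ctrl.rule] = ctrl
    return effective


def build_sample():
    """Constructed hierarchy: folder 'finance' containing project 'payments'."""
    folder = Resource("folders/finance")
    project = Resource("projects/payments", parent=folder)
    folder_baseline = Framework("folder-baseline", "preventative", [
        CloudControl("external-ip-allowed", "preventive", "external_ip", "Allow"),
        CloudControl("us-storage", "preventive", "storage_location", "us"),
    ])
    payments_strict = Framework("payments-strict", "preventative", [
        CloudControl("external-ip-denied", "preventive", "external_ip", "Deny"),
    ])
    drift_watch = Framework("drift-watch", "detective", [
        CloudControl("logging-region", "detective", "logging_location", "us-central1"),
    ])
    deploy(folder, folder_baseline)
    deploy(project, payments_strict)      # more stringent framework on the child project
    deploy(project, drift_watch)
    deploy(folder, drift_watch)           # the same detective framework on parent and child
    return folder, project


if __name__ == "__main__":
    folder, project = build_sample()
    for rule, ctrl in sorted(effective_controls(project).items()):
        print(f"{project.name}: {rule} = {ctrl.setting} (from {ctrl.name})")
```

Running the block prints the resolved settings for the project: external_ip resolves to Deny from the project-level framework even though the folder allows it, while storage_location is inherited unchanged from the folder. Attempting a second preventative framework on the project, or a framework containing an audit-only control, is rejected by validate_deployment before anything is deployed.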

  1. In the Google Cloud console, go to the Frameworks page.

  2. If prompted, select your organization.

  3. For the framework that you want to deploy, click More Actions > Apply to resources.

  4. Choose one of the following options:

    • To monitor for drift only, choose Monitor.

    • To monitor for drift and actively prevent violations, choose Monitor and prevent.

  5. Select the resource that you want to deploy the framework to. You can choose an existing folder or project. If you chose to actively prevent violations, you can create a new folder or project and deploy the framework to it. If the framework requires additional details, such as a CMEK project or other configuration details, you must provide them.

  6. Complete one of the following:

    • If you selected Monitor, complete the following:

      1. Verify the information.
      2. Click Monitor.
    • If you selected Monitor and prevent, complete the following:

      1. Click Next. Review the cloud controls and modes.
      2. Click Continue.
      3. If displayed, verify the additional information that's required for some cloud controls.
      4. Click Next.
      5. Review your selections and then click Enforce.

After you deploy the framework, you can monitor your environment for any drift from your defined cloud controls. Assured Workloads' Monitoring reports instances of drift as violations that you can review, filter, and resolve. It can take approximately six hours after you deploy a framework for any violations to appear.

Edit a custom framework

After you create a framework, you can change its name and description, add or remove cloud controls, and update any parameters. You can only edit frameworks that you create; you can't edit built-in frameworks.

  1. In the Google Cloud console, go to the Frameworks page.

  2. If prompted, select your organization.

  3. Click the framework that you want to edit.

  4. On the Framework details page, verify that the framework isn't assigned to a resource. If required, remove the assignments.

  5. Click Actions > Edit.

  6. In the Update framework details page, change the name and description as required. Click Continue.

  7. To change the cloud controls that are included in the framework, complete the following:

    • To add an existing cloud control, click Add Cloud Controls. Select all the cloud controls that you require and then click Add.

    • To create a custom cloud control, click Create custom cloud control. For instructions, see Create a custom cloud control.

    • To remove a cloud control, select the cloud control and click Remove.

  8. Click Continue.

  9. Add any additional parameters that the cloud controls require.

  10. Click Save.

Remove resources from a deployed framework

You can remove the folders or projects that you assigned to a deployed framework. Removing resources means that the framework no longer generates violations for that node of your resource hierarchy.

  1. In the Google Cloud console, go to the Frameworks page.

  2. If prompted, select your organization.

  3. Click the framework that you want to unassign resources from.

  4. On the Framework details page, click Actions > Manage resource assignments.

  5. In the Assigned resources table, find the resource that you want to remove and click Delete.

  6. Review the confirmation message and click Unassign.

Update a framework to a newer release

Google publishes regular updates to its built-in frameworks as services deploy new features or as new best practices emerge. You can view the releases of built-in frameworks in the frameworks dashboard in the Configure tab or in the framework details page.

Google notifies you in the console and release notes when the following updates occur:

  • Built-in cloud controls are added or removed from a framework
  • Built-in cloud controls are updated

To update a framework, complete the following:

  1. In the Google Cloud console, go to the Frameworks page.

  2. If prompted, select your organization.

  3. Click the framework that you want to update.

  4. On the Framework details page, in the Assigned resources table, review the Update status for any assignments that are identified as Update available.

  5. To apply the changes, complete the following:

    1. Remove the resource assignment.

    2. Redeploy the framework to your resource so that Assured Workloads frameworks can resume monitoring the resource and creating violations.

Delete a custom framework

Delete a framework when it's no longer required. You can only delete frameworks that you create; you can't delete built-in frameworks.

  1. In the Google Cloud console, go to the Frameworks page.

  2. If prompted, select your organization.

  3. Click the framework that you want to delete.

  4. On the Framework details page, verify that the framework isn't assigned to a resource. If required, remove the assignments.

  5. Click Actions > Delete.

  6. In the Delete window, review the message. Type Delete and click Confirm.

What's next