Monitor Assured Workloads frameworks

Assured Workloads actively monitors your framework deployments for compliance violations by comparing a deployed data boundary's requirements to the folder or project to which it's assigned. When your folder or project drifts from one or more of the data boundary's cloud control requirements, a violation occurs. Violation types include the following:

  • Location: When a child resource in an assigned folder or project is deployed to a non-compliant location, a violation occurs. This violation can occur if you modify the default value for the Restrict Resource Locations cloud control for a given framework, which is mapped to the gcp.resourceLocations organization policy constraint.
  • Service usage: When a non-compliant service endpoint (such as compute.googleapis.com) is enabled on an assigned folder or project, a violation occurs. This violation can occur if you modify the default value for the Restrict Service Usage cloud control for a given framework, which is mapped to the gcp.restrictServiceUsage organization policy constraint.
  • Encryption: Some data boundaries require Customer-managed encryption keys set to a specific set of service endpoints. To enforce this requirement, the Enforce CMEK for Supported Services cloud control is applied. If you add non-compliant services or remove existing or required services from this cloud control, a violation will occur. This violation is mapped to the gcp.restrictNonCmekServices organization policy constraint.
  • Access: Some data boundaries require Access Approval or Access Transparency, which together help you authorize requests from Google personnel to access Customer Data and determine when and why such data was accessed. When you modify these cloud controls, for example, by changing the default values for the Enable Access Transparency cloud control, you can cause a violation to occur.
  • Configuration: Changing a cloud control value to a non-compliant value can cause a violation to occur.
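
The following is an added example, not Assured Workloads code, that models the comparison described above: a data boundary's required constraint values (the baseline) are checked against the effective organization policy on the assigned folder or project, and each drifted value is reported under the violation type this page maps it to. The constraint names come from this page; the baseline values and the drifted effective policy are constructed for illustration.

```python
from dataclasses import dataclass

# Violation type per organization policy constraint, as mapped on this page.
VIOLATION_TYPE = {
    "gcp.resourceLocations": "Location",
    "gcp.restrictServiceUsage": "Service usage",
    "gcp.restrictNonCmekServices": "Encryption",
}


@dataclass(frozen=True)
class Violation:
    constraint: str
    violation_type: str
    value: str  # the drifted list value, or a marker if the constraint is missing


def check_drift(baseline: dict, effective: dict) -> list[Violation]:
    """Compare required constraint values (baseline) with the effective policy.

    Each entry is {'allowed': [...]} or {'denied': [...]}. An allowed list may
    only shrink: an extra allowed location or service endpoint is drift. A denied
    list may only grow: a required CMEK-enforced service dropped from it is drift.
    A constraint absent from the effective policy is reported as a single marker.
    """
    violations = []
    for constraint, required in baseline.items():
        vtype = VIOLATION_TYPE[constraint]
        if constraint not in effective:
            violations.append(Violation(constraint, vtype, "<constraint missing>"))
            continue
        actual = effective[constraint]
        if "allowed" in required:
            drifted = set(actual.get("allowed", [])) - set(required["allowed"])
        else:
            drifted = set(required["denied"]) - set(actual.get("denied", []))
        violations.extend(Violation(constraint, vtype, v) for v in sorted(drifted))
    return violations


# Constructed baseline: what a deployed data boundary is assumed to require.
BASELINE = {
    "gcp.resourceLocations": {"allowed": ["in:eu-locations"]},
    "gcp.restrictServiceUsage": {"allowed": ["storage.googleapis.com", "bigquery.googleapis.com"]},
    "gcp.restrictNonCmekServices": {"denied": ["storage.googleapis.com", "bigquery.googleapis.com"]},
}
# Constructed effective policy after drift: a region added, a non-compliant
# service enabled, and one service removed from the CMEK enforcement list.
DRIFTED = {
    "gcp.resourceLocations": {"allowed": ["in:eu-locations", "in:us-locations"]},
    "gcp.restrictServiceUsage": {"allowed": ["storage.googleapis.com", "bigquery.googleapis.com", "compute.googleapis.com"]},
    "gcp.restrictNonCmekServices": {"denied": ["storage.googleapis.com"]},
}
```

Running `check_drift(BASELINE, DRIFTED)` yields one Location, one Service usage and one Encryption violation, one per drifted value; a policy identical to the baseline yields none.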

When a violation occurs, you can resolve it or create exceptions for it where appropriate. A violation can have one of three statuses:

  • Unresolved: The violation hasn't been addressed, or was previously granted an exception before non-compliant changes were made on the folder or resource.
  • Resolved: The violation has been addressed by following steps to remediate the issue.
  • Exception: The violation has been granted an exception, and a business justification has been provided.

Monitoring is automatically enabled when you apply an Assured Workloads framework to a resource.

View violations in your organization

To view specific compliance violations and their details, complete the following steps:

  1. In the Google Cloud console, go to the Monitoring page.


  2. If prompted, select your organization.

  3. Click the Assured Workloads Violations tab. Two tabs are shown: Organization Policy Violations and Resource Violations. If more than one unresolved violation exists, an icon is active on the tab.

    The Organization Policy Violations tab is selected by default. This tab displays all unresolved organization policy violations across every folder or project in the organization to which an Assured Workloads framework is assigned.

    The Resource Violations tab displays all unresolved violations associated with resources across every folder or project in the organization to which an Assured Workloads framework is assigned.

  4. For either tab, use the Quick filters options to filter by violation status, violation type, assignment, affected frameworks, organization policy control, or specific resource types.

  5. For either tab, if there are existing violations, click a violation ID to see more detailed information.

From the Violation details page, you can perform the following tasks:

  • Copy the violation ID.

  • View the Assured Workloads framework's resource where the violation occurred and when it first occurred.

  • View the audit log, which includes the following:

    • When the violation happened.

    • Which policy was modified to cause the violation and which user made that modification.

    • If an exception was granted, which user granted it.

    • Where applicable, the specific resource on which the violation occurred.

  • View the affected organization policy.

  • View and add compliance violation exceptions. Previous exceptions for the resource are listed. These exceptions include the user that granted the exception, its user-provided justification, and the time it was granted.

  • Follow the remediation steps to resolve the violation.

For organization policy violations, you can also see the following:

  • Affected organization policy: To view the policy associated with the compliance violation, click View Policy.
  • Child resource violations: Resource-based organization policy violations can cause child resource violations. To view or resolve child resource violations, click the Violation ID.

For resource violations, you can also see the following:

  • Parent organization policy violations: When parent organization policy violations are the cause of a child resource violation, they need to be addressed first at the child level. Once the child resource violation has been resolved, resolve the parent organization policy violation. To see the violation details, click View Violation.
  • Any other violations on the specific resource that is causing the resource violation are also listed.

Resolve violations

To remediate a violation, complete the following steps:

  1. In the Google Cloud console, go to the Monitoring page.


  2. If prompted, select your organization.

  3. Click the Assured Workloads Violations tab. Two tabs are shown: Organization Policy Violations and Resource Violations. If more than one unresolved violation exists, an icon is active on the tab. Click the tab for which you want to view violations.

  4. Click the Violation ID to see more detailed information.

  5. In the Remediation section, follow the instructions to address the issue.

Add violation exceptions

Sometimes the condition that triggered a violation is acceptable for a particular situation. You can add one or more exceptions for a violation by completing the following steps:

  1. In the Google Cloud console, go to the Monitoring page.


  2. If prompted, select your organization.

  3. Click the Assured Workloads Violations tab. Two tabs are shown: Organization Policy Violations and Resource Violations. If more than one unresolved violation exists, an icon is active on the tab.

    The Organization Policy Violations tab is selected by default. This tab displays all unresolved organization policy violations across every folder or project in the organization to which an Assured Workloads framework is assigned.

    The Resource Violations tab displays all unresolved violations associated with resources across every folder or project in the organization to which an Assured Workloads framework is assigned.

    Click the tab for which you want to view violations.

  4. In the Violation ID column, click the violation you want to add the exception to.

  5. In the Exceptions section, click Add New.

  6. Enter a business justification for the exception. If you want the exception to apply to all child resources, select the Apply to all existing child resource violations checkbox. Click Submit.

  7. To add more exceptions, repeat these steps.

The violation status is now set to Exception.
