If you enable Compliance Manager within a VPC Service Controls service perimeter, you must configure egress and ingress rules.
You can adjust the following sample ingress and egress rules to meet your business requirements.
For information about limitations, see Supported products and limitations.
Before you begin
Make sure that you have the required roles to configure VPC Service Controls at the organization level.
To ensure access to resources that exist in the organization or folders, grant the Compliance Manager Admin (
roles/cloudsecuritycompliance.admin) role at the organization level.Make sure that you know the following:
The email address for the Cloud Security Compliance service agent (
service-org-ORGANIZATION_ID@gcp-sa-csc-hpsa.iam.gserviceaccount.com).If you also use Audit Manager, the email address for the Audit Manager service agent (
service-org-RESOURCE_ID@gcp-sa-audit-manager.iam.gserviceaccount.com), where RESOURCE_ID is your organization ID, folder ID, or project ID.The email addresses of Compliance Manager and Audit Manager users. These users administer Compliance Manager and Audit Managerand perform activities such as audits.
Verify that the Cloud Security Compliance service agent has the required permissions within the perimeter to complete an audit. For more information, see Audit your environment with Compliance Manager.
Add ingress and egress rules
Add the following ingress rule:
- ingressFrom: identities: - user: USER_EMAIL_ADDRESS sources: - accessLevel: "*" ingressTo: operations: - serviceName: securitycenter.googleapis.com methodSelectors: - method: "*" resources: "*"Replace USER_EMAIL_ADDRESS with the email address of the Compliance Manager or Audit Manager user.
Add the following ingress rule to permit Compliance Manager to monitor and audit the resources in your Google Cloud organization:
- ingressFrom: identities: - user: USER_EMAIL_ADDRESS sources: - accessLevel: "*" ingressTo: operations: - serviceName: cloudsecuritycompliance.googleapis.com methodSelectors: - method: "*" - serviceName: auditmanager.googleapis.com methodSelectors: - method: "*" resources: "*"Replace USER_EMAIL_ADDRESS with the email address of the Compliance Manager or Audit Manager user.
Configure the following ingress rule to run audits for a project:
- ingressFrom: identities: - serviceAccount: COMPLIANCE_MANAGER_SERVICE_ACCOUNT_OR_AUDIT_MANAGER_SERVICE_ACCOUNT - user: USER_EMAIL_ADDRESS sources: - accessLevel: "*" ingressTo: operations: - serviceName: cloudasset.googleapis.com methodSelectors: - method: "*" resources: "*"Replace the following:
USER_EMAIL_ADDRESS: the email address of the Compliance Manager user.
COMPLIANCE_MANAGER_SERVICE_ACCOUNT_OR_AUDIT_MANAGER_SERVICE_ACCOUNT: the email address of the Cloud Security Compliance service agent or the Audit Manager service agent. If Audit Manager is enabled, use the Audit Manager service agent.
Configure the following ingress rule to run audits for a folder:
- ingressFrom: identities: - serviceAccount: COMPLIANCE_MANAGER_SERVICE_ACCOUNT_OR_AUDIT_MANAGER_SERVICE_ACCOUNT - user: USER_EMAIL_ADDRESS sources: - accessLevel: "*" ingressTo: operations: - serviceName: "*" resources: "*"Replace the following:
USER_EMAIL_ADDRESS: the email address of the Compliance Manager user.
COMPLIANCE_MANAGER_SERVICE_ACCOUNT_OR_AUDIT_MANAGER_SERVICE_ACCOUNT: the email address of the Cloud Security Compliance service agent or the Audit Manager service agent. If Audit Manager is enabled, use the Audit Manager service agent.
Broad access is required to permit auditing of all the resources in the projects within the folder.
Configure the following ingress rule to run an audit when the enrolled Cloud Storage bucket is inside the perimeter:
- ingressFrom: identities: - serviceAccount: COMPLIANCE_MANAGER_SERVICE_ACCOUNT_OR_AUDIT_MANAGER_SERVICE_ACCOUNT - user: USER_EMAIL_ADDRESS sources: - accessLevel: "*" ingressTo: operations: - serviceName: storage.googleapis.com methodSelectors: - method: google.storage.buckets.getIamPolicy - method: google.storage.buckets.testIamPermissions - method: google.storage.objects.getIamPolicy - method: google.storage.buckets.setIamPolicy - method: google.storage.objects.setIamPolicy - method: google.storage.objects.create - method: google.storage.objects.get resources: "*"Replace the following:
USER_EMAIL_ADDRESS: the email address of the Compliance Manager user.
COMPLIANCE_MANAGER_SERVICE_ACCOUNT_OR_AUDIT_MANAGER_SERVICE_ACCOUNT: the email address of the Cloud Security Compliance service agent or the Audit Manager service agent. If Audit Manager is enabled, use the Audit Manager service agent.
Configure the following egress rule to run an audit when the enrolled Cloud Storage bucket is inside the perimeter:
- egressFrom: identities: - serviceAccount: COMPLIANCE_MANAGER_SERVICE_ACCOUNT_OR_AUDIT_MANAGER_SERVICE_ACCOUNT - user: USER_EMAIL_ADDRESS sources: - accessLevel: "*" egressTo: operations: - serviceName: storage.googleapis.com methodSelectors: - method: google.storage.buckets.getIamPolicy - method: google.storage.buckets.testIamPermissions - method: google.storage.objects.getIamPolicy - method: google.storage.buckets.setIamPolicy - method: google.storage.objects.setIamPolicy - method: google.storage.objects.create - method: google.storage.objects.get resources: "*"Replace the following:
USER_EMAIL_ADDRESS: the email address of the Compliance Manager user.
COMPLIANCE_MANAGER_SERVICE_ACCOUNT_OR_AUDIT_MANAGER_SERVICE_ACCOUNT: the email address of the Cloud Security Compliance service agent or the Audit Manager service agent. If Audit Manager is enabled, use the Audit Manager service agent.
What's next
- Diagnose issues by using the VPC Service Controls troubleshooter or the VPC Service Controls violation analyzer.