In diesem Dokument werden die Asset-Typen und Richtlinien beschrieben, die in der Funktion zur IaC-Validierung (Infrastructure as Code) in Security Command Center unterstützt werden.
Unterstützte Asset-Typen
Im Folgenden finden Sie eine Liste der unterstützten Google Cloud Asset-Typen:
artifactregistry.googleapis.com/Repositorybigquery.googleapis.com/Datasetbigquery.googleapis.com/Tablecloudfunctions.googleapis.com/CloudFunctioncloudkms.googleapis.com/ImportJobcloudkms.googleapis.com/KeyRingcloudresourcemanager.googleapis.com/Foldercloudresourcemanager.googleapis.com/Projectcomposer.googleapis.com/Environmentcompute.googleapis.com/Autoscalercompute.googleapis.com/BackendServicecompute.googleapis.com/Diskcompute.googleapis.com/Firewallcompute.googleapis.com/ForwardingRulecompute.googleapis.com/GlobalForwardingRulecompute.googleapis.com/HealthCheckcompute.googleapis.com/Instancecompute.googleapis.com/InstanceGroupcompute.googleapis.com/Networkcompute.googleapis.com/NodeGroupcompute.googleapis.com/NodeTemplatecompute.googleapis.com/ResourcePolicycompute.googleapis.com/Routecompute.googleapis.com/Routercompute.googleapis.com/Snapshotcompute.googleapis.com/SslCertificatecompute.googleapis.com/SslPolicycompute.googleapis.com/Subnetworkcompute.googleapis.com/TargetHttpProxycompute.googleapis.com/TargetHttpsProxycompute.googleapis.com/TargetPoolcompute.googleapis.com/TargetSslProxycompute.googleapis.com/UrlMapcompute.googleapis.com/VpnTunnelcontainer.googleapis.com/Clustercontainer.googleapis.com/NodePooldataflow.googleapis.com/Jobdatastream.googleapis.com/ConnectionProfiledatastream.googleapis.com/PrivateConnectiondatastream.googleapis.com/Streamdns.googleapis.com/ManagedZonedns.googleapis.com/Policyfile.googleapis.com/Instancegkehub.googleapis.com/Membershippubsub.googleapis.com/Subscriptionpubsub.googleapis.com/Topicrun.googleapis.com/DomainMappingrun.googleapis.com/Jobrun.googleapis.com/Serviceserviceusage.googleapis.com/Servicespanner.googleapis.com/Databasespanner.googleapis.com/Instancesqladmin.googleapis.com/Instancestorage.googleapis.com/Bucketvpcaccess.googleapis.com/Connector
Validierungen für das Feld disks[].initializeParams.sourceImage von compute.googleapis.com/Instance werden nicht unterstützt.
Unterstützte Richtlinien
In diesem Abschnitt werden die Richtlinien beschrieben, die von der IaC-Validierung unterstützt werden.
Organisationsrichtlinien
Im Folgenden finden Sie eine Liste der unterstützten Organisationsrichtlinien:
Allowed VPC egress settings(constraints/run.allowedVPCEgress)Disable Guest Attributes of Compute Engine metadata(constraints/compute.disableGuestAttributesAccess)Disable VM serial port access(constraints/compute.disableSerialPortAccess)Disable VM serial port logging to Stackdriver(constraints/compute.disableSerialPortLogging)Disable VPC External IPv6 usage(constraints/compute.disableVpcExternalIpv6)Require OS Login(constraints/compute.requireOsLogin)Restrict Authorized Networks on Cloud SQL instances(constraints/sql.restrictAuthorizedNetworks)Require VPC Connector (Cloud Functions)(constraints/cloudfunctions.requireVPCConnector)Disable VPC Internal IPv6 usage(constraints/compute.disableVpcInternalIpv6)Allowed ingress settings (Cloud Run)(constraints/run.allowedIngress)Enforce uniform bucket-level access(constraints/storage.uniformBucketLevelAccess)Skip creation of default Compute Network(constraints/compute.skipDefaultNetworkCreation)
Benutzerdefinierte Einschränkung der Organisationsrichtlinie
Alle benutzerdefinierten Einschränkungen der Organisationsrichtlinie werden unterstützt. Organisationsrichtlinien, die Tagsenthalten, können jedoch nicht validiert werden.
Benutzerdefinierte Module von Security Health Analytics
Alle benutzerdefinierten Module von Security Health Analytics werden unterstützt.
In Security Health Analytics integrierte Detektoren
Im Folgenden finden Sie eine Liste der unterstützten integrierten Detektoren:
ALPHA_CLUSTER_ENABLEDAUTO_BACKUP_DISABLEDAUTO_REPAIR_DISABLEDAUTO_UPGRADE_DISABLEDBIGQUERY_TABLE_CMEK_DISABLEDBUCKET_CMEK_DISABLEDBUCKET_LOGGING_DISABLEDBUCKET_POLICY_ONLY_DISABLEDCLUSTER_LOGGING_DISABLEDCLUSTER_MONITORING_DISABLEDCLUSTER_SECRETS_ENCRYPTION_DISABLEDCLUSTER_SHIELDED_NODES_DISABLEDCOMPUTE_SECURE_BOOT_DISABLEDCOMPUTE_SERIAL_PORTS_ENABLEDCONFIDENTIAL_COMPUTING_DISABLEDCOS_NOT_USEDDATAPROC_CMEK_DISABLEDDATAPROC_IMAGE_OUTDATEDDEFAULT_SERVICE_ACCOUNT_USEDDISK_CMEK_DISABLEDDISK_CSEK_DISABLEDFIREWALL_RULE_LOGGING_DISABLEDFLOW_LOGS_DISABLEDFULL_API_ACCESSVPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDEDINTEGRITY_MONITORING_DISABLEDINTRANODE_VISIBILITY_DISABLEDIP_ALIAS_DISABLEDIP_FORWARDING_ENABLEDKMS_KEY_NOT_ROTATEDKMS_PUBLIC_KEYLEGACY_AUTHORIZATION_ENABLEDLEGACY_METADATA_ENABLEDLOAD_BALANCER_LOGGING_DISABLEDMASTER_AUTHORIZED_NETWORKS_DISABLEDNETWORK_POLICY_DISABLEDNODEPOOL_BOOT_CMEK_DISABLEDNODEPOOL_SECURE_BOOT_DISABLEDOPEN_CASSANDRA_PORTOPEN_CISCOSECURE_WEBSM_PORTOPEN_DIRECTORY_SERVICES_PORTOPEN_DNS_PORTOPEN_ELASTICSEARCH_PORTOPEN_FIREWALLOPEN_FTP_PORTOPEN_HTTP_PORTOPEN_LDAP_PORTOPEN_MEMCACHED_PORTOPEN_MONGODB_PORTOPEN_MYSQL_PORTOPEN_NETBIOS_PORTOPEN_ORACLEDB_PORTOPEN_POP3_PORTOPEN_POSTGRESQL_PORTOPEN_RDP_PORTOPEN_REDIS_PORTOPEN_SMTP_PORTOPEN_SSH_PORTOPEN_TELNET_PORTOVER_PRIVILEGED_ACCOUNTOVER_PRIVILEGED_SCOPESOVER_PRIVILEGED_SERVICE_ACCOUNT_USERPRIMITIVE_ROLES_USEDPRIVATE_CLUSTER_DISABLEDPRIVATE_GOOGLE_ACCESS_DISABLEDPUBLIC_BUCKET_ACLPUBLIC_COMPUTE_IMAGEPUBLIC_DATASETPUBLIC_IP_ADDRESSPUBLIC_SQL_INSTANCEPUBSUB_CMEK_DISABLEDREDIS_ROLE_USED_ON_ORGRELEASE_CHANNEL_DISABLEDRSASHA1_FOR_SIGNINGSERVICE_ACCOUNT_KEY_NOT_ROTATEDSHIELDED_VM_DISABLEDSSL_NOT_ENFORCEDSQL_CMEK_DISABLEDSQL_CONTAINED_DATABASE_AUTHENTICATIONSQL_CROSS_DB_OWNERSHIP_CHAININGSQL_EXTERNAL_SCRIPTS_ENABLEDSQL_LOCAL_INFILESQL_LOG_CHECKPOINTS_DISABLEDSQL_LOG_CONNECTIONS_DISABLEDSQL_LOG_DISCONNECTIONS_DISABLEDSQL_LOG_DURATION_DISABLEDSQL_LOG_ERROR_VERBOSITYSQL_LOG_EXECUTOR_STATS_ENABLEDSQL_LOG_HOSTNAME_ENABLEDSQL_LOG_LOCK_WAITS_DISABLEDSQL_LOG_MIN_DURATION_STATEMENT_ENABLEDSQL_LOG_MIN_ERROR_STATEMENTSQL_LOG_MIN_ERROR_STATEMENT_SEVERITYSQL_LOG_MIN_MESSAGESSQL_LOG_PARSER_STATS_ENABLEDSQL_LOG_PLANNER_STATS_ENABLEDSQL_LOG_STATEMENTSQL_LOG_STATEMENT_STATS_ENABLEDSQL_LOG_TEMP_FILESSQL_PUBLIC_IPSQL_REMOTE_ACCESS_ENABLEDSQL_SKIP_SHOW_DATABASE_DISABLEDSQL_TRACE_FLAG_3625SQL_USER_CONNECTIONS_CONFIGUREDSQL_USER_OPTIONS_CONFIGUREDUSER_MANAGED_SERVICE_ACCOUNT_KEYWEB_UI_ENABLEDWORKLOAD_IDENTITY_DISABLED