本頁面由 Cloud Translation API 翻譯而成。

支援的 IaC 驗證素材資源類型和政策

本文說明 Security Command Center 的基礎架構即程式碼 (IaC) 驗證功能支援的資產類型和政策。

支援的資產類型

以下是支援的 Google Cloud 資產類型清單：

artifactregistry.googleapis.com/Repository
bigquery.googleapis.com/Dataset
bigquery.googleapis.com/Table
cloudfunctions.googleapis.com/CloudFunction
cloudkms.googleapis.com/ImportJob
cloudkms.googleapis.com/KeyRing
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project
composer.googleapis.com/Environment
compute.googleapis.com/Autoscaler
compute.googleapis.com/BackendService
compute.googleapis.com/Disk
compute.googleapis.com/Firewall
compute.googleapis.com/ForwardingRule
compute.googleapis.com/GlobalForwardingRule
compute.googleapis.com/HealthCheck
compute.googleapis.com/Instance
compute.googleapis.com/InstanceGroup
compute.googleapis.com/Network
compute.googleapis.com/NodeGroup
compute.googleapis.com/NodeTemplate
compute.googleapis.com/ResourcePolicy
compute.googleapis.com/Route
compute.googleapis.com/Router
compute.googleapis.com/Snapshot
compute.googleapis.com/SslCertificate
compute.googleapis.com/SslPolicy
compute.googleapis.com/Subnetwork
compute.googleapis.com/TargetHttpProxy
compute.googleapis.com/TargetHttpsProxy
compute.googleapis.com/TargetPool
compute.googleapis.com/TargetSslProxy
compute.googleapis.com/UrlMap
compute.googleapis.com/VpnTunnel
container.googleapis.com/Cluster
container.googleapis.com/NodePool
dataflow.googleapis.com/Job
datastream.googleapis.com/ConnectionProfile
datastream.googleapis.com/PrivateConnection
datastream.googleapis.com/Stream
dns.googleapis.com/ManagedZone
dns.googleapis.com/Policy
file.googleapis.com/Instance
gkehub.googleapis.com/Membership
pubsub.googleapis.com/Subscription
pubsub.googleapis.com/Topic
run.googleapis.com/DomainMapping
run.googleapis.com/Job
run.googleapis.com/Service
serviceusage.googleapis.com/Service
spanner.googleapis.com/Database
spanner.googleapis.com/Instance
sqladmin.googleapis.com/Instance
storage.googleapis.com/Bucket
vpcaccess.googleapis.com/Connector

系統不支援對 compute.googleapis.com/Instance 的 disks[].initializeParams.sourceImage 欄位進行驗證。

支援的原則

本節說明 IaC 驗證支援的政策。

機構政策

以下列出支援的機構政策：

Allowed VPC egress settings (constraints/run.allowedVPCEgress)
Disable Guest Attributes of Compute Engine metadata (constraints/compute.disableGuestAttributesAccess)
Disable VM serial port access (constraints/compute.disableSerialPortAccess)
Disable VM serial port logging to Stackdriver (constraints/compute.disableSerialPortLogging)
Disable VPC External IPv6 usage (constraints/compute.disableVpcExternalIpv6)
Require OS Login (constraints/compute.requireOsLogin)
Restrict Authorized Networks on Cloud SQL instances (constraints/sql.restrictAuthorizedNetworks)
Require VPC Connector (Cloud Functions) (constraints/cloudfunctions.requireVPCConnector)
Disable VPC Internal IPv6 usage (constraints/compute.disableVpcInternalIpv6)
Allowed ingress settings (Cloud Run) (constraints/run.allowedIngress)
Enforce uniform bucket-level access (constraints/storage.uniformBucketLevelAccess)
Skip creation of default Compute Network (constraints/compute.skipDefaultNetworkCreation)

機構政策自訂限制

支援所有機構政策自訂限制。不過，您無法驗證包含標記的機構政策。

Security Health Analytics 自訂模組

系統支援所有 Security Health Analytics 自訂模組。

安全狀態分析內建偵測工具

以下是支援的內建偵測器清單：

ALPHA_CLUSTER_ENABLED
AUTO_BACKUP_DISABLED
AUTO_REPAIR_DISABLED
AUTO_UPGRADE_DISABLED
BIGQUERY_TABLE_CMEK_DISABLED
BUCKET_CMEK_DISABLED
BUCKET_LOGGING_DISABLED
BUCKET_POLICY_ONLY_DISABLED
CLUSTER_LOGGING_DISABLED
CLUSTER_MONITORING_DISABLED
CLUSTER_SECRETS_ENCRYPTION_DISABLED
CLUSTER_SHIELDED_NODES_DISABLED
COMPUTE_SECURE_BOOT_DISABLED
COMPUTE_SERIAL_PORTS_ENABLED
CONFIDENTIAL_COMPUTING_DISABLED
COS_NOT_USED
DATAPROC_CMEK_DISABLED
DATAPROC_IMAGE_OUTDATED
DEFAULT_SERVICE_ACCOUNT_USED
DISK_CMEK_DISABLED
DISK_CSEK_DISABLED
FIREWALL_RULE_LOGGING_DISABLED
FLOW_LOGS_DISABLED
FULL_API_ACCESS
VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED
INTEGRITY_MONITORING_DISABLED
INTRANODE_VISIBILITY_DISABLED
IP_ALIAS_DISABLED
IP_FORWARDING_ENABLED
KMS_KEY_NOT_ROTATED
KMS_PUBLIC_KEY
LEGACY_AUTHORIZATION_ENABLED
LEGACY_METADATA_ENABLED
LOAD_BALANCER_LOGGING_DISABLED
MASTER_AUTHORIZED_NETWORKS_DISABLED
NETWORK_POLICY_DISABLED
NODEPOOL_BOOT_CMEK_DISABLED
NODEPOOL_SECURE_BOOT_DISABLED
OPEN_CASSANDRA_PORT
OPEN_CISCOSECURE_WEBSM_PORT
OPEN_DIRECTORY_SERVICES_PORT
OPEN_DNS_PORT
OPEN_ELASTICSEARCH_PORT
OPEN_FIREWALL
OPEN_FTP_PORT
OPEN_HTTP_PORT
OPEN_LDAP_PORT
OPEN_MEMCACHED_PORT
OPEN_MONGODB_PORT
OPEN_MYSQL_PORT
OPEN_NETBIOS_PORT
OPEN_ORACLEDB_PORT
OPEN_POP3_PORT
OPEN_POSTGRESQL_PORT
OPEN_RDP_PORT
OPEN_REDIS_PORT
OPEN_SMTP_PORT
OPEN_SSH_PORT
OPEN_TELNET_PORT
OVER_PRIVILEGED_ACCOUNT
OVER_PRIVILEGED_SCOPES
OVER_PRIVILEGED_SERVICE_ACCOUNT_USER
PRIMITIVE_ROLES_USED
PRIVATE_CLUSTER_DISABLED
PRIVATE_GOOGLE_ACCESS_DISABLED
PUBLIC_BUCKET_ACL
PUBLIC_COMPUTE_IMAGE
PUBLIC_DATASET
PUBLIC_IP_ADDRESS
PUBLIC_SQL_INSTANCE
PUBSUB_CMEK_DISABLED
REDIS_ROLE_USED_ON_ORG
RELEASE_CHANNEL_DISABLED
RSASHA1_FOR_SIGNING
SERVICE_ACCOUNT_KEY_NOT_ROTATED
SHIELDED_VM_DISABLED
SSL_NOT_ENFORCED
SQL_CMEK_DISABLED
SQL_CONTAINED_DATABASE_AUTHENTICATION
SQL_CROSS_DB_OWNERSHIP_CHAINING
SQL_EXTERNAL_SCRIPTS_ENABLED
SQL_LOCAL_INFILE
SQL_LOG_CHECKPOINTS_DISABLED
SQL_LOG_CONNECTIONS_DISABLED
SQL_LOG_DISCONNECTIONS_DISABLED
SQL_LOG_DURATION_DISABLED
SQL_LOG_ERROR_VERBOSITY
SQL_LOG_EXECUTOR_STATS_ENABLED
SQL_LOG_HOSTNAME_ENABLED
SQL_LOG_LOCK_WAITS_DISABLED
SQL_LOG_MIN_DURATION_STATEMENT_ENABLED
SQL_LOG_MIN_ERROR_STATEMENT
SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY
SQL_LOG_MIN_MESSAGES
SQL_LOG_PARSER_STATS_ENABLED
SQL_LOG_PLANNER_STATS_ENABLED
SQL_LOG_STATEMENT
SQL_LOG_STATEMENT_STATS_ENABLED
SQL_LOG_TEMP_FILES
SQL_PUBLIC_IP
SQL_REMOTE_ACCESS_ENABLED
SQL_SKIP_SHOW_DATABASE_DISABLED
SQL_TRACE_FLAG_3625
SQL_USER_CONNECTIONS_CONFIGURED
SQL_USER_OPTIONS_CONFIGURED
USER_MANAGED_SERVICE_ACCOUNT_KEY
WEB_UI_ENABLED
WORKLOAD_IDENTITY_DISABLED

後續步驟

根據安全狀況驗證 IaC。