Enumerate Network Traffic Flows

[fmichaelobrien]

Table with details on all possible flows in and out of the GCP Landing Zone. Flow ID	Direction	Source	Location	Target	Protocols	Notes	Code/Evidence
1	in	public	CA	public LB	https	with/without IP inspection appliance

• add Authentication flows (saml) (rbac, demo context awareness (geo, +, user pattern(armor checks ip/))

• user classes

• cl 1: priv users

• cl 2: bus (auth flow)

• cl 3: ext bus users (auth flow) - IE: foreign location (limited view/timed creds)

• verify ip whitelisting -show local IAM (secondary use for very minimal breakglass accounts (title only-not-actual-name) for now) for now until federation comes in (spin off IAM flows - check PAM - Access Context Manager (check IBM cyber arc) https://console.cloud.google.com/security/access-level

• Service account user id/password (use and management), TF and any additional roles that imply new SA creation

Document in https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/docs/architecture.md

However we need an example for all flow types

• PaaS (shared VPC) - current prod
• IaaS/SaaS (shared VPC - inherit service endpoints
• IaaS/SaaS (VPC peering - client handles their infrastructure)
• Pure SaaS (static side behind the LB or cloud run/functions sites - with/without presigned urls)

[fmichaelobrien]

20240406: Closing issue during retrofit/rebase of this TEF V1 based/modified repo to TEF V4 standards This issue may participate in the LZ refactor after rebase Query on all issues related to the older V1 version via the tag https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/labels/2024-pre-tef-v4

[github-actions[bot]]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days