GoogleCloudPlatform / pubsec-declarative-toolkit

The GCP PubSec Declarative Toolkit is a collection of declarative solutions to help you on your Journey to Google Cloud. Solutions are designed using Config Connector and deployed using Config Controller.
Apache License 2.0

ITSG-33 Security controls - Implement yaml tagging/labelling for automatic reporting/generation of compliance #151

Open fmichaelobrien opened 2 years ago

fmichaelobrien commented 2 years ago

Implement security control tagging/labeling inside the Kubernetes YAML files.

Add a control stub for the unknown case: if the developer is not able to figure out the exact security control from the list in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/dev/solutions/landing-zone/google-cloud-security-controls.md, then add a child issue to adjust the YAML in the next commit.

Examples

To be filled out...

Work Item: Discussion with Dave, Aaron, Craig.

- There may be an issue around security control tagging already in the queue.
- Adding an ITSG/NIST label into the YAML, with git pre-commit README section auto-generation on commits to extract a report per commit.

See for example the manually created Code to Controls mapping for one evidence around SC-7 in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/dev/solutions/landing-zone/google-cloud-security-controls.md#05-data-location

It would be better if we maintained a tag in the yaml around the code https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/landing-zone/environments/common/guardrails-policies/05-data-location/constraint.yaml#L24

where we can run either a pre-commit and/or an automatic generation of our security control posture, via either an in-line GitHub Actions workflow https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/.github/workflows/landing-zone-validation.yaml or offline report generation, similar to what is generated in Security Command Center Premium (compliance and vulnerabilities): security/command-center/vulnerabilities?organizationId

| Time | Category | Recommendation | Findings | | Standards |
| --- | --- | --- | --- | --- | --- |
| September 26, 2022 at 8:59:04 AM GMT-4 | Open RDP port | Firewall rules should not allow connections from all IP addresses on TCP or UDP port 3389 | 179 | | CIS 1.0: 3.7, CIS 1.1: 3.7, CIS 1.2: 3.7, PCI: 1.2.1, NIST: SC-7, ISO: A.13.1.1 |

see TF reference https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/180
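A sketch of the tagging and report-generation step proposed in this issue, added here as an example and not code from the toolkit: the annotation key `pubsec.gcp/itsg33-controls`, the `UNKNOWN` stub value and the two sample resources are assumptions, and the line-based extractor is used instead of a YAML parser so the script runs without extra dependencies in a pre-commit hook or workflow step.

```python
import re
from collections import defaultdict

# Assumed annotation key for this example; the toolkit has not standardised one.
CONTROL_KEY = "pubsec.gcp/itsg33-controls"
UNKNOWN = "UNKNOWN"  # stub for resources whose control is not yet identified

# Constructed sample: one tagged and one untagged Config Connector resource.
SAMPLE_YAML = """\
kind: ComputeFirewall
metadata:
  name: deny-rdp-from-internet
  annotations:
    pubsec.gcp/itsg33-controls: "SC-7, AC-4"
---
kind: StorageBucket
metadata:
  name: audit-logs
"""

def parse_documents(text):
    # Split a multi-document YAML file and pull kind, metadata.name and controls
    # from each document; resources without the annotation get the UNKNOWN stub.
    docs = []
    for raw in re.split(r"^---\s*$", text, flags=re.M):
        if not raw.strip():
            continue
        kind = re.search(r"^kind:\s*(\S+)", raw, re.M)
        name = re.search(r"^\s+name:\s*(\S+)", raw, re.M)
        ctrl = re.search(rf"^\s*{re.escape(CONTROL_KEY)}:\s*\"?([^\"\n]+?)\"?\s*$", raw, re.M)
        controls = [c.strip() for c in ctrl.group(1).split(",")] if ctrl else [UNKNOWN]
        docs.append({"kind": kind.group(1) if kind else "?",
                     "name": name.group(1) if name else "?",
                     "controls": controls})
    return docs

def untagged(docs):
    # Resources still carrying the stub: candidates for a child issue on the next commit.
    return [f"{d['kind']}/{d['name']}" for d in docs if d["controls"] == [UNKNOWN]]

def build_report(docs):
    # Markdown control-to-code table, one row per control, for the auto-generated README section.
    by_control = defaultdict(list)
    for d in docs:
        for c in d["controls"]:
            by_control[c].append(f"{d['kind']}/{d['name']}")
    rows = ["| Control | Resources |", "| --- | --- |"]
    rows += [f"| {c} | {', '.join(sorted(by_control[c]))} |" for c in sorted(by_control)]
    return "\n".join(rows)
```

Running `build_report(parse_documents(open(path).read()))` over every manifest in a pre-commit hook gives the per-commit report, and `untagged()` lists what still needs a control assigned.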

fmichaelobrien commented 2 years ago

Answer question on GR 8 network segmentation

https://github.com/canada-ca/cloud-guardrails/issues/96

fmichaelobrien commented 1 year ago

refer to security control automation in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/301