Open davelanglois-ssc opened 1 year ago
Assist ongoing work to annotate/label/tag security controls, both in comments and as selectable/reportable labels, as part of general compliance and the upcoming Compliance as Code integration.

Example comments (AC-3(7)): https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/landing-zone-v2/namespaces/policies.yaml#L29 and https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/gh258-feat-hub-perimeter-project/solutions/project/hub-env/securitycontrols.md#technical-controls---p1

Older ATO TB 31 controls subset incorporated in both LZs: https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/docs/google-cloud-security-controls.md#mandatory-security-controls-list

Example labels (Guardrails): https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/guardrails/configs/org-policies/org-policies.yaml#L61, e.g. `guardrail-enforced: guardrail-09`
Wanted to add an example and borrowed some code from PR #302.

```yaml
# Logs Bucket writer IAM permissions for the platform and component log sink
# Binds the generated writer identity from the LoggingLogSink to the logging project
# AC-3(7) - Write access to the logging buckets is limited by IAM to just the identities of the log sinks configured to send logs to the buckets (set at the logging project level)
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
  name: platform-and-component-log-bucket-writer-permissions
  namespace: projects
  labels:
    # Kubernetes label values may only contain [A-Za-z0-9], "-", "_" and ".",
    # so the "(7)" enhancement suffix cannot be written literally; the API server
    # rejects "AC-3(7)". "AC-3_7" stands for AC-3(7) (the full id stays in the comment).
    security-controls: "AC-3_7"
  annotations:
    config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-prj-id} # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-prj-id}
spec:
  resourceRef:
    kind: Project
    name: projects/logging-prj-id # kpt-set: ${logging-prj-id}
    namespace: projects
  # AC-3(7) ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL
  bindings:
    - role: roles/logging.bucketWriter
      members:
        - memberFrom:
            logSinkRef:
              name: platform-and-component-log-sink
              namespace: logging
```
Having this label (or annotation) would allow for easier discovery of resources that support a security control in the CLI or in the GCP UI, i.e.

`kubectl get IAMPartialPolicy --show-labels | grep security-controls`

would return any of the IAMPartialPolicies that have the target label.
_Originally posted by @cartyc in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/pull/283#discussion_r1124528035_
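As an added example (not code from the toolkit or from the discussion above), a small Python helper that encodes control ids as valid Kubernetes label values, since label values cannot contain parentheses, and builds a per-control inventory from `kubectl get iampartialpolicy -A -o json` output. The input below is constructed sample data, and the `AC-3_7` encoding for `AC-3(7)` is an assumption, not a convention the toolkit defines.

```python
import json
import re

LABEL_KEY = "security-controls"
# Kubernetes label-value rule: <= 63 chars, alphanumeric at both ends and only
# [-A-Za-z0-9_.] in between, so a literal "AC-3(7)" is rejected by the API server.
LABEL_VALUE_RE = re.compile(r"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$")

def control_to_label_value(control_id: str) -> str:
    """Encode a NIST 800-53 id such as 'AC-3(7)' as a label value ('AC-3_7'); assumed convention."""
    value = control_id.strip().replace("(", "_").replace(")", "")
    if len(value) > 63 or not LABEL_VALUE_RE.match(value):
        raise ValueError(f"{control_id!r} cannot be expressed as a label value")
    return value

def label_value_to_control(value: str) -> str:
    """Decode 'AC-3_7' back to 'AC-3(7)'; values without an enhancement pass through."""
    base, sep, enhancement = value.partition("_")
    return f"{base}({enhancement})" if sep else base

def inventory(kubectl_json: str) -> dict:
    """Group resources by control id; resources missing the label are reported separately."""
    by_control: dict = {}
    unlabelled = []
    for item in json.loads(kubectl_json).get("items", []):
        meta = item["metadata"]
        ref = f"{item['kind']}/{meta.get('namespace', '')}/{meta['name']}"
        value = meta.get("labels", {}).get(LABEL_KEY)
        if value is None:
            unlabelled.append(ref)  # a binding nobody has mapped to a control yet
        else:
            by_control.setdefault(label_value_to_control(value), []).append(ref)
    return {"by_control": by_control, "unlabelled": unlabelled}

# Constructed sample standing in for `kubectl get iampartialpolicy -A -o json`.
SAMPLE_KUBECTL_JSON = json.dumps({"kind": "List", "items": [
    {"kind": "IAMPartialPolicy", "metadata": {
        "name": "platform-and-component-log-bucket-writer-permissions",
        "namespace": "projects",
        "labels": {LABEL_KEY: control_to_label_value("AC-3(7)")}}},
    {"kind": "IAMPartialPolicy", "metadata": {
        "name": "unlabelled-binding", "namespace": "projects"}},
]})

if __name__ == "__main__":
    print(json.dumps(inventory(SAMPLE_KUBECTL_JSON), indent=2))
```

The `unlabelled` list is the useful part for a compliance-as-code check: any binding in a policy namespace that carries no control label is a gap in the mapping.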