GoogleCloudPlatform / pubsec-declarative-toolkit

The GCP PubSec Declarative Toolkit is a collection of declarative solutions to help you on your Journey to Google Cloud. Solutions are designed using Config Connector and deployed using Config Controller.
Apache License 2.0

Implement annotations or labels for security controls on resources #301

Open davelanglois-ssc opened 1 year ago

davelanglois-ssc commented 1 year ago
For the controls, do we want to list them as a metadata annotation or label so that they are more easily discovered in cluster and/or the GCP UI?

_Originally posted by @cartyc in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/pull/283#discussion_r1124528035_

fmichaelobrien commented 1 year ago

Assist ongoing work to annotation/label/tag security controls both in comments and selectable/reportable labels as part of general compliance and the upcoming Compliance as Code integration

example comments AC-3(7) https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/landing-zone-v2/namespaces/policies.yaml#L29 https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/gh258-feat-hub-perimeter-project/solutions/project/hub-env/securitycontrols.md#technical-controls---p1

Older ATO TB 31 controls subset incorporated in both LZ's https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/docs/google-cloud-security-controls.md#mandatory-security-controls-list

example labels (Guardrails) https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/guardrails/configs/org-policies/org-policies.yaml#L61

```yaml
guardrail-enforced: guardrail-09
```
cartyc commented 1 year ago

Wanted to add an example and borrowed some code from PR #302

```yaml
# Logs Bucket writer IAM permissions for the platform and component log sink
# Binds the generated writer identity from the LoggingLogSink to the logging project
# AC-3(7) - Write access to the logging buckets is limited by IAM to just the identities of the log sinks configured to send logs to the buckets (set at the logging project level)
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
  name: platform-and-component-log-bucket-writer-permissions
  namespace: projects
  labels:
    security-controls: "AC-3(7)"
  annotations:
    config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-prj-id} # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-prj-id}
spec:
  resourceRef:
    kind: Project
    name: projects/logging-prj-id # kpt-set: ${logging-prj-id}
    namespace: projects
  # AC-3(7) ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL
  bindings:
    - role: roles/logging.bucketWriter
      members:
        - memberFrom:
            logSinkRef:
              name: platform-and-component-log-sink
              namespace: logging
```

Having this label (or annotation) would allow for the easier discovery of resources that support a security control in the CLI or in the GCP UI.

i.e. `kubectl get IAMPartialPolicy --show-labels | grep security-controls` would return any of the IAMPartialPolicy objects that carry the target label.
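As an added example (not code from the toolkit or from anyone in this thread), the script below performs the discovery the comments describe, but over the JSON that `kubectl get iampartialpolicy,logginglogsink,project -A -o json` prints (or over a rendered manifest List before apply, which is where a Compliance-as-Code check would run it). It assumes the `security-controls` label key from the example above, plus an annotation with the same key holding the exact control IDs (an assumed convention, not one the toolkit defines). Two caveats it enforces: a Kubernetes label value must be at most 63 characters, begin and end with an alphanumeric, and use only `-`, `_` and `.` in between, so `AC-3(7)` is rejected by the API server as a label value even though it is fine as an annotation value; and GCP resource labels, which Config Connector mirrors from the Kubernetes labels on resource kinds that support labels, allow only lowercase letters, digits, `-` and `_`. The script therefore keeps the canonical ID in the annotation, derives a label-safe form such as `ac-3-7` for the label, and lints values that break either rule. The sample objects are constructed for the example.

```python
"""Report and lint security-control labels on Config Connector resources.

Input: the JSON from `kubectl get <kinds> -A -o json` (a List with .items), or a
rendered manifest List produced before apply. Added example for this issue; not
part of pubsec-declarative-toolkit.
"""
import json
import re
import sys
from collections import defaultdict

LABEL_KEY = "security-controls"        # label key used in the issue's example
ANNOTATION_KEY = "security-controls"   # assumed annotation key carrying the exact IDs

# Kubernetes label-value rule (apimachinery IsValidLabelValue): <= 63 chars,
# empty or alphanumeric at both ends, with '-', '_' and '.' allowed inside.
K8S_LABEL_VALUE_RE = re.compile(r"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$")
# GCP resource-label value rule: lowercase letters, digits, '_' and '-', <= 63 chars.
GCP_LABEL_VALUE_RE = re.compile(r"^[a-z0-9_-]{0,63}$")


def is_valid_k8s_label_value(value: str) -> bool:
    return len(value) <= 63 and K8S_LABEL_VALUE_RE.match(value) is not None


def is_valid_gcp_label_value(value: str) -> bool:
    return GCP_LABEL_VALUE_RE.match(value) is not None


def normalize_control_id(control: str) -> str:
    """'AC-3(7)' -> 'ac-3-7': legal for both Kubernetes and GCP label values."""
    return re.sub(r"[^A-Za-z0-9]+", "-", control).strip("-").lower()


def resource_id(obj: dict) -> str:
    meta = obj.get("metadata", {})
    return f"{meta.get('namespace', '')}/{obj.get('kind', '?')}/{meta.get('name', '?')}"


def controls_for(obj: dict) -> list:
    """Canonical IDs for one object: the annotation (comma separated) wins,
    otherwise the single label value."""
    meta = obj.get("metadata", {})
    ann = meta.get("annotations", {}).get(ANNOTATION_KEY)
    if ann:
        return [c.strip() for c in ann.split(",") if c.strip()]
    label = meta.get("labels", {}).get(LABEL_KEY)
    return [label] if label else []


def controls_report(items: list) -> dict:
    """{'by_control': {control: [resource ids]}, 'uncovered': [resource ids]}"""
    by_control = defaultdict(list)
    uncovered = []
    for obj in items:
        controls = controls_for(obj)
        if not controls:
            uncovered.append(resource_id(obj))
        for control in controls:
            by_control[control].append(resource_id(obj))
    return {"by_control": dict(by_control), "uncovered": uncovered}


def lint_labels(items: list) -> list:
    """(resource id, reason) for label values the API server or GCP would reject."""
    findings = []
    for obj in items:
        value = obj.get("metadata", {}).get("labels", {}).get(LABEL_KEY)
        if value is None:
            continue
        fix = normalize_control_id(value)
        if not is_valid_k8s_label_value(value):
            findings.append((resource_id(obj), f"{value!r} is not a valid Kubernetes label value; use {fix!r}"))
        elif not is_valid_gcp_label_value(value):
            findings.append((resource_id(obj), f"{value!r} is not a valid GCP label value, so it cannot be mirrored to the GCP resource; use {fix!r}"))
    return findings


SAMPLE_LIST = {  # constructed sample, shaped like `kubectl get ... -A -o json`
    "items": [
        {"apiVersion": "iam.cnrm.cloud.google.com/v1beta1", "kind": "IAMPartialPolicy",
         "metadata": {"name": "platform-and-component-log-bucket-writer-permissions",
                      "namespace": "projects", "labels": {LABEL_KEY: "ac-3-7"},
                      "annotations": {ANNOTATION_KEY: "AC-3(7)"}}},
        {"apiVersion": "logging.cnrm.cloud.google.com/v1beta1", "kind": "LoggingLogSink",
         "metadata": {"name": "platform-and-component-log-sink", "namespace": "logging",
                      "labels": {LABEL_KEY: "au-9"},
                      "annotations": {ANNOTATION_KEY: "AU-9, AU-9(2)"}}},
        {"apiVersion": "resourcemanager.cnrm.cloud.google.com/v1beta1", "kind": "Project",
         "metadata": {"name": "logging-prj-id", "namespace": "projects", "labels": {}}},
        {"apiVersion": "iam.cnrm.cloud.google.com/v1beta1", "kind": "IAMPartialPolicy",
         "metadata": {"name": "bad-label-example", "namespace": "projects",
                      "labels": {LABEL_KEY: "AC-3(7)"}}},   # the API server rejects this value
    ]
}


def main() -> None:
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    data = json.loads(raw) if raw.strip() else SAMPLE_LIST
    report = controls_report(data["items"])
    for control, ids in sorted(report["by_control"].items()):
        print(f"{control}: {', '.join(ids)}")
    for rid in report["uncovered"]:
        print(f"no security control recorded: {rid}")
    for rid, reason in lint_labels(data["items"]):
        print(f"LINT {rid}: {reason}")


if __name__ == "__main__":
    main()
```

Run it with no stdin to see the constructed sample, or pipe `kubectl get ... -o json` into it. Once the label holds the normalized form, the idiomatic in-cluster query is a label selector rather than grep, e.g. `kubectl get iampartialpolicy -A -l security-controls=ac-3-7`; the annotation keeps the exact `AC-3(7)` text for reports.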