GoogleCloudPlatform / pubsec-declarative-toolkit

The GCP PubSec Declarative Toolkit is a collection of declarative solutions to help you on your Journey to Google Cloud. Solutions are designed using Config Connector and deployed using Config Controller.
Apache License 2.0

Add automation script to export security control annotations into a set of bidirectional code-control, services-control mappings - for compliance - example: ComputeFirewallPolicy maps to AC-3(9), AC-4... #560

Open fmichaelobrien opened 1 year ago

fmichaelobrien commented 1 year ago

see https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/151

expanding... see for example ComputeFirewallPolicy mapping to AC-3(9)...

https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/client-landing-zone/client-folder/firewall-policy/policy.yaml#L22

```yaml
# Client Compute Firewall Policy to folder client-folder
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewallPolicy
```

and annotation based - thanks Dave https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/dde8eb702b65b0a72866685529f42b3512897f68/solutions/guardrails-policies/09-network-security-services/template.yaml#L22

```yaml
kind: ConstraintTemplate
metadata:
  name: limitegresstraffic
  annotations:
    description: Establish external and internal network perimeters and monitor network traffic.
    reference: https://github.com/canada-ca/cloud-guardrails/blob/master/EN/09_Network-Security-Services.md
    related-security-controls: AC-3, AC‑4, SC-5, SC‑7, SC‑7(5), SI-3, SI-3(7), SI-4
```

TODO: Dynamic version - integration as a KRM resource that keys off KCC/K8S deployment changes
TODO: offline version - parse the code/annotations using a yaml parser
TODO: online hosted version - d3js.org based or mermaid in-line-repo markup (generated) in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/wiki/Security_Controls
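
The offline version from the TODO list above (read the control IDs out of YAML comments and `related-security-controls` annotations and emit bidirectional code-to-control and control-to-code maps), as an added example that is not the toolkit's own script. It uses a line scanner instead of a YAML library so it runs without PyYAML; the NIST SP 800-53 family prefix list is assumed, and the sample YAML (including the firewall policy name `client-folder-fw-policy`) is constructed from the two snippets quoted in this issue.

```python
import re

# NIST SP 800-53 family prefixes (assumed list); matches e.g. AC-4 or SC-7(5)
CONTROL_RE = re.compile(r"\b(?:AC|AT|AU|CA|CM|CP|IA|IR|MA|MP|PE|PL|PM|PS|PT|RA|SA|SC|SI|SR)-\d+(?:\(\d+\))?")

def extract_controls(text):
    """Control IDs in a comment line or annotation value; Unicode dashes (the annotation uses U+2011) fold to '-'."""
    return set(CONTROL_RE.findall(re.sub("[\u2010-\u2015]", "-", text)))

def parse_resources(source):
    """Line scanner over multi-document KRM YAML (no PyYAML); first 'kind:'/'name:' keys give kind and metadata.name."""
    resources = []
    for doc in re.split(r"^---[ \t]*$", source, flags=re.M):
        cur = {"kind": None, "name": None, "controls": set()}
        for line in map(str.strip, doc.splitlines()):
            if line.startswith("#"):
                cur["controls"] |= extract_controls(line)
                continue
            key, _, value = (s.strip() for s in line.partition(":"))
            if key in ("kind", "name") and cur[key] is None:
                cur[key] = value
            elif key == "related-security-controls":
                cur["controls"] |= extract_controls(value)
        if cur["kind"]:  # skips empty documents, e.g. from a leading '---'
            resources.append(cur)
    return resources

def build_mappings(resources):
    """Bidirectional maps: 'Kind/name' -> sorted controls, and control -> sorted 'Kind/name' list."""
    code_to_controls, control_to_code = {}, {}
    for r in resources:
        code = f"{r['kind']}/{r['name']}"
        code_to_controls[code] = sorted(r["controls"])
        for control in r["controls"]:
            control_to_code.setdefault(control, set()).add(code)
    return code_to_controls, {c: sorted(v) for c, v in sorted(control_to_code.items())}

# Constructed sample from the two snippets in this issue; the firewall policy name is made up.
SAMPLE_YAML = """\
# AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - connections allowed/denied via firewall rules
kind: ComputeFirewallPolicy
metadata:
  name: client-folder-fw-policy
---
kind: ConstraintTemplate
metadata:
  name: limitegresstraffic
  annotations:
    related-security-controls: AC-3, AC\u20114, SC-5, SC\u20117, SC\u20117(5), SI-3, SI-3(7), SI-4
"""
```

The `related-security-controls` value quoted above contains U+2011 non-breaking hyphens in AC‑4 and SC‑7, so a matcher that only looks for an ASCII '-' silently drops those controls from the mapping; that is why the example folds Unicode dashes before matching.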

davelanglois-ssc commented 1 year ago

Just so you know, we have a script underway. We will include you in the demo when it's ready.

fmichaelobrien commented 1 year ago

Thanks Dave as usual. I'll look for the work item in the issue list.

We will need automated security control mappings on top of screencap evidence for at least 2 other ATOs - ideally we inherit from the first

obriensystems commented 1 year ago

Example visuals for extract and/or live compliance dashboard

d3js.org based or mermaid in-line-repo markup (generated) in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/wiki/Security_Controls

https://observablehq.com/@kerryrodden/sequences-sunburst
https://d3js.org/
https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/docs/google-cloud-security-controls.md#controls-coverage
https://mermaid.js.org/#/flowchart?id=graph

See exercise at compliance dashboard and automated security control mapping extract - so we don't have to manually create one of these

[Screenshot 2023-11-12 at 19:21:57]

or the wiki based editing of

[Screenshot 2023-11-12 at 19:24:11]

obriensystems commented 11 months ago

Input

Output dynamic

Method

obriensystems commented 11 months ago

Review of generated * securitycontrols.md - some are missing

Controls to Code Mappings

(From generated source)

(From yaml comments)

(From KRM tagging)

fmichaelobrien commented 9 months ago

Received internal inventory*.py script - running some reverse engineering on the k8s yaml and will advise - thank you