canada-ca / cloud-guardrails-gcp

Recommended configuration guidance for Google Cloud Platform / Conseils de configuration recommandés pour Platforme infonuagique de Google
Other
22 stars 14 forks source link

GC Cloud Guardrails Checks for Google Cloud Platform

This repository will provide the tools required to validate the minimum guardrails for the GC Cloud Operationalization Framework for Google Cloud Platform

GC Guardrails

The following tables contains the list of Cloud Guardrails that will be by followed by the accelerator templates and validated by the GC Guardrails tool.

Guardrail Description Enforcement Link
01 Protect Root / Global Admins Account Protect root or master account used to establish the cloud service. Doc link
02 Management of Administrative Privileges Establish access control policies and procedures for management of administrative privileges Doc link
03 Cloud Console Access Limit access to GC managed devices and authorized users. Doc link
04 Enterprise Monitoring Accounts Create role-based account to enable enterprise monitoring and visibility. Rego link
05 Data Location Establish policies to restrict GC sensitive workloads to approved geographic locations. Rego link
06 Protection of Data-At-Rest Protect data at rest by default (e.g. storage) for cloud-based workloads. Doc link
07 Protection of Data-In-Transit Protect data transiting networks through the use of appropriate encryption and network safeguards. Doc link
08 Segment and Separate Segment and separate information based on sensitivity of information. Rego link
09 Network Security Services Establish external and internal network perimeters and monitor network traffic. Rego Link
10 Cyber Defence Services Establish MOU for defensive services and threat monitoring protection services. MOU
11 Logging and Monitoring Enable logging for the cloud environment and for cloud-based workloads. Rego Link
12 Configuration of Cloud Marketplaces Configuration of Cloud Market Places Rego Link

GC Guardrails Accelerator Templates

Accellerator templates to be used with bootstrapping new environments to comply with the above guardrails can be found in the following repository: gc guardrails accelerator gcp

GC Guardrails Validation

Makes use of Open Policy Agent and GCP's Asset Invetory API to validate compliance of deployed resources.

See documentation