This repository will provide the tools required to validate the minimum guardrails for the GC Cloud Operationalization Framework for Google Cloud Platform
The following tables contains the list of Cloud Guardrails that will be by followed by the accelerator templates and validated by the GC Guardrails tool.
Guardrail | Description | Enforcement | Link |
---|---|---|---|
01 Protect Root / Global Admins Account | Protect root or master account used to establish the cloud service. | Doc | link |
02 Management of Administrative Privileges | Establish access control policies and procedures for management of administrative privileges | Doc | link |
03 Cloud Console Access | Limit access to GC managed devices and authorized users. | Doc | link |
04 Enterprise Monitoring Accounts | Create role-based account to enable enterprise monitoring and visibility. | Rego | link |
05 Data Location | Establish policies to restrict GC sensitive workloads to approved geographic locations. | Rego | link |
06 Protection of Data-At-Rest | Protect data at rest by default (e.g. storage) for cloud-based workloads. | Doc | link |
07 Protection of Data-In-Transit | Protect data transiting networks through the use of appropriate encryption and network safeguards. | Doc | link |
08 Segment and Separate | Segment and separate information based on sensitivity of information. | Rego | link |
09 Network Security Services | Establish external and internal network perimeters and monitor network traffic. | Rego | Link |
10 Cyber Defence Services | Establish MOU for defensive services and threat monitoring protection services. | MOU | |
11 Logging and Monitoring | Enable logging for the cloud environment and for cloud-based workloads. | Rego | Link |
12 Configuration of Cloud Marketplaces | Configuration of Cloud Market Places | Rego | Link |
Accellerator templates to be used with bootstrapping new environments to comply with the above guardrails can be found in the following repository: gc guardrails accelerator gcp
Makes use of Open Policy Agent and GCP's Asset Invetory API to validate compliance of deployed resources.
See documentation