ssc-spc-ccoe-cei / azure-guardrails-solution-accelerator

This implementation automates reporting to verify compliance with GC Cloud Guardrails. SSC and TBS review the results.

Multi-Cloud Usage Profile Integration into Azure Compliance as Code #136

Closed MathesonSho closed 1 week ago

MathesonSho commented 3 months ago

**Is your feature request related to a problem? Please describe.**
The current solution takes the config.json input for "cloudUsageProfiles" as a string and does not incorporate this value into the Compliance as Code analysis/compliance status. It selects the default value, which is the highest; i.e., for "cloudUsageProfiles" = 1.4.5 the default value would be 5.

**Describe the solution you'd like**
The solution evaluates the resources according to the profile identified by the client and assigns an appropriate compliance status. Applicable Cloud Usage Profile information: Section 4.2, https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32787

For example:

[image]

Dashboard Result: The solution's dashboard now has a dynamic Cloud Usage Profile column and evaluates controls accordingly.

Updated Diagram Result

**Describe alternatives you've considered**

| Aspect | Option 1 | Option 2 |
| -- | -- | -- |
| Description | The client specifies non-default Cloud Usage Profile resources in a .txt file uploaded to the storage account (or provided during the installation procedure). The solution checks for the existence of the specified file/information, identifies resources based on their profile, and evaluates them accordingly. Tenant profile information will be collected and reported as needed. | Clients don't need to tag resources before installation. If they have resources with a different profile than the default, they can add a tag to those resources. This allows the code to identify which resources need compliance checks. Tags function similarly to the gr8-exemption: if a tag exists, it indicates the resource's profile, allowing for appropriate assessment instead of skipping or ignoring it. The CaC dashboard will display tag information for resources, indicating either the default or the specific tag associated with each resource. |
| Resource Identification | Based on information in the specified attestation.txt file, or based on information in another JSON file (Cloud.json). | Based on tags added by clients. |
| Assessment Approach | File-based assessment. | Tag-based assessment. |
| Reporting | Tag information displayed in the CaC dashboard. | Tag information displayed in the CaC dashboard. |

Also considered the following: 3. scoping the client view of compliance per Cloud Usage Profile, and 4. an exclusion list of resources.

**Additional context**
Reach out for access to the OneNote for additional context/information as needed.
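As an added illustration of the tag-based option (Option 2) described in the issue, the PowerShell sketch below is not code from the accelerator; it shows one way to parse the dotted "cloudUsageProfiles" string from config.json into a list of profiles, resolve a per-resource profile from a tag with the tenant's highest declared profile as the fallback (the default behaviour the issue describes), and decide whether a given control applies to that resource. The tag name `CloudUsageProfile`, the valid profile range 1 to 6, the control-to-profile mapping, and the sample resources are all assumptions made for this example.

```powershell
# Added example, not part of the azure-guardrails-solution-accelerator project.
# Assumptions: profiles are integers 1..6; per-resource overrides live in a tag
# named CloudUsageProfile; each control declares the profiles it applies to.

function ConvertFrom-CloudUsageProfileString {
    # Turns the config.json value "1.4.5" into @(1, 4, 5). Rejects anything that
    # is not a single digit 1-6 so a malformed config fails loudly instead of
    # silently collapsing to the highest profile.
    param([Parameter(Mandatory)][string]$ProfileString)
    $profiles = @()
    foreach ($part in ($ProfileString -split '[.,;]')) {
        $trimmed = $part.Trim()
        if ($trimmed -match '^[1-6]$') { $profiles += [int]$trimmed }
        else { throw "Invalid cloud usage profile '$trimmed' in '$ProfileString'" }
    }
    return @($profiles | Sort-Object -Unique)
}

function Get-ResourceCloudUsageProfile {
    # Resolves the profile for one resource. Untagged resources get the tenant's
    # highest declared profile; a tag value outside the declared profiles is
    # treated as invalid and falls back to that default with a warning.
    param(
        [Parameter(Mandatory)]$Resource,
        [Parameter(Mandatory)][int[]]$TenantProfiles,
        [string]$TagName = 'CloudUsageProfile'   # assumed tag name
    )
    $default = [int]($TenantProfiles | Measure-Object -Maximum).Maximum
    if ($Resource.Tags -and $Resource.Tags.ContainsKey($TagName)) {
        $tagValue = [string]$Resource.Tags[$TagName]
        if ($tagValue -match '^[1-6]$' -and ([int]$tagValue) -in $TenantProfiles) {
            return [int]$tagValue
        }
        Write-Warning "Resource '$($Resource.Name)' has tag $TagName='$tagValue' outside declared profiles $($TenantProfiles -join ','); using default $default"
    }
    return $default
}

function Test-ControlApplies {
    # A control is evaluated for a resource only when the resource's profile is
    # one of the profiles the control targets.
    param([Parameter(Mandatory)][int[]]$ControlProfiles, [Parameter(Mandatory)][int]$ResourceProfile)
    return ($ResourceProfile -in $ControlProfiles)
}

# --- Constructed sample data (not real tenant data) ---
$tenantProfiles = ConvertFrom-CloudUsageProfileString -ProfileString '1.4.5'

$resources = @(
    [pscustomobject]@{ Name = 'stlogs01';    Tags = @{} },                             # untagged -> default 5
    [pscustomobject]@{ Name = 'vm-dev-01';   Tags = @{ CloudUsageProfile = '1' } },    # tagged profile 1
    [pscustomobject]@{ Name = 'sql-prod-01'; Tags = @{ CloudUsageProfile = '6' } }     # 6 not declared -> default 5
)

# Assumed control-to-profile mapping for the demonstration only.
$controls = @(
    [pscustomobject]@{ Id = 'CTRL-A'; Profiles = @(4, 5, 6) },
    [pscustomobject]@{ Id = 'CTRL-B'; Profiles = @(1, 2, 3, 4, 5, 6) }
)

foreach ($r in $resources) {
    $p = Get-ResourceCloudUsageProfile -Resource $r -TenantProfiles $tenantProfiles
    foreach ($c in $controls) {
        [pscustomobject]@{
            Resource          = $r.Name
            CloudUsageProfile = $p
            Control           = $c.Id
            Evaluated         = Test-ControlApplies -ControlProfiles $c.Profiles -ResourceProfile $p
        }
    }
} | Format-Table -AutoSize
```

Because the profile column is computed per resource rather than read once as a string, the same value can be written to the dashboard row for each resource, which is the dynamic column the issue asks for. Rejecting tag values that are not in the tenant's declared profile list keeps a stray tag from silently lowering the bar below what the tenant actually attested to.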