Resource Type: GCP > Project > Policy

Resource Context

Policy is a part of the Project service.

Each Policy lives under a Project.

Controls

The primary controls for GCP > Project > Policy are:

• CMDB
• Discovery
• ServiceNow
• Trusted Access

It is also targeted by these controls:

• GCP > CIS v1 > 1 Identity and Access Management > 1.01 Ensure that corporate login credentials are used instead of Gmail accounts (Scored)
• GCP > CIS v1 > 1 Identity and Access Management > 1.04 Ensure that ServiceAccount has no Admin privileges (Scored)
• GCP > CIS v1 > 1 Identity and Access Management > 1.05 Ensure that IAM users are not assigned Service Account User role at project level (Scored)
• GCP > CIS v1 > 1 Identity and Access Management > 1.07 Ensure that Separation of duties is enforced while assigning service account related roles to users (Not Scored)
• GCP > CIS v1 > 1 Identity and Access Management > 1.09 Ensure that Separation of duties is enforced while assigning KMS related roles to users (Scored)
• GCP > CIS v1 > 2 Logging and Monitoring > 2.01 Ensure that Cloud Audit Logging is configured properly across all services and all users from a project (Scored)
• GCP > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used
• GCP > CIS v2.0 > 1 - Identity and Access Management > 1.05 - Ensure That Service Account Has No Admin Privileges
• GCP > CIS v2.0 > 1 - Identity and Access Management > 1.06 - Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level
• GCP > CIS v2.0 > 1 - Identity and Access Management > 1.08 - Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users
• GCP > CIS v2.0 > 1 - Identity and Access Management > 1.11 - Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users
• GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.01 - Ensure That Cloud Audit Logging Is Configured Properly

Category

• IAM

In Your Workspace

• Controls by Resource Type report
• Policy Settings by Resource Type report
• Resources by Resource Type report

Developers

Resource Type URI

tmod:@turbot/gcp-iam#/resource/types/projectIamPolicy

Category URI

tmod:@turbot/turbot#/resource/categories/iam

GraphQL

query resource(id: "tmod:@turbot/gcp-iam#/resource/types/projectIamPolicy") { … }

query resourceActivities(filter: "resourceId:'tmod:@turbot/gcp-iam#/resource/types/projectIamPolicy'") { … }

mutation createResource(input: { … })

mutation updateResource(input: { … })

CLI

Get Resource

turbot graphql resource --id "tmod:@turbot/gcp-iam#/resource/types/projectIamPolicy"

Steampipe Query

Get Resource

select * from guardrails_resource where resource_type_uri = 'tmod:@turbot/gcp-iam#/resource/types/projectIamPolicy';

Get Policy Settings (By Resource ID)

select * from guardrails_policy_setting where filter = 'resourceTypeId:"tmod:@turbot/gcp-iam#/resource/types/projectIamPolicy"';

Get Resource Notification

select * from guardrails_notification where resource_type_uri = 'tmod:@turbot/gcp-iam#/resource/types/projectIamPolicy' and notification_type in ('resource_updated', 'resource_created');