Policy Packs

guardrails-samples

This section covers recommendations addressing Identity and Access Management on Google Cloud Platform.

GCP CIS v2.0.0 - Section 1 - Identity and Access Management

main

gcp_dataproc_cluster_approved

Determine the action to take when a GCP Dataproc cluster is not approved based on `GCP &gt; Dataproc &gt; Cluster &gt; Approved &gt; *` policies.&#92;n&#92;nThe Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.&#92;n&#92;nFor any enforcement actions that specify `if new`, e.g., `Enforce: Delete unapproved if new`, this control will only take the enforcement actions for resources created within the last 60 minutes.&#92;n&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n

clusterApproved

GCP > Dataproc > Cluster > Approved

gcp_dataproc_cluster_approved_custom

Determine whether the GCP Dataproc cluster is allowed to exist.&#92;nThis policy will be evaluated by the Approved control. If a GCP Dataproc cluster is not approved, it will be subject to the action specified in the `GCP &gt; Dataproc &gt; Cluster &gt; Approved` policy.&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n&#92;n**Note**: The policy value must be a string with a value of `Approved`, `Not approved` or `Skip`, or in the form of YAML objects. The object(s) must contain the key `result` with its value as `Approved` or `Not approved`. A custom title and message can also be added using the keys `title` and `message` respectively.&#92;n

clusterApprovedCustom

GCP > Dataproc > Cluster > Approved > Custom

gcp_iam_api_key_active

Determine the action to take when an GCP IAM api key, based on the `GCP &gt; IAM &gt; API Key &gt; Active &gt; *` policies.&#92;n&#92;nThe control determines whether the resource is in active use, and if not,&#92;nhas the ability to delete / cleanup the resource. When running an automated&#92;ncompliance environment, it&#39;s common to end up with a wide range of alarms&#92;nthat are difficult and time consuming to clear. The Active control brings&#92;nautomated, well-defined control to this process.&#92;n&#92;nThe Active control checks the status of all defined Active policies for the&#92;nresource (`GCP &gt; IAM &gt; API Key &gt; Active &gt; *`), raises an alarm, and takes the defined enforcement&#92;naction. Each Active sub-policy can calculate a status of active, inactive&#92;nor skipped. Generally, if the resource appears to be Active for any reason&#92;nit will be considered Active.&#92;n**Note** the contrast with Approved, where if the&#92;nresource appears to be Unapproved for any reason it will be considered&#92;nUnapproved.&#92;n&#92;nSee [Active](https://turbot.com/guardrails/docs/concepts/guardrails/active) for more information.&#92;n

apiKeyActive

GCP > IAM > API Key > Active

gcp_iam_api_key_active_age

The age after which the GCP IAM api key&#92;nis no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.&#92;n&#92;nThe [Active](https://turbot.com/guardrails/docs/concepts/guardrails/active)&#92;ncontrol determines whether the resource is in active use, and if not, has&#92;nthe ability to delete / cleanup the resource. When running an automated&#92;ncompliance environment, it&#39;s common to end up with a wide range of alarms&#92;nthat are difficult and time consuming to clear. The Active control brings&#92;nautomated, well-defined control to this process.&#92;n&#92;nThe Active control checks the status of all defined Active policies for the&#92;nresource (`GCP &gt; IAM &gt; API Key &gt; Active &gt; *`),&#92;nraises an alarm, and takes the defined enforcement action. Each Active&#92;nsub-policy can calculate a status of active, inactive or skipped. Generally,&#92;nif the resource appears to be Active for any reason it will be considered Active.&#92;n**Note** the contrast with Approved, where if the resource appears to be Unapproved&#92;nfor any reason it will be considered Unapproved.&#92;n&#92;nSee [Active](https://turbot.com/guardrails/docs/concepts/guardrails/active) for more information.&#92;n

apiKeyActiveAge

GCP > IAM > API Key > Active > Age

gcp_iam_api_key_approved

Determine the action to take when a GCP IAM api key is not approved based on `GCP &gt; IAM &gt; API Key &gt; Approved &gt; *` policies.&#92;n&#92;nThe Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.&#92;n&#92;nFor any enforcement actions that specify `if new`, e.g., `Enforce: Delete unapproved if new`, this control will only take the enforcement actions for resources created within the last 60 minutes.&#92;n&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n

apiKeyApproved

GCP > IAM > API Key > Approved

gcp_iam_api_key_approved_custom

Determine whether the GCP IAM api key is allowed to exist.&#92;nThis policy will be evaluated by the Approved control. If a GCP IAM api key is not approved, it will be subject to the action specified in the `GCP &gt; IAM &gt; API Key &gt; Approved` policy.&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n&#92;n**Note**: The policy value must be a string with a value of `Approved`, `Not approved` or `Skip`, or in the form of YAML objects. The object(s) must contain the key `result` with its value as `Approved` or `Not approved`. A custom title and message can also be added using the keys `title` and `message` respectively.&#92;n

apiKeyApprovedCustom

GCP > IAM > API Key > Approved > Custom

gcp_iam_project_user_approved

Determine the action to take when a GCP IAM project user is not approved based on `GCP &gt; IAM &gt; Project User &gt; Approved &gt; *` policies.&#92;n&#92;nThe Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.&#92;n&#92;nFor any enforcement actions that specify `if new`, e.g., `Enforce: Delete unapproved if new`, this control will only take the enforcement actions for resources created within the last 60 minutes.&#92;n&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n

projectUserApproved

GCP > IAM > Project User > Approved

gcp_iam_project_user_approved_custom

Determine whether the GCP IAM project user is allowed to exist.&#92;nThis policy will be evaluated by the Approved control. If a GCP IAM project user is not approved, it will be subject to the action specified in the `GCP &gt; IAM &gt; Project User &gt; Approved` policy.&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n&#92;n**Note**: The policy value must be a string with a value of `Approved`, `Not approved` or `Skip`, or in the form of YAML objects. The object(s) must contain the key `result` with its value as `Approved` or `Not approved`. A custom title and message can also be added using the keys `title` and `message` respectively.&#92;n

projectUserApprovedCustom

GCP > IAM > Project User > Approved > Custom

gcp_iam_service_account_active_age

The age after which the GCP IAM service account key&#92;nis no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.&#92;n&#92;nThe [Active](https://turbot.com/guardrails/docs/concepts/guardrails/active)&#92;ncontrol determines whether the resource is in active use, and if not, has&#92;nthe ability to delete / cleanup the resource. When running an automated&#92;ncompliance environment, it&#39;s common to end up with a wide range of alarms&#92;nthat are difficult and time consuming to clear. The Active control brings&#92;nautomated, well-defined control to this process.&#92;n&#92;nThe Active control checks the status of all defined Active policies for the&#92;nresource (`GCP &gt; IAM &gt; Service Account Key &gt; Active &gt; *`),&#92;nraises an alarm, and takes the defined enforcement action. Each Active&#92;nsub-policy can calculate a status of active, inactive or skipped. Generally,&#92;nif the resource appears to be Active for any reason it will be considered Active.&#92;n**Note** the contrast with Approved, where if the resource appears to be Unapproved&#92;nfor any reason it will be considered Unapproved.&#92;n&#92;nSee [Active](https://turbot.com/guardrails/docs/concepts/guardrails/active) for more information.&#92;n

serviceAccountKeyActiveAge

GCP > IAM > Service Account Key > Active > Age

gcp_iam_service_account_approved

Determine the action to take when a GCP IAM service account is not approved based on `GCP &gt; IAM &gt; Service Account &gt; Approved &gt; *` policies.&#92;n&#92;nThe Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.&#92;n&#92;nFor any enforcement actions that specify `if new`, e.g., `Enforce: Delete unapproved if new`, this control will only take the enforcement actions for resources created within the last 60 minutes.&#92;n&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n

serviceAccountApproved

GCP > IAM > Service Account > Approved

gcp_iam_service_account_approved_custom

Determine whether the GCP IAM service account is allowed to exist.&#92;nThis policy will be evaluated by the Approved control. If a GCP IAM service account is not approved, it will be subject to the action specified in the `GCP &gt; IAM &gt; Service Account &gt; Approved` policy.&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n&#92;n**Note**: The policy value must be a string with a value of `Approved`, `Not approved` or `Skip`, or in the form of YAML objects. The object(s) must contain the key `result` with its value as `Approved` or `Not approved`. A custom title and message can also be added using the keys `title` and `message` respectively.&#92;n

serviceAccountApprovedCustom

GCP > IAM > Service Account > Approved > Custom

gcp_iam_service_account_key_active

Determine the action to take when an GCP IAM service account key, based on the `GCP &gt; IAM &gt; Service Account Key &gt; Active &gt; *` policies.&#92;n&#92;nThe control determines whether the resource is in active use, and if not,&#92;nhas the ability to delete / cleanup the resource. When running an automated&#92;ncompliance environment, it&#39;s common to end up with a wide range of alarms&#92;nthat are difficult and time consuming to clear. The Active control brings&#92;nautomated, well-defined control to this process.&#92;n&#92;nThe Active control checks the status of all defined Active policies for the&#92;nresource (`GCP &gt; IAM &gt; Service Account Key &gt; Active &gt; *`), raises an alarm, and takes the defined enforcement&#92;naction. Each Active sub-policy can calculate a status of active, inactive&#92;nor skipped. Generally, if the resource appears to be Active for any reason&#92;nit will be considered Active.&#92;n**Note** the contrast with Approved, where if the&#92;nresource appears to be Unapproved for any reason it will be considered&#92;nUnapproved.&#92;n&#92;nSee [Active](https://turbot.com/guardrails/docs/concepts/guardrails/active) for more information.&#92;n

serviceAccountKeyActive

GCP > IAM > Service Account Key > Active

gcp_iam_service_account_key_approved

Determine the action to take when a GCP IAM service account key is not approved based on `GCP &gt; IAM &gt; Service Account Key &gt; Approved &gt; *` policies.&#92;n&#92;nThe Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.&#92;n&#92;nFor any enforcement actions that specify `if new`, e.g., `Enforce: Delete unapproved if new`, this control will only take the enforcement actions for resources created within the last 60 minutes.&#92;n&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n

serviceAccountKeyApproved

GCP > IAM > Service Account Key > Approved

gcp_iam_service_account_key_approved_custom

Determine whether the GCP IAM service account key is allowed to exist.&#92;nThis policy will be evaluated by the Approved control. If a GCP IAM service account key is not approved, it will be subject to the action specified in the `GCP &gt; IAM &gt; Service Account Key &gt; Approved` policy.&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n&#92;n**Note**: The policy value must be a string with a value of `Approved`, `Not approved` or `Skip`, or in the form of YAML objects. The object(s) must contain the key `result` with its value as `Approved` or `Not approved`. A custom title and message can also be added using the keys `title` and `message` respectively.&#92;n

serviceAccountKeyApprovedCustom

GCP > IAM > Service Account Key > Approved > Custom

gcp_kms_crypto_key_approved

Determine the action to take when a GCP KMS crypto key is not approved based on `GCP &gt; KMS &gt; Crypto Key &gt; Approved &gt; *` policies.&#92;n&#92;nThe Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.&#92;n&#92;nFor any enforcement actions that specify `if new`, e.g., `Enforce: Delete unapproved if new`, this control will only take the enforcement actions for resources created within the last 60 minutes.&#92;n&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n

cryptoKeyApproved

GCP > KMS > Crypto Key > Approved

gcp_kms_crypto_key_approved_custom

Determine whether the GCP KMS crypto key is allowed to exist.&#92;nThis policy will be evaluated by the Approved control. If a GCP KMS crypto key is not approved, it will be subject to the action specified in the `GCP &gt; KMS &gt; Crypto Key &gt; Approved` policy.&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n&#92;n**Note**: The policy value must be a string with a value of `Approved`, `Not approved` or `Skip`, or in the form of YAML objects. The object(s) must contain the key `result` with its value as `Approved` or `Not approved`. A custom title and message can also be added using the keys `title` and `message` respectively.&#92;n

cryptoKeyApprovedCustom

GCP > KMS > Crypto Key > Approved > Custom

gcp_kms_crypto_key_policy_trusted_access

Check or Enforce access checking on the GCP KMS Crypto Key policy.&#92;n&#92;nGoogle Cloud IAM allows you to control who has access to the&#92;nkms crypto key via an IAM Policy. The Trusted Access policy&#92;nallows you to configure whether Guardrails will evaluate or&#92;nenforce restrictions on which members are allowed to be granted&#92;naccess.&#92;n&#92;nIf enabled, the members in the IAM policy will be evaluated&#92;nagainst the list of allowed members in each of the Trusted&#92;nAccess sub-policies (Trusted Access &gt; Domains,&#92;nTrusted Access &gt; Groups, etc).&#92;n&#92;nIf set to &quot;Enforce: Trusted Access &gt; *&quot;, access to non-trusted&#92;nmembers will be removed.&#92;n

cryptoKeyPolicyTrustedAccess

GCP > KMS > Crypto Key > Policy > Trusted Access

gcp_kms_crypto_key_policy_trusted_access_all_authenticated

Determine whether public access may be granted on GCP KMS Crypto Key policy.&#92;nThis policy is used by the GCP &gt; KMS &gt; Crypto Key &gt; Policy &gt; Trusted Access&#92;ncontrol to determine whether grants to `allAuthenticatedUsers` is allowed.&#92;n

cryptoKeyPolicyTrustedAllAuthenticated

GCP > KMS > Crypto Key > Policy > Trusted Access > All Authenticated

gcp_kms_crypto_key_policy_trusted_access_all_users

Determine whether anonymous access may be granted on GCP KMS Crypto Key policy.&#92;nThis policy is used by the GCP &gt; KMS &gt; Crypto Key &gt; Policy &gt; Trusted Access&#92;ncontrol to determine whether grants to `allUsers` is allowed.&#92;n

cryptoKeyPolicyTrustedAllUsers

GCP > KMS > Crypto Key > Policy > Trusted Access > All Users

turbot_policy_setting.gcp_dataproc_cluster_approved

turbot_policy_setting.gcp_dataproc_cluster_approved_custom

turbot_policy_setting.gcp_iam_api_key_active

turbot_policy_setting.gcp_iam_api_key_active_age

turbot_policy_setting.gcp_iam_api_key_approved

turbot_policy_setting.gcp_iam_api_key_approved_custom

turbot_policy_setting.gcp_iam_project_user_approved

turbot_policy_setting.gcp_iam_project_user_approved_custom

turbot_policy_setting.gcp_iam_service_account_approved

turbot_policy_setting.gcp_iam_service_account_approved_custom

turbot_policy_setting.gcp_iam_service_account_key_active

turbot_policy_setting.gcp_iam_service_account_active_age

turbot_policy_setting.gcp_iam_service_account_key_approved

turbot_policy_setting.gcp_iam_service_account_key_approved_custom

turbot_policy_setting.gcp_kms_crypto_key_approved

turbot_policy_setting.gcp_kms_crypto_key_approved_custom

turbot_policy_setting.gcp_kms_crypto_key_policy_trusted_access

turbot_policy_setting.gcp_kms_crypto_key_policy_trusted_access_all_authenticated

turbot_policy_setting.gcp_kms_crypto_key_policy_trusted_access_all_users

Policy	Setting	Note
GCP > Dataproc > Cluster > Approved	Check: Approved	GCP CIS v2.0.0 - Control: 1.17
GCP > Dataproc > Cluster > Approved > Custom	Calculated	GCP CIS v2.0.0 - Control: 1.17
GCP > IAM > API Key > Active	Check: Active	GCP CIS v2.0.0 - Control: 1.15
GCP > IAM > API Key > Active > Age	Force inactive if age > 90 days	GCP CIS v2.0.0 - Control: 1.15
GCP > IAM > API Key > Approved	Check: Approved	GCP CIS v2.0.0 - Control: 1.12, 1.13, 1.14
GCP > IAM > API Key > Approved > Custom	Calculated	GCP CIS v2.0.0 - Control: 1.12, 1.13 and 1.14
GCP > IAM > Project User > Approved	Check: Approved	GCP CIS v2.0.0 - Control: 1.6, 1.8 and 1.11
GCP > IAM > Project User > Approved > Custom	Calculated	GCP CIS v2.0.0 - Control: 1.6, 1.8 and 1.11
GCP > IAM > Service Account > Approved	Check: Approved	GCP CIS v2.0.0 - Control: 1.5
GCP > IAM > Service Account > Approved > Custom	Calculated	GCP CIS v2.0.0 - Control: 1.5
GCP > IAM > Service Account Key > Active	Check: Active	GCP CIS v2.0.0 - Control: 1.7
GCP > IAM > Service Account Key > Active > Age	Force inactive if age > 90 days	GCP CIS v2.0.0 - Control: 1.7
GCP > IAM > Service Account Key > Approved	Check: Approved	GCP CIS v2.0.0 - Control: 1.4
GCP > IAM > Service Account Key > Approved > Custom	Calculated	GCP CIS v2.0.0 - Control: 1.4
GCP > KMS > Crypto Key > Approved	Check: Approved	GCP CIS v2.0.0 - Control: 1.10
GCP > KMS > Crypto Key > Approved > Custom	Calculated	GCP CIS v2.0.0 - Control: 1.10
GCP > KMS > Crypto Key > Policy > Trusted Access	Check: Trusted Access > *	GCP CIS v2.0.0 - Control: 1.9
GCP > KMS > Crypto Key > Policy > Trusted Access > All Authenticated	Do not allow allAuthenticatedUsers	GCP CIS v2.0.0 - Control: 1.9
GCP > KMS > Crypto Key > Policy > Trusted Access > All Users	Do not allow allUsers	GCP CIS v2.0.0 - Control: 1.9

Policy Settings