Policy Packs

guardrails-samples

This section covers recommendations addressing Logging and Monitoring on Google Cloud Platform.

GCP CIS v2.0.0 - Section 2 - Logging and Monitoring

main

gcp_dns_dns_policy_logging

Determine whether to check or enforce Logging for the GCP DNS Policy.&#92;n

dnsPolicyLogging

GCP > DNS > Policy > Logging

gcp_network_backend_service_logging

Define the Logging settings required for `GCP &gt; Network &gt; Backend Service &gt; Logging`.&#92;n&#92;nBackend Service Logging allows you to audit, verify, and analyze the effects of your Backend Service.&#92;n

backendServiceLogging

GCP > Network > Backend Service > Logging

gcp_network_backend_service_logging_sample_rate

The value of the field must be in [0, 1]. This configures the sampling rate of&#92;nrequests to the load balancer where 1 means all logged requests are reported and&#92;n0 means no logged requests are reported. The default value is 1.&#92;n

backendServiceLoggingSampleRate

GCP > Network > Backend Service > Logging > Sample Rate

gcp_project_stack

Configure a custom stack on GCP, per the custom `Stack &gt; Source`.&#92;n&#92;nA Guardrails `Stack` is a set of resources configured by Guardrails, as specified&#92;nvia Terraform source.  Stacks are responsible for the creation and deletion&#92;nof multiple resources. Once created, stack resources are responsible for&#92;nconfiguring themselves from the stack source via their `Configured` control.&#92;n

projectStack

GCP > Project > Stack

gcp_project_stack_source

The Terraform HCL source used to configure this stack.&#92;n&#92;nA Guardrails `Stack` is a set of resources configured by Guardrails, as specified&#92;nvia Terraform source.  Stacks are responsible for the creation and deletion&#92;nof multiple resources. Once created, stack resources are responsible for&#92;nconfiguring themselves from the stack source via their `Configured` control.&#92;n

projectStackSource

GCP > Project > Stack > Source

gcp_project_stack_terraform_version

The Version of Terraform to use for this stack.&#92;nSpecify an [npm-style semver](https://docs.npmjs.com/misc/semver) string to&#92;ndetermine which version of the Terraform container&#92;nGuardrails will use to run this stack.&#92;n&#92;nA Guardrails `Stack` is a set of resources configured by Guardrails,&#92;nas specified  via Terraform source.  Stacks are responsible&#92;nfor the creation and deletion of multiple resources. Once created,&#92;nstack resources are responsible for configuring themselves from&#92;nthe stack source via their `Configured` control.&#92;n

projectStackTerraformVersion

GCP > Project > Stack > Terraform Version

gcp_storage_bucket_approved

Determine the action to take when a GCP Storage bucket is not approved based on `GCP &gt; Storage &gt; Bucket &gt; Approved &gt; *` policies.&#92;n&#92;nThe Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.&#92;n&#92;nFor any enforcement actions that specify `if new`, e.g., `Enforce: Delete unapproved if new`, this control will only take the enforcement actions for resources created within the last 60 minutes.&#92;n&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n

bucketApproved

GCP > Storage > Bucket > Approved

gcp_storage_bucket_approved_custom

Determine whether the GCP Storage bucket is allowed to exist.&#92;nThis policy will be evaluated by the Approved control. If a GCP Storage bucket is not approved, it will be subject to the action specified in the `GCP &gt; Storage &gt; Bucket &gt; Approved` policy.&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n&#92;n**Note**: The policy value must be a string with a value of `Approved`, `Not approved` or `Skip`, or in the form of YAML objects. The object(s) must contain the key `result` with its value as `Approved` or `Not approved`. A custom title and message can also be added using the keys `title` and `message` respectively.&#92;n

bucketApprovedCustom

GCP > Storage > Bucket > Approved > Custom

gcp_turbot_event_handler_logging

Configure the Guardrails Event Handlers stack. This stack configures&#92;nthe logging sink required for Guardrails real-time event routing.&#92;n

eventHandlersLogging

GCP > Turbot > Event Handlers > Logging

gcp_turbot_event_handler_logging_sink_destination_topic

The destination of the logging sink.  This is the PubSub topic that the logs will be sent to,&#92;nfor example:  &quot;pubsub.googleapis.com/projects/[PROJECT_ID]/topics/[TOPIC_ID]&quot;.&#92;nThe writer associated with the sink must have access to publish to this topic.&#92;n

eventHandlerLoggingSinkDestinationTopic

GCP > Turbot > Event Handlers > Logging > Sink > Destination Topic

gcp_turbot_event_handler_logging_sink_name_prefix

A string to be used as a prefix to the turbot generated name on the&#92;nGuardrails Event Handler Logging Sink.  The name will be pre-pended&#92;nwith this value.&#92;n

eventHandlerLoggingSinkNamePrefix

GCP > Turbot > Event Handlers > Logging > Sink > Name Prefix

gcp_turbot_event_handler_logging_unique_writer_identity

Choose the writer identity used for Guardrails Event Handlers logging sink in the Project.&#92;nIf `Enforce: Default Service Account`, the default writer identity, `serviceAccount:cloud-logs@system.gserviceaccount.com`, is used. (This is the default setting.)&#92;nIf `Enforce: Unique Identity`, a new service account is created matching the pattern: `serviceAccount:service-${projectNumber}@gcp-sa-logging.iam.gserviceaccount.com` and it will then be used for creating the logging sink.&#92;n

eventHandlersLoggingUniqueWriterIdentity

GCP > Turbot > Event Handlers > Logging > Unique Writer Identity

gcp_turbot_event_handler_pubsub

Configure the Guardrails Event Handler stack. This stack configures the pub/sub&#92;ntopic and subscription resources required for Guardrails real-time event routing.&#92;n

eventHandlersPubSub

GCP > Turbot > Event Handlers > Pub/Sub

gcp_turbot_event_handler_pubsub_subscription_name_prefix

A string to be used as a prefix to the turbot generated name on the&#92;nGuardrails Event Handler Pub/Sub Subscription. The name will be&#92;npre-pended with this value.&#92;n

eventHandlerPubSubSubscriptionNamePrefix

GCP > Turbot > Event Handlers > Pub/Sub > Subscription > Name Prefix

gcp_turbot_event_handler_pubsub_topic_name_prefix

eventHandlerPubSubTopicNamePrefix

GCP > Turbot > Event Handlers > Pub/Sub > Topic > Name Prefix

turbot_policy_setting.gcp_dns_dns_policy_logging

turbot_policy_setting.gcp_network_backend_service_logging

turbot_policy_setting.gcp_network_backend_service_logging_sample_rate

turbot_policy_setting.gcp_project_stack

turbot_policy_setting.gcp_project_stack_source

turbot_policy_setting.gcp_project_stack_terraform_version

turbot_policy_setting.gcp_storage_bucket_approved

turbot_policy_setting.gcp_storage_bucket_approved_custom

turbot_policy_setting.gcp_turbot_event_handler_logging

turbot_policy_setting.gcp_turbot_event_handler_logging_sink_destination_topic

turbot_policy_setting.gcp_turbot_event_handler_logging_sink_name_prefix

turbot_policy_setting.gcp_turbot_event_handler_logging_unique_writer_identity

turbot_policy_setting.gcp_turbot_event_handler_pubsub

turbot_policy_setting.gcp_turbot_event_handler_pubsub_subscription_name_prefix

turbot_policy_setting.gcp_turbot_event_handler_pubsub_topic_name_prefix

Policy	Setting	Note
GCP > DNS > Policy > Logging	Check: Enabled	GCP CIS v2.0.0 - Control: 2.12
GCP > Network > Backend Service > Logging	Check: Enabled	GCP CIS v2.0.0 - Control: 2.16
GCP > Network > Backend Service > Logging > Sample Rate	1	GCP CIS v2.0.0 - Control: 2.16
GCP > Project > Stack	Check: Configured	GCP CIS v2.0.0 - Controls: 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10 and 2.11
GCP > Project > Stack > Source	Calculated	GCP CIS v2.0.0 - Controls: 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10 and 2.11
GCP > Project > Stack > Terraform Version	0.15.*	GCP CIS v2.0.0 - Controls: 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10 and 2.11
GCP > Storage > Bucket > Approved	Check: Approved	GCP CIS v2.0.0 - Control: 2.3
GCP > Storage > Bucket > Approved > Custom	Calculated	GCP CIS v2.0.0 - Control: 2.3
GCP > Turbot > Event Handlers > Logging	Check: Configured	GCP CIS v2.0.0 - Control: 2.1
GCP > Turbot > Event Handlers > Logging > Sink > Destination Topic	pubsub.googleapis.com/projects/myProjectId/topics/myTopicId	GCP CIS v2.0.0 - Control: 2.1
GCP > Turbot > Event Handlers > Logging > Sink > Name Prefix	myLoggingSinkNamePrefix	GCP CIS v2.0.0 - Control: 2.1
GCP > Turbot > Event Handlers > Logging > Unique Writer Identity	Enforce: Default Service Account	GCP CIS v2.0.0 - Control: 2.1
GCP > Turbot > Event Handlers > Pub/Sub	Check: Configured	GCP CIS v2.0.0 - Control: 2.2
GCP > Turbot > Event Handlers > Pub/Sub > Subscription > Name Prefix	myPubSubSubscriptionNamePrefix	GCP CIS v2.0.0 - Control: 2.2
GCP > Turbot > Event Handlers > Pub/Sub > Topic > Name Prefix	myPubSubTopicNamePrefix	GCP CIS v2.0.0 - Control: 2.2

Policy Settings