Policy Packs

guardrails-samples

This section covers recommendations addressing networking on Google Cloud Platform.

GCP CIS v2.0.0 - Section 3 - Networking

main

gcp_dns_managed_zone_approved

Determine the action to take when a GCP DNS managed zone is not approved based on `GCP &gt; DNS &gt; Managed Zone &gt; Approved &gt; *` policies.&#92;n&#92;nThe Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.&#92;n&#92;nFor any enforcement actions that specify `if new`, e.g., `Enforce: Delete unapproved if new`, this control will only take the enforcement actions for resources created within the last 60 minutes.&#92;n&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n

managedZoneApproved

GCP > DNS > Managed Zone > Approved

gcp_dns_managed_zone_approved_custom

Determine whether the GCP DNS managed zone is allowed to exist.&#92;nThis policy will be evaluated by the Approved control. If a GCP DNS managed zone is not approved, it will be subject to the action specified in the `GCP &gt; DNS &gt; Managed Zone &gt; Approved` policy.&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n&#92;n**Note**: The policy value must be a string with a value of `Approved`, `Not approved` or `Skip`, or in the form of YAML objects. The object(s) must contain the key `result` with its value as `Approved` or `Not approved`. A custom title and message can also be added using the keys `title` and `message` respectively.&#92;n

managedZoneApprovedCustom

GCP > DNS > Managed Zone > Approved > Custom

gcp_dns_managed_zone_dnssec_configuration

Determine whether to check or enforce DNSSEC Configuration settings for the GCP Managed Zone.&#92;n

managedZoneDnssecConfiguration

GCP > DNS > Managed Zone > DNSSEC Configuration

gcp_network_approved

Determine the action to take when a GCP Network network is not approved based on `GCP &gt; Network &gt; Network &gt; Approved &gt; *` policies.&#92;n&#92;nThe Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.&#92;n&#92;nFor any enforcement actions that specify `if new`, e.g., `Enforce: Delete unapproved if new`, this control will only take the enforcement actions for resources created within the last 60 minutes.&#92;n&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n

networkApproved

GCP > Network > Network > Approved

gcp_network_approved_custom

Determine whether the GCP Network network is allowed to exist.&#92;nThis policy will be evaluated by the Approved control. If a GCP Network network is not approved, it will be subject to the action specified in the `GCP &gt; Network &gt; Network &gt; Approved` policy.&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n&#92;n**Note**: The policy value must be a string with a value of `Approved`, `Not approved` or `Skip`, or in the form of YAML objects. The object(s) must contain the key `result` with its value as `Approved` or `Not approved`. A custom title and message can also be added using the keys `title` and `message` respectively.&#92;n

networkApprovedCustom

GCP > Network > Network > Approved > Custom

gcp_network_firewall_approved

Determine the action to take when a GCP Network firewall is not approved based on `GCP &gt; Network &gt; Firewall &gt; Approved &gt; *` policies.&#92;n&#92;nThe Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.&#92;n&#92;nFor any enforcement actions that specify `if new`, e.g., `Enforce: Delete unapproved if new`, this control will only take the enforcement actions for resources created within the last 60 minutes.&#92;n&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n

firewallApproved

GCP > Network > Firewall > Approved

gcp_network_firewall_approved_custom

Determine whether the GCP Network firewall is allowed to exist.&#92;nThis policy will be evaluated by the Approved control. If a GCP Network firewall is not approved, it will be subject to the action specified in the `GCP &gt; Network &gt; Firewall &gt; Approved` policy.&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n&#92;n**Note**: The policy value must be a string with a value of `Approved`, `Not approved` or `Skip`, or in the form of YAML objects. The object(s) must contain the key `result` with its value as `Approved` or `Not approved`. A custom title and message can also be added using the keys `title` and `message` respectively.&#92;n

firewallApprovedCustom

GCP > Network > Firewall > Approved > Custom

gcp_network_firewall_ingress_rules_approved

Configure Firewall Ingress Rule checking. This policy defines whether&#92;nto verify the firewall ingress rules are approved, as well as the&#92;nsubsequent action to take on unapproved items.&#92;n&#92;nIf set to `Enforce: Delete unapproved`, any unapproved rules will be&#92;nrevoked from the firewall.&#92;n

firewallIngressRulesApproved

GCP > Network > Firewall > Ingress Rules > Approved

gcp_network_firewall_ingress_rules_approved_rules

An [Object Control List (OCL)](https://turbot.com/guardrails/docs/reference/ocl)&#92;nwith a list of filter rules to approve or reject firewall rules.&#92;n&#92;nExamples:&#92;n  ```&#92;n  Allow HTTP and HTTPS rules for RFC1918 private space&#92;n  APPROVE $.turbot.fromPort:=80 $.turbot.toPort:=80 $.turbot.cidr:&lt;=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16&#92;n  APPROVE $.turbot.fromPort:=443 $.turbot.toPort:=443 $.turbot.cidr:&lt;=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16&#92;n&#92;n  Reject any rule from 0.0.0.0/0&#92;n  REJECT $.turbot.cidr:0.0.0.0/0&#92;n  ```&#92;n

firewallIngressRulesApprovedRules

GCP > Network > Firewall > Ingress Rules > Approved > Rules

gcp_network_ssl_policy_minimum_tls_version

Define the minimum version of SSL protocol the clients will be able to use to establish a connection.&#92;n

sslPolicyMinimumTlsVersion

GCP > Network > SSL Policy > Minimum TLS Version

gcp_network_ssl_policy_profile

Define the profile which sets the features used in negotiating SSL with clients.&#92;n&#92;nManaged profiles are maintained to support new SSL capabilities.&#92;n

sslPolicyProfile

GCP > Network > SSL Policy > Profile

gcp_network_subnetwork_flow_log

Define the Flow log settings required for `GCP &gt; Network &gt; Subnetwork &gt; FlowLog`.&#92;n&#92;nSubnetwork Flow log allows you to audit, verify, and analyze the network traffic for your Subnet.&#92;n

Policy	Setting	Note
GCP > DNS > Managed Zone > Approved	Check: Approved	GCP CIS v2.0.0 - Control: 3.4 and 3.5
GCP > DNS > Managed Zone > Approved > Custom	Calculated	GCP CIS v2.0.0 - Control: 3.4 and 3.5
GCP > DNS > Managed Zone > DNSSEC Configuration	Check: Enabled	GCP CIS v2.0.0 - Control: 3.3
GCP > Network > Firewall > Approved	Check: Approved	GCP CIS v2.0.0 - Control: 3.10
GCP > Network > Firewall > Approved > Custom	Calculated	GCP CIS v2.0.0 - Control: 3.10
GCP > Network > Firewall > Ingress Rules > Approved	Check: Approved	GCP CIS v2.0.0 - Control: 3.6 and 3.7
GCP > Network > Firewall > Ingress Rules > Approved > Rules	REJECT $.turbot.cidr:0.0.0.0/0 $.turbot.ports=22,3389 APPROVE *	GCP CIS v2.0.0 - Control: 3.6 and 3.7
GCP > Network > Network > Approved	Check: Approved	GCP CIS v2.0.0 - Control: 3.1 and 3.2
GCP > Network > Network > Approved > Custom	Calculated	GCP CIS v2.0.0 - Control: 3.1 and 3.2
GCP > Network > SSL Policy > Minimum TLS Version	Check: TLS 1.2	GCP CIS v2.0.0 - Control: 3.9
GCP > Network > SSL Policy > Profile	Check: Restricted	GCP CIS v2.0.0 - Control: 3.9
GCP > Network > Subnetwork > Flow Log	Check: Enabled	GCP CIS v2.0.0 - Control: 3.8

Policy Settings