Policy Packs

guardrails-samples

This section covers recommendations addressing virtual machines on Google Cloud Platform.

GCP CIS v2.0.0 - Section 4 - Virtual Machines

main

gcp_computeengine_disk_approved

Determine the action to take when a GCP Compute Engine disk is not approved based on `GCP &gt; Compute Engine &gt; Disk &gt; Approved &gt; *` policies.&#92;n&#92;nThe Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.&#92;n&#92;nFor any enforcement actions that specify `if new`, e.g., `Enforce: Delete unapproved if new`, this control will only take the enforcement actions for resources created within the last 60 minutes.&#92;n&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n

diskApproved

GCP > Compute Engine > Disk > Approved

gcp_computeengine_disk_approved_encryption_at_rest

Define the minimum level of encryption required for GCP &gt; Compute Engine &gt; Disk.&#92;n&#92;nThis policy will be evaluated by the Approved control. If a GCP Compute Engine disk does not meet the minimum encryption level specified, it will be subject to the action specified in the `GCP &gt; Compute Engine &gt; Disk &gt; Approved` policy.&#92;n&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n

diskApprovedEncryptionAtRest

GCP > Compute Engine > Disk > Approved > Encryption at Rest

gcp_computeengine_instance_approved

Determine the action to take when a GCP Compute Engine instance is not approved based on `GCP &gt; Compute Engine &gt; Instance &gt; Approved &gt; *` policies.&#92;n&#92;nThe Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.&#92;n&#92;nFor any enforcement actions that specify `if new`, e.g., `Enforce: Delete unapproved if new`, this control will only take the enforcement actions for resources created within the last 60 minutes.&#92;n&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n

instanceApproved

GCP > Compute Engine > Instance > Approved

gcp_computeengine_instance_approved_custom

Determine whether the GCP Compute Engine instance is allowed to exist.&#92;nThis policy will be evaluated by the Approved control. If a GCP Compute Engine instance is not approved, it will be subject to the action specified in the `GCP &gt; Compute Engine &gt; Instance &gt; Approved` policy.&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n&#92;n**Note**: The policy value must be a string with a value of `Approved`, `Not approved` or `Skip`, or in the form of YAML objects. The object(s) must contain the key `result` with its value as `Approved` or `Not approved`. A custom title and message can also be added using the keys `title` and `message` respectively.&#92;n

instanceApprovedCustom

GCP > Compute Engine > Instance > Approved > Custom

gcp_computeengine_instance_approved_ip_forwarding

Determine whether the GCP Compute Engine instance is allowed to have a IP Forwarding enabled.&#92;n&#92;nThis policy will be evaluated by the Approved control. If an GCP Compute engine instance is not approved, it will be subject to the action specified in the `GCP &gt; Compute engine &gt; Instance &gt; Approved` policy.&#92;n&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n

instanceApprovedIpForwarding

GCP > Compute Engine > Instance > Approved > IP Forwarding

gcp_computeengine_instance_block_project_wide_ssh_keys

Configure whether Block Project Wide SSH Keys is enabled for a Compute Engine instance.

instanceBlockProjectWideSshKeys

GCP > Compute Engine > Instance > Block Project Wide SSH Keys

gcp_computeengine_instance_external_ip_addresses

Determine the action to take when a GCP Compute Engine instance has external IP addresses.&#92;n

instanceExternalIpAddresses

GCP > Compute Engine > Instance > External IP Addresses

gcp_computeengine_instance_serial_port_access

Configure whether Serial Port Access is enabled for a Compute Engine instance.

instanceSerialPortAccess

GCP > Compute Engine > Instance > Serial Port Access

gcp_computeengine_instance_shielded_instance_configuration

Configure shielded instance settings for an instance. To updated the configuration instance should be in stopped state.

shieldedInstanceConfiguration

GCP > Compute Engine > Instance > Shielded Instance Configuration

gcp_computeengine_instance_shielded_instance_configuration_integrity_monitoring

Determine whether the integrity monitoring setting is enabled or disabled.

shieldedInstanceConfigurationIntegrityMonitoring

GCP > Compute Engine > Instance > Shielded Instance Configuration > Integrity Monitoring

gcp_computeengine_instance_shielded_instance_configuration_vtpm

Determine whether the vTPM setting is enabled or disabled.

shieldedInstanceConfigurationVtpm

GCP > Compute Engine > Instance > Shielded Instance Configuration > vTPM

gcp_computeengine_project_os_login_enabled

Configure whether OS Login is enabled for a Compute Engine computeProject.

osLoginEnabled

GCP > Compute Engine > Project > OS Login Enabled

turbot_policy_setting.gcp_computeengine_disk_approved

turbot_policy_setting.gcp_computeengine_disk_approved_encryption_at_rest

turbot_policy_setting.gcp_computeengine_instance_approved

turbot_policy_setting.gcp_computeengine_instance_approved_custom

turbot_policy_setting.gcp_computeengine_instance_approved_ip_forwarding

turbot_policy_setting.gcp_computeengine_instance_block_project_wide_ssh_keys

turbot_policy_setting.gcp_computeengine_instance_external_ip_addresses

turbot_policy_setting.gcp_computeengine_instance_serial_port_access

turbot_policy_setting.gcp_computeengine_instance_shielded_instance_configuration

turbot_policy_setting.gcp_computeengine_instance_shielded_instance_configuration_integrity_monitoring

turbot_policy_setting.gcp_computeengine_instance_shielded_instance_configuration_vtpm

turbot_policy_setting.gcp_computeengine_project_os_login_enabled

Policy	Setting	Note
GCP > Compute Engine > Disk > Approved	Check: Approved	GCP CIS v2.0.0 - Control: 4.7
GCP > Compute Engine > Disk > Approved > Encryption at Rest	Customer supplied key	GCP CIS v2.0.0 - Control: 4.7
GCP > Compute Engine > Instance > Approved	Check: Approved	GCP CIS v2.0.0 - Control: 4.1, 4.2, 4.6 and 4.11
GCP > Compute Engine > Instance > Approved > Custom	Calculated	GCP CIS v2.0.0 - Control: 4.1, 4.2 and 4.11
GCP > Compute Engine > Instance > Approved > IP Forwarding	Approved if disabled	GCP CIS v2.0.0 - Control: 4.6
GCP > Compute Engine > Instance > Block Project Wide SSH Keys	Check: Enabled	GCP CIS v2.0.0 - Control: 4.3
GCP > Compute Engine > Instance > External IP Addresses	Check: None	GCP CIS v2.0.0 - Control: 4.9
GCP > Compute Engine > Instance > Serial Port Access	Check: Disabled	GCP CIS v2.0.0 - Control: 4.5
GCP > Compute Engine > Instance > Shielded Instance Configuration	Check: Enabled per `Shielded Instance Configuration > *`	GCP CIS v2.0.0 - Control: 4.8
GCP > Compute Engine > Instance > Shielded Instance Configuration > Integrity Monitoring	Enabled	GCP CIS v2.0.0 - Control: 4.8
GCP > Compute Engine > Instance > Shielded Instance Configuration > vTPM	Enabled	GCP CIS v2.0.0 - Control: 4.8
GCP > Compute Engine > Project > OS Login Enabled	Check: Enabled	GCP CIS v2.0.0 - Control: 4.4

Policy Settings