Policy Packs

guardrails-samples

This section covers recommendations addressing storage on Google Cloud Platform.

GCP CIS v2.0.0 - Section 5 - Storage

main

gcp_storage_bucket_access_control

Define the Access Level settings required for `GCP &gt; Storage &gt; Bucket`.&#92;n&#92;nThe Access control determines whether the access level for GCP Storage Bucket should be set to Uniform or Fine-grained.&#92;n&#92;nEnabling uniform bucket-level access on a bucket, Access Control Lists (ACLs) are disabled, and only bucket-level Identity and Access Management (IAM) permissions grant access to that bucket and the objects it contains&#92;n

bucketAccessControl

GCP > Storage > Bucket > Access Control

gcp_storage_bucket_policy_trusted_access

Check or Enforce access checking on the GCP Storage Bucket&#92;nPolicy.&#92;n&#92;nGoogle Cloud IAM allows you to control who has access to the&#92;nstorage bucket via an IAM Policy. The Trusted Access policy&#92;nallows you to configure whether Turbot will evaluate or&#92;nenforce restrictions on which members are allowed to be granted&#92;naccess.&#92;n&#92;nIf enabled, the members in the IAM policy will be evaluated&#92;nagainst the list of allowed members in each of the Trusted&#92;nAccess sub-policies (Trusted Access &gt; Domains,&#92;nTrusted Access &gt; Groups, etc).&#92;n&#92;nIf set to &quot;Enforce: Trusted Access &gt; *&quot;, access to non-trusted&#92;nmembers will be removed.&#92;n

bucketPolicyTrustedAccess

GCP > Storage > Bucket > Policy > Trusted Access

gcp_storage_bucket_policy_trusted_all_authenticated

Determine whether public access may be granted on GCP Storage Bucket.&#92;n&#92;nThis policy is used by the GCP &gt; Storage &gt; Bucket &gt; Policy &gt; Trusted Access&#92;ncontrol to determine whether grants to `allAuthenticatedUsers` is allowed.&#92;n

bucketPolicyTrustedAllAuthenticated

GCP > Storage > Bucket > Policy > Trusted Access > All Authenticated

gcp_storage_bucket_policy_trusted_all_users

Determine whether anonymous access may be granted on GCP Storage Bucket.&#92;n&#92;nThis policy is used by the GCP &gt; Storage &gt; Bucket &gt; Policy &gt; Trusted Access&#92;ncontrol to determine whether grants to `allUsers` is allowed.&#92;n

bucketPolicyTrustedAllUsers

GCP > Storage > Bucket > Policy > Trusted Access > All Users

gcp_storage_bucket_policy_trusted_domains

List of GCP Domains that are trusted for access in the GCP Storage Bucket Policy.&#92;n&#92;nThis policy is used by the GCP &gt; Storage &gt; Bucket &gt; Policy &gt; Trusted Access&#92;ncontrol to determine which members of type &quot;domain&quot; are allowed&#92;nto be granted access.You may use the &#39;*&#39; and &#39;?&#39; wildcard characters.&#92;n&#92;n```&#92;nexample:&#92;n  - company.com&#92;n  - company-dev.org&#92;n```&#92;n**Note**: Setting the policy to an `Empty` array will remove all domains.&#92;n

bucketPolicyTrustedDomains

GCP > Storage > Bucket > Policy > Trusted Access > Domains

gcp_storage_bucket_policy_trusted_groups

List of GCP Groups that are trusted for access in the GCP Storage Bucket Policy.&#92;n&#92;nThis policy is used by the GCP &gt; Storage &gt; Bucket &gt; Policy &gt; Trusted Access&#92;ncontrol to determine which members of type &quot;group&quot; are allowed&#92;nto be granted access.You may use the &#39;*&#39; and &#39;?&#39; wildcard characters.&#92;n&#92;n```&#92;nexample:&#92;n  - notification@company.com&#92;n  - &quot;*@company.com&quot;&#92;n```&#92;n&#92;n**Note**: Setting the policy to an `Empty` array will remove all groups.&#92;n

bucketPolicyTrustedGroups

GCP > Storage > Bucket > Policy > Trusted Access > Groups

gcp_storage_bucket_policy_trusted_projects

List of GCP Projects that are trusted for access in the GCP Storage Bucket Policy.&#92;n&#92;nThis policy is used by the GCP &gt; Storage &gt; Bucket &gt; Policy &gt; Trusted Access&#92;ncontrol to determine whether members of type &quot;project&quot; are allowed&#92;nto be granted access.You may use the &#39;*&#39; and &#39;?&#39; wildcard characters.&#92;n&#92;n```&#92;nexample:&#92;n  - dev-aaa&#92;n  - dev-aab&#92;n```&#92;n&#92;n**Note**: Setting the policy to an `Empty` array will remove all projects.&#92;n

bucketPolicyTrustedProjects

GCP > Storage > Bucket > Policy > Trusted Access > Projects

gcp_storage_bucket_policy_trusted_service_accounts

List of GCP Service Accounts that are trusted for access in the GCP Storage&#92;nBucket Policy.&#92;n&#92;nThis policy is used by the GCP &gt; Storage &gt; Bucket &gt; Policy &gt; Trusted Access&#92;ncontrol to determine which members of type &quot;serviceAccount&quot; are allowed&#92;nto be granted access.You may use the &#39;*&#39; and &#39;?&#39; wildcard characters.&#92;n&#92;n```&#92;nexample:&#92;n  - project-owner@dev-aaa.iam.gserviceaccount.com&#92;n  - &quot;*&quot; # All service account trusted&#92;n```&#92;n**Note**: Setting the policy to an `Empty` array will remove all service accounts.&#92;n

bucketPolicyTrustedServiceAccounts

GCP > Storage > Bucket > Policy > Trusted Access > Service Accounts

gcp_storage_bucket_policy_trusted_users

List of GCP Users that are trusted for access in the GCP Storage Bucket Policy.&#92;n&#92;nThis policy is used by the GCP &gt; Storage &gt; Bucket &gt; Policy &gt; Trusted Access&#92;ncontrol to determine whether which of type &quot;user&quot; are allowed&#92;nto be granted access.You may use the &#39;*&#39; and &#39;?&#39; wildcard characters.&#92;n&#92;n```&#92;nexample:&#92;n  - &quot;*@company.com&quot; # All users with email ending in @company.com are trusted&#92;n  - &quot;test@dev-company.com&quot;&#92;n  - &quot;dummy@gmail.com&quot;&#92;n```&#92;n&#92;n**Note**: Setting the policy to an `Empty` array will remove all users.&#92;n

Policy	Setting	Note
GCP > Storage > Bucket > Access Control	Check: Uniform	GCP CIS v2.0.0 - Control: 5.2
GCP > Storage > Bucket > Policy > Trusted Access	Check: Trusted Access > *	GCP CIS v2.0.0 - Control: 5.1
GCP > Storage > Bucket > Policy > Trusted Access > All Authenticated	Do not allow allAuthenticatedUsers	GCP CIS v2.0.0 - Control: 5.1
GCP > Storage > Bucket > Policy > Trusted Access > All Users	Do not allow allUsers	GCP CIS v2.0.0 - Control: 5.1
GCP > Storage > Bucket > Policy > Trusted Access > Domains	- "example.com" - "example-dev.org"	GCP CIS v2.0.0 - Control: 5.1
GCP > Storage > Bucket > Policy > Trusted Access > Groups	- "notification@example.com" - "email@example.com"	GCP CIS v2.0.0 - Control: 5.1
GCP > Storage > Bucket > Policy > Trusted Access > Projects	- "dev-aaa" - "dev-aab"	GCP CIS v2.0.0 - Control: 5.1
GCP > Storage > Bucket > Policy > Trusted Access > Service Accounts	- "project-owner@dev-aaa.iam.gserviceaccount.com" - "project-operator@dev-aaa.iam.gserviceaccount.com"	GCP CIS v2.0.0 - Control: 5.1
GCP > Storage > Bucket > Policy > Trusted Access > Users	- "acme@example.com" - "johndoe@example.com"	GCP CIS v2.0.0 - Control: 5.1

Policy Settings