

fix: Removing securitycontrols.md and security control tags from expe…
…rimentation (#811)

* removing securitycontrols.md and security control tags from exp

* fix: removed extra security control tag
johnswayty-ssc authored Feb 5, 2024
1 parent 43c96f4 commit f17ff29
Showing 32 changed files with 2 additions and 247 deletions.
3 changes: 0 additions & 3 deletions solutions/experimentation/admin-folder/folder-iam.yaml
Expand Up @@ -13,7 +13,6 @@
# limitations under the License.
#########
# Grant GCP role Folder Admin on Admin's folder to admin
# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
Expand All @@ -30,7 +29,6 @@ spec:
member: admin-owner # kpt-set: ${admin-owner}
---
# Grant GCP role Project Creator on Admin's folder to admin
# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
Expand All @@ -47,7 +45,6 @@ spec:
member: admin-owner # kpt-set: ${admin-owner}
---
# Grant GCP role Owner on Admin's folder to admin
# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
Expand Up @@ -13,7 +13,6 @@
# limitations under the License.
#########
# Grant GCP role Folder Viewer on client's folder to client's user group
# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
Expand Up @@ -34,7 +34,6 @@ spec:
description: Folder sink for client-name Platform and Component logs # kpt-set: Folder sink for ${client-name} Platform and Component logs
# the log sink must be enabled (disabled: false) to meet the listed security controls
disabled: false
# AU-2, AU-12(A), AU-12(C)
# Includes the following types of logs:
# Cloud DNS, Cloud NAT, Firewall Rules, VPC Flow, and HTTP(S) Load Balancer
# These logs are not enabled by default. They are enabled inside the client-experimentation package:
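Review bot: The comment kept on the `disabled: false` line, `# the log sink must be enabled (disabled: false) to meet the listed security controls`, now refers to controls that are no longer listed, because the commit removes the AU-2/AU-12 line directly below it. The setters.yaml hunk has the same leftover: `# The values below must be modified to locked: true and retentionDays: 365 in a Production setting to implement above mentioned security controls.` still points at the deleted AU-9/AU-11 lines. Suggest rewording both so they stand on their own, e.g. `# the log sink must remain enabled (disabled: false) so Platform and Component logs reach the central logging bucket` and `# In a Production setting set retention-locking-policy to "true" and retention-in-days to "365" so logs cannot be deleted before the retention period ends`. The file name for this section is not shown on the page; from the sink description it appears to be the client-landing-zone log sink.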
Expand Up @@ -14,7 +14,6 @@
######
# Cloud Logging bucket for client Platform and Component logs
# Logs are routed using a log sink to a central logging project into a dedicated log bucket
# AU-4(1), AU-9(2) - Log buckets are created in a logging project, isolating them from the source of the log entries in other projects
apiVersion: logging.cnrm.cloud.google.com/v1beta1
kind: LoggingLogBucket
metadata:
Expand All @@ -29,6 +28,5 @@ spec:
location: northamerica-northeast1
description: Cloud Logging bucket for client-name Platform and Component logs # kpt-set: Cloud Logging bucket for ${client-name} Platform and Component logs
# Implement retention policy and retention locking policy
# AU-9, AU-11 - RetentionDays sets the policy where existing log content cannot be changed/deleted for the specificied number of days (from setters.yaml), locked setting means policy cannot be changed, ensuring immutability.
locked: false # kpt-set: ${retention-locking-policy}
retentionDays: 1 # kpt-set: ${retention-in-days}
Expand Up @@ -26,7 +26,6 @@ spec:
kind: Project
name: logging-project-id # kpt-set: ${logging-project-id}
namespace: projects
# AC-3(7) - Write access to the logging buckets is limited by IAM to just the identities of the log sinks configured to send logs to the buckets (set at the logging project level)
bindings:
- role: roles/logging.bucketWriter
members:

This file was deleted.

2 changes: 0 additions & 2 deletions solutions/experimentation/client-landing-zone/setters.yaml
Expand Up @@ -54,8 +54,6 @@ data:
# Set the number of days to retain logs in Cloud Logging buckets
# Set the lock mechanism on the bucket to: true or false
# After a retention policy is locked (true), you can't delete the bucket until every log in the bucket has fulfilled the bucket's retention period
# AU-9 PROTECTION OF AUDIT INFORMATION
# AU-11 AUDIT RECORD RETENTION
# The values below must be modified to locked: true and retentionDays: 365 in a Production setting to implement above mentioned security controls.
retention-locking-policy: "false"
retention-in-days: "1"
2 changes: 0 additions & 2 deletions solutions/experimentation/client-project/network/dns.yaml
Expand Up @@ -12,7 +12,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#########
# AU-12 - Enable logging for DNS
apiVersion: dns.cnrm.cloud.google.com/v1beta1
kind: DNSPolicy
metadata:
Expand All @@ -24,7 +23,6 @@ metadata:
spec:
resourceID: logging-dnspolicy
description: "DNS policy to enable logging"
# AU-12
enableLogging: true
networks:
- networkRef:
3 changes: 0 additions & 3 deletions solutions/experimentation/client-project/network/nat.yaml
Expand Up @@ -13,7 +13,6 @@
# limitations under the License.
#########
# Cloud NAT northamerica-northeast1
# # AU-12 - Enable Logging for Cloud Nat
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeRouterNAT
metadata:
Expand All @@ -29,7 +28,6 @@ spec:
routerRef:
name: project-id-nane1-router # kpt-set: ${project-id}-nane1-router
sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES
# AU-12
logConfig:
enable: true
filter: ALL
Expand Down Expand Up @@ -66,7 +64,6 @@ spec:
routerRef:
name: project-id-nane2-router # kpt-set: ${project-id}-nane2-router
sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES
# AU-12
logConfig:
enable: true
filter: ALL
Expand Up @@ -14,7 +14,6 @@
#########
# A Route to the internet that requires that the resources attached to the network
# specify it's tag to access the internet
# SC-7(5) BOUNDARY PROTECTION | DENY BY DEFAULT / ALLOW BY EXCEPTION
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeRoute
metadata:
14 changes: 0 additions & 14 deletions solutions/experimentation/client-project/network/subnet.yaml
Expand Up @@ -13,15 +13,12 @@
# limitations under the License.
#########
##################################
# AC-4 Information flow enforcement - Subnet creation to segregate and force through ZIP for access
##################################
# All subnets have :
# - logging enabled for flow logs https://cloud.google.com/vpc/docs/using-flow-logs
# - private google access enabled https://cloud.google.com/vpc/docs/private-google-access
##################################
# Subnet PAZ northamerica-northeast1
# SC-7 BOUNDARY PROTECTION
# AU-12 - Enable Logging for Subnet
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeSubnetwork
metadata:
Expand All @@ -38,14 +35,12 @@ spec:
privateIpGoogleAccess: true
networkRef:
name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc
# AU-12
logConfig:
aggregationInterval: INTERVAL_5_SEC
flowSampling: 0.5
metadata: INCLUDE_ALL_METADATA
---
# Subnet APPRZ northamerica-northeast1
# SC-7 BOUNDARY PROTECTION
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeSubnetwork
metadata:
Expand All @@ -62,14 +57,12 @@ spec:
privateIpGoogleAccess: true
networkRef:
name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc
# AU-12
logConfig:
aggregationInterval: INTERVAL_5_SEC
flowSampling: 0.5
metadata: INCLUDE_ALL_METADATA
---
# Subnet DATARZ northamerica-northeast1
# SC-7 BOUNDARY PROTECTION
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeSubnetwork
metadata:
Expand All @@ -86,14 +79,12 @@ spec:
privateIpGoogleAccess: true
networkRef:
name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc
# AU-12
logConfig:
aggregationInterval: INTERVAL_5_SEC
flowSampling: 0.5
metadata: INCLUDE_ALL_METADATA
---
# Subnet PAZ northamerica-northeast2
# SC-7 BOUNDARY PROTECTION
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeSubnetwork
metadata:
Expand All @@ -110,14 +101,12 @@ spec:
privateIpGoogleAccess: true
networkRef:
name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc
# AU-12
logConfig:
aggregationInterval: INTERVAL_5_SEC
flowSampling: 0.5
metadata: INCLUDE_ALL_METADATA
---
# Subnet APPRZ northamerica-northeast2
# SC-7 BOUNDARY PROTECTION
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeSubnetwork
metadata:
Expand All @@ -134,14 +123,12 @@ spec:
privateIpGoogleAccess: true
networkRef:
name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc
# AU-12
logConfig:
aggregationInterval: INTERVAL_5_SEC
flowSampling: 0.5
metadata: INCLUDE_ALL_METADATA
---
# Subnet DATARZ northamerica-northeast2
# SC-7 BOUNDARY PROTECTION
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeSubnetwork
metadata:
Expand All @@ -158,7 +145,6 @@ spec:
privateIpGoogleAccess: true
networkRef:
name: project-id-global-vpc1-vpc # kpt-set: ${project-id}-global-vpc1-vpc
# AU-12
logConfig:
aggregationInterval: INTERVAL_5_SEC
flowSampling: 0.5
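Review bot: With the AC-4 line removed in the first hunk of subnet.yaml, the two `##################################` banner lines at the top of the file become adjacent and frame an empty box, and the file no longer states why the subnets exist. Suggest dropping one of the banner lines, or keeping a control-neutral purpose line between them such as `# Subnets are created per zone (PAZ, APPRZ, DATARZ) in each region to segregate traffic`, which matches the per-subnet headings further down. The remaining "All subnets have" list still documents flow logs and private Google access, so only the purpose line is missing.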
4 changes: 2 additions & 2 deletions solutions/experimentation/client-project/network/vpc.yaml
Expand Up @@ -25,5 +25,5 @@ spec:
resourceID: global-vpc1-vpc
description: experimentation VPC
routingMode: REGIONAL
autoCreateSubnetworks: false # SC-7
deleteDefaultRoutesOnCreate: true # AC-4, SC-7(5)
autoCreateSubnetworks: false
deleteDefaultRoutesOnCreate: true
2 changes: 0 additions & 2 deletions solutions/experimentation/client-project/project-iam.yaml
Expand Up @@ -13,7 +13,6 @@
# limitations under the License.
#########
# Grant GCP role Editor to project-editor
# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
Expand All @@ -30,7 +29,6 @@ spec:
member: project-editor # kpt-set: ${project-editor}
---
# Grant GCP role IAM Security Admin to project-editor
# AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
34 changes: 0 additions & 34 deletions solutions/experimentation/client-project/securitycontrols.md

This file was deleted.

Expand Up @@ -14,7 +14,6 @@
######
# Cloud Logging bucket for Security logs: Cloud Audit, Access Transparency Logs, and Data Access Logs
# Logs are routed using a log sink to a central logging project into a dedicated log bucket
# AU-4(1), AU-9(2) - Log buckets are created in a logging project, isolating them from the source of the log entries in other projects
apiVersion: logging.cnrm.cloud.google.com/v1beta1
kind: LoggingLogBucket
metadata:
Expand All @@ -29,7 +28,6 @@ spec:
location: northamerica-northeast1
description: Cloud Logging bucket for Security logs
# Implement retention policy and retention locking policy
# AU-9, AU-11 - RetentionDays sets the policy where existing log content cannot be changed/deleted for the specificied number of days (from setters.yaml), locked setting means policy cannot be changed, ensuring immutability.
locked: false # kpt-set: ${retention-locking-policy}
retentionDays: 1 # kpt-set: ${retention-in-days}
---
Expand All @@ -48,6 +46,5 @@ spec:
location: northamerica-northeast1
description: Cloud Logging bucket for Platform and Component logs
# Implement retention policy and retention locking policy
# AU-9, AU-11
locked: false # kpt-set: ${retention-locking-policy}
retentionDays: 1 # kpt-set: ${retention-in-days}
Expand Up @@ -13,7 +13,6 @@
# limitations under the License.
# Cloud Storage bucket to store logs related to security incidents
# https://cloud.google.com/logging/docs/routing/copy-logs
# AU-9, AU-11 - Storage bucket created to hold logs related to security incidents (AU-11). Log is protected from modification and deletion (AU-9)
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
Expand All @@ -30,7 +29,6 @@ spec:
location: northamerica-northeast1
publicAccessPrevention: "enforced"
uniformBucketLevelAccess: true
# AU-9
retentionPolicy:
isLocked: false # kpt-set: ${security-incident-log-bucket-retention-locking-policy}
retentionPeriod: 86400 # kpt-set: ${security-incident-log-bucket-retention-in-seconds}