Michael O'Brien edited this page Mar 26, 2024 · 37 revisions

Controls

Controls Coverage

Pending: GCP service extraction into securitycontrols.md, tracked in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/746. Use the "All Products" page (https://console.cloud.google.com/products) for the list of Google Cloud services.

Controls to Code Mappings

(From generated source - 20231128)

(From yaml comments)

(From KRM tagging)

Controls to GCP Services Mappings

Controls to Landing Zone Deployment Runtime Inventory

Recommended Security Controls List

| Category | Count | Priority split | Controls subset (P1=**bold**, P2=_italic_) | Inherited Controls | Guardrails | Additional + |
| --- | --- | --- | --- | --- | --- | --- |
| AC | 28 | P1=7 P2=17 | AC-2 AC-2(2) AC-2(3) AC-2(4) AC-2(10) AC-3 AC-3(4) AC-3(7) AC-3(9) AC-4 AC-4(21) AC-6(10) AC-7 AC-8 AC-9 AC-9(3) AC-10 AC-11 AC-11(1) AC-12 AC-16(2) AC-16(4) AC-16(5) AC-17(1) AC-17(2) AC-17(3) AC-17(100) AC-18(1) | | | |
| AU | 16 | P1=3 P2=13 | AU-3 AU-3(1) AU-4(1) AU-5 AU-5(1) AU-6(4) AU-7 AU-7(1) AU-7(2) AU-8 AU-8(1) (AU-9 P1?) AU-9(2) (AU-12 P1?) AU-12(1) AU-12(2) | | | |
| CA | 1 | P3=1 | CA-9(1)(P3) | | | |
| CM | 3 | P2=2 P3=1 | CM-5(1) CM-11(1) CM-11(2)(P3) | | | |
| CP | 1 | P3=1 | CP-11(P3) | | | |
| IA | 16 | P1=5 P2=8 | IA-2 IA-2(1) IA-2(3) IA-2(6) IA-2(8) IA-2(9) IA-2(11) IA-3 IA-3(1) IA-5(1) IA-5(2) IA-5(11) IA-5(13) (from P1) IA-6 IA-7 IA-8 (from P1) | | | |
| MA | 1 | P3=1 | MA-4(6)(P3) | | | |
| MP | 1 | P2=1 | MP-5(4) | | | |
| RA | 1 | | RA-5(5) | | | |
| SC | 28 | P1=7 P2=12 P3=4 | SC-2 SC-2(1) SC-4 SC-5 SC-5(2) SC-7(5) SC-7(7) SC-7(8) SC-7(9) SC-7(11) SC-7(18) SC-8 SC-8(1) SC-10(P3) SC-13(P3) SC-15(P3) SC-18(1) SC-18(3) SC-18(4) SC-20 SC-22(P3) SC-23 SC-23(1) SC-23(3) SC-24 SC-28 SC-28(1) SC-39 | | | |
| SI | 11 | P2=8 P3=3 | SI-3(2) SI-3(4) SI-3(7)(P3) SI-4(4) SI-4(5) SI-4(7) SI-7(1) SI-8(2) SI-10(P3) SI-11(P3) SI-16 | | | |

Controls Summary

Code to Controls Mapping

V20231128

Yaml Code Controls
a b

Controls to Code Mapping

V20231128

Controls Yaml Code
AC-2 1
AC-2(2) 1
AC-2(3) 1
AC-2(4) 1
AC-2(10) 1
AC-3 1
AC-3(4) 1
AC-3(7) 1
AC-3(9) 1
AC-4 1
AC-4(21) 1
AC-6(10) 1
AC-7 1
AC-8 1
AC-9 1
AC-9(3) 1
AC-10 1
AC-11 1
AC-11(1) 1
AC-12 1
AC-16(2) 1
AC-16(4) 1
AC-16(5) 1
AC-17(1) 1
AC-17(2) 1
AC-17(3) 1
AC-17(100) 1
AC-18(1) 1
AU-3 1
AU-3(1) 1
AU-4(1) 1
AU-5 1
AU-5(1) 1
AU-6(4) 1
AU-7 1
AU-7(1) 1
AU-7(2) 1
AU-8 1
AU-8(1) 1
(AU-9 P1?) 1
AU-9(2) 1
(AU-12 P1?) 1
AU-12(1) 1
AU-12(2) 1
CA-9(1)(P3) 1
CM-5(1) 1
CM-11(1) 1
CM-11(2)(P3) 1
CP-11(P3) 1
IA-2 1
IA-2(1) 1
IA-2(3) 1
IA-2(6) 1
IA-2(8) 1
IA-2(9) 1
IA-2(11) 1
IA-3 1
IA-3(1) 1
IA-5(1) 1
IA-5(2) 1
IA-5(11) 1
IA-5(13) (from P1) 1
IA-6 1
IA-7 1
IA-8 (from P1) 1
MA-4(6)(P3) 1
MP-5(4) 1
RA-5(5) 1
SC-2 1
SC-2(1) 1
SC-4 1
SC-5 1
SC-5(2) 1
SC-7(5) 1
SC-7(7) 1
SC-7(8) 1
SC-7(9) 1
SC-7(11) 1
SC-7(18) 1
SC-8 1
SC-8(1) 1
SC-10(P3) 1
SC-13(P3) 1
SC-15(P3) 1
SC-18(1) 1
SC-18(3) 1
SC-18(4) 1
SC-20 1
SC-22(P3) 1 2
SC-23 1
SC-23(1) 1
SC-23(3) 1
SC-24 1
SC-28 1
SC-28(1) 1
SC-39 1
SI-3(2) 1
SI-3(4) 1
SI-3(7)(P3) 1
SI-4(4) 1
SI-4(5) 1
SI-4(7) 1
SI-7(1) 1
SI-8(2) 1
SI-10(P3) 1
SI-11(P3) 1
SI-16 1

Service to Controls Mappings

| Package | Module | File | Code - Kind | Controls |
| --- | --- | --- | --- | --- |
| client-landing-zone | client-folder/firewall-policy/rules | defaults | computeFirewallPolicyRule 2 3 4 | AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) |
| client-landing-zone | client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis | dns.yaml | DNSManagedZone | SC-22 |
| | | | DNSRecordSet | SC-22 |
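The two mapping directions on this page (code to controls, controls to code) are what a tagging extractor produces from the KRM YAML, which is what the "(From yaml comments)" and "(From KRM tagging)" headings above anticipate. The script below is an added example and not toolkit code: it reads Config Connector documents, collects control identifiers from a `# controls:` comment or from a `pubsec.example/controls` annotation (both are assumed conventions; the toolkit's real tagging scheme is not documented on this page), emits both mapping tables in the wiki's markdown layout, and lists resources that carry no tag at all, which is the coverage gap a controls review should flag. The sample YAML is constructed and modelled on the two rows of the table above; only the standard library is used.

```python
"""Controls-to-code and code-to-controls mappings from control-tagged KRM YAML.

Added example, not pubsec-declarative-toolkit code. Assumed tagging conventions:
  * a YAML comment  "# controls: AC-4, SC-7(5)"  anywhere in a document
  * an annotation   metadata.annotations["pubsec.example/controls"]  (hypothetical key)
Only kind:, metadata.name: and the tag lines are read, so no YAML library is needed.
"""
import re
from collections import defaultdict

CONTROL_RE = re.compile(r"[A-Z]{2}-\d+(?:\(\d+\))?")        # e.g. AC-17(100)
COMMENT_TAG_RE = re.compile(r"#\s*controls?\s*:\s*(.+)$")    # "# controls: ..."
ANNOTATION_KEY = "pubsec.example/controls"                   # hypothetical key
ANNOTATION_RE = re.compile(r"^\s*" + re.escape(ANNOTATION_KEY) + r"\s*:\s*(.+)$")
KIND_RE = re.compile(r"^kind:\s*(\S+)")
NAME_RE = re.compile(r"^\s+name:\s*(\S+)")


def control_sort_key(control):
    """Order AC-2, AC-2(4), AC-2(10), AC-3 numerically, as the wiki tables list them."""
    m = re.fullmatch(r"([A-Z]{2})-(\d+)(?:\((\d+)\))?", control)
    return (m.group(1), int(m.group(2)), int(m.group(3) or 0))


def parse_documents(text):
    """One record per KRM document: kind, metadata.name and the controls tagged on it."""
    records = []
    for doc in re.split(r"^---[ \t]*$", text, flags=re.MULTILINE):
        kind, name, controls, in_metadata = None, None, set(), False
        for line in doc.splitlines():
            if line and not line[0].isspace():             # top-level key boundary
                in_metadata = line.startswith("metadata:")
            m = KIND_RE.match(line)
            if m:
                kind = m.group(1)
            if in_metadata and name is None:               # only metadata.name, not spec names
                m = NAME_RE.match(line)
                if m:
                    name = m.group(1)
            for tag_re in (COMMENT_TAG_RE, ANNOTATION_RE):
                m = tag_re.search(line)
                if m:
                    controls.update(CONTROL_RE.findall(m.group(1)))
        if kind:
            records.append({"kind": kind, "name": name,
                            "controls": sorted(controls, key=control_sort_key)})
    return records


def code_to_controls(records):
    """Kind/name -> controls, the direction of the service-to-controls table."""
    return {f"{r['kind']}/{r['name']}": r["controls"] for r in records}


def controls_to_code(records):
    """Control -> resources implementing it, the direction of the controls-to-code table."""
    inverted = defaultdict(list)
    for r in records:
        for control in r["controls"]:
            inverted[control].append(f"{r['kind']}/{r['name']}")
    return {c: sorted(inverted[c]) for c in sorted(inverted, key=control_sort_key)}


def untagged(records):
    """Resources carrying no control tag: the coverage gap a review should flag."""
    return [f"{r['kind']}/{r['name']}" for r in records if not r["controls"]]


def render_table(mapping, left, right):
    """Render a mapping as a two-column markdown table."""
    rows = [f"| {left} | {right} |", "| --- | --- |"]
    rows += [f"| {k} | {', '.join(v)} |" for k, v in mapping.items()]
    return "\n".join(rows)


# Constructed sample modelled on the two rows of the table above (not toolkit YAML).
SAMPLE_YAML = """\
# controls: AC-3(9), AC-4, AC-4(21)
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewallPolicyRule
metadata:
  name: deny-all-egress
  annotations:
    pubsec.example/controls: "SC-7(5), SC-7(8), SC-7(9), SC-7(11)"
---
apiVersion: dns.cnrm.cloud.google.com/v1beta1
kind: DNSManagedZone
metadata:
  name: googleapis-private-zone
  annotations:
    pubsec.example/controls: "SC-22"
---
# controls: SC-22
apiVersion: dns.cnrm.cloud.google.com/v1beta1
kind: DNSRecordSet
metadata:
  name: private-googleapis-a
spec:
  managedZoneRef:
    name: googleapis-private-zone
---
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeSubnetwork
metadata:
  name: untagged-subnet
"""

if __name__ == "__main__":
    recs = parse_documents(SAMPLE_YAML)
    print(render_table(controls_to_code(recs), "Controls", "Code"))
    print(render_table(code_to_controls(recs), "Code", "Controls"))
    print("untagged:", untagged(recs))
```

Run against a checkout by concatenating the package's YAML files into the input; the `untagged` list is the useful output for the coverage question this page is about, since a control that appears only in the recommended list and never in a tag is not implemented by any resource, and a resource with no tag is not evidenced by any control.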

Controls

SC-22:

Security Controls to Code Mappings

Security Controls to GCP Services Mappings

History

https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/560

20231027

Check removed files

 delete mode 100644 solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/securitycontrols.md
 delete mode 100644 solutions/client-landing-zone/logging-project/securitycontrols.md
 delete mode 100644 solutions/core-landing-zone/lz-folder/audits/logging-project/securitycontrols.md

Todo

Example visuals for extract and/or live compliance dashboard

Links