-
Notifications
You must be signed in to change notification settings - Fork 28
Security_Controls
- Issue ID label filter - https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues?q=is%3Aissue+is%3Aopen+label%3Asecurity-controls
- TODO: add P1 and optionally P2 controls - Use the new "All Products" page for a list of Google Cloud Services https://console.cloud.google.com/products
Category + count |
Controls subset P1=bold |
Inherited Controls |
Guardrails Additional + |
|---|---|---|---|
| AC | AC-2 AC-2(2) AC-2(3) AC-2(4) AC-2(10) AC-3 AC-3(4) AC-3(7) AC-3(9) AC-4 AC-4(21) AC-6(10) AC-7 AC-8 AC-9 AC-10 AC-11 AC-11(1) AC-12 AC-16(2) AC-16(4) AC-16(5) AC-17(1) AC-17(2) AC-17(3) AC-17(100) AC-18(1) | ||
| AC | AU-3 AU-3(1) AU-4(1) AU-5 AU-6(4) AU-7 AU-7(1) AU-7(2) AU-8 AU-8(1) AU-9 AU-9(2) AU-12 AU-12(1) AU-12(2) |
- 31 (15 guardrails) + 10 + 25 = 66 (guardrails subset = 48)
Category |
31 Controls highlighted 20 P1 in bold, 11 P2- in italic GR + |
10 Extended/Inherited Controls |
25 Guardrails Additional + |
|---|---|---|---|
| AC 5 | +AC-2 +AC-3 +AC-4 +AC-6 AC-12 | AC-17(1) | +AC-5 +AC-6(5) +AC-6(10) +AC-7 +AC-9 +AC‑19 +AC‑20(3) |
| AT 1 | AT-3 | ||
| AU 4 | +AU-2 +AU-3 +AU-6 AU-13 | +AU-9 +AU-12 | +AU-8 +AU-9(4) |
| CA 1 | CA-3 | ||
| CM 1 | +CM-2 | +CM-8 | +CM-3 +CM-4 +CM-5 |
| IA 2 | +IA-2 +IA-5 | +IA-2(1) +IA-2(2) | +IA-2(11) +IA-4 +IA-5(1) +IA-5(6) +IA-5(7) +IA-5(13) +IA-6 +IA-8 |
| IR 1 | IR-6 | ||
| MP 1 | MP-2 | ||
| PE 2 | PE-3 PE-19 | ||
| PS 1 | PS-6 | ||
| RA 1 | RA-5 | ||
| SA 2 | SA-4 SA-8 | +SA-22 | |
| SC 5 | +SC-7 +SC-13 SC-26 +SC-28 SC-101 | +SC-5 SC-7(3) +SC-7(5) +SC-28(1) | +SC-8 +SC-8(1) +SC-12 +SC-17 |
| SI 4 | +SI-2 SI-3 +SI-4 SI-7 |
140 P1
24 AC-1/2/3/3.7/3.9/3.10/4/4.4/4.12/4.13/4.14/4.15/5/6/6.5/7/8/17/18/18.5/19/19.4/19.100/22
4 AT-1/2/2.2 3
8 AU-1/2/3/4/4.1/6/8/12
8 CA-1 / 2.1 /3/3.2 3.3/3.4/6 7.1
10 CM-1 2 2.7 3 5 6 7 7.5 8 9
2 CP-1 9
8 IA-1 2 2.1 3 4 5 5.1 6
2 IR-1 9
3 MA-1 3.2 5.2
9 MP-1 2 3 4 5 5.3 8 8.3 8.4
15 PE-1 2 2.3 2.100 3 4 6 6.2 6.3 6.4 8 16 18 18.1 20
7 PL-1 2 4 7 8 8.1 8.2
9 PS-1 3 3.1 3.2 4 5 6 6.2 7
3 RA-1 2 3
5 SA-1 4.2 4.6 4.7 9
17 SC-1 2 5 7 7.3 7.5 7.9 7.14 8 12.2 12.3 18 23 24 28 43 101
6 SI-1 2 3 4 5 8
- 140 P1 list in italic referenced in https://cyber.gc.ca/sites/default/files/cyber/publications/Annex%20B%20CCCS%20MEDIUM%20Cloud%20Profile%20Recommendations.xlsx replaces older 2021 https://cyber.gc.ca/sites/default/files/cyber/publications/itsg33-ann4a-1-eng.pdf (replaces moved https://cyber.gc.ca/sites/default/files/publications/itsg33-ann4a-1-eng.pdf)
- See P1 list italic diff of 77 in https://cyber.gc.ca/sites/default/files/cyber/publications/itsg33-ann4a-1-eng.pdf
graph LR;
style GCP fill:#44f,stroke:#f66,stroke-width:2px,color:#fff,stroke-dasharray: 5 5
%% mapped and documented
PBMM-->AU-1;
PBMM-->AU-2;
PBMM-->AU-3;
PBMM-->AU-4;
PBMM-->AU-4.1;
PBMM-->AU-6;
PBMM-->AU-8;
PBMM-->AU-12;
PBMM-->CM-1;
PBMM-->CM-2;
PBMM-->CM-3;
PBMM-->CM-5;
PBMM-->CM-6;
PBMM-->CM-7;
PBMM-->CM-7.5;
PBMM-->CM-8;
PBMM-->CM-9;
PBMM-->CP-1;
PBMM-->IR-1;
PBMM-->IR-9;
PBMM-->MA-1;
PBMM-->MA-3.3;
PBMM-->MP-2;
PBMM-->PE-3;
PBMM-->PE-19;
PBMM-->RA-1;
PBMM-->RA-2;
PBMM-->RA-3;
%% subset edit point above
%% mapped but not yet documented
unmapped-->AC-2.1/5/6.5/6.10/7/19;
unmapped-->AU-3.2/4/9.4;
unmapped-->CM-3/4/5/8;
unmapped-->CP-7;
unmapped-->IA-4/5.1/5.7/5.13/6/8;
unmapped-->SA-22;
unmapped-->SC-5/7.7/8/8.1/12/17;
%% control to sub-service
AC-2-->bucket-not-public;
AC-2-->enforce-public-access-prevention;
AC-2-->restrict-public-IP-access-sql;
AC-2-->Roles;
AC-2-->Identity-Federation;
AC-3-->Roles;
AC-4-->IDS;
AC-4-->VFW;
AC-4-->Asset-Inventory;
AC-6-->Roles;
AC-12-->Pre-Signed-URLs;
AC-17.1-->IAP;
AC-20.3-->BeyondCorp-CAA;
AU-2-->Monitoring;
AU-2-->Identity;
AU-2-->Password-Policies;
AU-2-->Audit-and-Investigation;
AU-2-->Apps-Reports-Accounts;
AU-2-->Alert-Policy;
AU-2-->Logs-Explorer;
AU-2-->Logs-Router;
AU-2-->bucket-not-public;
AU-2-->bucket-protection-retention-1-sec;
AU-3-->Monitoring;
AU-3-->Alert-Policy;
AU-3-->Logs-Explorer;
AU-3-->Logs-Router;
AU-6-->bucket-protection-retention-1-sec;
AU-6-->Monitoring;
AU-6-->Alert-Policy;
AU-6-->Logs-Explorer;
AU-6-->Logs-Router;
AU-13-->DLP;
AU-13-->bucket-not-public;
AU-13-->Monitoring;
AU-13-->Alert-Policy;
AU-13-->Logs-Explorer;
AU-13-->Logs-Router;
AU-8-->Event-Logging;
%% post-Terraform
post-TF-console-->SC-7-->Location-Restriction;
%% requires Traffic Generation app
AU-12== traffic gen ==>VPC-Flow-Logs;
AU-12== traffic gen ==>SCC-Findings;
AU-12-->SCC-Compliance;
AU-9-->Non-Public-->Cloud-Storage;
AU-9-->Protection-Retention-->Cloud-Storage;
AT-3-->Certification-Training;
CA-3-->IAP;
CA-3-->Cloud-Deploy;
CA-3-->Deployment-Manager;
CA-3-->Private-Access;
CM-2-->Marketplace-Role-restriction;
IA-2-->Identity-Federation;
IA-2-->IAP;
IA-2.1-->Roles;
IA-2.1-->Identity-Federation;
IA-2.2-->Identity-Federation;
IA-2.1-->IAP;
IA-2.1-->Roles;
IA-2.2-->Roles;
IA-5-->IAP;
IA-5-->Roles;
IA-5-->2FA;
IR-6-->Alert-Policy;
IR-6-->Logs-Explorer;
IR-6-->Logs-Router;
IR-6-->bucket-not-public;
IR-6-->bucket-protection-retention-1-sec
MP-2-->DLP;
MP-2-->Data-Center-Security;
PE-3-->Data-Center-Security;
PE-19-->Data-Center-Security;
RA-5-->SCC-Vulnerabilities;
RA-5-->Vulnerability-Scanning;
SA-4-->SCC-Vulnerabilities;
SA-4-->Vulnerability-Scanning;
SA-8-->Encryption-at-rest;
SA-8-->Encryption-in-transit;
SC-7-->Resource-Location-Restriction;
SC-7== traffic gen ==>VPC-Firewall-Logs;
SC-7-->IDS;
SC-7== traffic gen ==>VPC-Firewall-Rules;
SC-7.3== traffic gen ==>VPC-Firewall-Logs;
SC-7.5== traffic gen ==>VPC-Firewall-Logs;
SC-8-->Encryption-at-rest;
SC-8-->Encryption-in-transit;
SC-13-->Encryption-at-rest;
SC-13-->Encryption-in-transit;
SC-13-->bucket-not-public;
SC-13-->bucket-protection-retention-1-sec
SC-26-->SCC-Container-Threat-Detection;
SC-26-->Armor;
SC-28.1-->Encryption-at-rest;
SC-28-->Encryption-at-rest;
SC-101-->Data-Center-Security;
SI-2-->Armor;
SI-3-->Vulnerability-Scanning;
SI-3-->SCC-Vulnerabilities;
SI-4== traffic gen ==>Compute-VM;
SI-4-->Armor;
SI-4-->VM-logging-agent-logs;
%% sub-service to service
2FA-->Identity;
Alert-Policy-->Cloud-Logging;
Apps-Reports-Accounts-->Reporting;
Reporting-->Identity;
Asset-Inventory-->IAM;
Armor-->Network-Security;
Audit-and-Investigation-->Identity;
bucket-not-public-->Org-Policies;
bucket-protection-retention-1-sec-->Org-Policies;
enforce-public-access-prevention-->Org-Policies;
restrict-public-IP-access-sql-->Org-Policies;
BeyondCorp-CAA-->Security;
Certification-Training-->Training;
Cloud-Identity-->Google-Admin;
Compute-VM-->Cloud-Logging;
Data-Center-Security-->Security;
Cloud-Deploy-->GCP;
Deployment-Manager-->GCP;
DLP-->Security;
Encryption-in-transit-->Security;
Encryption-at-rest-->Security;
Event-Logging-->Cloud-Operations-Suite;
IAP-->Security;
Identity-Federation-->IAM;
IDS-->Network-Security;
Location-Restriction-->Org-Policies;
Logs-Explorer-->Cloud-Logging;
Logs-Router-->Cloud-Logging;
Marketplace-Role-restriction-->Marketplace
MFA-->Cloud-Identity;
Monitoring-->GCP;
Org-Policies-->IAM;
Password-Policies-->Identity;
Pre-Signed-URLs-->Cloud-Storage;
Private-Access-->VPC-Networks;
Resource-Location-Restriction-->Org-Policies;
Roles-->IAM;
SCC-Findings-->SCC;
SCC-Compliance-->SCC;
SCC-Container-Threat-Detection-->SCC;
SCC-Vulnerabilities-->SCC;
VM-logging-agent-logs-->Cloud-Logging;
VFW-->VPC-Networks;
VPC-Flow-Logs-->VPC-Networks;
VPC-Firewall-Rules-->VPC-Networks;
VPC-Firewall-Logs-->VPC-Networks;
Vulnerability-Scanning-->Artifact-Registry;
%% service to gcp
Artifact-Registry-->GCP;
Cloud-Operations-Suite-->GCP;
Cloud-Logging-->GCP;
Cloud-Storage-->GCP;
Identity-->Admin;
IAM-->GCP;
Marketplace-->GCP;
Network-Security-->GCP;
SCC-->GCP;
Security-->GCP;
Training-->GCP;
VPC-Networks-->GCP{GCP};
%%PBHH
PBHH-->AU-3.2
PBHH-->IA-2.2
Rev: 20231114
-
ITSG 33 : Security Control Catalogue : https://www.cyber.gc.ca/en/guidance/annex-3a-security-control-catalogue-itsg-33
-
AU-1 - family: audit and accountability - class: technical - AU-1 : audit and accountability policy and procedures
-
AU-2 - family: audit and accountability - class: technical - AU-2 : auditable events
-
AU-3 - family: audit and accountability - class: technical - AU-3 : content of audit records
-
AU-4 - family: audit and accountability - class: technical - AU-4 : audit storage capacity
-
AU-4(1) - family: audit and accountability - class: technical - AU-4.1 : audit storage capacity | transfer to alternate storage
-
AU-6 - family: audit and accountability - class: technical - AU-6 : audit review, analysis, and reporting
-
AU-8 - family: audit and accountability - class: technical - AU-8 : time stamps
-
AU-12 - family: audit and accountability - class: technical - AU-12 : audit generation
-
CM-1 - family: configuration management - class: operational - CM-1: configuration management policy and procedures
-
CM-2 - family: configuration management - class: operational - CM-2: baseline configuration
-
CM-3 - family: configuration management - class: operational - CM-3: configuration change control
-
CM-5 - family: configuration management - class: operational - CM-5: access restrictions for change
-
CM-6 - family: configuration management - class: operational - CM-6: configuration settings
-
CM-7 - family: configuration management - class: operational - CM-7: least functionality
-
CM-7(5) - family: configuration management - class: operational - CM-7.5: least functionality | authorized software / whitelisting
-
CM-8 - family: configuration management - class: operational - CM-8: information system component inventory
-
CM-9 - family: configuration management - class: operational - CM-9: configuration management plan
-
CP-1 - family: contingency planning (continuity planning) - class: operational - CP-1 : contingency planning policy and procedures
-
IR-1 - family: incident response - class: operational - IR-1 incident response policy and procedures
-
IR-9 - family: incident response - class: operational - IR-9 : information spillage response
-
MA-1 - family: maintenance - class: operational - MA-1 : system maintenance policy and procedures
-
MA-3(3) - family: maintenance - class: operational - MA-3 : maintenance tools | prevent unauthorized removal
-
RA-1 - family: risk assessment - class: management - RA-1 : risk assessment policy and procedures
-
RA-2 - family: risk assessment - class: management - RA-2 : security categorization
-
RA-3 - family: risk assessment - class: management - RA-3 : risk assessment
https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/560
Check removed files
delete mode 100644 solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/securitycontrols.md
delete mode 100644 solutions/client-landing-zone/logging-project/securitycontrols.md
delete mode 100644 solutions/core-landing-zone/lz-folder/audits/logging-project/securitycontrols.md
Example visuals for extract and/or live compliance dashboard
-
d3js.org based or mermaid in-line-repo markup (generated) in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/wiki/Security_Controls
- https://cloud.google.com/security/compliance/fedramp
- detailed ITSG-33 (2014) https://cyber.gc.ca/en/guidance/annex-2-information-system-security-risk-management-activities-itsg-33
- summary ITSG-33 https://cyber.gc.ca/en/guidance/annex-4-identification-control-elements-security-controls-itsg-41
- AU-2 AU-3 AU-4 AU-5 AU-16 via cloud logging fedramp compliance https://cloud.google.com/blog/products/identity-security/5-must-know-security-and-compliance-features-in-cloud-logging
- COM https://ssc-clouddocs.canada.ca/s/com?language=en_US
- https://cloud-services-infonuagiques.canada.ca/