Michael O'Brien edited this page Nov 29, 2023 · 37 revisions

Controls

Controls Coverage

Pending: extraction of GCP services into securitycontrols.md (https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/746). Use the new "All Products" page (https://console.cloud.google.com/products) for a list of Google Cloud services.

Controls to Code Mappings

(From generated source - 20231128)

(From yaml comments)

(From KRM tagging)

Controls to GCP Services Mappings

Controls to Landing Zone Deployment Runtime Inventory

Recommended Security Controls List

| Category | Count | Priorities | Controls subset (P1=**bold**, P2=_italic_) | Inherited Controls | Guardrails Additional + |
| --- | --- | --- | --- | --- | --- |
| AC | 28 | P1=7 P2=17 | AC-2 AC-2(2) AC-2(3) AC-2(4) AC-2(10) AC-3 AC-3(4) AC-3(7) AC-3(9) AC-4 AC-4(21) AC-6(10) AC-7 AC-8 AC-9 AC-9(3) AC-10 AC-11 AC-11(1) AC-12 AC-16(2) AC-16(4) AC-16(5) AC-17(1) AC-17(2) AC-17(3) AC-17(100) AC-18(1) | | |
| AU | 16 | P1=3 P2=13 | AU-3 AU-3(1) AU-4(1) AU-5 AU-5(1) AU-6(4) AU-7 AU-7(1) AU-7(2) AU-8 AU-8(1) (AU-9 P1?) AU-9(2) (AU-12 P1?) AU-12(1) AU-12(2) | | |
| CA | 1 | P3=1 | CA-9(1)(P3) | | |
| CM | 3 | P2=2 P3=1 | CM-5(1) CM-11(1) CM-11(2)(P3) | | |
| CP | 1 | P3=1 | CP-11(P3) | | |
| IA | 16 | P1=5 P2=8 | IA-2 IA-2(1) IA-2(3) IA-2(6) IA-2(8) IA-2(9) IA-2(11) IA-3 IA-3(1) IA-5(1) IA-5(2) IA-5(11) IA-5(13) (from P1) IA-6 IA-7 IA-8 (from P1) | | |
| MA | 1 | P3=1 | MA-4(6)(P3) | | |
| MP | 1 | P2=1 | MP-5(4) | | |
| RA | 1 | | RA-5(5) | | |
| SC | 28 | P1=7 P2=12 P3=4 | SC-2 SC-2(1) SC-4 SC-5 SC-5(2) SC-7(5) SC-7(7) SC-7(8) SC-7(9) SC-7(11) SC-7(18) SC-8 SC-8(1) SC-10(P3) SC-13(P3) SC-15(P3) SC-18(1) SC-18(3) SC-18(4) SC-20 SC-22(P3) SC-23 SC-23(1) SC-23(3) SC-24 SC-28 SC-28(1) SC-39 | | |
| SI | 11 | P2=8 P3=3 | SI-3(2) SI-3(4) SI-3(7)(P3) SI-4(4) SI-4(5) SI-4(7) SI-7(1) SI-8(2) SI-10(P3) SI-11(P3) SI-16 | | |

Controls Summary

Code to Controls Mapping

V20231128

| Yaml Code | Controls |
| --- | --- |
| a | b |

Controls to Code Mapping

V20231128

| Controls | Yaml Code |
| --- | --- |
| AC-2 | 1 |
| AC-2(2) | 1 |
| AC-2(3) | 1 |
| AC-2(4) | 1 |
| AC-2(10) | 1 |
| AC-3 | 1 |
| AC-3(4) | 1 |
| AC-3(7) | 1 |
| AC-3(9) | 1 |
| AC-4 | 1 |
| AC-4(21) | 1 |
| AC-6(10) | 1 |
| AC-7 | 1 |
| AC-8 | 1 |
| AC-9 | 1 |
| AC-9(3) | 1 |
| AC-10 | 1 |
| AC-11 | 1 |
| AC-11(1) | 1 |
| AC-12 | 1 |
| AC-16(2) | 1 |
| AC-16(4) | 1 |
| AC-16(5) | 1 |
| AC-17(1) | 1 |
| AC-17(2) | 1 |
| AC-17(3) | 1 |
| AC-17(100) | 1 |
| AC-18(1) | 1 |
| AU-3 | 1 |
| AU-3(1) | 1 |
| AU-4(1) | 1 |
| AU-5 | 1 |
| AU-5(1) | 1 |
| AU-6(4) | 1 |
| AU-7 | 1 |
| AU-7(1) | 1 |
| AU-7(2) | 1 |
| AU-8 | 1 |
| AU-8(1) | 1 |
| (AU-9 P1?) | 1 |
| AU-9(2) | 1 |
| (AU-12 P1?) | 1 |
| AU-12(1) | 1 |
| AU-12(2) | 1 |
| CA-9(1)(P3) | 1 |
| CM-5(1) | 1 |
| CM-11(1) | 1 |
| CM-11(2)(P3) | 1 |
| CP-11(P3) | 1 |
| IA-2 | 1 |
| IA-2(1) | 1 |
| IA-2(3) | 1 |
| IA-2(6) | 1 |
| IA-2(8) | 1 |
| IA-2(9) | 1 |
| IA-2(11) | 1 |
| IA-3 | 1 |
| IA-3(1) | 1 |
| IA-5(1) | 1 |
| IA-5(2) | 1 |
| IA-5(11) | 1 |
| IA-5(13) (from P1) | 1 |
| IA-6 | 1 |
| IA-7 | 1 |
| IA-8 (from P1) | 1 |
| MA-4(6)(P3) | 1 |
| MP-5(4) | 1 |
| RA-5(5) | 1 |
| SC-2 | 1 |
| SC-2(1) | 1 |
| SC-4 | 1 |
| SC-5 | 1 |
| SC-5(2) | 1 |
| SC-7(5) | 1 |
| SC-7(7) | 1 |
| SC-7(8) | 1 |
| SC-7(9) | 1 |
| SC-7(11) | 1 |
| SC-7(18) | 1 |
| SC-8 | 1 |
| SC-8(1) | 1 |
| SC-10(P3) | 1 |
| SC-13(P3) | 1 |
| SC-15(P3) | 1 |
| SC-18(1) | 1 |
| SC-18(3) | 1 |
| SC-18(4) | 1 |
| SC-20 | 1 |
| SC-22(P3) | 1 2 |
| SC-23 | 1 |
| SC-23(1) | 1 |
| SC-23(3) | 1 |
| SC-24 | 1 |
| SC-28 | 1 |
| SC-28(1) | 1 |
| SC-39 | 1 |
| SI-3(2) | 1 |
| SI-3(4) | 1 |
| SI-3(7)(P3) | 1 |
| SI-4(4) | 1 |
| SI-4(5) | 1 |
| SI-4(7) | 1 |
| SI-7(1) | 1 |
| SI-8(2) | 1 |
| SI-10(P3) | 1 |
| SI-11(P3) | 1 |
| SI-16 | 1 |

Service to Controls Mappings

| Package | Module | File | Code - Kind | Controls |
| --- | --- | --- | --- | --- |
| client-landing-zone | client-folder/firewall-policy/rules | defaults | computeFirewallPolicyRule 2 3 4 | AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) |
| client-landing-zone | client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis | dns.yaml | DNSManagedZone | SC-22 |
| | | | DNSRecordSet | SC-22 |

Controls

SC-22:

Secondary Reference - Security Controls List

- 31 (15 guardrails) + 10 + 25 = 66 (guardrails subset = 48)

| Category | Count | 31 Controls highlighted (20 P1 in bold, 11 P2 in italic) | GR + 10 Extended/Inherited Controls; 25 Guardrails Additional + |
| --- | --- | --- | --- |
| AC | 5 | +AC-2 +AC-3 +AC-4 +AC-6 AC-12 | AC-17(1) +AC-5 +AC-6(5) +AC-6(10) +AC-7 +AC-9 +AC-19 +AC-20(3) |
| AT | 1 | AT-3 | |
| AU | 4 | +AU-2 +AU-3 +AU-6 AU-13 | +AU-9 +AU-12 +AU-8 +AU-9(4) |
| CA | 1 | CA-3 | |
| CM | 1 | +CM-2 | +CM-8 +CM-3 +CM-4 +CM-5 |
| IA | 2 | +IA-2 +IA-5 | +IA-2(1) +IA-2(2) +IA-2(11) +IA-4 +IA-5(1) +IA-5(6) +IA-5(7) +IA-5(13) +IA-6 +IA-8 |
| IR | 1 | IR-6 | |
| MP | 1 | MP-2 | |
| PE | 2 | PE-3 PE-19 | |
| PS | 1 | PS-6 | |
| RA | 1 | RA-5 | |
| SA | 2 | SA-4 SA-8 | +SA-22 |
| SC | 5 | +SC-7 +SC-13 SC-26 +SC-28 SC-101 | +SC-5 SC-7(3) +SC-7(5) +SC-28(1) +SC-8 +SC-8(1) +SC-12 +SC-17 |
| SI | 4 | +SI-2 SI-3 +SI-4 SI-7 | |

P1 Controls

140 P1
| Count | Controls (enhancements written as family-base.enhancement) |
| --- | --- |
| 24 | AC-1/2/3/3.7/3.9/3.10/4/4.4/4.12/4.13/4.14/4.15/5/6/6.5/7/8/17/18/18.5/19/19.4/19.100/22 |
| 4 | AT-1/2/2.2/3 |
| 8 | AU-1/2/3/4/4.1/6/8/12 |
| 8 | CA-1/2.1/3/3.2/3.3/3.4/6/7.1 |
| 10 | CM-1/2/2.7/3/5/6/7/7.5/8/9 |
| 2 | CP-1/9 |
| 8 | IA-1/2/2.1/3/4/5/5.1/6 |
| 2 | IR-1/9 |
| 3 | MA-1/3.2/5.2 |
| 9 | MP-1/2/3/4/5/5.3/8/8.3/8.4 |
| 15 | PE-1/2/2.3/2.100/3/4/6/6.2/6.3/6.4/8/16/18/18.1/20 |
| 7 | PL-1/2/4/7/8/8.1/8.2 |
| 9 | PS-1/3/3.1/3.2/4/5/6/6.2/7 |
| 3 | RA-1/2/3 |
| 5 | SA-1/4.2/4.6/4.7/9 |
| 17 | SC-1/2/5/7/7.3/7.5/7.9/7.14/8/12.2/12.3/18/23/24/28/43/101 |
| 6 | SI-1/2/3/4/5/8 |

```mermaid
graph LR;
    %% Control (PBMM / PBHH profile) -> sub-service -> GCP service -> GCP
    style GCP fill:#44f,stroke:#f66,stroke-width:2px,color:#fff,stroke-dasharray: 5 5
    %% mapped and documented
    PBMM-->AU-1;
    PBMM-->AU-2;
    PBMM-->AU-3;
    PBMM-->AU-4;
    PBMM-->AU-4.1;
    PBMM-->AU-6;
    PBMM-->AU-8;
    PBMM-->AU-12;
    PBMM-->CM-1;
    PBMM-->CM-2;
    PBMM-->CM-3;
    PBMM-->CM-5;
    PBMM-->CM-6;
    PBMM-->CM-7;
    PBMM-->CM-7.5;
    PBMM-->CM-8;
    PBMM-->CM-9;
    PBMM-->CP-1;
    PBMM-->IR-1;
    PBMM-->IR-9;
    PBMM-->MA-1;
    PBMM-->MA-3.3;
    PBMM-->MP-2;
    PBMM-->PE-3;
    PBMM-->PE-19;
    PBMM-->RA-1;
    PBMM-->RA-2;
    PBMM-->RA-3;
    %% subset edit point above

    %% mapped but not yet documented
    unmapped-->AC-2.1/5/6.5/6.10/7/19;
    unmapped-->AU-3.2/4/9.4;
    unmapped-->CM-3/4/5/8;
    unmapped-->CP-7;
    unmapped-->IA-4/5.1/5.7/5.13/6/8;
    unmapped-->SA-22;
    unmapped-->SC-5/7.7/8/8.1/12/17;

    %% control to sub-service
    AC-2-->bucket-not-public;
    AC-2-->enforce-public-access-prevention;
    AC-2-->restrict-public-IP-access-sql;
    AC-2-->Roles;
    AC-2-->Identity-Federation;
    AC-3-->Roles;
    AC-4-->IDS;
    AC-4-->VFW;
    AC-4-->Asset-Inventory;
    AC-6-->Roles;
    AC-12-->Pre-Signed-URLs;
    AC-17.1-->IAP;
    AC-20.3-->BeyondCorp-CAA;
    AU-2-->Monitoring;
    AU-2-->Identity;
    AU-2-->Password-Policies;
    AU-2-->Audit-and-Investigation;
    AU-2-->Apps-Reports-Accounts;
    AU-2-->Alert-Policy;
    AU-2-->Logs-Explorer;
    AU-2-->Logs-Router;
    AU-2-->bucket-not-public;
    AU-2-->bucket-protection-retention-1-sec;
    AU-3-->Monitoring;
    AU-3-->Alert-Policy;
    AU-3-->Logs-Explorer;
    AU-3-->Logs-Router;
    AU-6-->bucket-protection-retention-1-sec;
    AU-6-->Monitoring;
    AU-6-->Alert-Policy;
    AU-6-->Logs-Explorer;
    AU-6-->Logs-Router;
    AU-13-->DLP;
    AU-13-->bucket-not-public;
    AU-13-->Monitoring;
    AU-13-->Alert-Policy;
    AU-13-->Logs-Explorer;
    AU-13-->Logs-Router;
    AU-8-->Event-Logging;

    %% post-Terraform
    post-TF-console-->SC-7-->Location-Restriction;

    %% requires Traffic Generation app
    AU-12== traffic gen ==>VPC-Flow-Logs;
    AU-12== traffic gen ==>SCC-Findings;
    AU-12-->SCC-Compliance;

    AU-9-->Non-Public-->Cloud-Storage;
    AU-9-->Protection-Retention-->Cloud-Storage;
    AT-3-->Certification-Training;
    CA-3-->IAP;
    CA-3-->Cloud-Deploy;
    CA-3-->Deployment-Manager;
    CA-3-->Private-Access;
    CM-2-->Marketplace-Role-restriction;
    IA-2-->Identity-Federation;
    IA-2-->IAP;
    IA-2.1-->Roles;
    IA-2.1-->Identity-Federation;
    IA-2.2-->Identity-Federation;
    IA-2.1-->IAP;
    IA-2.1-->Roles;
    IA-2.2-->Roles;
    IA-5-->IAP;
    IA-5-->Roles;
    IA-5-->2FA;
    IR-6-->Alert-Policy;
    IR-6-->Logs-Explorer;
    IR-6-->Logs-Router;
    IR-6-->bucket-not-public;
    IR-6-->bucket-protection-retention-1-sec;
    MP-2-->DLP;
    MP-2-->Data-Center-Security;
    PE-3-->Data-Center-Security;
    PE-19-->Data-Center-Security;

    RA-5-->SCC-Vulnerabilities;
    RA-5-->Vulnerability-Scanning;
    SA-4-->SCC-Vulnerabilities;
    SA-4-->Vulnerability-Scanning;
    SA-8-->Encryption-at-rest;
    SA-8-->Encryption-in-transit;
    SC-7-->Resource-Location-Restriction;
    SC-7== traffic gen ==>VPC-Firewall-Logs;
    SC-7-->IDS;
    SC-7== traffic gen ==>VPC-Firewall-Rules;
    SC-7.3== traffic gen ==>VPC-Firewall-Logs;
    SC-7.5== traffic gen ==>VPC-Firewall-Logs;

    SC-8-->Encryption-at-rest;
    SC-8-->Encryption-in-transit;
    SC-13-->Encryption-at-rest;
    SC-13-->Encryption-in-transit;
    SC-13-->bucket-not-public;
    SC-13-->bucket-protection-retention-1-sec;
    SC-26-->SCC-Container-Threat-Detection;
    SC-26-->Armor;
    SC-28.1-->Encryption-at-rest;
    SC-28-->Encryption-at-rest;
    SC-101-->Data-Center-Security;
    SI-2-->Armor;
    SI-3-->Vulnerability-Scanning;
    SI-3-->SCC-Vulnerabilities;
    SI-4== traffic gen ==>Compute-VM;
    SI-4-->Armor;
    SI-4-->VM-logging-agent-logs;

    %% sub-service to service
    2FA-->Identity;
    Alert-Policy-->Cloud-Logging;
    Apps-Reports-Accounts-->Reporting;
    Reporting-->Identity;
    Asset-Inventory-->IAM;
    Armor-->Network-Security;
    Audit-and-Investigation-->Identity;
    bucket-not-public-->Org-Policies;
    bucket-protection-retention-1-sec-->Org-Policies;
    enforce-public-access-prevention-->Org-Policies;
    restrict-public-IP-access-sql-->Org-Policies;
    BeyondCorp-CAA-->Security;
    Certification-Training-->Training;
    Cloud-Identity-->Google-Admin;
    Compute-VM-->Cloud-Logging;
    Data-Center-Security-->Security;
    Cloud-Deploy-->GCP;
    Deployment-Manager-->GCP;
    DLP-->Security;
    Encryption-in-transit-->Security;
    Encryption-at-rest-->Security;
    Event-Logging-->Cloud-Operations-Suite;
    IAP-->Security;
    Identity-Federation-->IAM;
    IDS-->Network-Security;
    Location-Restriction-->Org-Policies;
    Logs-Explorer-->Cloud-Logging;
    Logs-Router-->Cloud-Logging;
    Marketplace-Role-restriction-->Marketplace;
    MFA-->Cloud-Identity;
    Monitoring-->GCP;
    Org-Policies-->IAM;
    Password-Policies-->Identity;
    Pre-Signed-URLs-->Cloud-Storage;
    Private-Access-->VPC-Networks;
    Resource-Location-Restriction-->Org-Policies;
    Roles-->IAM;
    SCC-Findings-->SCC;
    SCC-Compliance-->SCC;
    SCC-Container-Threat-Detection-->SCC;
    SCC-Vulnerabilities-->SCC;
    VM-logging-agent-logs-->Cloud-Logging;
    VFW-->VPC-Networks;
    VPC-Flow-Logs-->VPC-Networks;
    VPC-Firewall-Rules-->VPC-Networks;
    VPC-Firewall-Logs-->VPC-Networks;
    Vulnerability-Scanning-->Artifact-Registry;

    %% service to gcp
    Artifact-Registry-->GCP;
    Cloud-Operations-Suite-->GCP;
    Cloud-Logging-->GCP;
    Cloud-Storage-->GCP;
    Identity-->Admin;
    IAM-->GCP;
    Marketplace-->GCP;
    Network-Security-->GCP;
    SCC-->GCP;
    Security-->GCP;
    Training-->GCP;
    VPC-Networks-->GCP{GCP};

    %% PBHH
    PBHH-->AU-3.2;
    PBHH-->IA-2.2;
```


Security Controls List

Rev: 20231114

Security Controls to Code Mappings

Security Controls to GCP Services Mappings

History

https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/560

20231027

Check removed files

```text
 delete mode 100644 solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/securitycontrols.md
 delete mode 100644 solutions/client-landing-zone/logging-project/securitycontrols.md
 delete mode 100644 solutions/core-landing-zone/lz-folder/audits/logging-project/securitycontrols.md
```

Todo

Example visuals for extract and/or live compliance dashboard

Links
