Skip to content

Latest commit

 

History

History
27 lines (22 loc) · 3.11 KB

forseti-security.md

File metadata and controls

27 lines (22 loc) · 3.11 KB

forseti-security

This bundle can be installed via kpt:

export BUNDLE=forseti-security
kpt pkg get https://github.com/forseti-security/policy-library.git ./policy-library
kpt fn source policy-library/samples/ | \
  kpt fn run --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
  kpt fn sink policy-library/policies/constraints/

Constraints

Constraint Control Description
cmek_rotation_one_hundred_days v2.26.0 Checks that CMEK rotation policy is in place and is sufficiently short.
denylist_public_users v2.26.0 Prevent public users from having access to resources via IAM
iam-restrict-service-account-key-age-one-hundred-days v2.26.0 Checks if service account keys are older than 100 days.
only_my_domain v2.26.0 Only allow members from my domain to be added to IAM roles
require_bq_table_iam v2.26.0 Checks if BigQuery datasets are publicly readable or allAuthenticatedUsers.
restrict-firewall-rule-world-open v2.26.0 Checks for open firewall rules allowing ingress from the internet.
restrict-firewall-rule-world-open-tcp-udp-all-ports v2.26.0 Checks for open firewall rules allowing TCP/UDP from the internet.
restrict-gmail-bigquery-dataset v2.26.0 Enforce corporate domain by banning gmail.com addresses access to BigQuery datasets
restrict-googlegroups-bigquery-dataset v2.26.0 Enforce corporate domain by banning googlegroups.com addresses access to BigQuery datasets
sql-world-readable v2.26.0 Checks if Cloud SQL instances are world readable.