Implement various compliance configuration and principle of least privilege for hardened dataset #3635
base: fast-dev
d673953 to 85850e0
…ud-foundation-fabric into vannick/fsi-5-wave
| ```tfvars | ||
| factories_config = { | ||
| defaults = "datasets/hardened/defaults.yaml" | ||
| folders = "datasets/hardened/folders" |
Update documentation which was incomplete previously.
Also, mainly in this PR, datasets/hardened/folders has been added, with the following main drift from the classic datasets:
- classic: still uses the owner and viewer roles for the *-rw and *-ro service accounts
- hardened: now uses predefined and custom roles.
Tests have already been done extensively to validate that the permissions are the right ones:
- stages 0 to 3 tested (except 3-secops and 3-gcve-dev), but the rest has been validated
| # yaml-language-server: $schema=../../../../schemas/custom-role.schema.json | ||
| # the following permissions are a descoped version of storage.admin | ||
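Review bot: the header comment says the permissions are a descoped version of storage.admin, but the accompanying explanation says the role exists so the read-only (plan-only) service account can call getIamPolicy; make the comment list which permissions were removed, and check that nothing kept carries a set/create/delete verb (storage.buckets.setIamPolicy in particular), otherwise "descoped storage.admin" on a *-ro account is still a write-capable role.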
All the roles created below are needed because, generally, predefined roles do not provide permissions for *.getIamPolicy.
This requires the creation of multiple roles so the read-only service account can retrieve the IAM policy when doing terraform plan in the pipeline.
| - bigquerydatatransfer.googleapis.com | ||
| - cloudkms.googleapis.com | ||
| - logging.googleapis.com | ||
| - storage.googleapis.com |
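Review bot: the authoritative roles/owner binding explained for this region removes every owner member, not only the project creator, so the automation service account has to hold its custom and predefined roles before the binding is applied or the first apply after project creation can lock itself out; this ordering deserves a sentence in the docs next to the service list (cloudkms.googleapis.com and logging.googleapis.com are also what the CMEK and log bucket settings in this PR rely on, so they cannot be dropped from this list).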
Use authoritative bindings for roles/owner, to ensure:
- no roles/owner permissions are provided
- but also, when a project is created, the creator principal is automatically set as owner of the project. This ensures that once the project is created, the owner role is removed from the creator.
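The two controls described in the comments above (a custom role descoped to read-only that still exposes getIamPolicy for the *-ro account, and an authoritative roles/owner binding that strips the grant the project creator receives automatically) as an added Python example. This is not code from cloud-foundation-fabric or from this PR; the role name, members and permission lists are constructed to mirror the shapes GCP returns (`includedPermissions` on a custom role, `bindings` on an IAM policy) and are illustrative only.

```python
"""Least-privilege checks for a hardened dataset rollout.

Added, stand-alone example; not code from cloud-foundation-fabric or this PR.
All role and policy documents below are constructed for illustration.
"""
import copy
import re

# Verbs that change state or grant access. A custom role built for a plan-only
# (*-ro) service account, e.g. one descoped from storage.admin so it can still
# call getIamPolicy, must not contain a permission with one of these verbs.
MUTATING_VERB = re.compile(
    r"^(create|delete|update|patch|set\w*|write|undelete|restore|use|run)$"
)

# Primitive roles that must carry no members once hardening has been applied.
PRIMITIVE_ROLES = ("roles/owner", "roles/editor")


def permission_verb(permission):
    """'storage.buckets.getIamPolicy' -> 'getIamPolicy'."""
    return permission.rsplit(".", 1)[-1]


def mutating_permissions(role):
    """Permissions in a custom role that are not read-only, sorted."""
    return sorted(
        p for p in role["includedPermissions"]
        if MUTATING_VERB.match(permission_verb(p))
    )


def can_read_iam_policy(role):
    """True if the role can retrieve an IAM policy (what terraform plan needs)."""
    return any(permission_verb(p) == "getIamPolicy"
               for p in role["includedPermissions"])


def primitive_role_members(policy):
    """Map of primitive role -> members still bound; empty when clean."""
    found = {}
    for binding in policy["bindings"]:
        if binding["role"] in PRIMITIVE_ROLES and binding["members"]:
            found[binding["role"]] = sorted(binding["members"])
    return found


def set_authoritative_binding(policy, role, members):
    """Authoritative semantics: the role's member list becomes exactly
    `members`, dropping anything granted out of band (including the creator's
    automatic owner grant). An additive binding would only append. Returns a
    new policy and leaves the input untouched."""
    new = copy.deepcopy(policy)
    new["bindings"] = [b for b in new["bindings"] if b["role"] != role]
    if members:
        new["bindings"].append({"role": role, "members": list(members)})
    return new


# Constructed: a descoped storage role for the read-only automation account
# (role name and permission list are illustrative, not the PR's).
RO_STORAGE_ROLE = {
    "name": "organizations/0/roles/storage_viewer_iam",
    "includedPermissions": [
        "storage.buckets.get",
        "storage.buckets.getIamPolicy",
        "storage.buckets.list",
        "storage.objects.get",
        "storage.objects.list",
    ],
}

# Constructed: the same role with two permissions that should have been descoped.
OVERSCOPED_ROLE = {
    "name": "organizations/0/roles/storage_viewer_iam",
    "includedPermissions": RO_STORAGE_ROLE["includedPermissions"]
    + ["storage.buckets.setIamPolicy", "storage.objects.delete"],
}

# Constructed: a project policy right after creation, where GCP has granted
# the creating principal roles/owner automatically.
FRESH_PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:creator@example.com"]},
        {"role": "roles/viewer",
         "members": ["serviceAccount:prod-ro@example.iam.gserviceaccount.com"]},
    ]
}


def hardened_policy():
    """Policy after the authoritative (empty) roles/owner binding is applied."""
    return set_authoritative_binding(FRESH_PROJECT_POLICY, "roles/owner", [])


if __name__ == "__main__":
    print("over-scoped permissions:", mutating_permissions(OVERSCOPED_ROLE))
    print("owner members after hardening:",
          primitive_role_members(hardened_policy()))
```

Run it as a pipeline gate before apply: a non-empty result from `mutating_permissions` on any *-ro role, or a non-empty result from `primitive_role_members` on the post-apply policy, is a failed check.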
| keys: | ||
| bigquery: | ||
| rotation_period: 7776000s | ||
| log_buckets: |
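Review bot: the 7776000s on keys.bigquery.rotation_period is the CMEK rotation interval (90 days), not the log retention the accompanying comment refers to; the 90-day availability requirement has to be set on the log_buckets entries themselves, otherwise only the key rotates and retention stays at its default. Note also that rotating a KMS key adds a new primary version without re-encrypting existing data, so older key versions must stay available for as long as the logs are retained.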
Done in hardened datasets to follow NIST requirements, where logs have to be made available for at least 90 days.
| iac-outputs: | ||
| description: Terraform state for the org-level automation. | ||
| versioning: true | ||
| encryption_key: $kms_keys:iac-0/ew1/storage |
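Review bot: with versioning: true on iac-outputs and the activity-based storage-class change mentioned in the accompanying comment, add a lifecycle rule for noncurrent versions (an age or a maximum count), otherwise every state write leaves behind an old version that is never expired; Terraform state contains secrets, so those noncurrent versions are as sensitive as the current one and should be covered by the same encryption_key and retention decision.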
Compliance requirement to update storage class based on object activity
| ingress_rules: | ||
| allow-healthchecks: | ||
| description: Enable SSH, HTTP and HTTPS healthchecks | ||
| priority: 1001 |
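Review bot: the allow-healthchecks description lists SSH alongside HTTP and HTTPS; a health-check rule should open only the ports the backends are actually probed on, so drop port 22 unless a load balancer is really health-checking SSH, and keep the source ranges restricted to the Google health-check ranges rather than a broader range. At priority 1001 the rule also needs to be checked against whatever deny rules sit at lower numbers in the same policy.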
For 2-networking and 2-project-factory, I have added commented lines to ensure:
- logging enablement
- enforcing removal of the owner role from the project creator
- log retention
- VPC flow logs
These have only been added as comments.
| var.billing_account.id | ||
| ) | ||
| ), null) | ||
| prefix = coalesce( |
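Review bot: wrapping the billing-account lookup in try(..., null) stops terraform from erroring when both var.data_defaults.billing_account and var.billing_account.id are empty, but it does so by silently yielding null; a validation block on the variable (or a precondition) requiring at least one of the two to be set makes the failure explicit at plan time instead of surfacing later as a project with no billing account. The same applies to the prefix = coalesce(...) line, since coalesce treats empty strings like null and errors when every argument is empty.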
Was buggy when both var.data_defaults.billing_account and var.billing_account.id were empty
eb13d69 to c0d3aec
This PR focuses on tightening security controls to align with the principle of least privilege for the various service accounts, specifically targeting hardened datasets.
It also includes configuration updates to address findings (or false positives) from compliance standards like CIS GCP, CIS GKE, and NIST, ensuring the foundation can be ready for more sensitive organizations (FSI).
Main changes:
- compute.disableVpcInternalIpv6 as recommended by Compliance Manager

If applicable, I acknowledge that I have:
- run `terraform fmt` on all modified files
- run `tools/tfdoc.py`