Compliance Manager includes many built-in cloud controls that you can add to frameworks and deploy in your environment. If required, you can create and manage your own custom cloud controls and update built-in cloud controls.
Before you begin
- To get the permissions that you need to manage cloud controls frameworks, ask your administrator to grant you the following IAM roles on your organization:
  - Compliance Manager Admin (roles/cloudsecuritycompliance.admin)
  - To create or modify cloud controls that are based on organization policies, one of:
    - Organization Policy Administrator (roles/orgpolicy.policyAdmin)
    - Assured Workloads Administrator (roles/assuredworkloads.admin)
    - Assured Workloads Editor (roles/assuredworkloads.editor)
  For more information about granting roles, see Manage access to projects, folders, and organizations.
  You might also be able to get the required permissions through custom roles or other predefined roles.
View cloud controls
Complete the following steps to view built-in cloud controls and any custom cloud controls that you already created.
In the Google Cloud console, go to the Compliance page.
Select your organization.
In the Configure tab, click Cloud Controls. The available cloud controls display.
The dashboard includes information about which frameworks include the cloud control and the number of resources (organization, folders, and projects) that the cloud control is applied to.
To view details about a cloud control, click the control name.
Create a custom cloud control
A custom cloud control applies to only one resource type. The only supported data type is Cloud Asset Inventory resources. Custom cloud controls don't support parameters.
In the Google Cloud console, go to the Compliance page.
Select your organization.
In the Configure tab, click Cloud Controls. The list of available cloud controls is displayed.
Create a cloud control, either with Gemini or manually:
Use Gemini
Ask Gemini to generate a cloud control for you. Based on your prompt, Gemini provides a unique identifier, a name, associated detection logic, and possible remediation steps.
Review the recommendations and make any required changes.
Save your custom cloud control.
Create manually
In Cloud control ID, provide a unique identifier for your control.
Enter a name and description to help users in your organization understand the purpose of the custom cloud control.
Optional: Select the categories for the control. Click Continue.
Select an available resource type for your custom cloud control. Compliance Manager supports all resource types. To find the name for a resource, see Asset types.
Provide the detection logic for your cloud control, in Common Expression Language (CEL) format.
CEL expressions let you define how you want to evaluate the properties of a resource. For more information and examples, see Write rules for custom cloud controls. Click Continue.
If your evaluation rule isn't valid, an error is displayed.
Select an appropriate findings severity.
Write your remediation instructions so that incident responders and administrators in your organization can resolve any findings for the cloud control. Click Continue.
Review your entries, and then click Create.
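The detection logic step above says a rule is a CEL expression evaluated against the properties of one Cloud Asset Inventory resource type. The following Python is an added illustration, not code from Compliance Manager or from the Write rules for custom cloud controls page: it evaluates a small CEL subset (||, &&, !, ==, !=, has() and parentheses) against a constructed bucket record and turns a false result into a finding that carries the control's severity and remediation text. It assumes the rule sees the asset bound as `resource` and that a true result means the resource is compliant; both are assumptions, and the bucket field path follows the Cloud Storage JSON representation.

```python
import re
def bucket(name, ubla_enabled, versioned):  # constructed CAI-style record, not data from a real project
    data = {"name": name, "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": ubla_enabled}}}
    if versioned: data["versioning"] = {"enabled": True}
    return {"assetType": "storage.googleapis.com/Bucket", "resource": {"data": data}}

# Assumption: the rule sees the asset as `resource`; true means compliant, false produces a finding.
RULE = ("resource.data.iamConfiguration.uniformBucketLevelAccess.enabled == true"
        " && has(resource.data.versioning)")
TOKEN = re.compile(r"\s*(&&|\|\||==|!=|[()!]|[A-Za-z_][\w.]*)")
MISSING = object()
def tokenize(expr):
    tokens = TOKEN.findall(expr)  # anything the regex skipped shows up as a mismatch below
    if "".join(tokens) != "".join(expr.split()): raise ValueError(f"unsupported syntax in {expr!r}")
    return tokens
def lookup(env, path):  # walk a dotted field path; MISSING when any segment is absent
    for part in (path or "").split("."):
        if not isinstance(env, dict) or part not in env: return MISSING
        env = env[part]
    return env
def evaluate(expr, env):  # recursive-descent evaluator for the CEL subset ||, &&, !, ==, !=, has(), ( )
    toks, pos = tokenize(expr), [0]
    def peek(): return toks[pos[0]] if pos[0] < len(toks) else None
    def take(): t = peek(); pos[0] += 1; return t
    def expect(t): assert take() == t, f"expected {t!r}"
    def binary(operand, ops):  # left-associative loop shared by the three precedence levels
        v = operand()
        while peek() in ops:
            op, r = take(), operand()
            v = {"||": v or r, "&&": v and r, "==": v == r, "!=": v != r}[op]
        return v
    def or_expr(): return binary(and_expr, ("||",))
    def and_expr(): return binary(cmp_expr, ("&&",))
    def cmp_expr(): return binary(unary, ("==", "!="))
    def unary():
        t = take()
        if t == "!": return not unary()
        if t == "(": v = or_expr(); expect(")"); return v
        if t in ("true", "false"): return t == "true"
        if t == "has":  # has(a.b.c) is CEL's field-presence test, so an absent field is not an error here
            expect("("); path = take(); expect(")"); return lookup(env, path) is not MISSING
        v = lookup(env, t)
        if v is MISSING: raise ValueError(f"no such field: {t}")  # CEL errors on a missing map key
        return v
    result = or_expr(); expect(None)  # a leftover token means the expression was malformed
    return result

def check_control(asset, rule=RULE, severity="MEDIUM", remediation="Enable uniform bucket-level access and versioning."):
    if evaluate(rule, {"resource": asset["resource"]}): return None  # compliant: no finding
    return {"resource": asset["resource"]["data"]["name"], "severity": severity, "remediation": remediation}
```

Running a rule this way against an exported asset before saving the control shows whether it produces the finding you expect on a known-bad resource and stays silent on a known-good one.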
Edit a custom cloud control
After you create a cloud control, you can change its name, description, rules, remediation steps, and severity level. You can't change the cloud control category.
In the Google Cloud console, go to the Compliance page.
Select your organization.
In the Configure tab, click Cloud Controls. The list of available cloud controls is displayed.
Click the cloud control that you want to edit.
In the Cloud controls details page, verify that the cloud control isn't included in a framework. If required, edit the framework to remove the cloud control.
Click Edit.
In the Edit custom cloud control page, change the name and description as required. Click Continue.
Update the rules, finding severity, and remediation steps. Click Continue.
Review your changes and click Save.
Update a built-in cloud control to a newer release
Google publishes regular updates to its built-in cloud controls as services deploy new features or as new best practices emerge. Updates can include new controls or changes to existing controls.
You can view the releases of built-in cloud controls in the cloud controls dashboard in the Configure tab or in the cloud control details page.
Google notifies you in the release notes when the following items are updated:
- Cloud control name
- Finding category
- Change in the detective or preventive logic in a rule
- Underlying logic of a rule
To update a cloud control after you receive a notification, you must unassign and redeploy the frameworks that include the cloud control. For instructions, see Update a framework to a newer release.
Delete a custom cloud control
Delete a cloud control when it's no longer required. You can only delete cloud controls that you create. You can't delete built-in cloud controls.
In the Google Cloud console, go to the Compliance page.
Select your organization.
In the Configure tab, click Cloud Controls. The list of available cloud controls is displayed.
Click the cloud control that you want to delete.
In the Cloud controls details page, verify that the cloud control isn't included in a framework. If required, edit the framework to remove the cloud control.
Click Delete.
In the Delete window, review the message. Type Delete and click Confirm.
Mapping of Security Health Analytics detectors to cloud controls
The following table shows how Compliance Manager cloud controls map to Security Health Analytics detectors.
| Finding category in Security Health Analytics | Cloud control name in Compliance Manager |
|---|---|
| | Enable Access Transparency |
| | Block Administrator Roles from Service Accounts |
| | Configure the Allowed Ingress Settings for Cloud Run Organization Policy Constraint |
| | Configure the Allowed VPC Egress Settings for Cloud Run Organization Policy Constraint |
| | Enable AlloyDB Automated Backups on Cluster |
| | Enable AlloyDB Backups on Cluster |
| | Enable CMEK for AlloyDB Clusters |
| | Set Log Error Verbosity Flag for AlloyDB Instances |
| | Set Log Min Error Statement Flag for AlloyDB Instances |
| | Set Log Min Messages Flag for AlloyDB Instances |
| | Block Public IP Addresses for AlloyDB Cluster Instances |
| | Disable Alpha Features on GKE Clusters |
| | Restrict API Keys for Required APIs Only |
| | Not available |
| | Require Rotation of API Key |
| | Configure Log Metrics and Alerts for Audit Logging Changes |
| | Implement Event Logging for Google Cloud Services |
| | Enable Automatic Backups for Cloud SQL Databases |
| | Enable Auto Repair for GKE Clusters |
| | Enable Auto Upgrade on GKE Clusters |
| | Enable CMEK for BigQuery Tables |
| | Require Binary Authorization on a Cluster |
| | Enable CMEK for Cloud Storage Buckets |
| | Configure Log Metrics and Alerts for Cloud Storage IAM Policy Changes |
| | Require Cloud Storage Bucket Logging |
| | Enable Uniform Bucket-Level Access on Cloud Storage Buckets |
| | Enable Cloud Asset Inventory Service |
| | Enable Cloud Logging on GKE Clusters |
| | Enable Cloud Monitoring on GKE Clusters |
| | Enable Private Google Access on an instance |
| | Enable Encryption on GKE Clusters |
| | Enable Shielded GKE Nodes on a Cluster |
| | Block Project-Wide SSH Keys on Compute Engine Instances |
| | Enable Secure Boot on Compute Engine Instances |
| | Block Serial Ports for Compute Engine Instances |
| | Enable Confidential Computing for Compute Engine Instances |
| | Require Container-Optimized OS for a GKE Cluster |
| | Not available |
| | Configure Log Metrics and Alerts for Custom Role Changes |
| | Require CMEK on Dataproc Clusters |
| | Use Latest Image Versions on Dataproc Clusters |
| | Enable CMEK for BigQuery Datasets |
| | Use Networks with Custom Firewall Rules |
| | Use Custom Service Accounts for Compute Engine Instances |
| | Configure the Disable VPC External IPv6 Usage Organization Policy |
| | Configure the Disable VPC External IPv6 Usage Organization Policy |
| | Configure the Disable VM Serial Port Logging to Stackdriver Organization Policy |
| | Enable CMEK on Compute Engine Persistent Disks |
| | Enable CSEK On Compute Engine Persistent Disks |
| | Enable Cloud DNS Logs Monitoring |
| | Enable DNSSEC for Cloud DNS |
| | Enforce Deny All Egress Firewall Rule |
| | Define Essential Contacts |
| | Configure Log Metrics and Alerts for VPC Network Firewall Changes |
| | Enable Firewall Rule Logging |
| | Enable Flow Logs for VPC Subnet |
| | Restrict API Access to Google Cloud APIs for Compute Engine Instances |
| | Enforce HTTPS Traffic Only |
| | Define Service Perimeters in VPC Service Controls |
| | Enable OS Login |
| | Enable Integrity Monitoring on GKE Clusters |
| | Enable Intranode Visibility for GKE Clusters |
| | Enable IP Alias Range for GKE Clusters |
| | Prevent IP Forwarding on Compute Engine Instances |
| | Define Rotation Period for Cloud KMS Keys |
| | Not available |
| | Not available |
| | Enforce Separation of Duties |
| | Block Legacy Authorization on GKE Clusters |
| | Disable Legacy Metadata Server Endpoints on Compute Engine |
| | Don't Use Legacy Networks |
| | Enable Load Balancer Logging |
| | Lock Storage Bucket Retention Policies |
| | Configure Log Sinks |
| | Enable Control Plane Authorized Networks on GKE Clusters |
| | Not available |
| | Configure Log Metrics and Alerts for VPC Network Changes |
| | Enable Network Policy on GKE Clusters |
| | Enable CMEK on GKE Node Pool Boot Disks |
| | Enable Secure Boot for Shielded GKE Nodes |
| | Not available |
| | Enable Object Versioning on Buckets |
| | Block Connections to Cassandra Ports from All IP Addresses |
| | Block Connections to CiscoSecure/WebSM Ports from All IP Addresses |
| | Block Connections to Directory Services Ports from All IP Addresses |
| | Block Connections to DNS Ports from All IP Addresses |
| | Block Connections to Elasticsearch Ports from All IP Addresses |
| | Not available |
| | Block Connections to FTP Ports from All IP Addresses |
| | Not available |
| | Block Connections to HTTP Ports from All IP Addresses |
| | Block Connections to LDAP Ports from All IP Addresses |
| | Block Connections to Memcached Ports from All IP Addresses |
| | Block Connections to MongoDB Ports from All IP Addresses |
| | Block Connections to MySQL Ports from All IP Addresses |
| | Block Connections to NetBIOS Ports from All IP Addresses |
| | Block Connections to Oracle Database Ports from All IP Addresses |
| | Block Connections to POP3 Server Ports from All IP Addresses |
| | Block Connections to PostgreSQL Server Ports from All IP Addresses |
| | Block Access to RDP Port |
| | Block Connections to Redis Server Ports from All IP Addresses |
| | Block Connections to SMTP Server Ports from All IP Addresses |
| | Block Access to SSH Port |
| | Block Connections to Telnet Server Ports from All IP Addresses |
| | Enable the Confidential VM Organization Policy Constraint |
| | Enable OS Login for All Instances at Project Level |
| | Use Least Privilege Service Accounts for GKE Clusters |
| | Create GKE Clusters with Limited Service Account Access Scopes |
| | Block Administrator Roles from Service Accounts |
| | Not available |
| | Not available |
| | Restrict Legacy IAM Roles |
| | Enable Private Clusters for GKE |
| | Enable Private Google Access for VPC Subnets |
| | Restrict Public Access to Cloud Storage Buckets |
| | Restrict Public Access to Compute Images |
| | Restrict Public Access to BigQuery Datasets |
| | Restrict Public IP Addresses to Compute Engine Instances |
| | Restrict Public Access to Cloud Storage Buckets |
| | Restrict Public Access to Cloud SQL Database Instances |
| | Encrypt Pub/Sub topic with CMEK |
| | Enable Log Statement Flag for PostgreSQL |
| | Not available |
| | Subscribe a GKE Cluster to a Release Channel |
| | Enable OS Login |
| | Define VPC Connector Egress For Cloud Run Functions |
| | Enable the Restrict Authorized Networks on Cloud SQL Instances Organization Policy Constraint |
| | Configure Log Metrics and Alerts for VPC Route Changes |
| | Avoid RSASHA1 for DNSSEC Signing |
| | Not available |
| | Not available |
| | Require Service Account Key Rotation |
| | Enforce Separation of Duties |
| | Enable Shielded VM for Compute Engine Instances |
| | Restrict Default Network Creation for Compute Engine Instances |
| | Enable CMEK for Cloud SQL Databases |
| | Turn Off Contained Database Authentication Flag for SQL Server |
| | Turn Off Cross Database Ownership Chaining Flag for SQL Server |
| | Turn Off External Scripts Flag for SQL Server |
| | Configure Log Metrics and Alerts for Cloud SQL Configuration Changes |
| | Turn Off Local Infile Flag for MySQL |
| | Enable Log Checkpoints Flag for PostgreSQL |
| | Enable Log Connections Flag for PostgreSQL |
| | Enable Log Disconnections Flag for PostgreSQL |
| | Enable Log Duration Flag for PostgreSQL instance |
| | Enable Log Error Verbosity Flag for PostgreSQL |
| | Turn Off Log Executor Stats Flag for PostgreSQL |
| | Turn off Log Hostname Flag for PostgreSQL |
| | Enable Log Locks Wait Flag for PostgreSQL instance |
| | Turn Off Log Min Duration Statement Flag for PostgreSQL |
| | Enable Log Min Error Statement Flag for PostgreSQL |
| | Not available |
| | Enable Log Min Messages Flag for PostgreSQL |
| | Turn off Log Parser Stats Flag for PostgreSQL |
| | Turn off Log Planner Stats Flag for PostgreSQL |
| | Enable Log Statement Flag for PostgreSQL |
| | Enable Log Temp Files Flag for PostgreSQL instance |
| | Not available |
| | Block Public IP Addresses for Cloud SQL Instances |
| | Turn Off Remote Access Flag for SQL Server |
| | Enable SSL Encryption On AlloyDB Instances |
| | Enable Skip Show Database Flag for MySQL |
| | Enable 3625 Trace Database Flag for SQL Server |
| | Don't Use User Connections Flag for SQL Server |
| | Don't Use User Options Flag for SQL Server |
| | Not available |
| | Enforce SSL for all Incoming Database Connections |
| | Limit KMS Crypto Keys Users to Three |
| | Enable Uniform Bucket-Level Access on Cloud Storage Buckets |
| | Restrict User Managed Service Account Keys |
| | Not available |
| | Restrict Insecure SSL Policies for Compute Engine Instances |
| | Don't Use Kubernetes Web UI |
| | Enable Workload Identity Federation for GKE on clusters |