This page provides an overview of Security Health Analytics custom modules. For information about the built-in modules, see Security Health Analytics built-in detectors.
With custom modules, you can extend the detection capabilities of Security Health Analytics by creating custom detectors that scan the Google Cloud resources and policies you specify, using rules you define, for vulnerabilities, misconfigurations, or violations.
The configuration or definition of a custom module, whether you create it in the Google Cloud console or write the code yourself, determines which resources the detector checks, which properties it evaluates, and which information it returns when it detects a vulnerability or misconfiguration.
You can create custom modules for any resource or asset that Security Command Center supports.
If you write custom module definitions yourself, use YAML and Common Expression Language (CEL) expressions. If you create a custom module in the Google Cloud console, most of the coding is done for you, but you still need to write the CEL expression.
For an example of a custom module definition in a YAML file, see "Example custom module definition".
Custom modules run in both real-time and batch scans alongside the built-in detectors of Security Health Analytics. In real-time mode, a scan is triggered whenever an asset configuration changes. Batch-mode scans run once a day with all detectors for each enrolled organization or project.
During a scan, each custom detector is applied to all matching assets in every organization, folder, or project in which the detector is enabled.
Findings from custom detectors are written to Security Command Center.
For more information, see the following resources:
Compare built-in detectors and custom modules
You can use custom modules to detect conditions that the built-in Security Health Analytics detectors cannot, but built-in detectors support some Security Command Center features that custom modules do not.
Feature support
Attack path simulations do not support Security Health Analytics custom modules, so findings produced by custom modules do not receive attack exposure scores or attack paths.
Compare detection logic
As an example of what custom modules can do, compare what the built-in detector PUBLIC_SQL_INSTANCE checks with what a custom module can check.
The built-in detector PUBLIC_SQL_INSTANCE checks whether the authorizedNetworks property of a Cloud SQL instance is set to 0.0.0.0/0. If it is, the detector produces a finding that the Cloud SQL instance is publicly exposed, because the instance accepts connections from all IP addresses.
With a custom module, you can implement more complex detection logic that checks a Cloud SQL instance for the following conditions:
- IP addresses with a particular prefix, specified by using a wildcard.
- The value of the state property, which you can use to ignore an instance when the value is set to MAINTENANCE, or to trigger a finding when the value is anything else.
- The value of the region property, which you can use to trigger findings only for instances with a public IP address in specific regions.
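The following custom module definition is an added example, not a definition from this page or from Google's documentation; it combines the three conditions above into one CEL predicate. It assumes the custom module YAML layout (resource_selector, predicate, custom_output), that the Cloud SQL instance resource follows the Cloud SQL Admin API DatabaseInstance shape (state, region, settings.ipConfiguration.authorizedNetworks[].value), and uses the documentation range 203.0.113.0/24 and two region names as placeholder values.

```yaml
# Added example (not from the original page). Field paths follow the
# Cloud SQL Admin API DatabaseInstance shape and are assumptions; the
# prefix "203.0.113." and the region list are placeholders to replace.
severity: HIGH
description: >
  A Cloud SQL instance in a monitored region accepts connections from
  the whole internet (0.0.0.0/0) or from an address range matching a
  flagged prefix, and the instance is not in maintenance.
recommendation: >
  Remove the offending authorizedNetworks entry and reach the instance
  over private IP or the Cloud SQL Auth Proxy instead.
resource_selector:
  resource_types:
  - sqladmin.googleapis.com/Instance
predicate:
  expression: >
    resource.state != "MAINTENANCE" &&
    resource.region in ["us-central1", "europe-west1"] &&
    has(resource.settings) &&
    has(resource.settings.ipConfiguration) &&
    has(resource.settings.ipConfiguration.authorizedNetworks) &&
    resource.settings.ipConfiguration.authorizedNetworks.exists(n,
      n.value == "0.0.0.0/0" || n.value.startsWith("203.0.113."))
custom_output:
  properties:
  # Surface the region and the matching entries in the finding so the
  # responder does not have to open the instance to see what triggered it.
  - name: region
    value_expression:
      expression: resource.region
  - name: offending_networks
    value_expression:
      expression: >
        resource.settings.ipConfiguration.authorizedNetworks.filter(n,
          n.value == "0.0.0.0/0" || n.value.startsWith("203.0.113."))
        .map(n, n.value)
```

The has() guards keep the predicate from raising an evaluation error on instances that have no ipConfiguration block (for example, private-IP-only instances), which would otherwise surface as a module error rather than a clean non-match.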
Required IAM roles and permissions
Identity and Access Management (IAM) roles determine the actions you can perform with Security Health Analytics custom modules.
The following table lists the permissions required for Security Health Analytics custom modules and the predefined IAM roles that include them.
You can apply these roles at the organization, folder, or project level by using the Google Cloud console or the Security Command Center API.
| Required permission | Role |
|---|---|
| securitycentermanagement.securityHealthAnalyticsCustomModules.create | roles/securitycentermanagement.shaCustomModulesEditor |
| securitycentermanagement.securityHealthAnalyticsCustomModules.list | roles/securitycentermanagement.shaCustomModulesViewer |
For more information about IAM permissions and roles and how to grant them, see "Grant an IAM role by using the Google Cloud console".
Custom module quotas
Security Health Analytics custom modules are subject to quota limits.
The default quota limit for creating custom modules is 100, but you can request a quota increase if needed.
API calls to custom module methods are also subject to quota limits. The following table lists the default quota limits for custom module API calls.
| API call type | Limit |
|---|---|
| CustomModules read requests (Get, List) | 1,000 API calls per minute per organization |
| CustomModules write requests (Create, Update, Delete) | 60 API calls per minute per organization |
| CustomModules test requests | 12 API calls per minute per organization |
To increase a quota, submit a request on the Quotas page of the Google Cloud console.
For more information about Security Command Center quotas, see Quotas and limits.
Supported resource types
| Product | Resource types |
|---|---|
| Access Context Manager | accesscontextmanager.googleapis.com/AccessLevel, accesscontextmanager.googleapis.com/AccessPolicy, accesscontextmanager.googleapis.com/ServicePerimeter |
| Address | compute.googleapis.com/Address |
| Alert Policy | monitoring.googleapis.com/AlertPolicy |
| AlloyDB for PostgreSQL | alloydb.googleapis.com/Backup, alloydb.googleapis.com/Cluster, alloydb.googleapis.com/Instance |
| Api Keys | apikeys.googleapis.com/Key |
| Artifact Registry Repository | artifactregistry.googleapis.com/Repository |
| Autoscaler | compute.googleapis.com/Autoscaler |
| Backend Bucket | compute.googleapis.com/BackendBucket |
| Backend Service | compute.googleapis.com/BackendService |
| BigQuery Data Transfer Service | bigquerydatatransfer.googleapis.com/TransferConfig |
| BigQuery Model | bigquery.googleapis.com/Model |
| BigQuery Table | bigquery.googleapis.com/Table |
| Bucket | storage.googleapis.com/Bucket |
| Cloud Billing Project Billing Info | cloudbilling.googleapis.com/ProjectBillingInfo |
| Cloud Data Fusion | datafusion.googleapis.com/Instance |
| Cloud Function | cloudfunctions.googleapis.com/CloudFunction |
| Cloud Run | run.googleapis.com/DomainMapping, run.googleapis.com/Execution, run.googleapis.com/Job, run.googleapis.com/Revision, run.googleapis.com/Service |
| Cluster | container.googleapis.com/Cluster |
| Cluster Role | rbac.authorization.k8s.io/ClusterRole |
| Cluster Role Binding | rbac.authorization.k8s.io/ClusterRoleBinding |
| Commitment | compute.googleapis.com/Commitment |
| Composer Environment | composer.googleapis.com/Environment |
| Compute Project | compute.googleapis.com/Project, compute.googleapis.com/SecurityPolicy |
| CryptoKey | cloudkms.googleapis.com/CryptoKey |
| CryptoKey Version | cloudkms.googleapis.com/CryptoKeyVersion |
| Dataflow Job | dataflow.googleapis.com/Job |
| Dataproc Autoscaling Policy | dataproc.googleapis.com/AutoscalingPolicy |
| Dataproc Batch | dataproc.googleapis.com/Batch |
| Dataproc Cluster | dataproc.googleapis.com/Cluster |
| Dataproc Job | dataproc.googleapis.com/Job |
| Dataset | bigquery.googleapis.com/Dataset |
| Datastream Connection Profile | datastream.googleapis.com/ConnectionProfile |
| Datastream Private Connection | datastream.googleapis.com/PrivateConnection |
| Datastream Stream | datastream.googleapis.com/Stream |
| Dialogflow CX | dialogflow.googleapis.com/Agent |
| Disk | compute.googleapis.com/Disk |
| DLP Deidentify Template | dlp.googleapis.com/DeidentifyTemplate |
| DLP Inspect Template | dlp.googleapis.com/InspectTemplate |
| DLP Job | dlp.googleapis.com/DlpJob |
| DLP Job Trigger | dlp.googleapis.com/JobTrigger |
| DLP Stored Info Type | dlp.googleapis.com/StoredInfoType |
| DNS Policy | dns.googleapis.com/Policy |
| File Instance | file.googleapis.com/Instance |
| Firewall | compute.googleapis.com/Firewall |
| Firewall Policy | compute.googleapis.com/FirewallPolicy |
| Folder | cloudresourcemanager.googleapis.com/Folder |
| Forwarding Rule | compute.googleapis.com/ForwardingRule |
| Global Forwarding Rule | compute.googleapis.com/GlobalForwardingRule |
| Health Check | compute.googleapis.com/HealthCheck |
| Hub | gkehub.googleapis.com/Feature, gkehub.googleapis.com/Membership |
| IAM Role | iam.googleapis.com/Role |
| Image | compute.googleapis.com/Image |
| Instance | compute.googleapis.com/Instance |
| Instance Group | compute.googleapis.com/InstanceGroup |
| Instance Group Manager | compute.googleapis.com/InstanceGroupManagers |
| Instance Template | compute.googleapis.com/InstanceTemplate |
| Interconnect Attachment | compute.googleapis.com/InterconnectAttachment |
| Keyring | cloudkms.googleapis.com/KeyRing |
| KMS Import Job | cloudkms.googleapis.com/ImportJob |
| Kubernetes CronJob | k8s.io/CronJob |
| Kubernetes DaemonSet | k8s.io/DaemonSet |
| Kubernetes Deployment | k8s.io/Deployment |
| Kubernetes Ingress | k8s.io/Ingress |
| Kubernetes NetworkPolicy | k8s.io/NetworkPolicy |
| Kubernetes ReplicaSet | k8s.io/ReplicaSet |
| Kubernetes Service | k8s.io/Service |
| Kubernetes StatefulSet | k8s.io/StatefulSet |
| Log Bucket | logging.googleapis.com/LogBucket |
| Log Metric | logging.googleapis.com/LogMetric |
| Log Sink | logging.googleapis.com/LogSink |
| Managed Zone | dns.googleapis.com/ManagedZone |
| Machine Image | compute.googleapis.com/MachineImage |
| Monitoring Notification Channel | monitoring.googleapis.com/NotificationChannel |
| Namespace | k8s.io/Namespace |
| NetApp Snapshot | netapp.googleapis.com/Snapshot |
| NetApp Volume | netapp.googleapis.com/Volume |
| Network | compute.googleapis.com/Network |
| Network Endpoint Group | compute.googleapis.com/NetworkEndpointGroup |
| Node | k8s.io/Node |
| Node Group | compute.googleapis.com/NodeGroup |
| Node Template | compute.googleapis.com/NodeTemplate |
| Nodepool | container.googleapis.com/NodePool |
| Organization | cloudresourcemanager.googleapis.com/Organization |
| Organization Policy Service v2 | orgpolicy.googleapis.com/CustomConstraint, orgpolicy.googleapis.com/Policy |
| Packet Mirroring | compute.googleapis.com/PacketMirroring |
| Pod | k8s.io/Pod |
| Private CA Certificate | privateca.googleapis.com/Certificate |
| Private CA Certificate Revocation List | privateca.googleapis.com/CertificateRevocationList |
| Project | cloudresourcemanager.googleapis.com/Project |
| Pubsub Snapshot | pubsub.googleapis.com/Snapshot |
| Pubsub Subscription | pubsub.googleapis.com/Subscription |
| Pubsub Topic | pubsub.googleapis.com/Topic |
| Redis Cluster | redis.googleapis.com/Cluster |
| Redis Instance | redis.googleapis.com/Instance |
| Region Backend Service | compute.googleapis.com/RegionBackendService |
| Region Disk | compute.googleapis.com/RegionDisk |
| Reservation | compute.googleapis.com/Reservation |
| Resource Policy | compute.googleapis.com/ResourcePolicy |
| Route | compute.googleapis.com/Route |
| Router | compute.googleapis.com/Router |
| Role | rbac.authorization.k8s.io/Role |
| Role Binding | rbac.authorization.k8s.io/RoleBinding |
| Secret Manager | secretmanager.googleapis.com/Secret |
| Secret Version | secretmanager.googleapis.com/SecretVersion |
| Service Account Key | iam.googleapis.com/ServiceAccountKey |
| ServiceUsage Service | serviceusage.googleapis.com/Service |
| Snapshot | compute.googleapis.com/Snapshot |
| Spanner Backup | spanner.googleapis.com/Backup |
| Spanner Database | spanner.googleapis.com/Database |
| Spanner Instance | spanner.googleapis.com/Instance |
| SQL Backup Run | sqladmin.googleapis.com/BackupRun |
| SQL Instance | sqladmin.googleapis.com/Instance |
| SSL Certificate | compute.googleapis.com/SslCertificate |
| SSL Policy | compute.googleapis.com/SslPolicy |
| Subnetwork | compute.googleapis.com/Subnetwork |
| Tag Binding | cloudresourcemanager.googleapis.com/TagBinding |
| Target HTTP Proxy | compute.googleapis.com/TargetHttpProxy |
| Target HTTPS Proxy | compute.googleapis.com/TargetHttpsProxy |
| Target Instance | compute.googleapis.com/TargetInstance |
| Target Pool | compute.googleapis.com/TargetPool |
| Target SSL Proxy | compute.googleapis.com/TargetSslProxy |
| Target VPN Gateway | compute.googleapis.com/TargetVpnGateway |
| URL Map | compute.googleapis.com/UrlMap |
| Vertex AI | aiplatform.googleapis.com/BatchPredictionJob, aiplatform.googleapis.com/CustomJob, aiplatform.googleapis.com/Dataset, aiplatform.googleapis.com/Endpoint, aiplatform.googleapis.com/Featurestore, aiplatform.googleapis.com/HyperparameterTuningJob, aiplatform.googleapis.com/Index, aiplatform.googleapis.com/MetadataStore, aiplatform.googleapis.com/Model, aiplatform.googleapis.com/SpecialistPool, aiplatform.googleapis.com/Tensorboard, aiplatform.googleapis.com/TrainingPipeline, aiplatform.googleapis.com/NotebookRuntimeTemplate |
| Vertex AI Workbench | notebooks.googleapis.com/Instance |
| VMware Engine | vmwareengine.googleapis.com/Cluster, vmwareengine.googleapis.com/ExternalAccessRule, vmwareengine.googleapis.com/ExternalAddress, vmwareengine.googleapis.com/VmwareEngineNetwork, vmwareengine.googleapis.com/NetworkPeering, vmwareengine.googleapis.com/NetworkPolicy, vmwareengine.googleapis.com/PrivateCloud, vmwareengine.googleapis.com/PrivateConnection |
| VPC Connector | vpcaccess.googleapis.com/Connector |
| VPN Gateway | compute.googleapis.com/VpnGateway |
| VPN Tunnel | compute.googleapis.com/VpnTunnel |
| Workstations | workstations.googleapis.com/Workstation, workstations.googleapis.com/WorkstationConfig |
What's next
- To use custom modules, see Use Security Health Analytics custom modules.
- To write custom module definitions yourself, see "Code Security Health Analytics custom modules".
- To test custom modules, see "Test Security Health Analytics custom modules".