Commit
feat: Support GCP PCI rules - Part 2
Showing 22 changed files with 3,474 additions and 44 deletions.
@@ -1,3 +1,31 @@ | ||
import Gcp_PCI_DSS_321_IAM_1 from './pci-dss-3.2.1-iam-check-1' | ||
import Gcp_PCI_DSS_321_IAM_2 from './pci-dss-3.2.1-iam-check-2' | ||
import Gcp_PCI_DSS_321_Monitoring_1 from './pci-dss-3.2.1-monitoring-check-1' | ||
import Gcp_PCI_DSS_321_Monitoring_2 from './pci-dss-3.2.1-monitoring-check-2' | ||
import Gcp_PCI_DSS_321_Monitoring_3 from './pci-dss-3.2.1-monitoring-check-3' | ||
import Gcp_PCI_DSS_321_Monitoring_4 from './pci-dss-3.2.1-monitoring-check-4' | ||
import Gcp_PCI_DSS_321_Monitoring_5 from './pci-dss-3.2.1-monitoring-check-5' | ||
import Gcp_PCI_DSS_321_Monitoring_6 from './pci-dss-3.2.1-monitoring-check-6' | ||
import Gcp_PCI_DSS_321_Monitoring_7 from './pci-dss-3.2.1-monitoring-check-7' | ||
import Gcp_PCI_DSS_321_Monitoring_8 from './pci-dss-3.2.1-monitoring-check-8' | ||
import Gcp_PCI_DSS_321_Networking_1 from './pci-dss-3.2.1-networking-check-1' | ||
import Gcp_PCI_DSS_321_Networking_2 from './pci-dss-3.2.1-networking-check-2' | ||
import Gcp_PCI_DSS_321_Networking_3 from './pci-dss-3.2.1-networking-check-3' | ||
import Gcp_PCI_DSS_321_Networking_4 from './pci-dss-3.2.1-networking-check-4' | ||
|
||
export default [ | ||
// TODO: Add rules to export | ||
Gcp_PCI_DSS_321_IAM_1, | ||
Gcp_PCI_DSS_321_IAM_2, | ||
Gcp_PCI_DSS_321_Monitoring_1, | ||
Gcp_PCI_DSS_321_Monitoring_2, | ||
Gcp_PCI_DSS_321_Monitoring_3, | ||
Gcp_PCI_DSS_321_Monitoring_4, | ||
Gcp_PCI_DSS_321_Monitoring_5, | ||
Gcp_PCI_DSS_321_Monitoring_6, | ||
Gcp_PCI_DSS_321_Monitoring_7, | ||
Gcp_PCI_DSS_321_Monitoring_8, | ||
Gcp_PCI_DSS_321_Networking_1, | ||
Gcp_PCI_DSS_321_Networking_2, | ||
Gcp_PCI_DSS_321_Networking_3, | ||
Gcp_PCI_DSS_321_Networking_4, | ||
] |
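Review bot: the `// TODO: Add rules to export` comment inside the exported array is stale now that all fourteen imported rules are listed directly below it; drop it so the index does not read as unfinished. Since the import list and the export list in this file are kept in sync by hand, a name missing from the array silently drops that rule from the pack, so it is worth checking both lists line for line on every rule added (the fourteen names do match here).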
@@ -0,0 +1,67 @@ | ||
// GCP CIS 1.2.0 Rule equivalent 1.11 | ||
export default { | ||
id: 'gcp-pci-dss-3.2.1-iam-check-1', | ||
title: 'IAM check 1: IAM users should not have both KMS admin and any of the KMS encrypter/decrypter roles', | ||
|
||
description: 'It is recommended that the principle of "Separation of Duties" is enforced while assigning KMS related roles to users.', | ||
|
||
audit: `**From Console:** | ||
1. Go to IAM & Admin/IAM by visiting https://console.cloud.google.com/iam-admin/iam | ||
2. Ensure no member has the roles Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter assigned. | ||
**From Command Line:** | ||
1. List all users and role assignments: | ||
gcloud projects get-iam-policy PROJECT_ID | ||
2. Ensure that there are no common users found in the member section for roles cloudkms.admin and any one of Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter`, | ||
|
||
rationale: `The built-in/predefined IAM role Cloud KMS Admin allows the user/identity to create, delete, and manage service account(s). The built-in/predefined IAM role Cloud KMS CryptoKey Encrypter/Decrypter allows the user/identity (with adequate privileges on concerned resources) to encrypt and decrypt data at rest using an encryption key(s). | ||
The built-in/predefined IAM role Cloud KMS CryptoKey Encrypter allows the user/identity (with adequate privileges on concerned resources) to encrypt data at rest using an encryption key(s). The built-in/predefined IAM role Cloud KMS CryptoKey Decrypter allows the user/identity (with adequate privileges on concerned resources) to decrypt data at rest using an encryption key(s). | ||
Separation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data a user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice. | ||
No user(s) should have Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles assigned at the same time`, | ||
|
||
remediation: `**From Console:** | ||
1. Go to IAM & Admin/IAM using https://console.cloud.google.com/iam-admin/iam | ||
2. For any member having Cloud KMS Admin and any of the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, Cloud KMS CryptoKey Decrypter roles granted assigned, click the Delete Bin icon to remove the role from the member.`, | ||
|
||
references: ['https://cloud.google.com/kms/docs/separation-of-duties'], | ||
gql: `{ | ||
querygcpIamPolicy { | ||
id | ||
__typename | ||
bindings { | ||
role | ||
members | ||
} | ||
} | ||
}`, | ||
resource: 'querygcpIamPolicy[*]', | ||
severity: 'unknown', | ||
conditions: { | ||
jq: `[({"member" : .bindings[].members[], "roles" : .bindings[].role}) ] | ||
| group_by(.member) | ||
| map({ "member" : .[].member, "roles" : map(.roles) }) | ||
| [.[] | ||
| select(.roles | ||
| contains(["roles/cloudkms.admin", "roles/cloudkms.cryptoKeyEncrypterDecrypter"]) | ||
or contains(["roles/cloudkms.admin", "roles/cloudkms.cryptoKeyEncrypter"]) | ||
or contains(["roles/cloudkms.admin", "roles/cloudkms.cryptoKeyDecrypter"]))] | ||
| {"userHasInvalidRoles": ( (. | length) > 0)}`, | ||
path: '@', | ||
and: [ | ||
{ | ||
path: '@.userHasInvalidRoles', | ||
notEqual: true, | ||
}, | ||
], | ||
}, | ||
} |
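Review bot: the first stage of the jq in `conditions`, `{"member" : .bindings[].members[], "roles" : .bindings[].role}`, draws from two independent generators, so jq emits their Cartesian product: every member is paired with every role in the policy rather than with the role of its own binding, and a principal holding only `roles/cloudkms.admin` is flagged whenever any other principal holds one of the CryptoKey roles. Bind the role per binding first, for example `[.bindings[] as $b | $b.members[] | {"member": ., "roles": $b.role}]`, before `group_by(.member)`; the later `map({ "member" : .[].member, ... })` has the same generator issue and emits one object per group entry, where `.[0].member` is what is intended. Two smaller points: `severity: 'unknown'` reads as a placeholder for a rule being shipped, and the opening sentence of `rationale` describes Cloud KMS Admin as managing service accounts, which is the Service Account Admin role's description; Cloud KMS Admin manages key rings and keys.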