Guardrail | Description | Enforcement |
---|---|---|
01 | Protect Root / Global Admins Account | Doc (MFA) |
02 | Management of Administrative Privileges | Doc (MFA) |
03 | Cloud Console Access | Doc (MFA) |
04 | Enterprise Monitoring Accounts | Rego |
05 | Data Location | Rego |
06 | Protection of Data-At-Rest | Doc |
07 | Protection of Data-In-Transit | Doc |
08 | Segment and Separate | Rego |
09 | Network Security Services | Rego |
10 | Cyber Defence Services | MOU |
11 | Logging and Monitoring | Rego |
12 | Configuration of Cloud Marketplaces | Rego |
Government of Canada Guardrails

Required IAM roles:
- Cloud Asset Viewer
- Service Usage Consumer
- Enable the Cloud Asset Inventory API

```shell
gcloud services enable cloudasset.googleapis.com
```

- Create a storage bucket for the asset inventory output

```shell
export MY_BUCKET_NAME=<bucket-name>
gsutil mb gs://$MY_BUCKET_NAME
```

- Run the inventory export

```shell
# --content-type can be resource, iam-policy, access-policy or org-policy;
# --folder=<id> or --organization=<id> can be used instead of --project.
gcloud asset export --output-path=gs://$MY_BUCKET_NAME/resource_inventory.json \
  --content-type=resource \
  --project=<your_project_id>
```
- Download Conftest

```shell
# Linux
$ wget https://github.com/open-policy-agent/conftest/releases/download/v0.17.1/conftest_0.17.1_Linux_x86_64.tar.gz
$ tar xzf conftest_0.17.1_Linux_x86_64.tar.gz
$ sudo mv conftest /usr/local/bin
```

For other OSes, see the Conftest installation process.
- Clone this repo
- Copy the export from Cloud Storage to your local disk

```shell
gsutil cp gs://<your_bucket_name>/resource_inventory.json ./cai-dir
```
- Run the tests

```shell
./format.sh
```

This formats the output of the inventory dump and runs the tests. Results are written to `report.txt` in the current directory.
Example output:

```
./cai-dir/access_policy_inventory.json
--------------------------------------------------------------------------------
PASS: 1/1
WARN: 0/1
FAIL: 0/1
./cai-dir/iam_inventory.json
--------------------------------------------------------------------------------
PASS: 10/10
WARN: 0/10
FAIL: 0/10
./cai-dir/inventory.json
FAIL - //compute.googleapis.com/projects/gke-test-project/regions/asia-east2/subnetworks/default not located in Canada 'asia-east2'
FAIL - //compute.googleapis.com/projects/gke-test-project/regions/asia-south1/subnetworks/default not located in Canada 'asia-south1'
FAIL - //compute.googleapis.com/projects/gke-test-project/regions/asia-southeast1/subnetworks/default not located in Canada 'asia-southeast1'
```
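The "not located in Canada" failures above are what a Data Location (guardrail 05) check produces. As an added example that is not one of this repository's Rego policies, the following Python performs the same check directly on the newline-delimited JSON that `gcloud asset export --content-type=resource` writes, including the two cases a policy author has to decide on: uppercase multi-region bucket locations and assets with no regional location at all. The sample assets, project and bucket names are constructed placeholders.

```python
"""Guardrail 05 (Data Location) check over a Cloud Asset Inventory export.
Added example, not one of this repository's Rego policies: it reads the newline-delimited
JSON written by `gcloud asset export --content-type=resource` and reports Conftest-style."""
import json

# Canadian GCP regions; zones are "<region>-<letter>", so a prefix match covers both.
CANADIAN_REGIONS = ("northamerica-northeast1", "northamerica-northeast2")


def sample_asset(name, location):
    """One export line, trimmed to the fields this check reads (constructed sample data)."""
    return json.dumps({"name": name, "resource": {"location": location}})


SAMPLE_EXPORT = "\n".join([  # constructed: one asset per line, as gcloud writes it
    sample_asset("//compute.googleapis.com/projects/demo-proj/regions/asia-east2/subnetworks/default",
                 "asia-east2"),
    sample_asset("//compute.googleapis.com/projects/demo-proj/zones/northamerica-northeast1-a/instances/vm-1",
                 "northamerica-northeast1-a"),
    sample_asset("//storage.googleapis.com/demo-bucket", "US"),
    sample_asset("//cloudresourcemanager.googleapis.com/projects/demo-proj", "global"),
])


def classify(asset):
    """Return (verdict, message): PASS, FAIL, or WARN when the asset has no regional location."""
    name = asset["name"]
    # Bucket/multi-region locations come back uppercase ("US"), so compare case-insensitively.
    loc = (asset.get("resource", {}).get("location") or "").lower()
    if loc in ("", "global"):
        return "WARN", f"{name} has no regional location, review manually"
    if loc.startswith(CANADIAN_REGIONS):
        return "PASS", f"{name} located in Canada '{loc}'"
    return "FAIL", f"{name} not located in Canada '{loc}'"


def check_export(ndjson_text):
    """Classify every export line; returns PASS/WARN/FAIL counts and the non-PASS messages."""
    counts = {"PASS": 0, "WARN": 0, "FAIL": 0}
    findings = []
    for line in filter(str.strip, ndjson_text.splitlines()):
        verdict, msg = classify(json.loads(line))
        counts[verdict] += 1
        if verdict != "PASS":
            findings.append(f"{verdict} - {msg}")
    return counts, findings


if __name__ == "__main__":
    counts, findings = check_export(SAMPLE_EXPORT)
    print("\n".join(findings + [f"{k}: {v}/{sum(counts.values())}" for k, v in counts.items()]))
```

Point it at the real export with `check_export(open("cai-dir/resource_inventory.json").read())`; the WARN bucket is where global and multi-region resources land, so they are surfaced rather than silently passed or failed.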