From 6173c7b24ca159394ca168a65cff6908f4361405 Mon Sep 17 00:00:00 2001 From: ScaleSec Automation Bot <55104509+scalesec-automation-bot@users.noreply.github.com> Date: Tue, 26 Mar 2024 20:00:14 -0400 Subject: [PATCH] Org Policy Update Detected on 2024-03-27 --- policies/org_policy.json | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/policies/org_policy.json b/policies/org_policy.json index 2b6eb8d..0713abb 100644 --- a/policies/org_policy.json +++ b/policies/org_policy.json 
@@ -126,21 +126,21 @@ { "name": "constraints/cloudfunctions.allowedVpcConnectorEgressSettings", "displayName": "Allowed VPC Connector egress settings (Cloud Functions)", - "description": "This list constraint defines the allowed VPC Connector egress settings for deployment of a Cloud Function. When this constraint is enforced, functions will be required to have VPC Connector egress settings that match one of the allowed values. By default, Cloud Functions can use any VPC Connector egress settings. VPC Connector egress settings must be specified in the allowed list using the values of the VpcConnectorEgressSettings enum.", + "description": "This list constraint defines the allowed VPC Connector egress settings for deployment of a Cloud Function (1st gen). When this constraint is enforced, functions will be required to have VPC Connector egress settings that match one of the allowed values. By default, Cloud Functions can use any VPC Connector egress settings. VPC Connector egress settings must be specified in the allowed list using the values of the VpcConnectorEgressSettings enum.For Cloud Functions (2nd gen) use the constraint constraints/run.allowedVPCEgress.", "constraintDefault": "ALLOW", "listConstraint": {} }, { "name": "constraints/cloudfunctions.allowedIngressSettings", "displayName": "Allowed ingress settings (Cloud Functions)", - "description": "This list constraint defines the allowed ingress settings for deployment of a Cloud Function. When this constraint is enforced, functions will be required to have ingress settings that match one of the allowed values. By default, Cloud Functions can use any ingress settings. Ingress settings must be specified in the allowed list using the values of the IngressSettings enum.", + "description": "This list constraint defines the allowed ingress settings for deployment of a Cloud Function (1st gen). 
When this constraint is enforced, functions will be required to have ingress settings that match one of the allowed values. By default, Cloud Functions can use any ingress settings. Ingress settings must be specified in the allowed list using the values of the IngressSettings enum.For Cloud Functions (2nd gen) use the constraint constraints/run.allowedIngress.", "constraintDefault": "ALLOW", "listConstraint": {} }, { "name": "constraints/cloudfunctions.requireVPCConnector", "displayName": "Require VPC Connector (Cloud Functions)", - "description": "This boolean constraint enforces setting a VPC Connector when deploying a Cloud Function. When this constraint is enforced, functions will be required to specify a VPC Connector. By default, specifying a VPC Connector is not required to deploy a Cloud Function.", + "description": "This boolean constraint enforces setting a VPC Connector when deploying a Cloud Function (1st gen). When this constraint is enforced, functions will be required to specify a VPC Connector. By default, specifying a VPC Connector is not required to deploy a Cloud Function.", "constraintDefault": "ALLOW", "booleanConstraint": {} }, 
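Review bot: The three `constraints/cloudfunctions.*` constraints in this hunk are now scoped to Cloud Functions (1st gen) only, so an organization that enforces `constraints/cloudfunctions.allowedIngressSettings` or `constraints/cloudfunctions.allowedVpcConnectorEgressSettings` gets no coverage of 2nd gen functions unless it also sets the `constraints/run.allowedIngress` and `constraints/run.allowedVPCEgress` constraints the new descriptions point to. `constraints/cloudfunctions.requireVPCConnector` gains the same 1st-gen qualifier but its description names no 2nd gen equivalent, so whether a VPC-connector requirement can be enforced for 2nd gen functions cannot be determined from this file and should be checked before relying on it. The fused `enum.For Cloud Functions (2nd gen)` appears to be reproduced verbatim from the upstream catalog; if the bot mirrors the API text, leave it rather than hand-correct it, or the next run will re-flag it as a change.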
@@ -303,7 +303,7 @@ { "name": "constraints/gcp.restrictCmekCryptoKeyProjects", "displayName": "Restrict which projects may supply KMS CryptoKeys for CMEK", - "description": "This list constraint defines which projects may be used to supply Customer-Managed Encryption Keys (CMEK) when creating resources. Setting this constraint to Allow (i.e. only allow CMEK keys from these projects) ensures that CMEK keys from other projects cannot be used to protect newly created resources. Values for this constraint must be specified in the form of under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, or projects/PROJECT_ID. Supported services that enforce this constraint are: [aiplatform.googleapis.com, artifactregistry.googleapis.com, bigquery.googleapis.com, bigquerydatatransfer.googleapis.com, bigtable.googleapis.com, cloudfunctions.googleapis.com, composer.googleapis.com, compute.googleapis.com, container.googleapis.com, dataflow.googleapis.com, dataproc.googleapis.com, documentai.googleapis.com, logging.googleapis.com, notebooks.googleapis.com, pubsub.googleapis.com, run.googleapis.com, secretmanager.googleapis.com, spanner.googleapis.com, sqladmin.googleapis.com, storage.googleapis.com]. Enforcement of this constraint may grow over time to include additional services. Use caution when applying this constraint to projects, folders, or organizations where a mix of supported and unsupported services are used. Setting this constraint to Deny or Deny All is not permitted. Enforcement of this constraint is not retroactive. Existing CMEK Google Cloud resources with KMS CryptoKeys from disallowed projects must be reconfigured or recreated manually to ensure enforcement.", + "description": "This list constraint defines which projects may be used to supply Customer-Managed Encryption Keys (CMEK) when creating resources. Setting this constraint to Allow (i.e. 
only allow CMEK keys from these projects) ensures that CMEK keys from other projects cannot be used to protect newly created resources. Values for this constraint must be specified in the form of under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, or projects/PROJECT_ID. Supported services that enforce this constraint are: [aiplatform.googleapis.com, artifactregistry.googleapis.com, bigquery.googleapis.com, bigquerydatatransfer.googleapis.com, bigtable.googleapis.com, cloudfunctions.googleapis.com, composer.googleapis.com, compute.googleapis.com, container.googleapis.com, dataflow.googleapis.com, dataproc.googleapis.com, documentai.googleapis.com, integrations.googleapis.com, logging.googleapis.com, notebooks.googleapis.com, pubsub.googleapis.com, run.googleapis.com, secretmanager.googleapis.com, spanner.googleapis.com, sqladmin.googleapis.com, storage.googleapis.com]. Enforcement of this constraint may grow over time to include additional services. Use caution when applying this constraint to projects, folders, or organizations where a mix of supported and unsupported services are used. Setting this constraint to Deny or Deny All is not permitted. Enforcement of this constraint is not retroactive. Existing CMEK Google Cloud resources with KMS CryptoKeys from disallowed projects must be reconfigured or recreated manually to ensure enforcement.", "constraintDefault": "ALLOW", "listConstraint": { "supportsUnder": true 
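Review bot: Adding `integrations.googleapis.com` to the supported-services list of `constraints/gcp.restrictCmekCryptoKeyProjects` widens the effect of any policy already set on this constraint, because the description says enforcement applies to every supported service and may grow over time. Organizations enforcing it with an allow list of key projects should expect resource creation for that service (presumably Application Integration, confirm against the API docs) to start failing when a key from a project outside the list is supplied, and since the constraint is explicitly not retroactive, existing resources of that service stay unchecked until reconfigured or recreated. Consider calling out the new service in the commit message or a changelog so the change in blast radius is not buried in a long description diff.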
@@ -312,7 +312,7 @@ { "name": "constraints/gcp.restrictNonCmekServices", "displayName": "Restrict which services may create resources without CMEK", - "description": "This list constraint defines which services require Customer-Managed Encryption Keys (CMEK). Setting this constraint to Deny (i.e. deny resource creation without CMEK) requires that, for the specified services, newly created resources must be protected by a CMEK key. Supported services that can be set in this constraint are: [aiplatform.googleapis.com, artifactregistry.googleapis.com, bigquery.googleapis.com, bigquerydatatransfer.googleapis.com, bigtable.googleapis.com, cloudfunctions.googleapis.com, composer.googleapis.com, compute.googleapis.com, container.googleapis.com, dataflow.googleapis.com, dataproc.googleapis.com, documentai.googleapis.com, logging.googleapis.com, notebooks.googleapis.com, pubsub.googleapis.com, run.googleapis.com, secretmanager.googleapis.com, spanner.googleapis.com, sqladmin.googleapis.com, storage.googleapis.com, storagetransfer.googleapis.com]. Setting this constraint to Deny All is not permitted. Setting this constraint to Allow is not permitted. Enforcement of this constraint is not retroactive. Existing non-CMEK Google Cloud resources must be reconfigured or recreated manually to ensure enforcement.", + "description": "This list constraint defines which services require Customer-Managed Encryption Keys (CMEK). Setting this constraint to Deny (i.e. deny resource creation without CMEK) requires that, for the specified services, newly created resources must be protected by a CMEK key. 
Supported services that can be set in this constraint are: [aiplatform.googleapis.com, artifactregistry.googleapis.com, bigquery.googleapis.com, bigquerydatatransfer.googleapis.com, bigtable.googleapis.com, cloudfunctions.googleapis.com, composer.googleapis.com, compute.googleapis.com, container.googleapis.com, dataflow.googleapis.com, dataproc.googleapis.com, documentai.googleapis.com, integrations.googleapis.com, logging.googleapis.com, notebooks.googleapis.com, pubsub.googleapis.com, run.googleapis.com, secretmanager.googleapis.com, spanner.googleapis.com, sqladmin.googleapis.com, storage.googleapis.com, storagetransfer.googleapis.com]. Setting this constraint to Deny All is not permitted. Setting this constraint to Allow is not permitted. Enforcement of this constraint is not retroactive. Existing non-CMEK Google Cloud resources must be reconfigured or recreated manually to ensure enforcement.", "constraintDefault": "ALLOW", "listConstraint": {} }, 
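Review bot: Unlike the project-restriction constraint, `constraints/gcp.restrictNonCmekServices` only acts on services an organization explicitly lists in its Deny values, so the newly supported `integrations.googleapis.com` is not covered by an existing policy until it is added to that list. Teams maintaining a deny list derived from an earlier snapshot of this catalog should extend it, and the description's non-retroactivity caveat applies: resources created before the service is added are not protected by CMEK until recreated. The `"constraintDefault": "ALLOW"` on the following line is unchanged, so nothing is enforced by default.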
@@ -490,6 +490,15 @@ "constraintDefault": "ALLOW", "booleanConstraint": {} }, + { + "name": "constraints/compute.requireSslPolicy", + "displayName": "Require SSL Policy", + "description": "This list constraint defines the set of target SSL proxies and target HTTPS proxies that are allowed to use the default SSL policy. By default, all target SSL proxies and target HTTPS proxies are allowed to use the default SSL policy. When this constraint is enforced, new target SSL proxies and target HTTPS proxies will be required to specify an SSL policy. Enforcement of this constraint is not retroactive. Existing target proxies that use the default SSL policy are not affected. The allowed/denied list of target SSL proxies and target HTTPS proxies must be identified in the form:[under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, under:projects/PROJECT_ID, projects/PROJECT_ID/global/targetHttpsProxies/TARGET_PROXY_NAME, projects/PROJECT_ID/regions/REGION_NAME/targetHttpsProxies/TARGET_PROXY_NAME, projects/PROJECT_ID/global/targetSslProxies/TARGET_PROXY_NAME]. ", + "constraintDefault": "ALLOW", + "listConstraint": { + "supportsUnder": true + } + }, { "name": "constraints/compute.restrictVpcPeering", "displayName": "Restrict VPC peering usage",
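Review bot: The new `constraints/compute.requireSslPolicy` entry ships with `"constraintDefault": "ALLOW"` and a description stating enforcement is not retroactive, so its presence in the catalog changes nothing: existing target HTTPS/SSL proxies keep using the default SSL policy, and new ones do too until a policy with denied values is set. Despite the displayName `Require SSL Policy`, this is a list constraint whose values are the proxies allowed to use the default SSL policy, so an org-wide requirement is expressed as a deny of `under:organizations/ORGANIZATION_ID` (with `supportsUnder` true as shown) rather than as a boolean enforce flag; that is worth stating in the repo's README or commit message for operators who read only the display name. The default SSL policy is the permissive built-in profile (confirm against current Compute docs), which is why this constraint matters for TLS hardening. The description also carries an upstream typo (`form:[` with no space) and a trailing space; if the bot mirrors the API text verbatim, leave them, as a hand edit would surface as a spurious change on the next run.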