# Config Validator Policy Library

Constraint templates specify the logic to be used by constraints. This repository contains pre-defined constraint templates that you can implement or modify for your own needs.

## Creating a constraint template

You can create and implement your own custom constraint templates. For instructions on how to write constraint templates, see [How to write your own constraint templates](./constraint_template_authoring.md).

## Policy Bundles

In addition to browsing all [Available Templates](#available-templates) and [Sample Constraints](#sample-constraints), you can explore these policy bundles:

- [CFT Scorecard](./bundles/scorecard-v1.md)
- [CIS v1.0](./bundles/cis-v1.0.md)
- [CIS v1.1](./bundles/cis-v1.1.md)
- [Forseti Security](./bundles/forseti-security.md)
- [GKE Hardening](./bundles/gke-hardening-v2019.11.11.md)
- [Healthcare Baseline](./bundles/healthcare-baseline-v1.md)

## Available Templates

| Template | Samples |
| --- | --- |
| [GCPAllowedResourceTypesConstraintV1](../policies/templates/legacy/gcp_allowed_resource_types_v1.yaml) | |
| [GCPAllowedResourceTypesConstraintV2](../policies/templates/gcp_allowed_resource_types.yaml) | [deny_some_resource_types](../samples/allowed_resource_types.yaml) |
| [GCPAlwaysViolatesConstraintV1](../policies/templates/gcp_always_violates_v1.yaml) | [always_violates_all](../samples/always_violates.yaml) |
| [GCPAppEngineServiceVersionsConstraintV1](../policies/templates/gcp_app_service_versions.yaml) | [service_versions](../samples/appengine_versions.yaml) |
| [GCPAppengineLocationConstraintV1](../policies/templates/gcp_appengine_location_v1.yaml) | [allow_appengine_applications_in_australia_and_south_america](../samples/appengine_location.yaml) |
| [GCPBigQueryCMEKEncryptionConstraintV1](../policies/templates/gcp_bigquery_cmek_encryption_v1.yaml) | [gcp-bq-cmek-encryption-v1](../samples/bigquery_cmek.yaml) |
| [GCPBigQueryDatasetLocationConstraintV1](../policies/templates/gcp_bq_dataset_location_v1.yaml) | [bq_dataset_allowed_locations](../samples/bq_dataset_location.yaml) |
| [GCPBigQueryDatasetWorldReadableConstraintV1](../policies/templates/gcp_bigquery_dataset_world_readable_v1.yaml) | [require_bq_table_iam](../samples/bigquery_world_readable.yaml) |
| [GCPBigQueryTableRetentionConstraintV1](../policies/templates/gcp_bigquery_table_retention_v1.yaml) | [bq_table_minimum_maximum_retention](../samples/bigquery_table_retention.yaml) |
| [GCPCMEKRotationConstraintV1](../policies/templates/gcp_cmek_rotation_v1.yaml) | [cmek_rotation](../samples/cmek_rotation.yaml), [cmek_rotation_one_hundred_days](../samples/cmek_rotation_100_days.yaml) |
| [GCPCMEKSettingsConstraintV1](../policies/templates/gcp_cmek_settings_v1.yaml) | [cmek_rotation](../samples/cmek_settings.yaml) |
| [GCPComputeAllowedNetworksConstraintV2](../policies/templates/gcp_compute_allowed_networks.yaml) | [allowed-networks](../samples/compute_allowed_networks.yaml) |
| [GCPComputeBlockSSHKeysConstraintV1](../policies/templates/gcp_compute_block_ssh_keys_v1.yaml) | [compute_block_ssh_keys](../samples/compute_block_ssh_keys.yaml) |
| [GCPComputeDiskResourcePoliciesConstraintV1](../policies/templates/gcp_compute_disk_resource_policies_v1.yaml) | [compute_disk_resource_policies_allowlist_one](../samples/compute_disk_resource_policies.yaml) |
| [GCPComputeExternalIpAccessConstraintV1](../policies/templates/legacy/gcp_compute_external_ip_access_v1.yaml) | |
| [GCPComputeExternalIpAccessConstraintV2](../policies/templates/gcp_compute_external_ip_address.yaml) | [forbid_external_ip](../samples/vm_external_ip.yaml) |
| [GCPComputeIpForwardConstraintV1](../policies/templates/legacy/gcp_compute_ip_forward_v1.yaml) | |
| [GCPComputeIpForwardConstraintV2](../policies/templates/gcp_compute_ip_forward.yaml) | [forbid_ip_forward](../samples/compute_forbid_ip_forward.yaml) |
| [GCPComputeNetworkInterfaceWhitelistConstraintV1](../policies/templates/legacy/gcp_compute_network_interface_whitelist_v1.yaml) | |
| [GCPComputeRequireOSLoginConstraintV1](../policies/templates/gcp_compute_enable_oslogin_project_v1.yaml) | [compute-enable-oslogin-project](../samples/compute_enable_oslogin_project.yaml) |
| [GCPComputeZoneConstraintV1](../policies/templates/gcp_compute_zone_v1.yaml) | [compute_zone_allowlist_one](../samples/compute_zone.yaml) |
| [GCPDNSSECConstraintV1](../policies/templates/gcp_dnssec_v1.yaml) | [require_dnssec](../samples/dnssec.yaml) |
| [GCPDNSSECPreventRSASHA1ConstraintV1](../policies/templates/gcp_dnssec_prevent_rsasha1_v1.yaml) | [dnssec_prevent_rsasha1_ksk](../samples/dnssec_prevent_rsasha1_ksk.yaml), [dnssec_prevent_rsasha1_zsk](../samples/dnssec_prevent_rsasha1_zsk.yaml) |
| [GCPDataprocLocationConstraintV1](../policies/templates/gcp_dataproc_location_v1.yaml) | [allow_dataproc_clusters_in_asia](../samples/dataproc_location.yaml) |
| [GCPEnforceLabelConstraintV1](../policies/templates/gcp_enforce_labels_v1.yaml) | [require_labels](../samples/enforce_label.yaml) |
| [GCPEnforceNamingConstraintV1](../policies/templates/gcp_enforce_naming_v1.yaml) | [enforce_naming_convention](../samples/gcp_enforce_naming.yaml) |
| [GCPExternalIpAccessConstraintV1](../policies/templates/legacy/gcp_external_ip_access_v1.yaml) | |
| [GCPGKEAllowedNodeSAConstraintV1](../policies/templates/gcp_gke_allowed_node_sa_v1.yaml) | [gke_allowed_node_service_account_scope_default](../samples/gke_allowed_node_sa_scope.yaml) |
| [GCPGKEContainerOptimizedOSConstraintV1](../policies/templates/gcp_gke_container_optimized_os.yaml) | [gke_container_optimized_os](../samples/gke_container_optimized_os.yaml) |
| [GCPGKEDashboardConstraintV1](../policies/templates/gcp_gke_dashboard_v1.yaml) | [disable_gke_dashboard](../samples/gke_dashboard_disable.yaml) |
| [GCPGKEDisableDefaultServiceAccountConstraintV1](../policies/templates/gcp_gke_disable_default_service_account_v1.yaml) | [disable_gke_default_service_account](../samples/gke_disable_default_service_account.yaml) |
| [GCPGKEDisableLegacyEndpointsConstraintV1](../policies/templates/gcp_gke_disable_legacy_endpoints_v1.yaml) | [disable_gke_legacy_endpoints](../samples/gke_disable_legacy_endpoints.yaml) |
| [GCPGKEEnableAliasIPRangesConstraintV1](../policies/templates/gcp_gke_enable_alias_ip_ranges.yaml) | [enable_alias_ip_ranges](../samples/gke_enable_alias_ip_ranges.yaml) |
| [GCPGKEEnableBinAuthzConstraintV1](../policies/templates/gcp_gke_enable_binauthz_v1.yaml) | [gke-enable-binary-authorization](../samples/gke_enable_binauthz.yaml) |
| [GCPGKEEnablePrivateEndpointConstraintV1](../policies/templates/gcp_gke_enable_private_endpoint.yaml) | [gke_enable_private_endpoint](../samples/gke_enable_private_endpoint.yaml) |
| [GCPGKEEnableShieldedNodesConstraintV1](../policies/templates/gcp_gke_enable_shielded_nodes_v1.yaml) | [enable_gke_shielded_nodes](../samples/gke_enable_shielded_nodes.yaml) |
| [GCPGKEEnableStackdriverKubernetesEngineMonitoringV1](../policies/templates/gcp_gke_enable_stackdriver_kubernetes_engine_monitoring_v1.yaml) | [enable_gke_stackdriver_kubernetes_engine_monitoring](../samples/gke_enable_stackdriver_kubernetes_engine_monitoring.yaml) |
| [GCPGKEEnableStackdriverLoggingConstraintV1](../policies/templates/gcp_gke_enable_stackdriver_logging_v1.yaml) | [enable_gke_stackdriver_logging](../samples/gke_enable_stackdriver_logging.yaml) |
| [GCPGKEEnableStackdriverMonitoringConstraintV1](../policies/templates/gcp_gke_enable_stackdriver_monitoring_v1.yaml) | [enable_gke_stackdriver_monitoring](../samples/gke_enable_stackdriver_monitoring.yaml) |
| [GCPGKEEnableWorkloadIdentityConstraintV1](../policies/templates/gcp_gke_enable_workload_identity_v1.yaml) | [enable_gke_workload_identity](../samples/gke_enable_workload_identity.yaml) |
| [GCPGKELegacyAbacConstraintV1](../policies/templates/gcp_gke_legacy_abac_v1.yaml) | [disable_gke_legacy_abac](../samples/gke_legacy_abac.yaml) |
| [GCPGKEMasterAuthorizedNetworksEnabledConstraintV1](../policies/templates/gcp_gke_master_authorized_networks_enabled_v1.yaml) | [enable_gke_master_authorized_networks](../samples/gke_master_authorized_networks_enabled.yaml) |
| [GCPGKENodeAutoRepairConstraintV1](../policies/templates/gcp_gke_node_auto_repair_v1.yaml) | [enable_auto_repair](../samples/gke_node_pool_auto_repair.yaml) |
| [GCPGKENodeAutoUpgradeConstraintV1](../policies/templates/gcp_gke_node_auto_upgrade_v1.yaml) | [enable_auto_upgrade](../samples/gke_node_pool_auto_upgrade.yaml) |
| [GCPGKEPrivateClusterConstraintV1](../policies/templates/gcp_gke_private_cluster_v1.yaml) | [allow_only_private_cluster](../samples/gke_allow_only_private_cluster.yaml) |
| [GCPGKERestrictClientAuthenticationMethodsConstraintV1](../policies/templates/gcp_gke_restrict_client_auth_methods_v1.yaml) | [gke_restrict_client_auth_methods](../samples/gke_restrict_client_auth_methods.yaml) |
| [GCPGKERestrictPodTrafficConstraintV1](../policies/templates/legacy/gcp_gke_restrict_pod_traffic_v1.yaml) | [gke_restrict_pod_traffic](../samples/legacy/gke_restrict_pod_traffic_v1.yaml) |
| [GCPGKERestrictPodTrafficConstraintV2](../policies/templates/gcp_gke_restrict_pod_traffic_v2.yaml) | [gke_restrict_pod_traffic](../samples/gke_restrict_pod_traffic.yaml) |
| [GCPGLBExternalIpAccessConstraintV1](../policies/templates/gcp_glb_external_ip_access_constraint_v1.yaml) | [glb_external_ip_allowlist](../samples/gcp_glb_external_ip.yaml) |
| [GCPIAMAllowedBindingsConstraintV1](../policies/templates/legacy/gcp_iam_allowed_bindings_v1.yaml) | |
| [GCPIAMAllowedBindingsConstraintV2](../policies/templates/legacy/gcp_iam_allowed_bindings_v2.yaml) | |
| [GCPIAMAllowedBindingsConstraintV3](../policies/templates/gcp_iam_allowed_bindings.yaml) | [block_serviceaccount_token_creator](../samples/iam_block_service_account_creator_role.yaml), [deny_allusers](../samples/iam_deny_public.yaml), [deny_role](../samples/iam_deny_role.yaml), [restrict-gmail-bigquery-dataset](../samples/iam_restrict_gmail_bigquery_dataset.yaml), [restrict-googlegroups-bigquery-dataset](../samples/iam_restrict_googlegroups_bigquery_dataset.yaml), [restrict_gmail](../samples/iam_restrict_gmail.yaml), [restrict_owner_role](../samples/iam_restrict_role.yaml) |
| [GCPIAMAllowedPolicyMemberDomainsConstraintV1](../policies/templates/legacy/gcp_iam_allowed_policy_member_domains_v1.yaml) | |
| [GCPIAMAllowedPolicyMemberDomainsConstraintV2](../policies/templates/gcp_iam_allowed_policy_member_domains.yaml) | [only_my_domain](../samples/iam_restrict_domain.yaml), [service_accounts_only](../samples/iam_service_accounts_only.yaml) |
| [GCPIAMAuditLogConstraintV1](../policies/templates/gcp_iam_audit_log.yaml) | [audit_log_all](../samples/iam_audit_log_all.yaml), [audit_log_data_read_write](../samples/iam_audit_log.yaml) |
| [GCPIAMCustomRolePermissionsConstraintV1](../policies/templates/gcp_iam_custom_role_permissions_v1.yaml) | [allowlist-custom-role-permissions](../samples/iam_custom_role_permissions.yaml) |
| [GCPIAMRequiredBindingsConstraintV1](../policies/templates/gcp_iam_required_bindings_v1.yaml) | [require_members_and_domains_owner](../samples/iam_required_roles.yaml) |
| [GCPIAMRestrictServiceAccountCreationConstraintV1](../policies/templates/gcp_iam_restrict_service_account_creation_v1.yaml) | [iam_restrict_service_account_creation](../samples/gcp_iam_restrict_service_account_creation.yaml) |
| [GCPIAMRestrictServiceAccountKeyAgeConstraintV1](../policies/templates/gcp_iam_restrict_service_account_key_age_v1.yaml) | [iam-restrict-service-account-key-age-ninety-days](../samples/gcp_iam_restrict_service_account_key_age.yaml), [iam-restrict-service-account-key-age-one-hundred-days](../samples/gcp_iam_restrict_service_account_key_age_100_days.yaml) |
| [GCPIAMRestrictServiceAccountKeyTypeConstraintV1](../policies/templates/gcp_iam_restrict_service_account_key_type_v1.yaml) | [iam_restrict_service_account_key_type](../samples/gcp_iam_restrict_service_account_key_type.yaml) |
| [GCPLBAllowedForwardingRulesConstraintV2](../policies/templates/gcp_lb_forwarding_rules.yaml) | [gcp_lb_forwarding_rule_allowlist](../samples/gcp_lb_forwarding.yaml) |
| [GCPNetworkEnableFirewallLogsConstraintV1](../policies/templates/gcp_network_enable_firewall_logs_v1.yaml) | [enable-network-firewall-logs](../samples/network_enable_firewall_logs.yaml) |
| [GCPNetworkEnableFlowLogsConstraintV1](../policies/templates/gcp_network_enable_flow_logs_v1.yaml) | [enable_network_flow_logs](../samples/network_enable_flow_logs.yaml) |
| [GCPNetworkEnablePrivateGoogleAccessConstraintV1](../policies/templates/gcp_network_enable_private_google_access_v1.yaml) | [enable_network_private_google_access](../samples/network_enable_private_google_access.yaml) |
| [GCPNetworkRestrictDefaultV1](../policies/templates/gcp_network_restrict_default_v1.yaml) | [network_restrict_default](../samples/network_restrict_default.yaml) |
| [GCPNetworkRoutingConstraintV1](../policies/templates/gcp_network_routing_v1.yaml) | [require_global_routing](../samples/network_routing.yaml) |
| [GCPResourceValuePatternConstraintV1](../policies/templates/gcp_resource_value_pattern_v1.yaml) | [gke-cluster-enable-logging](../samples/gke_enable_logging.yaml) |
| [GCPRestrictedFirewallRulesConstraintV1](../policies/templates/gcp_restricted_firewall_rules_v1.yaml) | [restrict-firewall-rule-allow-ingress-demo](../samples/restrict_fw_rules_generic.yaml), [restrict-firewall-rule-rdp-world-open](../samples/restrict_fw_rules_rdp_world_open.yaml), [restrict-firewall-rule-ssh-world-open](../samples/restrict_fw_rules_ssh_world_open.yaml), [restrict-firewall-rule-world-open](../samples/restrict_fw_rules_world_open.yaml), [restrict-firewall-rule-world-open-tcp-udp-all-ports](../samples/restrict_fw_rules_world_open_tcp_udp_all_ports.yaml) |
| [GCPSQLAllowedAuthorizedNetworksConstraintV1](../policies/templates/gcp_sql_allowed_authorized_networks_v1.yaml) | [sql_allowed_authorized_networks_allowlist](../samples/sql_allowed_authorized_networks.yaml) |
| [GCPSQLBackupConstraintV1](../policies/templates/gcp_sql_backup_v1.yaml) | [gcp-sql-backup-no-exemptions](../samples/sql_backup.yaml), [gcp-sql-backup-with-exemptions](../samples/sql_backup_with_exemptions.yaml) |
| [GCPSQLInstanceTypeConstraintV1](../policies/templates/gcp_sql_instance_type_v1.yaml) | [sql_type_deny_sqlserver](../samples/sql_deny_sqlserver_type.yaml) |
| [GCPSQLLocationConstraintV1](../policies/templates/gcp_sql_location_v1.yaml) | [allow_some_sql_location](../samples/sql_location.yaml) |
| [GCPSQLMaintenanceWindowConstraintV1](../policies/templates/gcp_sql_maintenance_window_v1.yaml) | [gcp-sql-maintenance-window-v1](../samples/sql_maintenance_window.yaml) |
| [GCPSQLPublicIpConstraintV1](../policies/templates/gcp_sql_public_ip_v1.yaml) | [prevent-public-ip-cloudsql](../samples/sql_public_ip.yaml) |
| [GCPSQLSSLConstraintV1](../policies/templates/gcp_sql_ssl_v1.yaml) | [require_sql_ssl](../samples/sql_ssl.yaml) |
| [GCPSQLWorldReadableConstraintV1](../policies/templates/gcp_sql_world_readable_v1.yaml) | [sql-world-readable](../samples/sql_world_readable.yaml) |
| [GCPServiceUsageConstraintV1](../policies/templates/gcp_serviceusage_allowed_services_v1.yaml) | [allow_basic_set_of_apis](../samples/serviceusage_allow_basic_apis.yaml), [deny_some_apis](../samples/serviceusage_deny_apis.yaml) |
| [GCPSpannerLocationConstraintV1](../policies/templates/gcp_spanner_location_v1.yaml) | [allow_spanner_clusters_in_asia_and_europe](../samples/spanner_location.yaml) |
| [GCPStorageBucketPolicyOnlyConstraintV1](../policies/templates/gcp_storage_bucket_policy_only_v1.yaml) | [require_bucket_policy_only](../samples/storage_bucket_policy_only.yaml) |
| [GCPStorageBucketRetentionConstraintV1](../policies/templates/gcp_storage_bucket_retention_v1.yaml) | [storage_bucket_minimum_maximum_retention](../samples/storage_bucket_retention.yaml) |
| [GCPStorageBucketWorldReadableConstraintV1](../policies/templates/gcp_storage_bucket_world_readable_v1.yaml) | [denylist_public_users](../samples/storage_denylist_public.yaml) |
| [GCPStorageCMEKEncryptionConstraintV1](../policies/templates/gcp_storage_cmek_encryption_v1.yaml) | [storage_cmek_encryption](../samples/storage_cmek_encryption.yaml) |
| [GCPStorageLocationConstraintV1](../policies/templates/gcp_storage_location_v1.yaml) | [allow_some_storage_location](../samples/storage_location.yaml) |
| [GCPStorageLoggingConstraintV1](../policies/templates/gcp_storage_logging_v1.yaml) | [storage_logging](../samples/storage_logging.yaml) |
| [GCPVPCSCAllowedRegionsConstraintV2](../policies/templates/gcp_vpc_sc_allowed_regions.yaml) | [vpc_sc_allowlist_regions](../samples/vpc_sc_allowlist_regions.yaml) |
| [GCPVPCSCEnsureAccessLevelsConstraintV1](../policies/templates/gcp_vpc_sc_ensure_access_levels_v1.yaml) | [vpc_sc_ensure_access_levels](../samples/vpc_sc_ensure_access_levels.yaml) |
| [GCPVPCSCEnsureProjectConstraintV1](../policies/templates/gcp_vpc_sc_ensure_project_v1.yaml) | [vpc_sc_ensure_project](../samples/vpc_sc_ensure_project.yaml) |
| [GCPVPCSCEnsureServicesConstraintV1](../policies/templates/gcp_vpc_sc_ensure_services_v1.yaml) | [vpc_sc_ensure_services](../samples/vpc_sc_ensure_services.yaml) |
| [GCPVPCSCIPRangeConstraintV1](../policies/templates/gcp_vpc_sc_ip_range_v1.yaml) | [vpc_sc_ip_range](../samples/vpc_sc_ip_range.yaml) |
| [GCPVPCSCProjectPerimeterConstraintV1](../policies/templates/legacy/gcp_vpc_sc_project_perimeter_v1.yaml) | [vpc_sc_project_perimeter_whitelist](../samples/legacy/vpc_sc_project_perimeter_v1_whitelist.yaml) |
| [GCPVPCSCProjectPerimeterConstraintV2](../policies/templates/legacy/gcp_vpc_sc_project_perimeter_v2.yaml) | |
| [GCPVPCSCProjectPerimeterConstraintV3](../policies/templates/gcp_vpc_sc_project_perimeter.yaml) | [vpc_sc_project_perimeter_allowlist](../samples/vpc_sc_project_perimeter_allowlist.yaml), [vpc_sc_project_perimeter_denylist](../samples/vpc_sc_project_perimeter_v1_denylist.yaml) |
| [GCPVPCSCWhitelistRegionsConstraintV1](../policies/templates/legacy/gcp_vpc_sc_whitelist_regions_v1.yaml) | |
| [GKEClusterLocationConstraintV1](../policies/templates/legacy/gcp_gke_cluster_location_v1.yaml) | [gke_cluster_location](../samples/legacy/gke_cluster_location.yaml) |
| [GKEClusterLocationConstraintV2](../policies/templates/legacy/gcp_gke_cluster_location_v2.yaml) | |
| [GKEClusterVersionConstraintV1](../policies/templates/gcp_gke_cluster_version_v1.yaml) | [gke-cluster-version](../samples/gke_cluster_version.yaml) |

## Sample Constraints

The repo also contains a number of sample constraints:

| Sample | Template | Description |
| --- | --- | --- |
| [allow_appengine_applications_in_australia_and_south_america](../samples/appengine_location.yaml) | [Link](../policies/templates/gcp_appengine_location_v1.yaml) | Restricts the locations (regions) where App Engine applications are deployed. |
| [allow_basic_set_of_apis](../samples/serviceusage_allow_basic_apis.yaml) | [Link](../policies/templates/gcp_serviceusage_allowed_services_v1.yaml) | Allows only a basic set of APIs. |
| [allow_dataproc_clusters_in_asia](../samples/dataproc_location.yaml) | [Link](../policies/templates/gcp_dataproc_location_v1.yaml) | Checks that Dataproc clusters are in the correct regions. |
| [allow_only_private_cluster](../samples/gke_allow_only_private_cluster.yaml) | [Link](../policies/templates/gcp_gke_private_cluster_v1.yaml) | Verifies that all GKE clusters are private clusters. |
| [allow_some_sql_location](../samples/sql_location.yaml) | [Link](../policies/templates/gcp_sql_location_v1.yaml) | Checks Cloud SQL instance locations against allowed or disallowed locations. |
| [allow_some_storage_location](../samples/storage_location.yaml) | [Link](../policies/templates/gcp_storage_location_v1.yaml) | Checks Cloud Storage bucket locations against allowed or disallowed locations. |
| [allow_spanner_clusters_in_asia_and_europe](../samples/spanner_location.yaml) | [Link](../policies/templates/gcp_spanner_location_v1.yaml) | Checks Cloud Spanner locations. |
| [allowed-networks](../samples/compute_allowed_networks.yaml) | [Link](../policies/templates/gcp_compute_allowed_networks.yaml) | Checks that all VM network interfaces are attached to certain VPC networks. |
| [allowlist-custom-role-permissions](../samples/iam_custom_role_permissions.yaml) | [Link](../policies/templates/gcp_iam_custom_role_permissions_v1.yaml) | A custom BigQuery role must only have specific permissions. |
| [always_violates_all](../samples/always_violates.yaml) | [Link](../policies/templates/gcp_always_violates_v1.yaml) | Testing policy; will always violate. |
| [audit_log_all](../samples/iam_audit_log_all.yaml) | [Link](../policies/templates/gcp_iam_audit_log.yaml) | Checks that all services have all types of audit logs enabled. |
| [audit_log_data_read_write](../samples/iam_audit_log.yaml) | [Link](../policies/templates/gcp_iam_audit_log.yaml) | Checks that the defined services have audit logs enabled (ADMIN_READ, DATA_READ, DATA_WRITE). |
| [block_serviceaccount_token_creator](../samples/iam_block_service_account_creator_role.yaml) | [Link](../policies/templates/gcp_iam_allowed_bindings.yaml) | Bans any users from being granted Service Account Token Creator access. |
| [bq_dataset_allowed_locations](../samples/bq_dataset_location.yaml) | [Link](../policies/templates/gcp_bq_dataset_location_v1.yaml) | Checks in which locations BigQuery datasets exist. |
| [bq_table_minimum_maximum_retention](../samples/bigquery_table_retention.yaml) | [Link](../policies/templates/gcp_bigquery_table_retention_v1.yaml) | Checks if a BigQuery table violates the retention policy. |
| [cmek_rotation](../samples/cmek_settings.yaml) | [Link](../policies/templates/gcp_cmek_settings_v1.yaml) | Checks multiple CMEK key settings (protection level, algorithm, purpose, rotation period). |
| [cmek_rotation](../samples/cmek_rotation.yaml) | [Link](../policies/templates/gcp_cmek_rotation_v1.yaml) | Checks that a CMEK rotation policy is in place and is sufficiently short. |
| [cmek_rotation_one_hundred_days](../samples/cmek_rotation_100_days.yaml) | [Link](../policies/templates/gcp_cmek_rotation_v1.yaml) | Checks that a CMEK rotation policy is in place and is sufficiently short. |
| [compute-enable-oslogin-project](../samples/compute_enable_oslogin_project.yaml) | [Link](../policies/templates/gcp_compute_enable_oslogin_project_v1.yaml) | Verifies that all VMs in a project have OS Login enabled. |
| [compute_block_ssh_keys](../samples/compute_block_ssh_keys.yaml) | [Link](../policies/templates/gcp_compute_block_ssh_keys_v1.yaml) | Checks if "Block project-wide SSH keys" is enabled for VM instances. |
| [compute_disk_resource_policies_allowlist_one](../samples/compute_disk_resource_policies.yaml) | [Link](../policies/templates/gcp_compute_disk_resource_policies_v1.yaml) | Checks that Persistent Disks have the correct resource policies (e.g. snapshot schedules) attached to them. |
| [compute_zone_allowlist_one](../samples/compute_zone.yaml) | [Link](../policies/templates/gcp_compute_zone_v1.yaml) | Checks that instances and Persistent Disks are in the desired zones. |
| [deny_allusers](../samples/iam_deny_public.yaml) | [Link](../policies/templates/gcp_iam_allowed_bindings.yaml) | Prevents public users from having access to resources via IAM. |
| [deny_role](../samples/iam_deny_role.yaml) | [Link](../policies/templates/gcp_iam_allowed_bindings.yaml) | Bans any users from being granted Service Account User access. |
| [deny_some_apis](../samples/serviceusage_deny_apis.yaml) | [Link](../policies/templates/gcp_serviceusage_allowed_services_v1.yaml) | Denies a set of APIs. |
| [deny_some_resource_types](../samples/allowed_resource_types.yaml) | [Link](../policies/templates/gcp_allowed_resource_types.yaml) | Restricts the kinds of resources that are allowed in your projects. |
| [denylist_public_users](../samples/storage_denylist_public.yaml) | [Link](../policies/templates/gcp_storage_bucket_world_readable_v1.yaml) | Prevents public users from having access to resources via IAM. |
| [disable_gke_dashboard](../samples/gke_dashboard_disable.yaml) | [Link](../policies/templates/gcp_gke_dashboard_v1.yaml) | Ensures the Kubernetes web UI / Dashboard is disabled. |
| [disable_gke_default_service_account](../samples/gke_disable_default_service_account.yaml) | [Link](../policies/templates/gcp_gke_disable_default_service_account_v1.yaml) | Ensures the default service account is not used for project access in Kubernetes clusters. |
| [disable_gke_legacy_abac](../samples/gke_legacy_abac.yaml) | [Link](../policies/templates/gcp_gke_legacy_abac_v1.yaml) | Ensures Legacy Authorization is set to Disabled on Kubernetes Engine clusters. |
| [disable_gke_legacy_endpoints](../samples/gke_disable_legacy_endpoints.yaml) | [Link](../policies/templates/gcp_gke_disable_legacy_endpoints_v1.yaml) | Checks that legacy metadata endpoints are disabled (disabled by default since GKE 1.12+). |
| [dnssec_prevent_rsasha1_ksk](../samples/dnssec_prevent_rsasha1_ksk.yaml) | [Link](../policies/templates/gcp_dnssec_prevent_rsasha1_v1.yaml) | Ensures that RSASHA1 is not used for the key-signing key in Cloud DNS. |
| [dnssec_prevent_rsasha1_zsk](../samples/dnssec_prevent_rsasha1_zsk.yaml) | [Link](../policies/templates/gcp_dnssec_prevent_rsasha1_v1.yaml) | Ensures that RSASHA1 is not used for the zone-signing key in Cloud DNS. |
| [enable-network-firewall-logs](../samples/network_enable_firewall_logs.yaml) | [Link](../policies/templates/gcp_network_enable_firewall_logs_v1.yaml) | Ensures firewall logs are enabled for every firewall in the VPC network. |
| [enable_alias_ip_ranges](../samples/gke_enable_alias_ip_ranges.yaml) | [Link](../policies/templates/gcp_gke_enable_alias_ip_ranges.yaml) | Ensures Kubernetes clusters are created with alias IP ranges enabled. |
| [enable_auto_repair](../samples/gke_node_pool_auto_repair.yaml) | [Link](../policies/templates/gcp_gke_node_auto_repair_v1.yaml) | Ensures automatic node repair is enabled on all node pools in a GKE cluster. |
| [enable_auto_upgrade](../samples/gke_node_pool_auto_upgrade.yaml) | [Link](../policies/templates/gcp_gke_node_auto_upgrade_v1.yaml) | Ensures automatic node upgrades are enabled on Kubernetes Engine cluster nodes. |
| [enable_gke_master_authorized_networks](../samples/gke_master_authorized_networks_enabled.yaml) | [Link](../policies/templates/gcp_gke_master_authorized_networks_enabled_v1.yaml) | Ensures master authorized networks are set to Enabled on Kubernetes Engine clusters. |
| [enable_gke_shielded_nodes](../samples/gke_enable_shielded_nodes.yaml) | [Link](../policies/templates/gcp_gke_enable_shielded_nodes_v1.yaml) | Checks that GKE is using Shielded Nodes (secure boot). |
| [enable_gke_stackdriver_kubernetes_engine_monitoring](../samples/gke_enable_stackdriver_kubernetes_engine_monitoring.yaml) | [Link](../policies/templates/gcp_gke_enable_stackdriver_kubernetes_engine_monitoring_v1.yaml) | Ensures Stackdriver Kubernetes Engine Monitoring is enabled. |
| [enable_gke_stackdriver_logging](../samples/gke_enable_stackdriver_logging.yaml) | [Link](../policies/templates/gcp_gke_enable_stackdriver_logging_v1.yaml) | Ensures Stackdriver logging is enabled on a GKE cluster. |
| [enable_gke_stackdriver_monitoring](../samples/gke_enable_stackdriver_monitoring.yaml) | [Link](../policies/templates/gcp_gke_enable_stackdriver_monitoring_v1.yaml) | Ensures Stackdriver monitoring is enabled on a GKE cluster. |
| [enable_gke_workload_identity](../samples/gke_enable_workload_identity.yaml) | [Link](../policies/templates/gcp_gke_enable_workload_identity_v1.yaml) | Ensures Workload Identity is enabled on a GKE cluster. |
| [enable_network_flow_logs](../samples/network_enable_flow_logs.yaml) | [Link](../policies/templates/gcp_network_enable_flow_logs_v1.yaml) | Ensures VPC Flow Logs are enabled for every subnet in the VPC network. |
| [enable_network_private_google_access](../samples/network_enable_private_google_access.yaml) | [Link](../policies/templates/gcp_network_enable_private_google_access_v1.yaml) | Ensures Private Google Access is enabled for all subnetworks in the VPC. |
| [enforce_naming_convention](../samples/gcp_enforce_naming.yaml) | [Link](../policies/templates/gcp_enforce_naming_v1.yaml) | Checks that the defined resources supported by Cloud Asset Inventory are named according to a regular expression pattern. |
| [forbid_external_ip](../samples/vm_external_ip.yaml) | [Link](../policies/templates/gcp_compute_external_ip_address.yaml) | Checks if Compute Engine instances have public IPs. |
| [forbid_ip_forward](../samples/compute_forbid_ip_forward.yaml) | [Link](../policies/templates/gcp_compute_ip_forward.yaml) | Checks if a VM has IP forwarding turned on. |
| [gcp-bq-cmek-encryption-v1](../samples/bigquery_cmek.yaml) | [Link](../policies/templates/gcp_bigquery_cmek_encryption_v1.yaml) | Checks if BigQuery datasets have a CMEK key set. |
| [gcp-sql-backup-no-exemptions](../samples/sql_backup.yaml) | [Link](../policies/templates/gcp_sql_backup_v1.yaml) | Checks that Cloud SQL backups are enabled. |
| [gcp-sql-backup-with-exemptions](../samples/sql_backup_with_exemptions.yaml) | [Link](../policies/templates/gcp_sql_backup_v1.yaml) | Checks that Cloud SQL backups are enabled. |
| [gcp-sql-maintenance-window-v1](../samples/sql_maintenance_window.yaml) | [Link](../policies/templates/gcp_sql_maintenance_window_v1.yaml) | Checks that every Cloud SQL instance has a specified maintenance window set. |
| [gcp_lb_forwarding_rule_allowlist](../samples/gcp_lb_forwarding.yaml) | [Link](../policies/templates/gcp_lb_forwarding_rules.yaml) | Verifies load balancer forwarding rules against allowed values. |
| [gke-cluster-allowed-locations](../samples/gke_cluster_location.yaml) | | Checks which zones are allowed/disallowed for GKE clusters. |
| [gke-cluster-enable-logging](../samples/gke_enable_logging.yaml) | [Link](../policies/templates/gcp_resource_value_pattern_v1.yaml) | Ensures Kubernetes clusters have logging enabled. |
| [gke-cluster-version](../samples/gke_cluster_version.yaml) | [Link](../policies/templates/gcp_gke_cluster_version_v1.yaml) | Checks if a GKE cluster is using a master version type other than 1.12.10-gke.17. |
| [gke-enable-binary-authorization](../samples/gke_enable_binauthz.yaml) | [Link](../policies/templates/gcp_gke_enable_binauthz_v1.yaml) | |
| [gke_allowed_node_service_account_scope_default](../samples/gke_allowed_node_sa_scope.yaml) | [Link](../policies/templates/gcp_gke_allowed_node_sa_v1.yaml) | Checks that certain service account scopes are not assigned to nodes. |
| [gke_cluster_location](../samples/legacy/gke_cluster_location.yaml) | [Link](../policies/templates/legacy/gcp_gke_cluster_location_v1.yaml) | |
| [gke_container_optimized_os](../samples/gke_container_optimized_os.yaml) | [Link](../policies/templates/gcp_gke_container_optimized_os.yaml) | Ensures Container-Optimized OS (cos) is used for Kubernetes Engine clusters. |
| [gke_enable_private_endpoint](../samples/gke_enable_private_endpoint.yaml) | [Link](../policies/templates/gcp_gke_enable_private_endpoint.yaml) | Enables a private endpoint so that the cluster is accessible from an internal network only. |
| [gke_restrict_client_auth_methods](../samples/gke_restrict_client_auth_methods.yaml) | [Link](../policies/templates/gcp_gke_restrict_client_auth_methods_v1.yaml) | Checks that client certificate and password authentication methods are disabled for GKE clusters. |
| [gke_restrict_pod_traffic](../samples/legacy/gke_restrict_pod_traffic_v1.yaml) | [Link](../policies/templates/legacy/gcp_gke_restrict_pod_traffic_v1.yaml) | Checks that GKE clusters have a Network Policy installed. |
| [gke_restrict_pod_traffic](../samples/gke_restrict_pod_traffic.yaml) | [Link](../policies/templates/gcp_gke_restrict_pod_traffic_v2.yaml) | Checks that GKE clusters have a Network Policy installed. |
| [glb_external_ip_allowlist](../samples/gcp_glb_external_ip.yaml) | [Link](../policies/templates/gcp_glb_external_ip_access_constraint_v1.yaml) | Checks if Global Load Balancers have external IPs. |
| [iam-restrict-service-account-key-age-ninety-days](../samples/gcp_iam_restrict_service_account_key_age.yaml) | [Link](../policies/templates/gcp_iam_restrict_service_account_key_age_v1.yaml) | Checks if service account keys are older than 90 days. |
| [iam-restrict-service-account-key-age-one-hundred-days](../samples/gcp_iam_restrict_service_account_key_age_100_days.yaml) | [Link](../policies/templates/gcp_iam_restrict_service_account_key_age_v1.yaml) | Checks if service account keys are older than 100 days. |
| [iam_allow_roles](../samples/iam_allowed_roles.yaml) | | Only the roles in this list are allowed; all other roles trigger a violation. |
| [iam_ban_roles](../samples/iam_banned_roles.yaml) | | Only the roles in this list trigger a violation; all other roles are allowed. |
| [iam_restrict_service_account_creation](../samples/gcp_iam_restrict_service_account_creation.yaml) | [Link](../policies/templates/gcp_iam_restrict_service_account_creation_v1.yaml) | Checks if any service accounts have been created. |
| [iam_restrict_service_account_key_type](../samples/gcp_iam_restrict_service_account_key_type.yaml) | [Link](../policies/templates/gcp_iam_restrict_service_account_key_type_v1.yaml) | Checks if any service accounts have user-created keys. |
| [network_restrict_default](../samples/network_restrict_default.yaml) | [Link](../policies/templates/gcp_network_restrict_default_v1.yaml) | Restricts default networks with open firewall rules. |
| [only_my_domain](../samples/iam_restrict_domain.yaml) | [Link](../policies/templates/gcp_iam_allowed_policy_member_domains.yaml) | Only allows members from my domain to be added to IAM roles. |
| [prevent-public-ip-cloudsql](../samples/sql_public_ip.yaml) | [Link](../policies/templates/gcp_sql_public_ip_v1.yaml) | Prevents a public IP from being assigned to a Cloud SQL instance. |
| [require_bq_table_iam](../samples/bigquery_world_readable.yaml) | [Link](../policies/templates/gcp_bigquery_dataset_world_readable_v1.yaml) | Checks if BigQuery datasets are publicly readable (allUsers or allAuthenticatedUsers). |
| [require_bucket_policy_only](../samples/storage_bucket_policy_only.yaml) | [Link](../policies/templates/gcp_storage_bucket_policy_only_v1.yaml) | Checks if Cloud Storage buckets have Bucket Policy Only turned on. |
| [require_dnssec](../samples/dnssec.yaml) | [Link](../policies/templates/gcp_dnssec_v1.yaml) | Checks that DNSSEC is enabled for a Cloud DNS managed zone. |
| [require_global_routing](../samples/network_routing.yaml) | [Link](../policies/templates/gcp_network_routing_v1.yaml) | Checks that every VPC is in global routing mode. |
| [require_labels](../samples/enforce_label.yaml) | [Link](../policies/templates/gcp_enforce_labels_v1.yaml) | Checks that labels are set for all resources (or a subset of resources) and that they match a certain regular expression pattern. |
| [require_members_and_domains_owner](../samples/iam_required_roles.yaml) | [Link](../policies/templates/gcp_iam_required_bindings_v1.yaml) | Triggers violations if the listed members and domains are absent from roles/owner. |
| [require_sql_ssl](../samples/sql_ssl.yaml) | [Link](../policies/templates/gcp_sql_ssl_v1.yaml) | Checks if Cloud SQL instances have SSL turned on. |
| [restrict-firewall-rule-allow-ingress-demo](../samples/restrict_fw_rules_generic.yaml) | [Link](../policies/templates/gcp_restricted_firewall_rules_v1.yaml) | Checks that every firewall rule matches certain settings. |
| [restrict-firewall-rule-rdp-world-open](../samples/restrict_fw_rules_rdp_world_open.yaml) | [Link](../policies/templates/gcp_restricted_firewall_rules_v1.yaml) | Checks for open firewall rules allowing RDP from the internet. |
| [restrict-firewall-rule-ssh-world-open](../samples/restrict_fw_rules_ssh_world_open.yaml) | [Link](../policies/templates/gcp_restricted_firewall_rules_v1.yaml) | Checks for open firewall rules allowing SSH from the internet. |
| | [restrict-firewall-rule-world-open](../samples/restrict_fw_rules_world_open.yaml) | [Link](../policies/templates/gcp_restricted_firewall_rules_v1.yaml) | Checks for open firewall rules allowing ingress from the internet. | | [restrict-firewall-rule-world-open-tcp-udp-all-ports](../samples/restrict_fw_rules_world_open_tcp_udp_all_ports.yaml) | [Link](../policies/templates/gcp_restricted_firewall_rules_v1.yaml) | Checks for open firewall rules allowing TCP/UDP from the internet. | | [restrict-gmail-bigquery-dataset](../samples/iam_restrict_gmail_bigquery_dataset.yaml) | [Link](../policies/templates/gcp_iam_allowed_bindings.yaml) | Enforce corporate domain by banning gmail.com addresses access to BigQuery datasets | | [restrict-googlegroups-bigquery-dataset](../samples/iam_restrict_googlegroups_bigquery_dataset.yaml) | [Link](../policies/templates/gcp_iam_allowed_bindings.yaml) | Enforce corporate domain by banning googlegroups.com addresses access to BigQuery datasets | | [restrict_gmail](../samples/iam_restrict_gmail.yaml) | [Link](../policies/templates/gcp_iam_allowed_bindings.yaml) | Enforce corporate domain by banning gmail.com addresses | | [restrict_owner_role](../samples/iam_restrict_role.yaml) | [Link](../policies/templates/gcp_iam_allowed_bindings.yaml) | Only my domain members are allowed to have the Owner role on projects | | [service_accounts_only](../samples/iam_service_accounts_only.yaml) | [Link](../policies/templates/gcp_iam_allowed_policy_member_domains.yaml) | Checks that members that have been granted IAM roles belong to allowlisted domains. | | [service_versions](../samples/appengine_versions.yaml) | [Link](../policies/templates/gcp_app_service_versions.yaml) | Limit the number App Engine application versions simultaneously running. installed. | | [sql-world-readable](../samples/sql_world_readable.yaml) | [Link](../policies/templates/gcp_sql_world_readable_v1.yaml) | Checks if Cloud SQL instances are world readable. 
| | [sql_allowed_authorized_networks_allowlist](../samples/sql_allowed_authorized_networks.yaml) | [Link](../policies/templates/gcp_sql_allowed_authorized_networks_v1.yaml) | Checks Cloud SQL master authorized networks list against a allowlist. | | [sql_type_deny_sqlserver](../samples/sql_deny_sqlserver_type.yaml) | [Link](../policies/templates/gcp_sql_instance_type_v1.yaml) | Checks for allowed or disallowed Cloud SQL instance types. | | [storage_bucket_minimum_maximum_retention](../samples/storage_bucket_retention.yaml) | [Link](../policies/templates/gcp_storage_bucket_retention_v1.yaml) | | | [storage_cmek_encryption](../samples/storage_cmek_encryption.yaml) | [Link](../policies/templates/gcp_storage_cmek_encryption_v1.yaml) | Checks if Cloud Storage buckets have CMEK turned on. | | [storage_logging](../samples/storage_logging.yaml) | [Link](../policies/templates/gcp_storage_logging_v1.yaml) | Ensure storage logs are delivered to a separate bucket | | [vpc_sc_allowlist_regions](../samples/vpc_sc_allowlist_regions.yaml) | [Link](../policies/templates/gcp_vpc_sc_allowed_regions.yaml) | Checks that only allowed geographical regions are allowed in VPC Service Controls perimeters. | | [vpc_sc_ensure_access_levels](../samples/vpc_sc_ensure_access_levels.yaml) | [Link](../policies/templates/gcp_vpc_sc_ensure_access_levels_v1.yaml) | Checks if a VPC Service Controls perimeter has desired access levels set. | | [vpc_sc_ensure_project](../samples/vpc_sc_ensure_project.yaml) | [Link](../policies/templates/gcp_vpc_sc_ensure_project_v1.yaml) | Checks if a VPC Service Controls perimeter has correct projects in them. | | [vpc_sc_ensure_services](../samples/vpc_sc_ensure_services.yaml) | [Link](../policies/templates/gcp_vpc_sc_ensure_services_v1.yaml) | Checks is a VPC Service Controls perimeter has correct services set. 
| | [vpc_sc_ip_range](../samples/vpc_sc_ip_range.yaml) | [Link](../policies/templates/gcp_vpc_sc_ip_range_v1.yaml) | Checks the CIDR notation size in VPC Service Controls access levels. | | [vpc_sc_project_perimeter_allowlist](../samples/vpc_sc_project_perimeter_allowlist.yaml) | [Link](../policies/templates/gcp_vpc_sc_project_perimeter.yaml) | Checks that only allowed VPC Service Controls perimeters exists. | | [vpc_sc_project_perimeter_denylist](../samples/vpc_sc_project_perimeter_v1_denylist.yaml) | [Link](../policies/templates/gcp_vpc_sc_project_perimeter.yaml) | Older, deprecated version of above policy. | | [vpc_sc_project_perimeter_whitelist](../samples/legacy/vpc_sc_project_perimeter_v1_whitelist.yaml) | [Link](../policies/templates/legacy/gcp_vpc_sc_project_perimeter_v1.yaml) | |