Creating Custom Security Policies for GCP
ZCSPM supports creating custom security policies for Google Cloud Platform (GCP). To create a custom security policy:
- Simulate a GCP API Explorer query on ZCSPM
To simulate a GCP API Explorer query on ZCSPM:
- On the ZCSPM Admin Portal, go to Configurations > Security Policies.
- Under License level, select GCP.
- Click Add Custom Policy and select the required cloud accounts using the Cloud Account drop-down menu.
- Enter your Query Statement and click Run Simulation.
The simulation result will display a table with all the columns as possible criteria to build your policy.
Important information regarding simulating queries:
- The asset-types parameter is mandatory; the query parameter is optional.
- ZCSPM supports only those queries which return a single resource type.
- ZCSPM does not support those queries which return only the count attribute.
Suppose you want to create a custom security policy to ensure that HTTP traffic is not allowed on Compute Engine instances. For this example, the query in the GCP API Explorer is:
--query='networkTags:http-server' --asset-types='compute.googleapis.com/Instance'
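The three rules above can be checked before the string is pasted into the simulation. The following is an added example, not ZCSPM code: it parses a query in the `--query=... --asset-types=...` form shown on this page and reports the problems the simulation would reject. The rule that a query must not return only the count attribute depends on the result set, so it is not checked here; the assumption that a comma-separated list of asset types yields more than one resource type is this example's, not the page's.

```python
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# The query from the page, in the form the simulation accepts.
EXAMPLE_QUERY = (
    "--query='networkTags:http-server' "
    "--asset-types='compute.googleapis.com/Instance'"
)


@dataclass
class AssetQuery:
    query: Optional[str]                       # optional search filter
    asset_types: List[str] = field(default_factory=list)  # mandatory


def parse_asset_query(text: str) -> AssetQuery:
    """Split a '--flag=value' string into its parts, honouring shell quoting."""
    query = None
    asset_types: List[str] = []
    for token in shlex.split(text):
        if not token.startswith("--") or "=" not in token:
            raise ValueError(f"unexpected token: {token!r}")
        flag, value = token[2:].split("=", 1)
        if flag == "query":
            query = value
        elif flag == "asset-types":
            # Assumption: a comma-separated value lists several asset types.
            asset_types = [t for t in value.split(",") if t]
        else:
            raise ValueError(f"unsupported flag: --{flag}")
    return AssetQuery(query=query, asset_types=asset_types)


def validate_asset_query(q: AssetQuery) -> List[str]:
    """Return the problems that make the query unusable, per the page's rules."""
    problems = []
    if not q.asset_types:
        problems.append("asset-types is mandatory")
    if len(q.asset_types) > 1:
        problems.append(
            "query must return a single resource type; got "
            + ", ".join(q.asset_types)
        )
    return problems


if __name__ == "__main__":
    parsed = parse_asset_query(EXAMPLE_QUERY)
    print(parsed, validate_asset_query(parsed) or "ok")
```

Run the validator on every query you plan to simulate; a query with no `--asset-types` or with several resource types fails before any simulation is attempted.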
- Define the pass criteria for the custom security policy
After the query has successfully run, you can define the pass criteria. Based on the pass criteria that you define, ZCSPM determines if your cloud resources pass the policy or not.
To define the pass criteria:
- Select the attribute for which you want to create a rule from the Criteria 1 drop-down menu.
- Select an operator and enter a Value. The Operator drop-down menu is populated based on the attribute selected in the previous step. The available operators are:
- Equals
- Not Equals
- Contains
- Greater than Equal to
- Less than Equal to
- To add more rules to your pass criteria, click Add Condition and then select a condition to combine the rules. The condition can be:
- AND
- OR
Important information regarding pass criteria:
- Ensure that you do not have conflicting conditions on the same criteria.
- ZCSPM does not support nested conditions.
For our example, the networkTags criteria is used to build the custom security policy.
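To make the pass-criteria model concrete, here is an added example (not ZCSPM code) that evaluates a flat list of conditions, combined with AND or OR as the page describes, over constructed rows standing in for the simulation result table. The operator semantics are this example's assumptions, not the page's: Equals and Not Equals compare the whole text of a column, Contains is a substring match, and the two ordered operators compare numerically. The instance names and the status and bootDiskSizeGb columns are made up; only networkTags comes from the page. It also flags the conflicting-condition case the page warns about.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Sequence

# Operators offered by the Operator drop-down, as listed on the page.
OPERATORS = ("Equals", "Not Equals", "Contains",
             "Greater than Equal to", "Less than Equal to")


@dataclass(frozen=True)
class Condition:
    attribute: str   # a column of the simulation result, e.g. "networkTags"
    operator: str    # one of OPERATORS
    value: str       # the text entered in the Value field


def _holds(cond: Condition, resource: Dict[str, Any]) -> bool:
    """Assumed semantics: text comparison for Equals/Not Equals, substring
    match for Contains, numeric comparison for the ordered operators."""
    actual = resource.get(cond.attribute)
    if cond.operator == "Equals":
        return str(actual) == cond.value
    if cond.operator == "Not Equals":
        return str(actual) != cond.value
    if cond.operator == "Contains":
        return actual is not None and cond.value in str(actual)
    if cond.operator == "Greater than Equal to":
        return actual is not None and float(actual) >= float(cond.value)
    if cond.operator == "Less than Equal to":
        return actual is not None and float(actual) <= float(cond.value)
    raise ValueError(f"unknown operator: {cond.operator}")


def find_conflicts(conditions: Sequence[Condition], combinator: str) -> List[str]:
    """AND-combined rules on the same criterion that can never hold together:
    Equals to two different values, or Equals and Not Equals to the same value."""
    if combinator != "AND":
        return []
    problems = []
    for i, a in enumerate(conditions):
        for b in conditions[i + 1:]:
            if a.attribute != b.attribute:
                continue
            ops = {a.operator, b.operator}
            if ops == {"Equals"} and a.value != b.value:
                problems.append(f"{a.attribute}: Equals {a.value!r} and Equals {b.value!r}")
            elif ops == {"Equals", "Not Equals"} and a.value == b.value:
                problems.append(f"{a.attribute}: Equals and Not Equals {a.value!r}")
    return problems


def passes(resource: Dict[str, Any], conditions: Sequence[Condition],
           combinator: str = "AND") -> bool:
    """Flat combination only: nested conditions are not supported."""
    if combinator not in ("AND", "OR"):
        raise ValueError("combinator must be AND or OR")
    results = [_holds(c, resource) for c in conditions]
    return all(results) if combinator == "AND" else any(results)


# Constructed rows standing in for the simulation result table; networkTags is
# shown as the comma-joined text a table column would display.
SAMPLE_RESULT = [
    {"name": "web-1", "networkTags": "http-server", "status": "RUNNING", "bootDiskSizeGb": 10},
    {"name": "web-2", "networkTags": "http-server,https-server", "status": "RUNNING", "bootDiskSizeGb": 50},
    {"name": "bastion", "networkTags": "ssh", "status": "TERMINATED", "bootDiskSizeGb": 200},
]


def evaluate(rows: Sequence[Dict[str, Any]], conditions: Sequence[Condition],
             combinator: str = "AND") -> Dict[str, bool]:
    """Map each resource name to whether it satisfies the pass criteria."""
    return {r["name"]: passes(r, conditions, combinator) for r in rows}


if __name__ == "__main__":
    tagged = [Condition("networkTags", "Contains", "http-server")]
    print(evaluate(SAMPLE_RESULT, tagged))
```

The Equals versus Contains difference matters for a multi-valued column such as networkTags: Equals "http-server" matches only the instance whose tag list is exactly that value, while Contains also matches an instance carrying http-server alongside other tags, so choose the operator according to what the column in the simulation table actually shows.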
- Specify the custom security policy details and map to a benchmark
After you have determined the pass criteria for your policy, you can specify the custom security policy details:
- Enter the Policy Title, Risk Impact, and the associated Cloud Account.
- (Optional) You can specify audit and remediation procedures.
- Click Next.
- Map your custom policy to a Benchmark, choose a Benchmark Category, then click Next.
- Review all the information, then click Save.
You can view the custom policy on the CSBP page.