This bundle can be installed via kpt:
export BUNDLE=forseti-security
kpt pkg get https://github.com/GoogleCloudPlatform/policy-library.git ./policy-library
kpt fn source policy-library/samples/ | \
kpt fn eval - --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
kpt fn sink policy-library/policies/constraints/
| Constraint | Control | Description |
|---|---|---|
| cmek_rotation_one_hundred_days | v2.26.0 | Checks that CMEK rotation policy is in place and is sufficiently short. |
| denylist_public_users | v2.26.0 | Prevent public users from having access to resources via IAM |
| iam-restrict-service-account-key-age-one-hundred-days | v2.26.0 | Checks if service account keys are older than 100 days. |
| only_my_domain | v2.26.0 | Only allow members from my domain to be added to IAM roles |
| require_bq_table_iam | v2.26.0 | Checks if BigQuery datasets are publicly readable or allAuthenticatedUsers. |
| restrict-firewall-rule-world-open | v2.26.0 | Checks for open firewall rules allowing ingress from the internet. |
| restrict-firewall-rule-world-open-tcp-udp-all-ports | v2.26.0 | Checks for open firewall rules allowing TCP/UDP from the internet. |
| restrict-gmail-bigquery-dataset | v2.26.0 | Enforce corporate domain by banning gmail.com addresses access to BigQuery datasets |
| restrict-googlegroups-bigquery-dataset | v2.26.0 | Enforce corporate domain by banning googlegroups.com addresses access to BigQuery datasets |
| sql-world-readable | v2.26.0 | Checks if Cloud SQL instances are world readable. |