feat(CG-1300): add gcp cis 1.30 2.15

james-zhou-inspire11 · james-zhou-inspire11 · commit fe76508cfb7c · 2022-12-20T23:17:22.000-06:00
diff --git a/src/gcp/cis-1.3.0/README.md b/src/gcp/cis-1.3.0/README.md
@@ -84,6 +84,7 @@ Policy Pack based on the GCP Foundations 1.3.0 benchmark provided by the [Center
 | GCP CIS 2.12   | Ensure that Cloud DNS logging is enabled for all VPC networks                                                                                                       |
 | GCP CIS 2.13   | Ensure Cloud Asset Inventory Is Enabled                                                                                                                             |
 | GCP CIS 2.14   | Ensure 'Access Transparency' is 'Enabled'                                                                                                                           |
+| GCP CIS 2.15   | Ensure 'Access Approval' is 'Enabled'                                                                                                                         |
 | GCP CIS 3.1    | Ensure that the default network does not exist in a project                                                                                                         |
 | GCP CIS 3.2    | Ensure legacy networks do not exist for a project                                                                                                                   |
 | GCP CIS 3.3    | Ensure that DNSSEC is enabled for Cloud DNS                                                                                                                         |
diff --git a/src/gcp/cis-1.3.0/rules/gcp-cis-1.3.0-2.15.ts b/src/gcp/cis-1.3.0/rules/gcp-cis-1.3.0-2.15.ts
@@ -0,0 +1,94 @@
+export default {
+  id: 'gcp-cis-1.3.0-2.15',
+  title:
+    'GCP CIS 2.15  Ensure \'Access Approval\' is \'Enabled\'',
+  description: `GCP Access Approval enables you to require your organizations' explicit approval
+  whenever Google support try to access your projects. You can then select users within your
+  organization who can approve these requests through giving them a security role in IAM.
+  All access requests display which Google Employee requested them in an email or Pub/Sub
+  message that you can choose to Approve. This adds an additional control and logging of
+  who in your organization approved/denied these requests.`,
+  audit: `**Determine if Access Transparency is Enabled**
+
+  1. From the Google Cloud Home, click on the Navigation hamburger menu in the top left. Hover over the IAM & Admin Menu. Select settings in the middle of the column that opens.
+  2. The status should be "Enabled' under the heading *Access Transparency*
+
+  **Enable Access Transparency**
+
+  1. From the Google Cloud Home, click on the Navigation hamburger menu in the top left. Hover over the *IAM & Admin* Menu. Select *settings* in the middle of the column that opens.
+  2. Click the blue button labeled Enable *Access Transparency for Organization*
+
+  **Determine if Access Approval is Enabled**
+
+  1. From the Google Cloud Home, within the project you wish to check, click on the Navigation hamburger menu in the top left. Hover over the *Security* Menu. Select *Access Approval* in the middle of the column that opens.
+  2. The status will be displayed here. If you see a screen saying you need to enroll in Access Approval, it is not enabled.
+
+  **From CLI:
+
+  Determine if Access Approval is Enabled**
+
+  1. From within the project you wish to audit, run the following command.
+
+        gcloud access-approval settings get
+
+  2. The status will be displayed in the output.`,
+
+  rationale: `Controlling access to your information is one of the foundations of information security.
+  Google Employees do have access to your organizations' projects for support reasons. With
+  Access Approval, organizations can then be certain that their information is accessed by
+  only approved Google Personnel.`,
+  remediation: `**From Console:**
+
+  1. From the Google Cloud Home, within the project you wish to enable, click on the Navigation hamburger menu in the top left. Hover over the *Security* Menu. Select *Access Approval* in the middle of the column that opens.
+  2. The status will be displayed here. On this screen, there is an option to click *Enroll*. If
+  it is greyed out and you see an error bar at the top of the screen that says *Access Transparency is not enabled* please view the corresponding reference within this section to enable it.
+  3. In the second screen click *Enroll*.
+
+  **Grant an IAM Group or User the role with permissions to Add Users to be Access Approval message Recipients**
+
+  1. From the Google Cloud Home, within the project you wish to enable, click on the Navigation hamburger menu in the top left. Hover over the *IAM and Admin*. Select *IAM* in the middle of the column that opens.
+  2. Click the blue button the says *+add* at the top of the screen.
+  3. In the *principals* field, select a user or group by typing in their associated email address.
+  4. Click on the role field to expand it. In the filter field enter *Access Approval Approver* and select it.
+  5. Click *save*.
+
+  **Add a Group or User as an Approver for Access Approval Requests**
+
+  1. As a user with the *Access Approval Approver* permission, within the project where you wish to add an email address to which request will be sent, click on the Navigation hamburger menu in the top left. Hover over the *Security* Menu. Select *Access Approval* in the middle of the column that opens.
+  2. Click *Manage Settings*
+  3. Under *Set up approval notifications*s, enter the email address associated with a Google Cloud User or Group you wish to send Access Approval requests to. All future access approvals will be sent as emails to this address.
+
+  **From CLI:**
+
+  1. To update all services in an entire project, run the following command from an account that has permissions as an 'Approver for Access Approval Requests'
+
+        gcloud access-approval settings update --project=<project name> --
+        enrolled_services=all --notification_emails='<email recipient for access
+        approval requests>@<domain name>'
+
+  **Default Value:**
+
+  By default Access Approval and its dependency of Access Transparency are not enabled.`,
+  references: [
+    'https://cloud.google.com/cloud-provider-access-management/accessapproval/docs',
+    'https://cloud.google.com/cloud-provider-access-management/accessapproval/docs/overview',
+    'https://cloud.google.com/cloud-provider-access-management/accessapproval/docs/quickstart-custom-key',
+    'https://cloud.google.com/cloud-provider-access-management/accessapproval/docs/supported-services',
+    'https://cloud.google.com/cloud-provider-access-management/accessapproval/docs/view-historical-requests',
+  ],
+  gql: `{
+    querygcpProject {
+      id
+      __typename
+      accessApprovals {
+        id
+      }
+    }
+  }`,
+  resource: 'querygcpProject[*]',
+  severity: 'unknown',
+  check: ({ resource }: any) => {
+    const { accessApprovals } = resource
+    return !!accessApprovals
+  },
+}
diff --git a/src/gcp/cis-1.3.0/rules/index.ts b/src/gcp/cis-1.3.0/rules/index.ts
@@ -27,6 +27,7 @@ import Gcp_CIS_130_211 from './gcp-cis-1.3.0-2.11'
 import Gcp_CIS_130_212 from './gcp-cis-1.3.0-2.12'
 import Gcp_CIS_130_213 from './gcp-cis-1.3.0-2.13'
 import Gcp_CIS_130_214 from './gcp-cis-1.3.0-2.14'
+import Gcp_CIS_130_215 from './gcp-cis-1.3.0-2.15'
 import Gcp_CIS_130_31 from './gcp-cis-1.3.0-3.1'
 import Gcp_CIS_130_32 from './gcp-cis-1.3.0-3.2'
 import Gcp_CIS_130_33 from './gcp-cis-1.3.0-3.3'
@@ -105,6 +106,7 @@ export default [
   Gcp_CIS_130_212,
   Gcp_CIS_130_213,
   Gcp_CIS_130_214,
+  Gcp_CIS_130_215,
   Gcp_CIS_130_31,
   Gcp_CIS_130_32,
   Gcp_CIS_130_33,
diff --git a/src/gcp/cis-1.3.0/tests/gcp-cis-1.3.0-2.x.test.ts b/src/gcp/cis-1.3.0/tests/gcp-cis-1.3.0-2.x.test.ts
@@ -16,6 +16,7 @@ import Gcp_CIS_130_210 from '../rules/gcp-cis-1.3.0-2.10'
 import Gcp_CIS_130_211 from '../rules/gcp-cis-1.3.0-2.11'
 import Gcp_CIS_130_212 from '../rules/gcp-cis-1.3.0-2.12'
 import Gcp_CIS_130_213 from '../rules/gcp-cis-1.3.0-2.13'
+import Gcp_CIS_130_215 from '../rules/gcp-cis-1.3.0-2.15'
 import { initRuleEngine } from '../../../utils/test'
 
 const Gcp_CIS_130_24_Filter =
@@ -83,11 +84,16 @@ export interface Asset {
   id: string
 }
 
+export interface AccessApprovals {
+  id: string
+}
+
 export interface QuerygcpProject {
   id: string
   logSinks?: LogSink[]
   logBuckets?: LogBucket[]
   assets?: Asset[]
+  accessApprovals?: AccessApprovals[]
 }
 
 export interface AuditLogConfig {
@@ -1309,4 +1315,44 @@ describe('CIS Google Cloud Platform Foundations: 1.3.0', () => {
       await test213Rule(false, Result.FAIL)
     })
   })
+
+  describe('GCP CIS 2.15 Ensure \'Access Approval\' is Enabled', () => {
+    const test215Rule = async (
+      hasService: boolean,
+      expectedResult: Result
+    ): Promise<void> => {
+      // Arrange
+      const data: CIS2xQueryResponse = {
+        querygcpProject: [
+          {
+            id: cuid(),
+            accessApprovals: hasService? [
+              {
+                id: cuid(),
+              },
+            ]
+            : undefined,
+          },
+        ],
+        
+      }
+
+      // Act
+      const [processedRule] = await rulesEngine.processRule(
+        Gcp_CIS_130_215 as Rule,
+        { ...data }
+      )
+
+      // Asserts
+      expect(processedRule.result).toBe(expectedResult)
+    }
+
+    test('No Security Issue when the Access Approval is enabled', async () => {
+      await test215Rule(true, Result.PASS)
+    })
+
+    test('Security Issue when the Assets Access Approval is disabled', async () => {
+      await test215Rule(false, Result.FAIL)
+    })
+  })
 })
