GCP Folder Exclusion for CSA
Netskope GCP CSA uses a service account to make API calls on the customer's behalf for compliance auditing. Consider a customer with a GCP resource hierarchy similar to the one shown below:
The service account provided to Netskope may have a role assignment (Project > Browser) at organization scope (testkope01.com in the image below). There may, however, be a scenario where the customer wants to exclude a specific folder (Archive) so that it, and all folders and projects underneath it, do not show up in the Netskope CSA product, while still keeping the parent Org role assignment in place.
IAM Policy Bindings
In GCP, IAM policy bindings manage access control by defining who (identity) has what access (role) for which resource. An IAM policy defines and enforces what roles are granted to which members, and this policy is attached to a resource.
However, IAM policy bindings are additive only and cannot deny permissions; there is no way to express "deny Project > Browser on the Archive folder".
One solution GCP provides with IAM policy bindings is the ability to set a condition, which allows you to define and enforce conditional, attribute-based access control for Google Cloud resources. The condition object has the following structure:
"condition": {
"title": ...
"description": ...
"expression": ...
}
The expression field is required. It defines an attribute-based logic expression using a subset of the Common Expression Language (CEL).
For example, allow access only to Cloud Storage buckets whose names start with a specified prefix:
resource.type == "storage.googleapis.com/Bucket" &&
resource.name.startsWith("projects/_/buckets/exampleco-site-assets-")
Resource Tagging
We will use an IAM Policy Binding Condition expression together with resource tagging to achieve the exclusion use case.
A tag is a key-value pair attached to an organization, folder, or project; IAM roles can then be granted conditionally based on whether a resource carries a specific tag.
Other resources inherit tag values from their parent organization, folders, and project, which lets tags manage access to any Google Cloud resource, including everything nested under a tagged folder.
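The two properties the rest of this page relies on are that a tag bound to a folder is inherited by every folder and project beneath it, and that a negated matchTagId() condition therefore removes the whole subtree from a role grant. The following added example (not Netskope's or Google's code) models both with a small constructed hierarchy; the folder and project names, the extra folders, and the tag IDs reuse or extend the sample values on this page and are not real resources.

```python
# Added example: a model of GCP tag inheritance and of the negated
# resource.matchTagId() condition used later on this page.
# All resource names, IDs and the hierarchy are constructed for illustration.

ORG = "organizations/1234567890"
ARCHIVE = "folders/0987654321"

# Constructed hierarchy: child resource -> parent resource.
PARENT = {
    "folders/1111": ORG,                  # a folder that stays in scope
    ARCHIVE: ORG,                         # the Archive folder
    "folders/2222": ARCHIVE,              # nested under Archive
    "projects/prod-app": "folders/1111",
    "projects/old-app": ARCHIVE,
    "projects/old-data": "folders/2222",
}

# Direct tag bindings, as created with `gcloud ... tags bindings create`.
# Only the Archive folder carries the CSA=NOT tag; nothing below it is tagged directly.
TAG_BINDINGS = {
    ARCHIVE: {("tagKeys/830385501964", "tagValues/924420592246")},
}


def effective_tags(resource):
    """Tags a resource carries itself plus those inherited from every ancestor."""
    tags = set()
    node = resource
    while node is not None:
        tags |= TAG_BINDINGS.get(node, set())
        node = PARENT.get(node)  # organizations have no parent -> loop ends
    return tags


def match_tag_id(resource, tag_key, tag_value):
    """Model of the CEL function resource.matchTagId(): true if the resource
    has, or inherits, the given tag key/value pair."""
    return (tag_key, tag_value) in effective_tags(resource)


def netskope_condition(resource):
    """The page's condition expression:
    !(resource.matchTagId('tagKeys/830385501964', 'tagValues/924420592246'))"""
    return not match_tag_id(resource, "tagKeys/830385501964", "tagValues/924420592246")


def visible_resources(condition=netskope_condition):
    """Resources on which the conditional role binding still grants access."""
    everything = set(PARENT) | {ORG}
    return sorted(r for r in everything if condition(r))


if __name__ == "__main__":
    for r in sorted(set(PARENT) | {ORG}):
        print(f"{r:30} visible to Netskope SA: {netskope_condition(r)}")
```

Running it shows the organization, folders/1111 and projects/prod-app remain visible, while the Archive folder and everything nested under it (folders/2222, projects/old-app, projects/old-data) are excluded even though only the Archive folder itself was tagged.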
Since this feature is covered by the Pre-GA Offerings Terms of the Google Cloud Platform Terms of Service, please run gcloud components update before any of the steps below.
Step 1: Create tag key for customer organisation
gcloud alpha resource-manager tags keys create CSA --parent=organizations/1234567890
Expected Response:
Waiting for TagKey [CSA] to be created...done.
createTime: '2021-02-11T10:55:15.548590Z'
etag: Fh4S/yQ37EoMRyqu048tSA==
name: tagKeys/830385501964
namespacedName: 1234567890/CSA
parent: organizations/1234567890
shortName: CSA
updateTime: '2021-02-11T10:55:18.850163Z'
Note down the tag key name (the name field, tagKeys/830385501964).
Step 2: Create tag value for the tag key created in Step 1
gcloud alpha resource-manager tags values create NOT --parent=tagKeys/830385501964
Expected Response:
Waiting for TagValue [NOT] to be created...done.
createTime: '2021-02-11T11:02:28.552982Z'
etag: Xj9So/FDGdu+qtzTyVBXQA==
name: tagValues/924420592246
namespacedName: 1234567890/CSA/NOT
parent: tagKeys/830385501964
shortName: NOT
updateTime: '2021-02-11T11:02:31.087742Z'
Note down the tag value name (the name field, tagValues/924420592246).
Step 3: Create tag binding at Archive Folder scope
gcloud alpha resource-manager tags bindings create --tag-value=tagValues/924420592246 --parent=//cloudresourcemanager.googleapis.com/folders/0987654321
Here 0987654321 is the folder ID of the Archive folder.
Expected Response:
done: true
response:
  '@type': type.googleapis.com/google.cloud.resourcemanager.v3.TagBinding
  name: tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F0987654321/tagValues/924420592246
  parent: //cloudresourcemanager.googleapis.com/folders/0987654321
  tagValue: tagValues/924420592246
Step 4: Verify that the tag binding is in place
gcloud alpha resource-manager tags bindings list --parent=//cloudresourcemanager.googleapis.com/folders/0987654321
Expected Response:
tagBindings:
- name: tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F0987654321/tagValues/924420592246
  parent: //cloudresourcemanager.googleapis.com/folders/0987654321
  tagValue: tagValues/924420592246
Update Netskope Service Account Permissions
Log in to the Google Cloud Console and edit the Netskope service account's role assignments at Organisation scope.
Step 1: Navigate to the IAM & Admin > IAM page at Organisation scope and locate the email ID of the Netskope Service Account:
Step 2: Edit the service account IAM policy binding to add a condition to each of the role assignments (Project > Browser, IAM > Security Reviewer, BigQuery > BigQuery Metadata Viewer, Organization Policy > Organization Policy Viewer).
Step 3: Navigate to the Condition Editor tab and enter a CEL expression which looks like this:
!(resource.matchTagId('tagKeys/830385501964', 'tagValues/924420592246'))
Here tagKeys/830385501964 is the tag key name and tagValues/924420592246 is the tag value name noted earlier and bound to the Archive Folder. The expression must be added to every one of the four role assignments; a role left without the condition would still grant access to the Archive subtree.
Step 4: Click Save to update the IAM policy.
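The console steps above can also be done against the policy document itself: export it with gcloud organizations get-iam-policy (JSON output), attach the condition to each binding that grants the Netskope service account, and apply it with gcloud organizations set-iam-policy. The following added example (not Netskope's or Google's code) performs that transformation on a constructed policy. The service account email is a placeholder, and the role IDs are the API names of the four console roles listed in Step 2 (roles/browser, roles/iam.securityReviewer, roles/bigquery.metadataViewer, roles/orgpolicy.policyViewer). Two details the console hides are handled explicitly: a binding shared with other principals is split so only the Netskope member becomes conditional, and the policy version is raised to 3, which conditional bindings require.

```python
import copy
import json

# Added example: apply the page's exclusion condition to every organization-level
# role binding that grants the Netskope service account.
# The policy content and the service-account email below are constructed.

SA = "serviceAccount:netskope-csa@example-project.iam.gserviceaccount.com"  # placeholder

CONDITION = {
    "title": "Exclude Archive folder from CSA",
    "description": "No access for the Netskope service account on resources tagged CSA=NOT",
    "expression": "!(resource.matchTagId('tagKeys/830385501964', 'tagValues/924420592246'))",
}

# Constructed policy in the shape returned by
# `gcloud organizations get-iam-policy ORG_ID --format=json`.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/browser", "members": [SA, "user:admin@example.com"]},
        {"role": "roles/iam.securityReviewer", "members": [SA]},
        {"role": "roles/bigquery.metadataViewer", "members": [SA]},
        {"role": "roles/orgpolicy.policyViewer", "members": [SA]},
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ],
    "etag": "BwXyzConstructed=",
    "version": 1,
}


def add_condition(policy, member, condition):
    """Return a copy of `policy` in which every unconditional binding granting
    `member` becomes conditional on `condition`.

    A binding shared with other principals is split in two, so the condition
    narrows only `member` and everyone else keeps their unconditional grant.
    Bindings that already carry a condition are left untouched.
    """
    new_policy = copy.deepcopy(policy)
    bindings = []
    for b in new_policy["bindings"]:
        if member not in b["members"] or "condition" in b:
            bindings.append(b)
            continue
        others = [m for m in b["members"] if m != member]
        if others:
            bindings.append({"role": b["role"], "members": others})
        bindings.append({"role": b["role"], "members": [member],
                         "condition": dict(condition)})
    new_policy["bindings"] = bindings
    new_policy["version"] = 3  # IAM conditions require policy version 3
    return new_policy


def conditional_roles(policy, member):
    """Roles on which `member` is granted only under a condition."""
    return sorted(b["role"] for b in policy["bindings"]
                  if member in b["members"] and "condition" in b)


def unconditional_roles(policy, member):
    """Roles on which `member` still has an unconditional grant (should be empty
    for the Netskope service account after the change)."""
    return sorted(b["role"] for b in policy["bindings"]
                  if member in b["members"] and "condition" not in b)


if __name__ == "__main__":
    updated = add_condition(SAMPLE_POLICY, SA, CONDITION)
    print(json.dumps(updated, indent=2))
    print("conditional:", conditional_roles(updated, SA))
    print("unconditional:", unconditional_roles(updated, SA))
```

After writing the printed JSON to a file, it can be applied with gcloud organizations set-iam-policy ORG_ID policy.json; the etag carried over from the exported policy makes the call fail rather than overwrite changes made in the meantime. Checking that unconditional_roles() is empty for the service account is the same verification as reviewing each of the four role rows in the console.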
The Archive folder and the projects and resources underneath it will no longer be accessible to the Netskope service account and will not show up in CSA scans.