GCP Folder Exclusion for CSA

Netskope GCP CSA uses a service account to make API calls on the customer's behalf for compliance auditing. A customer typically has a GCP resource hierarchy similar to the one shown below.

The service account provided to Netskope may have a role assignment (Project > Browser) at organization scope (testkope01.com; see the image below). There may be a scenario where a customer wants to exclude one or more specific folders (for example, Archive), so that the folder and all folders and projects underneath it do not show up in the Netskope CSA product, while still keeping the parent organization-level role assignment in place.

IAM Policy Bindings

In GCP, IAM policy bindings manage access control by defining who (identity) has what access (role) for which resource. An IAM policy defines and enforces what roles are granted to which members, and this policy is attached to a resource.

However, IAM policy bindings are additive only and cannot deny permissions; there is no way, for example, to deny Project > Browser on the Archive folder.

One solution GCP provides with IAM policy bindings is the ability to set a condition, which allows you to define and enforce conditional, attribute-based access control for Google Cloud resources. The condition object has the following structure:

"condition": {
    "title": "...",
    "description": "...",
    "expression": "..."
}

The expression field is required. It defines an attribute-based logic expression using a subset of the Common Expression Language (CEL).

For example, allow access only to Cloud Storage buckets whose names start with a specified prefix:

resource.type == "storage.googleapis.com/Bucket" &&
resource.name.startsWith("projects/_/buckets/exampleco-site-assets-")

Resource Tagging

We will use an IAM policy binding condition expression together with resource tagging to achieve the exclusion use case.

A tag is a key-value pair attached to an organization, folder, or project. IAM roles can be granted conditionally based on whether a resource carries a specific tag.

Resources inherit tag values from their parent organization, folders, and project, so tags can be used to manage access to any Google Cloud resource.

Since this feature is covered by the Pre-GA Offerings Terms of the Google Cloud Platform Terms of Service, run gcloud components update before performing any of the steps below.

  1. Create a tag key for the customer organization:

    gcloud alpha resource-manager tags keys create CSA \
        --parent=organizations/1234567890

    Expected Response:

    Waiting for TagKey [CSA] to be created...done.
    createTime: '2021-02-11T10:55:15.548590Z'
    etag: Fh4S/yQ37EoMRyqu048tSA==
    name: tagKeys/830385501964
    namespacedName: 1234567890/CSA
    parent: organizations/1234567890
    shortName: CSA
    updateTime: '2021-02-11T10:55:18.850163Z'

    Note down the tag key name (the name field, tagKeys/830385501964 in this example).

  2. Create a tag value for the tag key created in Step 1:

    gcloud alpha resource-manager tags values create NOT \
        --parent=tagKeys/830385501964

    Expected Response:

    Waiting for TagValue [NOT] to be created...done.
    createTime: '2021-02-11T11:02:28.552982Z'
    etag: Xj9So/FDGdu+qtzTyVBXQA==
    name: tagValues/924420592246
    namespacedName: 1234567890/CSA/NOT
    parent: tagKeys/830385501964
    shortName: NOT
    updateTime: '2021-02-11T11:02:31.087742Z'

    Note down the tag value name (the name field, tagValues/924420592246 in this example).

  3. Create a tag binding at Archive folder scope:

    gcloud alpha resource-manager tags bindings create \
        --tag-value=tagValues/924420592246 \
        --parent=//cloudresourcemanager.googleapis.com/folders/0987654321

    where 0987654321 is the folder ID of the Archive folder.

    Expected Response:

    done: true
    response:
      '@type': type.googleapis.com/google.cloud.resourcemanager.v3.TagBinding
      name: tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F0987654321/tagValues/924420592246
      parent: //cloudresourcemanager.googleapis.com/folders/0987654321
      tagValue: tagValues/924420592246

  4. Verify that the tag binding is in place:

    gcloud alpha resource-manager tags bindings list \
        --parent=//cloudresourcemanager.googleapis.com/folders/0987654321

    Expected Response:

    tagBindings:
    - name: tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F0987654321/tagValues/924420592246
      parent: //cloudresourcemanager.googleapis.com/folders/0987654321
      tagValue: tagValues/924420592246

Update Netskope Service Account Permissions

Log in to the Google Cloud Console and edit the Netskope service account's role assignments at organization scope.

  1. Navigate to the IAM & Admin > IAM page at organization scope and locate the email ID of the Netskope service account.

  2. Edit the service account's IAM policy binding to add a condition to each of its role assignments (Project > Browser, IAM > Security Reviewer, BigQuery > BigQuery Metadata Viewer, Organization Policy > Organization Policy Viewer).

  3. Navigate to the Condition Editor tab and enter a CEL expression like this:

    !(resource.matchTagId('tagKeys/830385501964', 'tagValues/924420592246'))

    Here tagKeys/830385501964 is the tag key name and tagValues/924420592246 is the tag value name noted earlier and bound to the Archive folder.

  4. Click Save to update the IAM policy.

    The Archive folder and the projects and resources underneath it will no longer be accessible to the Netskope service account and will not show up in the CSA scan.
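The condition object described under IAM Policy Bindings and the per-role edit in steps 2 to 4 above can also be applied outside the console, against an exported policy. The following Python script is an added example and is not part of this document or of Netskope's tooling. It assumes a policy JSON in the shape returned by gcloud organizations get-iam-policy ORG_ID --format=json; the service account email, etag, role set and admin user in the embedded sample are constructed placeholders, while the tag key and tag value names are the ones used in the steps above. It also handles a case the console takes care of silently: a binding the Netskope service account shares with other members is split, so the condition restricts only the service account.

```python
import copy
import json
import sys

# Constructed sample: a trimmed organization-level IAM policy in the shape returned by
# `gcloud organizations get-iam-policy ORG_ID --format=json`. The member, etag and
# admin user are placeholders, not data from any real environment.
NETSKOPE_SA = "serviceAccount:netskope-csa@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXPlaceholderEtag=",
    "bindings": [
        # Project > Browser, shared with a human admin (this binding must be split)
        {"role": "roles/browser",
         "members": [NETSKOPE_SA, "user:admin@example.com"]},
        # IAM > Security Reviewer, granted to the service account alone
        {"role": "roles/iam.securityReviewer", "members": [NETSKOPE_SA]},
        # BigQuery > BigQuery Metadata Viewer
        {"role": "roles/bigquery.metadataViewer", "members": [NETSKOPE_SA]},
        # Organization Policy > Organization Policy Viewer
        {"role": "roles/orgpolicy.policyViewer", "members": [NETSKOPE_SA]},
        # Unrelated binding that must survive untouched
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["user:admin@example.com"]},
    ],
}

# Tag key and tag value names from steps 1 and 2 of the procedure above.
TAG_KEY = "tagKeys/830385501964"
TAG_VALUE = "tagValues/924420592246"


def exclusion_condition(tag_key, tag_value):
    """Condition object (title/description/expression) whose CEL expression is the
    one entered in the Condition Editor: the role applies only where the resource
    does NOT carry the exclusion tag (tags are inherited down the hierarchy)."""
    return {
        "title": "csa-folder-exclusion",
        "description": "Skip resources tagged %s=%s in CSA scans" % (tag_key, tag_value),
        "expression": "!(resource.matchTagId('%s', '%s'))" % (tag_key, tag_value),
    }


def apply_exclusion(policy, member, condition):
    """Return a copy of `policy` in which every binding that includes `member`
    carries `condition`. A condition attaches to a binding, not to a member, so a
    binding shared with other members is split: the others keep an unconditional
    binding and `member` gets a new conditional one. Bindings that already carry
    a condition are refused rather than silently overwritten."""
    result = copy.deepcopy(policy)
    bindings = []
    for binding in result["bindings"]:
        if member not in binding["members"]:
            bindings.append(binding)
            continue
        if "condition" in binding:
            raise ValueError("%s already has a condition on %s; merge it by hand"
                             % (member, binding["role"]))
        others = [m for m in binding["members"] if m != member]
        if others:
            bindings.append({"role": binding["role"], "members": others})
        bindings.append({"role": binding["role"], "members": [member],
                         "condition": condition})
    result["bindings"] = bindings
    # A policy containing conditional bindings must be written as version 3.
    result["version"] = 3
    return result


def conditional_roles(policy, member):
    """Roles that `member` holds only under a condition, for a quick post-edit check."""
    return sorted(b["role"] for b in policy["bindings"]
                  if member in b["members"] and "condition" in b)


if __name__ == "__main__":
    # Read an exported policy from the file named on the command line, else use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            source = json.load(fh)
    else:
        source = SAMPLE_POLICY
    updated = apply_exclusion(source, NETSKOPE_SA,
                              exclusion_condition(TAG_KEY, TAG_VALUE))
    json.dump(updated, sys.stdout, indent=2)
    print()
```

The resulting JSON can be written back with gcloud organizations set-iam-policy ORG_ID policy.json; the script sets version to 3 because conditional bindings are rejected under older policy versions, and keeps the exported etag so a concurrent edit is detected rather than overwritten. Note that the condition only covers roles granted at organization scope: any role granted to the service account directly on the Archive folder or on a project inside it is a separate binding and would still allow access, so checking those scopes is a worthwhile follow-up to the verification in step 4.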
