Constraint templates specify the logic to be used by constraints. This repository contains pre-defined constraint templates that you can implement or modify for your own needs.
You can create and implement your own custom constraint templates. For instructions on how to write constraint templates, see How to write your own constraint templates.
In addition to browsing all Available Templates and Sample Constraints, you can explore these policy bundles:
The repo also contains a number of sample constraints:
| Sample | Template | Description |
|---|---|---|
| allow_appengine_applications_in_australia_and_south_america | Link | Restrict locations (regions) where App Engine applications are deployed. |
| allow_basic_set_of_apis | Link | Only a basic set of APIS |
| allow_dataproc_clusters_in_asia | Link | Checks that Dataproc clusters are in correct regions. |
| allow_only_private_cluster | Link | Verifies all GKE clusters are Private Clusters. |
| allow_some_sql_location | Link | Checks Cloud SQL instance locations against allowed or disallowed locations. |
| allow_some_storage_location | Link | Checks Cloud Storage bucket locations against allowed or disallowed locations. |
| allow_spanner_clusters_in_asia_and_europe | Link | Checks Cloud Spanner locations. |
| allowed-networks | Link | Checks all VM network interfaces are attached to certain VPC networks. |
| allowlist-custom-role-permissions | Link | Custom BigQuery role must only have specific permissions |
| always_violates_all | Link | Testing policy, will always violate. |
| audit_log_all | Link | Checks that all services have all types of audit logs enabled. |
| audit_log_data_read_write | Link | Checks that the defined services have audit logs enabled (ADMIN_READ, DATA_READ, DATA_WRITE). |
| block_serviceaccount_token_creator | Link | Ban any users from being granted Service Account Token Creator access |
| bq_dataset_allowed_locations | Link | Checks in which locations BigQuery datasets exist. |
| bq_table_minimum_maximum_retention | Link | Checks if a BigQuery table violates retention policy. |
| cmek_rotation | Link | Checks multiple CMEK key settings (protection level, algorithm, purpose, rotation period). |
| cmek_rotation | Link | Checks that CMEK rotation policy is in place and is sufficiently short. |
| cmek_rotation_one_hundred_days | Link | Checks that CMEK rotation policy is in place and is sufficiently short. |
| compute-enable-oslogin-project | Link | Verifies that all VMs in a project have OS login enabled. |
| compute_block_ssh_keys | Link | Checks if "Block Project-wide SSH keys" is enabled for VM instances |
| compute_disk_resource_policies_allowlist_one | Link | Checks that Persistent Disks have correct resource policies (eg. snapshot schedules) attached to them. |
| compute_zone_allowlist_one | Link | Checks the instances and Persistent Disks are in desired zones. |
| deny_allusers | Link | Prevent public users from having access to resources via IAM |
| deny_role | Link | Ban any users from being granted Service Account User access |
| deny_some_apis | Link | Deny a set of APIS |
| deny_some_resource_types | Link | Restricts kind of resources that are allowed in your projects. |
| denylist_public_users | Link | Prevent public users from having access to resources via IAM |
| disable_gke_dashboard | Link | Ensure Kubernetes web UI / Dashboard is disabled |
| disable_gke_default_service_account | Link | Ensure default Service account is not used for Project access in Kubernetes Clusters |
| disable_gke_legacy_abac | Link | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters |
| disable_gke_legacy_endpoints | Link | Checks that legacy metadata endpoints are disabled (disabled by default since GKE 1.12+). |
| dnssec_prevent_rsasha1_ksk | Link | Ensure that RSASHA1 is not used for key-signing key in Cloud DNS |
| dnssec_prevent_rsasha1_zsk | Link | Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS |
| enable-network-firewall-logs | Link | Ensure Firewall logs is enabled for every firewall in VPC Network |
| enable_alias_ip_ranges | Link | Ensure Kubernetes Cluster is created with Alias IP ranges enabled |
| enable_auto_repair | Link | Ensure automatic node repair is enabled on all node pools in a GKE cluster |
| enable_auto_upgrade | Link | Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes |
| enable_gke_master_authorized_networks | Link | Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters |
| enable_gke_shielded_nodes | Link | Checks that GKE is using Shielded nodes (secure boot). |
| enable_gke_stackdriver_kubernetes_engine_monitoring | Link | Ensure Stackdriver Kubernetes Engine Monitoring is enabled |
| enable_gke_stackdriver_logging | Link | Ensure stackdriver logging is enabled on a GKE cluster |
| enable_gke_stackdriver_monitoring | Link | Ensure stackdriver monitoring is enabled on a GKE cluster |
| enable_gke_workload_identity | Link | Ensure Workload Identity is enabled on a GKE cluster |
| enable_network_flow_logs | Link | Ensure VPC Flow logs is enabled for every subnet in VPC Network |
| enable_network_private_google_access | Link | Ensure Private Google Access is enabled for all subnetworks in VPC |
| enforce_naming_convention | Link | Checks defined resources that are supported by Cloud Asset Inventory are named according to regular expression pattern. |
| forbid_external_ip | Link | Checks if Compute Engine instances have public IPs. |
| forbid_ip_forward | Link | Checks if a VM has IP forwarding turned on. |
| gcp-bq-cmek-encryption-v1 | Link | Checks if BigQuery datasets have a CMEK key set. |
| gcp-sql-backup-no-exemptions | Link | Checks that Cloud SQL backups are enabled. |
| gcp-sql-backup-with-exemptions | Link | Checks that Cloud SQL backups are enabled. |
| gcp-sql-maintenance-window-v1 | Link | Checks that every Cloud SQL instance has a specified maintenance window set. |
| gcp_lb_forwarding_rule_allowlist | Link | Verifies load balancer forwarding rules against allowed values. |
| gke-cluster-allowed-locations | Checks which zones are allowed/disallowed for GKE clusters. | |
| gke-cluster-enable-logging | Link | Ensure Kubernetes Clusters have logging enabled. |
| gke-cluster-version | Link | Checks if a GKE cluster is using a master version type other than 1.12.10-gke.17. |
| gke-enable-binary-authorization | Link | |
| gke_allowed_node_service_account_scope_default | Link | Checks that certain service account scopes are not assigned to nodes. |
| gke_cluster_location | Link | |
| gke_container_optimized_os | Link | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters |
| gke_enable_private_endpoint | Link | Enable a private endpoint for the cluster to be accessible from an internal network only. |
| gke_restrict_client_auth_methods | Link | Checks that client certificate and password authentication methods are disabled for GKE clusters. |
| gke_restrict_pod_traffic | Link | Checks that GKE clusters have a Network Policy installed. |
| gke_restrict_pod_traffic | Link | Checks that GKE clusters have a Network Policy installed. |
| glb_external_ip_allowlist | Link | Checks if Global Load Balancers have external IPs. |
| iam-restrict-service-account-key-age-ninety-days | Link | Checks if service account keys are older than 90 days. |
| iam-restrict-service-account-key-age-one-hundred-days | Link | Checks if service account keys are older than 100 days. |
| iam_allow_roles | Only the roles in this list are allowed. All other roles trigger violation. | |
| iam_ban_roles | Only the roles in this list trigger violation. All other roles allowed. | |
| iam_restrict_service_account_creation | Link | Checks if any service accounts have been created. |
| iam_restrict_service_account_key_type | Link | Checks if any service accounts have user created keys. |
| network_restrict_default | Link | Restrict default networks with open firewall rules |
| only_my_domain | Link | Only allow members from my domain to be added to IAM roles |
| prevent-public-ip-cloudsql | Link | Prevents a public IP from being assigned to a Cloud SQL instance. |
| require_bq_table_iam | Link | Checks if BigQuery datasets are publicly readable or allAuthenticatedUsers. |
| require_bucket_policy_only | Link | Checks if Cloud Storage buckets have Bucket Only Policy turned on. |
| require_dnssec | Link | Checks that DNSSEC is enabled for a Cloud DNS managed zone. |
| require_global_routing | Link | Checks that every VPC is in global routing mode. |
| require_labels | Link | Checks that labels are set for all resources (or a subset of resources) and that they match a certain regular expression pattern. |
| require_members_and_domains_owner | Link | Trigger violations if the following members and domains are absent in roles/owner |
| require_sql_ssl | Link | Checks if Cloud SQL instances have SSL turned on. |
| restrict-firewall-rule-allow-ingress-demo | Link | Checks that every firewall rule matches certain settings. |
| restrict-firewall-rule-rdp-world-open | Link | Checks for open firewall rules allowing RDP from the internet. |
| restrict-firewall-rule-ssh-world-open | Link | Checks for open firewall rules allowing SSH from the internet. |
| restrict-firewall-rule-world-open | Link | Checks for open firewall rules allowing ingress from the internet. |
| restrict-firewall-rule-world-open-tcp-udp-all-ports | Link | Checks for open firewall rules allowing TCP/UDP from the internet. |
| restrict-gmail-bigquery-dataset | Link | Enforce corporate domain by banning gmail.com addresses access to BigQuery datasets |
| restrict-googlegroups-bigquery-dataset | Link | Enforce corporate domain by banning googlegroups.com addresses access to BigQuery datasets |
| restrict_gmail | Link | Enforce corporate domain by banning gmail.com addresses |
| restrict_owner_role | Link | Only my domain members are allowed to have the Owner role on projects |
| service_accounts_only | Link | Checks that members that have been granted IAM roles belong to allowlisted domains. |
| service_versions | Link | Limit the number App Engine application versions simultaneously running. installed. |
| sql-world-readable | Link | Checks if Cloud SQL instances are world readable. |
| sql_allowed_authorized_networks_allowlist | Link | Checks Cloud SQL master authorized networks list against a allowlist. |
| sql_type_deny_sqlserver | Link | Checks for allowed or disallowed Cloud SQL instance types. |
| storage_bucket_minimum_maximum_retention | Link | |
| storage_cmek_encryption | Link | Checks if Cloud Storage buckets have CMEK turned on. |
| storage_logging | Link | Ensure storage logs are delivered to a separate bucket |
| vpc_sc_allowlist_regions | Link | Checks that only allowed geographical regions are allowed in VPC Service Controls perimeters. |
| vpc_sc_ensure_access_levels | Link | Checks if a VPC Service Controls perimeter has desired access levels set. |
| vpc_sc_ensure_project | Link | Checks if a VPC Service Controls perimeter has correct projects in them. |
| vpc_sc_ensure_services | Link | Checks is a VPC Service Controls perimeter has correct services set. |
| vpc_sc_ip_range | Link | Checks the CIDR notation size in VPC Service Controls access levels. |
| vpc_sc_project_perimeter_allowlist | Link | Checks that only allowed VPC Service Controls perimeters exists. |
| vpc_sc_project_perimeter_denylist | Link | Older, deprecated version of above policy. |
| vpc_sc_project_perimeter_whitelist | Link |