gcloud compliance-manager cloud-controls create

NAME
gcloud compliance-manager cloud-controls create - create a cloud control
SYNOPSIS
gcloud compliance-manager cloud-controls create (CLOUD_CONTROL : --location=LOCATION --organization=ORGANIZATION) [--categories=[CATEGORIES,…]] [--description=DESCRIPTION] [--display-name=DISPLAY_NAME] [--finding-category=FINDING_CATEGORY] [--parameter-spec=[defaultValue=DEFAULTVALUE],[description=DESCRIPTION],[displayName=DISPLAYNAME],[isRequired=ISREQUIRED],[name=NAME],[substitutionRules=SUBSTITUTIONRULES],[validation=VALIDATION],[valueType=VALUETYPE]] [--remediation-steps=REMEDIATION_STEPS] [--rules=[celExpression=CELEXPRESSION],[description=DESCRIPTION],[ruleActionTypes=RULEACTIONTYPES]] [--severity=SEVERITY] [--supported-cloud-providers=[SUPPORTED_CLOUD_PROVIDERS,…]] [--supported-target-resource-types=[SUPPORTED_TARGET_RESOURCE_TYPES,…]] [GCLOUD_WIDE_FLAG …]
DESCRIPTION
Create a cloud control for a given organization and location.
EXAMPLES
To create a cloud control my-cloud-control-id in organization my-organization-id and location global with a specific rule, run:
gcloud compliance-manager cloud-controls create my-cloud-control-id --organization=my-organization-id --location=global --display-name="My cloud control display name" --description="My cloud control description" --rules='[{"description":"VM IP forwarding check","ruleActionTypes":["rule-action-type-detective"],"celExpression":{"expression":"resource.canIpForward == false","resourceTypesValues":{"values":["compute.googleapis.com/Instance"]}}}]'
POSITIONAL ARGUMENTS
CloudControl resource - Identifier. The name of the cloud control, in the format organizations/{organization}/locations/{location}/cloudControls/{cloud_control_id}. The only supported location is global. The arguments in this group can be used to specify the attributes of this resource.

This must be specified.

CLOUD_CONTROL
ID of the cloudControl or fully qualified identifier for the cloudControl.

To set the cloud_control attribute:

  • provide the argument cloud_control on the command line.

This positional argument must be specified if any of the other arguments in this group are specified.

--location=LOCATION
The location id of the cloudControl resource.

To set the location attribute:

  • provide the argument cloud_control on the command line with a fully specified name;
  • provide the argument --location on the command line.
--organization=ORGANIZATION
The organization id of the cloudControl resource.

To set the organization attribute:

  • provide the argument cloud_control on the command line with a fully specified name;
  • provide the argument --organization on the command line.
FLAGS
--categories=[CATEGORIES,…]
The categories for the cloud control. CATEGORIES must be one of:
cc-category-artificial-intelligence
The artificial intelligence category.
cc-category-bcdr
The business continuity and disaster recovery (BCDR) category.
cc-category-data-security
The data security category.
cc-category-encryption
The encryption category.
cc-category-hr-admin-and-processes
The HR, admin, and processes category.
cc-category-identity-and-access-management
The identity and access management category.
cc-category-incident-management
The incident management category.
cc-category-infrastructure
The infrastructure security category.
cc-category-legal-and-disclosures
The legal and disclosures category.
cc-category-logs-management-and-infrastructure
The logs management and infrastructure category.
cc-category-network-security
The network security category.
cc-category-physical-security
The physical security category.
cc-category-privacy
The privacy category.
cc-category-third-party-and-sub-processor-management
The third-party and sub-processor management category.
cc-category-vulnerability-management
The vulnerability management category.
--description=DESCRIPTION
A description of the cloud control. The maximum length is 2000 characters.
--display-name=DISPLAY_NAME
The friendly name of the cloud control. The maximum length is 200 characters.
--finding-category=FINDING_CATEGORY
The finding category for the cloud control findings. The maximum length is 255 characters.
--parameter-spec=[defaultValue=DEFAULTVALUE],[description=DESCRIPTION],[displayName=DISPLAYNAME],[isRequired=ISREQUIRED],[name=NAME],[substitutionRules=SUBSTITUTIONRULES],[validation=VALIDATION],[valueType=VALUETYPE]
The parameter specifications for the cloud control.
defaultValue
The default value of the parameter.
boolValue
A boolean value.
numberValue
A double value.
stringListValue
A repeated string.
values
The strings in the list.
stringValue
A string value.
description
The description of the parameter. The maximum length is 2000 characters.
displayName
The friendly name of the parameter. The maximum length is 200 characters.
isRequired
Whether the parameter is required.
name
The name of the parameter.
substitutionRules
The list of parameter substitutions.
attributeSubstitutionRule
The attribute substitution rule.
attribute
The fully qualified proto attribute path, in dot notation. For example: rules[0].cel_expression.resource_types_values.
placeholderSubstitutionRule
The placeholder substitution rule.
attribute
The fully qualified proto attribute path, in dot notation.
validation
The permitted set of values for the parameter.
allowedValues
The permitted set of values for the parameter.
values
The list of allowed values for the parameter.
boolValue
A boolean value.
numberValue
A double value.
stringListValue
A repeated string.
values
The strings in the list.
stringValue
A string value.
intRange
The permitted range for numeric parameters.
max
The maximum permitted value for the numeric parameter (inclusive).
min
The minimum permitted value for the numeric parameter (inclusive).
regexpPattern
The regular expression for string parameters.
pattern
The regex pattern to match the values of the parameter with.
valueType
The parameter value type.
Shorthand Example:
--parameter-spec=defaultValue={boolValue=boolean,numberValue=float,stringListValue={values=[string]},stringValue=string},description=string,displayName=string,isRequired=boolean,name=string,substitutionRules=[{attributeSubstitutionRule={attribute=string},placeholderSubstitutionRule={attribute=string}}],validation={allowedValues={values=[{boolValue=boolean,numberValue=float,stringListValue={values=[string]},stringValue=string}]},intRange={max=int,min=int},regexpPattern={pattern=string}},valueType=string --parameter-spec=defaultValue={boolValue=boolean,numberValue=float,stringListValue={values=[string]},stringValue=string},description=string,displayName=string,isRequired=boolean,name=string,substitutionRules=[{attributeSubstitutionRule={attribute=string},placeholderSubstitutionRule={attribute=string}}],validation={allowedValues={values=[{boolValue=boolean,numberValue=float,stringListValue={values=[string]},stringValue=string}]},intRange={max=int,min=int},regexpPattern={pattern=string}},valueType=string

JSON Example:

--parameter-spec='[{"defaultValue": {"boolValue": boolean, "numberValue": float, "stringListValue": {"values": ["string"]}, "stringValue": "string"}, "description": "string", "displayName": "string", "isRequired": boolean, "name": "string", "substitutionRules": [{"attributeSubstitutionRule": {"attribute": "string"}, "placeholderSubstitutionRule": {"attribute": "string"}}], "validation": {"allowedValues": {"values": [{"boolValue": boolean, "numberValue": float, "stringListValue": {"values": ["string"]}, "stringValue": "string"}]}, "intRange": {"max": int, "min": int}, "regexpPattern": {"pattern": "string"}}, "valueType": "string"}]'

File Example:

--parameter-spec=path_to_file.(yaml|json)
--remediation-steps=REMEDIATION_STEPS
The remediation steps for the cloud control findings. The maximum length is 400 characters.
--rules=[celExpression=CELEXPRESSION],[description=DESCRIPTION],[ruleActionTypes=RULEACTIONTYPES]
The rules that you can enforce to meet your security or compliance intent.
celExpression
The rule's logic expression in Common Expression Language (CEL).
expression
The logical expression in CEL. The maximum length of the condition is 1000 characters. For more information, see CEL expression.
resourceTypesValues
The resource instance types on which this expression is defined. The format is <SERVICE_NAME>/<type>. For example: compute.googleapis.com/Instance.
values
The strings in the list.
description
The rule description. The maximum length is 2000 characters.
ruleActionTypes
The functionality that's enabled by the rule.
Shorthand Example:
--rules=celExpression={expression=string,resourceTypesValues={values=[string]}},description=string,ruleActionTypes=[string] --rules=celExpression={expression=string,resourceTypesValues={values=[string]}},description=string,ruleActionTypes=[string]

JSON Example:

--rules='[{"celExpression": {"expression": "string", "resourceTypesValues": {"values": ["string"]}}, "description": "string", "ruleActionTypes": ["string"]}]'

File Example:

--rules=path_to_file.(yaml|json)
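The file forms of --parameter-spec and --rules are the practical way to manage a control with more than a trivial rule set, and the length limits and name format above are easiest to check before gcloud is invoked. The following script is an added example, not code from the gcloud reference or from Google: it builds a rule and a parameter spec shaped like the JSON examples above, enforces the documented limits and the organizations/{organization}/locations/global/cloudControls/{id} name format, writes the two files, and returns the argv for the create command without running it. The helper names, the sample organization and control IDs, the output directory, the loose <SERVICE_NAME>/<type> regex and the parameter name are assumptions made for this example; valueType is left unset because the reference does not list its accepted values.

```python
"""Prepare --rules and --parameter-spec files for
`gcloud compliance-manager cloud-controls create` and assemble the argv.
Illustrative only: helper names, sample IDs and file names are made up;
field names, name format and length limits follow the flag reference."""
import json
import re
import shlex
from pathlib import Path

# Limits documented for the flags.
MAX_EXPRESSION = 1000          # celExpression.expression
MAX_RULE_DESCRIPTION = 2000    # rules[].description
MAX_DESCRIPTION = 2000         # --description and parameter description
MAX_DISPLAY_NAME = 200         # --display-name and parameter displayName

# organizations/{organization}/locations/{location}/cloudControls/{cloud_control_id}
FULL_NAME_RE = re.compile(
    r"^organizations/(?P<org>[^/]+)/locations/(?P<loc>[^/]+)/cloudControls/(?P<id>[^/]+)$")
# <SERVICE_NAME>/<type>, e.g. compute.googleapis.com/Instance (loose check; assumed)
RESOURCE_TYPE_RE = re.compile(r"^[^/\s]+/[^/\s]+$")


def _check_len(field, value, limit):
    if len(value) > limit:
        raise ValueError(f"{field} is {len(value)} characters; the limit is {limit}")


def resolve_name(cloud_control, organization=None, location="global"):
    """Accept a bare control ID plus --organization/--location, or a fully
    qualified name; return (organization, location, control_id). Only the
    global location is supported, so anything else is rejected here."""
    m = FULL_NAME_RE.match(cloud_control)
    if m:
        organization, location, cloud_control = m["org"], m["loc"], m["id"]
    if not organization:
        raise ValueError("--organization is required when only the control ID is given")
    if location != "global":
        raise ValueError(f"only location 'global' is supported, got {location!r}")
    return organization, location, cloud_control


def make_rule(expression, resource_types, description,
              action_types=("rule-action-type-detective",)):
    """One --rules entry, shaped like the JSON example for the flag."""
    _check_len("celExpression.expression", expression, MAX_EXPRESSION)
    _check_len("rule description", description, MAX_RULE_DESCRIPTION)
    for rt in resource_types:
        if not RESOURCE_TYPE_RE.match(rt):
            raise ValueError(f"resource type {rt!r} is not of the form <SERVICE_NAME>/<type>")
    return {
        "celExpression": {"expression": expression,
                          "resourceTypesValues": {"values": list(resource_types)}},
        "description": description,
        "ruleActionTypes": list(action_types),
    }


def make_resource_type_param(name, display_name, description, default_types, rule_index=0):
    """A string-list parameter substituted into rules[rule_index]'s resource
    types through an attributeSubstitutionRule (attribute path as on the page)."""
    _check_len("parameter displayName", display_name, MAX_DISPLAY_NAME)
    _check_len("parameter description", description, MAX_DESCRIPTION)
    for rt in default_types:
        if not RESOURCE_TYPE_RE.match(rt):
            raise ValueError(f"default resource type {rt!r} is not <SERVICE_NAME>/<type>")
    return {
        "name": name, "displayName": display_name, "description": description,
        "isRequired": True,
        "defaultValue": {"stringListValue": {"values": list(default_types)}},
        "substitutionRules": [{"attributeSubstitutionRule": {
            "attribute": f"rules[{rule_index}].cel_expression.resource_types_values"}}],
        # valueType omitted: the reference does not list its accepted values.
    }


def build_create_command(cloud_control, organization, display_name, description,
                         rules, parameter_specs, out_dir, severity="high"):
    """Write rules.json and parameter-spec.json under out_dir and return the
    argv for the create command using the file form of both flags."""
    org, loc, cid = resolve_name(cloud_control, organization)
    _check_len("--display-name", display_name, MAX_DISPLAY_NAME)
    _check_len("--description", description, MAX_DESCRIPTION)
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    rules_path, params_path = out / "rules.json", out / "parameter-spec.json"
    rules_path.write_text(json.dumps(rules, indent=2))
    params_path.write_text(json.dumps(parameter_specs, indent=2))
    return ["gcloud", "compliance-manager", "cloud-controls", "create", cid,
            f"--organization={org}", f"--location={loc}",
            f"--display-name={display_name}", f"--description={description}",
            f"--severity={severity}", f"--rules={rules_path}",
            f"--parameter-spec={params_path}"]


if __name__ == "__main__":
    rule = make_rule("resource.canIpForward == false",
                     ["compute.googleapis.com/Instance"], "VM IP forwarding check")
    param = make_resource_type_param("resourceTypes", "Resource types",
                                     "Instance types the check applies to",
                                     ["compute.googleapis.com/Instance"])
    argv = build_create_command("my-cloud-control-id", "my-organization-id",
                                "No IP forwarding on VMs",
                                "Detects Compute Engine instances with IP forwarding enabled",
                                [rule], [param], "cc-example-out")
    print(shlex.join(argv))  # printed, not executed: review the files, then run it
```

The script deliberately stops at printing the command: review the generated rules.json and parameter-spec.json, then run the printed line with an identity that holds the organization-level permissions the API requires. Because gcloud accepts either a bare ID with --organization/--location or a fully qualified name, resolve_name normalizes both before anything is written, and it refuses any location other than global rather than letting the API reject the request later.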
--severity=SEVERITY
The severity of the findings that are generated by the cloud control. SEVERITY must be one of:
critical
A critical vulnerability is easily discoverable by an external actor, exploitable, and results in the direct ability to execute arbitrary code, exfiltrate data, and otherwise gain additional access and privileges to cloud resources and workloads. Examples include publicly accessible unprotected user data and public SSH access with weak or no passwords.

A critical threat is a threat that can access, modify, or delete data or execute unauthorized code within existing resources.

high
A high-risk vulnerability can be easily discovered and exploited in combination with other vulnerabilities to gain direct access and the ability to execute arbitrary code, exfiltrate data, and otherwise gain additional access and privileges to cloud resources and workloads. An example is a database with weak or no passwords that is only accessible internally. This database could easily be compromised by an actor that had access to the internal network.

A high-risk threat is a threat that can create new computational resources in an environment but can't access data or execute code in existing resources.

low
A low-risk vulnerability hampers a security organization's ability to detect vulnerabilities or active threats in their deployment, or prevents the root cause investigation of security issues. An example is monitoring and logs being disabled for resource configurations and access.

A low-risk threat is a threat that has obtained minimal access to an environment but can't access data, execute code, or create resources.

medium
A medium-risk vulnerability can be used by an actor to gain access to resources or privileges that enable them to eventually (through multiple steps or a complex exploit) gain access and the ability to execute arbitrary code or exfiltrate data. An example is a service account with access to more projects than it should have. If an actor gains access to the service account, they could potentially use that access to manipulate a project the service account was not intended to.

A medium-risk threat can cause operational impact but might not access data or execute unauthorized code.

--supported-cloud-providers=[SUPPORTED_CLOUD_PROVIDERS,…]
The supported cloud providers. SUPPORTED_CLOUD_PROVIDERS must be one of:
aws
Amazon Web Services (AWS).
azure
Microsoft Azure.
gcp
Google Cloud.
--supported-target-resource-types=[SUPPORTED_TARGET_RESOURCE_TYPES,…]
The target resource types that are supported by the cloud control. SUPPORTED_TARGET_RESOURCE_TYPES must be one of:
target-resource-crm-type-folder
The target resource is a folder.
target-resource-crm-type-org
The target resource is a Google Cloud organization.
target-resource-crm-type-project
The target resource is a project.
target-resource-type-application
The target resource is an application in App Hub.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

API REFERENCE
This command uses the cloudsecuritycompliance/v1 API. The full documentation for this API can be found at: https://cloud.google.com/security-command-center#compliance-management

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-11-18 UTC.