This bundle can be installed via kpt:

```
export BUNDLE=healthcare-baseline-v1
kpt pkg get https://github.com/GoogleCloudPlatform/policy-library.git ./policy-library
kpt fn source policy-library/samples/ | \
kpt fn eval - --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
kpt fn sink policy-library/policies/constraints/
```
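The pipeline above works by filtering the sample constraints on a bundle annotation and writing the matches into `policy-library/policies/constraints/`. As an added example (not code from the policy-library project), the shell functions below perform an offline version of that check: they list, for a directory of constraint YAML files, which constraints carry the annotation for a given bundle and which control each is tagged with, so you can confirm after the `kpt fn sink` step that exactly the expected constraints landed. The annotation key pattern `bundles.validator.forsetisecurity.org/<bundle>: <control>` is assumed from the policy-library samples, and the two constraint files the script writes to a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the policy-library repository.
# Assumes constraints are tagged with the annotation
#   bundles.validator.forsetisecurity.org/<bundle>: <control>
# as in the policy-library samples.
set -eu

# list_bundle_constraints DIR BUNDLE
# Prints "<name> <control>" for every *.yaml file in DIR whose annotations
# include the BUNDLE key. Files without the annotation are skipped, which is
# the same selection the get-policy-bundle function applies.
list_bundle_constraints() {
  dir="$1"; bundle="$2"
  for f in "$dir"/*.yaml; do
    [ -e "$f" ] || continue
    # Value (control) of the bundle annotation, if the file has one.
    control=$(awk -v key="bundles.validator.forsetisecurity.org/$bundle:" \
      '$1 == key { print $2; exit }' "$f")
    [ -n "$control" ] || continue
    # First metadata.name in the file is the constraint name.
    name=$(awk '$1 == "name:" { print $2; exit }' "$f")
    printf '%s %s\n' "$name" "$control"
  done
}

# verify_bundle DIR BUNDLE "name1 name2 ..."
# Succeeds only when the set of annotated constraint names in DIR equals the
# expected space-separated list (order does not matter).
verify_bundle() {
  dir="$1"; bundle="$2"; expected="$3"
  found=$(list_bundle_constraints "$dir" "$bundle" | awk '{ print $1 }' | sort | tr '\n' ' ')
  want=$(printf '%s\n' $expected | sort | tr '\n' ' ')
  [ "$found" = "$want" ]
}

# make_sample_dir
# Writes two constructed constraint files to a temp dir and prints its path:
# one tagged for healthcare-baseline-v1, one with no bundle annotation.
make_sample_dir() {
  d=$(mktemp -d)
  cat > "$d/storage_location.yaml" <<'EOF'
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPStorageLocationConstraintV1
metadata:
  name: allow_some_storage_location
  annotations:
    description: Checks Cloud Storage bucket locations against allowed or disallowed locations.
    bundles.validator.forsetisecurity.org/healthcare-baseline-v1: security
spec:
  severity: high
  match:
    target: ["organizations/**"]
  parameters:
    mode: allowlist
    locations: ["us-east1", "us-central1"]
EOF
  cat > "$d/unrelated.yaml" <<'EOF'
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAllowedBindingsConstraintV3
metadata:
  name: constructed_constraint_not_in_bundle
  annotations:
    description: Constructed constraint with no bundle annotation.
spec:
  severity: high
  match:
    target: ["organizations/**"]
EOF
  printf '%s\n' "$d"
}

# Demo on the constructed sample directory: prints
#   allow_some_storage_location security
demo_dir=$(make_sample_dir)
list_bundle_constraints "$demo_dir" healthcare-baseline-v1
rm -rf "$demo_dir"
```

Against a real checkout, run `list_bundle_constraints policy-library/policies/constraints healthcare-baseline-v1` after the pipeline finishes; the names should match the Constraint column of the table below and the second column should match its Control column. A constraint that is missing from the output either lacks the bundle annotation or was never written by the sink step.
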
Constraint | Control | Description |
---|---|---|
allow_appengine_applications_in_australia_and_south_america | security | Restricts the locations (regions) where App Engine applications are deployed. |
allow_basic_set_of_apis | security | Only allows a basic set of APIs. |
allow_dataproc_clusters_in_asia | security | Checks that Dataproc clusters are in the correct regions. |
allow_some_sql_location | security | Checks Cloud SQL instance locations against allowed or disallowed locations. |
allow_some_storage_location | security | Checks Cloud Storage bucket locations against allowed or disallowed locations. |
allow_spanner_clusters_in_asia_and_europe | security | Checks Cloud Spanner locations. |
audit_log_all | security | Checks that all services have all types of audit logs enabled. |
bq_dataset_allowed_locations | security | Checks in which locations BigQuery datasets exist. |
deny_allusers | security | Prevents public users from having access to resources via IAM. |
denylist_public_users | security | Prevents public users from having access to resources via IAM. |
enable-network-firewall-logs | security | Ensures firewall logs are enabled for every firewall in the VPC network. |
enable_gke_stackdriver_logging | security | Ensures Stackdriver logging is enabled on GKE clusters. |
enable_network_flow_logs | security | Ensures VPC Flow Logs are enabled for every subnet in the VPC network. |
gke-cluster-allowed-locations | security | Checks which zones are allowed or disallowed for GKE clusters. |
only_my_domain | security | Only allows members from my domain to be added to IAM roles. |
prevent-public-ip-cloudsql | security | Prevents a public IP from being assigned to a Cloud SQL instance. |
require_bq_table_iam | security | Checks whether BigQuery datasets are readable by the public (allUsers) or by allAuthenticatedUsers. |
require_bucket_policy_only | security | Checks whether Cloud Storage buckets have Bucket Policy Only turned on. |
sql-world-readable | security | Checks whether Cloud SQL instances are world readable. |