
// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
  14. syntax = "proto3";
  15. package google.cloud.securitycenter.settings.v1beta1;
  16. import "google/api/field_behavior.proto";
  17. import "google/api/resource.proto";
  18. import "google/protobuf/timestamp.proto";
  19. import "google/api/annotations.proto";
  20. option cc_enable_arenas = true;
  21. option csharp_namespace = "Google.Cloud.SecurityCenter.Settings.V1Beta1";
  22. option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/settings/v1beta1;settings";
  23. option java_multiple_files = true;
  24. option java_outer_classname = "ComponentSettingsProto";
  25. option java_package = "com.google.cloud.securitycenter.settings.v1beta1";
  26. option php_namespace = "Google\\Cloud\\SecurityCenter\\Settings\\V1beta1";
  27. option ruby_package = "Google::Cloud::SecurityCenter::Settings::V1beta1";
// Component Settings for Security Command Center.
//
// A ComponentSettings resource is addressed by one of the `pattern`s below
// (organization, folder, project or cluster scope); `name` holds the same
// relative resource name.
message ComponentSettings {
  option (google.api.resource) = {
    type: "securitycenter.googleapis.com/ComponentSettings"
    pattern: "organizations/{organization}/components/{component}/settings"
    pattern: "folders/{folder}/components/{component}/settings"
    pattern: "projects/{project}/components/{component}/settings"
    pattern: "projects/{project}/locations/{location}/clusters/{cluster}/components/{component}/settings"
    pattern: "projects/{project}/regions/{region}/clusters/{cluster}/components/{component}/settings"
    pattern: "projects/{project}/zones/{zone}/clusters/{cluster}/components/{component}/settings"
  };

  // Settings for each detector.
  message DetectorSettings {
    // ENABLE to enable, DISABLE to disable and INHERIT to inherit the
    // setting from ancestors.
    ComponentEnablementState state = 1;
  }

  // The relative resource name of the component settings.
  // Formats:
  // * `organizations/{organization}/components/{component}/settings`
  // * `folders/{folder}/components/{component}/settings`
  // * `projects/{project}/components/{component}/settings`
  // * `projects/{project}/locations/{location}/clusters/{cluster}/components/{component}/settings`
  // * `projects/{project}/regions/{region}/clusters/{cluster}/components/{component}/settings`
  // * `projects/{project}/zones/{zone}/clusters/{cluster}/components/{component}/settings`
  string name = 1;

  // ENABLE to enable the component, DISABLE to disable it and INHERIT to
  // inherit the setting from ancestors.
  ComponentEnablementState state = 2;

  // Output only. The service account to be used for the security center
  // component. The component must have permission to "act as" the service
  // account; the caller cannot choose this value.
  string project_service_account = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Settings for detectors, keyed by detector (presumably the detector name;
  // confirm against the service). Not all detectors must have settings
  // present at each and every level in the hierarchy. If a setting is not
  // present it is inherited from the ancestor folders, the organization, or
  // the defaults.
  map<string, DetectorSettings> detector_settings = 4;

  // Output only. A fingerprint used for optimistic concurrency. If none is
  // provided on updates then the existing metadata will be blindly
  // overwritten.
  // NOTE(review): the field is annotated OUTPUT_ONLY yet the comment expects
  // callers to send it back on updates; confirm which is intended, since an
  // omitted etag disables the concurrency check described here.
  string etag = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time these settings were last updated.
  google.protobuf.Timestamp update_time = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Component specific settings. At most one member is set, and it must match
  // the component named in `name`.
  oneof specific_settings {
    // Container Threat Detection specific settings.
    // For component, expect CONTAINER_THREAT_DETECTION.
    ContainerThreatDetectionSettings container_threat_detection_settings = 41;

    // Event Threat Detection specific settings.
    // For component, expect EVENT_THREAT_DETECTION.
    EventThreatDetectionSettings event_threat_detection_settings = 42;

    // Security Health Analytics specific settings.
    // For component, expect SECURITY_HEALTH_ANALYTICS.
    SecurityHealthAnalyticsSettings security_health_analytics_settings = 44;

    // Web Security Scanner specific settings.
    // For component, expect WEB_SECURITY_SCANNER.
    WebSecurityScanner web_security_scanner_settings = 40;
  }
}
// User specified settings for Web Security Scanner. The message currently
// carries no fields; it is the payload of
// ComponentSettings.web_security_scanner_settings.
// NOTE(review): unlike the sibling settings messages this name lacks the
// "Settings" suffix; renaming it would break generated code, so the
// inconsistency is recorded here rather than changed.
message WebSecurityScanner {
}
// User specified settings for Container Threat Detection (KTD). The message
// currently carries no fields; it is the payload of
// ComponentSettings.container_threat_detection_settings.
message ContainerThreatDetectionSettings {
}
// User specified settings for Event Threat Detection (ETD). The message
// currently carries no fields; it is the payload of
// ComponentSettings.event_threat_detection_settings.
message EventThreatDetectionSettings {
}
// User specified settings for Security Health Analytics.
message SecurityHealthAnalyticsSettings {
  // Settings for "NON_ORG_IAM_MEMBER" scanner.
  message NonOrgIamMemberSettings {
    // User emails ending in the provided identities are allowed to have IAM
    // permissions on a project or the organization. Otherwise a finding will
    // be created.
    // A valid identity can be:
    // * a domain that starts with "@", e.g. "@yourdomain.com".
    // * a fully specified email address that does not start with "@", e.g.
    //   "abc@gmail.com"
    // Regular expressions are not supported.
    // Matching is by suffix, so a broad entry (for example an entire public
    // email domain) approves every account under that domain and suppresses
    // findings for all of them.
    // Service accounts are not examined by the scanner and will be omitted if
    // added to the list.
    // If not specified, only Gmail accounts will be considered as non-approved.
    repeated string approved_identities = 1;
  }

  // Settings for "ADMIN_SERVICE_ACCOUNT" scanner.
  message AdminServiceAccountSettings {
    // User-created service accounts ending in the provided identities are
    // allowed to have Admin, Owner or Editor roles granted to them. Otherwise
    // a finding will be created.
    // A valid identity can be:
    // * a partially specified service account that starts with "@", e.g.
    //   "@myproject.iam.gserviceaccount.com". This approves all the service
    //   accounts suffixed with the specified identity.
    // * a fully specified service account that does not start with "@", e.g.
    //   "myadmin@myproject.iam.gserviceaccount.com".
    // Google-created service accounts are all approved.
    repeated string approved_identities = 1;
  }

  // Settings for "NON_ORG_IAM_MEMBER" scanner.
  NonOrgIamMemberSettings non_org_iam_member_settings = 1;

  // Settings for "ADMIN_SERVICE_ACCOUNT" scanner.
  AdminServiceAccountSettings admin_service_account_settings = 2;
}
// Valid states for a component.
//
// NOTE(review): DISABLE, ENABLE and INHERIT are not prefixed with the enum
// name, so in targets with C++-style enum scoping they share a namespace with
// other enums in this package. Renaming them would break generated code and
// JSON, so any new value added here must at least not collide with sibling
// enums.
enum ComponentEnablementState {
  // No state specified; this is the proto3 default when the field is unset.
  // Equivalent to INHERIT.
  COMPONENT_ENABLEMENT_STATE_UNSPECIFIED = 0;

  // Disable the component.
  DISABLE = 1;

  // Enable the component.
  ENABLE = 2;

  // Inherit the state from the resource's parent folder or organization.
  INHERIT = 3;
}