This is a beta release. This product might be changed in backward-incompatible ways and is not subject to any SLA or deprecation policy.
Developed in partnership with ClearDATA, Real-Time Enforcer automatically remediates non-compliant configurations in targeted Google Cloud Platform (GCP) resources.

Real-Time Enforcer uses a Stackdriver log export that filters for Audit Log entries that create or update resources, and sends those log entries to a Pub/Sub topic. The forseti-enforcer-gcp service account is subscribed to that topic; it evaluates each incoming log message and attempts to map it to a recognized resource. If the resource is recognized, Real-Time Enforcer evaluates it against an Open Policy Agent (OPA) instance and remediates it based on the defined policies stored in a Cloud Storage bucket.

Logs are written to Stackdriver in the same project that Real-Time Enforcer runs in, and can be found using the Global resource filter.
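The mapping step described above, as an added example that is not Real-Time Enforcer's own code: it parses a constructed Audit Log entry as it would arrive from the Pub/Sub subscription, keeps only create/update style calls on the resource types that the forseti-enforcer-gcp permissions listed on this page allow it to modify, and ignores anything it cannot recognize. The serviceName values are the standard GCP Audit Log values; the kind labels, the method-name fragments and the sample entries are assumptions constructed for this example.

```python
import json
from typing import Optional, Tuple

# Assumed mapping from the Audit Log serviceName to the resource kinds that
# the forseti-enforcer-gcp permissions on this page cover. The kind labels
# are ours, not identifiers from the Real-Time Enforcer project.
SERVICE_TO_KIND = {
    "storage.googleapis.com": "storage.buckets",
    "bigquery.googleapis.com": "bigquery.datasets",
    "cloudsql.googleapis.com": "cloudsql.instances",
    "cloudresourcemanager.googleapis.com": "resourcemanager.projects",
}

# Method-name fragments treated as create/update operations (assumed list);
# read-only calls never need remediation and are dropped.
MUTATING_HINTS = ("create", "update", "insert", "patch",
                  "setiampolicy", "setiampermissions")


def map_log_entry(raw: bytes) -> Optional[Tuple[str, str]]:
    """Return (kind, resourceName) for a recognized mutating entry, else None.

    Malformed or unrecognized messages yield None instead of raising, so a
    bad message on the topic cannot wedge the subscriber.
    """
    try:
        entry = json.loads(raw)
    except ValueError:
        return None
    payload = entry.get("protoPayload") or {}
    kind = SERVICE_TO_KIND.get(payload.get("serviceName", ""))
    method = payload.get("methodName", "").lower()
    resource = payload.get("resourceName", "")
    if kind is None or not resource:
        return None
    if not any(hint in method for hint in MUTATING_HINTS):
        return None
    return kind, resource


# Constructed sample entries (not captured from a real project).
SAMPLE_BUCKET_IAM_CHANGE = json.dumps({"protoPayload": {
    "serviceName": "storage.googleapis.com",
    "methodName": "storage.setIamPermissions",
    "resourceName": "projects/_/buckets/example-bucket"}}).encode()
SAMPLE_BUCKET_READ = json.dumps({"protoPayload": {
    "serviceName": "storage.googleapis.com",
    "methodName": "storage.buckets.get",
    "resourceName": "projects/_/buckets/example-bucket"}}).encode()
```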
cloud-foundation-forseti Service Account

The cloud-foundation-forseti service account is used to set up the Real-Time Enforcer Terraform module. For Real-Time Enforcer to work properly, the cloud-foundation-forseti service account requires the following permissions:

Granted at the organization level:
  roles/iam.organizationRoleAdmin
  roles/logging.configWriter

Granted at the project level:
  roles/pubsub.admin
forseti-enforcer-gcp Service Account

The forseti-enforcer-gcp service account gives the Real-Time Enforcer application access to subscribe to the Pub/Sub subscription for messages, and access to modify resources for policy enforcement. The forseti-enforcer-gcp service account requires the following permissions:

Granted at the organization level:
  storage.buckets.get
  storage.buckets.getIamPolicy
  storage.buckets.setIamPolicy
  storage.buckets.update
  bigquery.datasets.get
  bigquery.datasets.getIamPolicy
  bigquery.datasets.setIamPolicy
  bigquery.datasets.update
  cloudsql.instances.get
  cloudsql.instances.update
  resourcemanager.projects.get
  resourcemanager.projects.getIamPolicy
  resourcemanager.projects.setIamPolicy
  serviceusage.services.use

Granted at the project level:
  roles/storage.objectViewer
  roles/logging.logWriter