cloud-guardrails-and-landing-zones.md

Landing Zones for Cloud

• Google Cloud PBMM Landing Zone: https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit
• AWS Secure Environment Accelerator: https://github.com/aws-samples/aws-secure-environment-accelerator
• Azure Landing Zones for Canadian Public Sector: https://github.com/Azure/CanadaPubSecALZ/

Policy Governance Compliance Audit Automation

• Google Cloud Security Command Center Premium - Compliance tab - requires additional automation on evidence capture
• https://aws.amazon.com/audit-manager/

Google Cloud Landing Zones

• https://github.com/cloud-quickstart/gcp-landing-zone (GCP Java SDK in progress)
• https://cloud.google.com/architecture/landing-zones
• https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding (Terraform)
• Google Cloud PBMM Landing Zone: https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit (Kubernetes Config Controller)
• https://cloud.google.com/anthos-config-management/docs/tutorials/landing-zone

Guardrails for Cloud

Guardrail	CSP	Reference	Details	Links
IAM modification	Google		"Use Google Cloud's operations suite to set up alerts that will notify you when a SetIamPolicy() API call is made. This will send an alert when anyone modifies any IAM policy."	https://cloud.google.com/resource-manager/docs/super-admin-best-practices

https://wiki.gccollab.ca/index.php?title=GC_Cloud_Infocentre&mobileaction=toggle_view_desktop

Azure Cloud Guardrails

https://github.com/Azure/GuardrailsSolutionAccelerator/blob/main/docs/controls.md#guardrail-12-configuration-of-cloud-marketplaces https://learn.microsoft.com/en-us/defender-cloud-apps/connect-google-gcp

Google Cloud Guardrails

https://github.com/canada-ca/accelerators_accelerateurs-gcp

https://github.com/canada-ca/cloud-guardrails-gcp/tree/main/guardrails-validation

https://github.com/canada-ca/cloud-guardrails/tree/master/EN

https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding

https://cloud.google.com/docs/security/infrastructure/design

https://cloud.google.com/architecture/security-foundations

https://cloud.google.com/vpc-service-controls/docs/secure-data-exchange

https://cloud.google.com/security/compliance/offerings#/regions=Canada

AWS Cloud Guardrails

https://github.com/aws-samples/aws-secure-environment-accelerator

https://d1.awsstatic.com/events/reinvent/2019/AWS_Control_Tower_versus_AWS_Landing_Zone_GPSTEC203.pdf

Azure Cloud Guardrails

https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/governance/blueprints/samples/caf-migrate-landing-zone/deploy.md

https://github.com/Azure/devops-governance

DOD

https://dodcio.defense.gov/Portals/0/Documents/DoD%20Enterprise%20DevSecOps%20Reference%20Design%20v1.0_Public%20Release.pdf

https://repo1.dso.mil/dsawg-devsecops/kubernetes-srg/k8-srg-artifacts/-/tree/master

Public Sector

https://cloud.google.com/blog/topics/public-sector/announcing-google-public-sector

SSO

Active directory

• https://cloud.google.com/architecture/identity/federating-gcp-with-active-directory-configuring-single-sign-on

Compliance and Governance

• https://cloudonair.withgoogle.com/events/compliance-with-confidence

TODO

GCP workspaces rules

https://admin.google.com/ac/ax