GCP Execution Modes

pull

Pull mode execution of a policy.

Queries resources from the cloud provider's API and then applies the policy's filters and actions to the result. This is the default mode when a policy declares no mode block.

properties:
  type:
    enum:
    - pull
required:
- type
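A complete pull-mode policy, added here as an illustration and not taken from the Cloud Custodian documentation or code base. It assumes the gcp.sql-instance resource and the Cloud SQL Admin API field settings.ipConfiguration.requireSsl; the policy name and description are made up for the example.

```yaml
# Added example, not part of the original page.
# Pull mode: custodian enumerates every gcp.sql-instance in the project,
# evaluates the filters locally, and writes the matches to the output dir.
policies:
  - name: cloudsql-without-required-ssl
    resource: gcp.sql-instance
    description: Report Cloud SQL instances that accept unencrypted client connections.
    mode:
      type: pull            # the default; shown here for contrast with the event modes
    filters:
      # settings.ipConfiguration.requireSsl is the Cloud SQL Admin API field (assumed here).
      # 'op: ne' with 'value: true' also matches instances where the key is absent,
      # which is what the API returns when SSL has never been required.
      - type: value
        key: settings.ipConfiguration.requireSsl
        op: ne
        value: true
    # No actions: in pull mode a policy with filters only is a report.
```

Run it locally with the project set in the environment, e.g. `GOOGLE_CLOUD_PROJECT=PROJECT_ID custodian run -s out policy.yml`; the matched resources land under `out/cloudsql-without-required-ssl/resources.json`.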

gcp-audit

Custodian policy execution on GCP API audit log events.

Deploys as a Cloud Function triggered by API calls, so a policy is applied as soon as the matching API call occurs. Audit Logs create an event for every API call made in your GCP account; the methods list selects which of those calls trigger the function. See GCP Audit Logs for more details.

The function is deployed to us-central1 by default. To change that, use the CLI --region flag.

properties:
  environment:
    patternProperties:
      ? ''
      : type: string
    type: object
  execution-options:
    patternProperties:
      ? ''
      : oneOf:
        - type: string
        - type: boolean
        - type: number
    type: object
  labels:
    patternProperties:
      ? ''
      : type: string
    type: object
  max-instances:
    type: integer
  memory-size:
    type: integer
  methods:
    items:
      type: string
    type: array
  network:
    type: string
  service-account:
    type: string
  timeout:
    type: string
  type:
    enum:
    - gcp-audit
required:
- methods
- type
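A gcp-audit policy that reacts to firewall rule creation, added here as an illustration and not taken from the Cloud Custodian documentation or code base. It assumes the audit log method name v1.compute.firewalls.insert, the Compute API firewall fields sourceRanges and direction, and the gcp.firewall delete action the page's own example uses; the service account, bucket and policy name are placeholders.

```yaml
# Added example, not part of the original page.
# gcp-audit mode: a Cloud Function subscribed to the audit log event for the
# listed methods. The created firewall rule is looked up and filtered; a rule
# that opens an ingress port to the whole internet is removed immediately.
policies:
  - name: remove-internet-open-ingress-firewall
    resource: gcp.firewall
    mode:
      type: gcp-audit
      methods:
        - v1.compute.firewalls.insert   # audit log methodName for rule creation (assumed)
      service-account: SERVICE_ACCOUNT_NAME@PROJECT.iam.gserviceaccount.com
      timeout: 60s
      memory-size: 256
      max-instances: 5
      labels:
        managed-by: custodian
      environment:
        LOG_LEVEL: INFO
      execution-options:
        output_dir: gs://BUCKET_PLACEHOLDER/custodian   # where the function writes its run output
    filters:
      - type: value
        key: direction
        value: INGRESS
      - type: value
        key: sourceRanges          # list of CIDRs; matches when it includes the any-address range
        op: contains
        value: 0.0.0.0/0
    actions:
      - delete
```

Deploy with `custodian run -s out policy.yml` (add `--region` to override us-central1); on later runs Custodian updates the existing function in place. Keep the service account's permissions to what the action needs, here compute.firewalls.get and compute.firewalls.delete, so a compromised function cannot do more than the policy itself.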

gcp-periodic

Deploys a policy as a Cloud Function triggered by Cloud Scheduler at a user-defined cron interval via Pub/Sub.

The function is deployed to us-central1 by default. To change that, use the CLI --region flag.

Using target-type: pubsub is recommended.

properties:
  environment:
    patternProperties:
      ? ''
      : type: string
    type: object
  execution-options:
    patternProperties:
      ? ''
      : oneOf:
        - type: string
        - type: boolean
        - type: number
    type: object
  labels:
    patternProperties:
      ? ''
      : type: string
    type: object
  max-instances:
    type: integer
  memory-size:
    type: integer
  network:
    type: string
  schedule:
    type: string
  service-account:
    type: string
  target-type:
    enum:
    - http
    - pubsub
  timeout:
    type: string
  type:
    enum:
    - gcp-periodic
  tz:
    type: string
required:
- schedule
- type
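A gcp-periodic policy that runs a nightly check, added here as an illustration and not taken from the Cloud Custodian documentation or code base. It assumes the gcp.instance resource, the Compute API field shieldedInstanceConfig.enableSecureBoot and a set-labels action for instances; the schedule, time zone, label names and service account are example values.

```yaml
# Added example, not part of the original page.
# gcp-periodic mode: Cloud Scheduler publishes to a Pub/Sub topic on the cron
# schedule, the Cloud Function runs the policy over all instances in the
# project, and non-compliant instances are labelled for follow-up.
policies:
  - name: nightly-flag-instances-without-secure-boot
    resource: gcp.instance
    mode:
      type: gcp-periodic
      schedule: "0 2 * * *"      # unix-cron, 02:00 every day in the tz below
      tz: Etc/UTC
      target-type: pubsub        # the recommended target type
      service-account: SERVICE_ACCOUNT_NAME@PROJECT.iam.gserviceaccount.com
      timeout: 300s              # a full-project scan needs more than the 60s default
      memory-size: 512
      max-instances: 1           # one run at a time; the scan is not parallel-safe
      labels:
        managed-by: custodian
    filters:
      # shieldedInstanceConfig.enableSecureBoot is the Compute API field (assumed here);
      # 'op: ne' also catches instances where the key is absent.
      - type: value
        key: shieldedInstanceConfig.enableSecureBoot
        op: ne
        value: true
    actions:
      # set-labels is assumed to be available for gcp.instance; the label is
      # what a later policy or a dashboard can key on.
      - type: set-labels
        labels:
          secure-boot: disabled
```

Labelling rather than stopping keeps a periodic policy safe to run unattended; a separate policy can act on the label once owners have had time to respond.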

gcp-scc

Custodian policy execution on GCP Security Command Center (SCC) findings.

Deploys as a Cloud Function triggered by SCC findings, so a policy is applied as soon as an SCC finding is created. See Security Command Center for more details.

- name: delete-high-severity-firewall-findings
  resource: gcp.firewall
  mode:
    # service account the Cloud Function runs as
    service-account: SERVICE_ACCOUNT_NAME@PROJECT.iam.gserviceaccount.com
    type: gcp-scc
    # numeric organization id whose findings trigger the function
    org: ORG_ID
  filters:
  # only act on findings SCC rates as HIGH severity
  - type: value
    key: severity
    value: HIGH
  actions:
  - delete

The function is deployed to us-central1 by default. To change that, use the CLI --region flag.

properties:
  environment:
    patternProperties:
      ? ''
      : type: string
    type: object
  execution-options:
    patternProperties:
      ? ''
      : oneOf:
        - type: string
        - type: boolean
        - type: number
    type: object
  labels:
    patternProperties:
      ? ''
      : type: string
    type: object
  max-instances:
    type: integer
  memory-size:
    type: integer
  network:
    type: string
  org:
    type: integer
  service-account:
    type: string
  timeout:
    type: string
  type:
    enum:
    - gcp-scc
required:
- org
- type