@@ -32,21 +32,6 @@ option (google.api.resource_definition) = {
3232 pattern : "organizations/{organization}/locations/{location}"
3333};
3434
35- // Regulatory Control Responsibility Type
36- enum RegulatoryControlResponsibilityType {
37- // Unspecified. Invalid state.
38- REGULATORY_CONTROL_RESPONSIBILITY_TYPE_UNSPECIFIED = 0 ;
39-
40- // Google responsibility.
41- GOOGLE = 1 ;
42-
43- // Customer responsibility.
44- CUSTOMER = 2 ;
45-
46- // Shared responsibility.
47- SHARED = 3 ;
48- }
49-
5035// The enforcement mode of the cloud control.
5136enum EnforcementMode {
5237 // Default value. This value is unused.
@@ -243,8 +228,11 @@ enum TargetResourceType {
243228 TARGET_RESOURCE_TYPE_APPLICATION = 4 ;
244229}
245230
246- // Framework is a collection of CloudControls which represents
247- // industry/GCP/Customer defined
231+ // A Framework is a collection of CloudControls to address security and
232+ // compliance requirements. Frameworks can be used for prevention, detection,
233+ // and auditing. They can be either built-in, industry-standard frameworks
234+ // provided by GCP/AZURE/AWS (e.g., NIST, FedRAMP) or custom frameworks created
235+ // by users.
248236message Framework {
249237 option (google.api.resource ) = {
250238 type : "cloudsecuritycompliance.googleapis.com/Framework"
@@ -253,16 +241,6 @@ message Framework {
253241 singular : "framework"
254242 };
255243
256- // The details of the cloud control group included in the framework.
257- message CloudControlGroupDetails {
258- // The inline definition will be replaced with a reference to the
259- // CloudControlGroup resource in future.
260- oneof kind {
261- // The cloud control group included in the framework.
262- CloudControlGroup cloud_control_group = 1 ;
263- }
264- }
265-
266244 // The type of the framework.
267245 enum FrameworkType {
268246 // Default value. This value is unused.
@@ -300,11 +278,6 @@ message Framework {
300278 // Output only. The type of the framework. The default is TYPE_CUSTOM.
301279 FrameworkType type = 6 [(google.api.field_behavior ) = OUTPUT_ONLY ];
302280
303- // Optional. The details of the cloud control groups included in the
304- // framework.
305- repeated CloudControlGroupDetails cloud_control_group_details = 7
306- [(google.api.field_behavior ) = OPTIONAL ];
307-
308281 // Optional. The details of the cloud controls directly added without any
309282 // grouping in the framework.
310283 repeated CloudControlDetails cloud_control_details = 8
@@ -321,55 +294,10 @@ message Framework {
321294 // Output only. target resource types supported by the Framework.
322295 repeated TargetResourceType supported_target_resource_types = 11
323296 [(google.api.field_behavior ) = OUTPUT_ONLY ];
324- }
325-
326- // CloudControlGroup is an optional entity within a Framework that helps
327- // customers organize their CloudControls.
328- message CloudControlGroup {
329- // CloudControlGroupType is the type of the CloudControlGroup.
330- enum CloudControlGroupType {
331- // Default value. This value is unused.
332- CLOUD_CONTROL_GROUP_TYPE_UNSPECIFIED = 0 ;
333-
334- // The CloudControlGroup is a built-in group provided by GCP.
335- BUILT_IN = 1 ;
336-
337- // The CloudControlGroup is a custom group created by the user.
338- CUSTOM = 2 ;
339- }
340-
341- // Required. The name of the cloud control group in the format:
342- // “organizations/{organization}/locations/{location}/
343- // cloudControlGroups/{cloud-control-group}”
344- string name = 1 [(google.api.field_behavior ) = REQUIRED ];
345-
346- // Optional. The description of the cloud control group.The maximum length is
347- // 2000 characters.
348- string description = 2 [(google.api.field_behavior ) = OPTIONAL ];
349-
350- // Optional. Output only. The type of the cloud control group. Default is
351- // TYPE_CUSTOM.
352- CloudControlGroupType type = 3 [
353- (google.api.field_behavior ) = OPTIONAL ,
354- (google.api.field_behavior ) = OUTPUT_ONLY
355- ];
356-
357- // Optional. The control identifier used to fetch the findings. This is same
358- // as the control report name.
359- string control_id = 4 [(google.api.field_behavior ) = OPTIONAL ];
360297
361- // Required. The details of the cloud controls to be referred to in the
362- // framework.
363- repeated CloudControlDetails cloud_control_details = 5
364- [(google.api.field_behavior ) = REQUIRED ];
365-
366- // Optional. Major revision of the cloud control group.
367- int64 major_revision_id = 6 [(google.api.field_behavior ) = OPTIONAL ];
368-
369- // Optional. The industry-defined Control assciated with the cloud controls in
370- // this group.
371- // organizations/{organization}/locations/{location}/controls/{control_id}
372- string control = 8 [(google.api.field_behavior ) = OPTIONAL ];
298+ // Output only. The supported enforcement modes of the framework.
299+ repeated EnforcementMode supported_enforcement_modes = 13
300+ [(google.api.field_behavior ) = OUTPUT_ONLY ];
373301}
374302
375303// CloudControlDetails contains the details of a CloudControl.
@@ -408,8 +336,12 @@ message Parameter {
408336 ParamValue parameter_value = 2 [(google.api.field_behavior ) = REQUIRED ];
409337}
410338
411- // A CloudControl is a GCP-provided parameterized concept which is used to
412- // satisfy a Security or Compliance intent.
339+ // A CloudControl is the fundamental unit encapsulating the rules
340+ // to meet a specific security or compliance intent. It can contain
341+ // various rule types (like Organization Policies, CEL expressions, etc.)
342+ // enabling different enforcement modes (Preventive, Detective, Audit).
343+ // CloudControls are often parameterized for reusability and can be either
344+ // BUILT_IN (provided by Google) or CUSTOM (defined by the user).
413345message CloudControl {
414346 option (google.api.resource ) = {
415347 type : "cloudsecuritycompliance.googleapis.com/CloudControl"
@@ -689,125 +621,3 @@ message OperationMetadata {
689621 // Output only. API version used to start the operation.
690622 string api_version = 7 [(google.api.field_behavior ) = OUTPUT_ONLY ];
691623}
692-
693- // Represents a Regulatory control.
694- message Control {
695- // Family of the control. E.g. Access Control
696- enum Family {
697- // Unspecified. Invalid state.
698- FAMILY_UNSPECIFIED = 0 ;
699-
700- // Access Control
701- AC = 1 ;
702-
703- // Awareness and Training
704- AT = 2 ;
705-
706- // Audit and Accountability
707- AU = 3 ;
708-
709- // Certification, Accreditation and Security Assessments
710- CA = 4 ;
711-
712- // Configuration Management
713- CM = 5 ;
714-
715- // Contingency Planning
716- CP = 6 ;
717-
718- // Identification and Authentication
719- IA = 7 ;
720-
721- // Incident Response
722- IR = 8 ;
723-
724- // Maintenance
725- MA = 9 ;
726-
727- // Media Protection
728- MP = 10 ;
729-
730- // Physical and Environmental Protection
731- PE = 11 ;
732-
733- // Security Planning
734- PL = 12 ;
735-
736- // Personnel Security
737- PS = 13 ;
738-
739- // Risk Assessment
740- RA = 14 ;
741-
742- // System Services and Acquisition
743- SA = 15 ;
744-
745- // System and Communications Protection
746- SC = 16 ;
747-
748- // System and Information Integrity
749- SI = 17 ;
750-
751- // Supply Chain Risk Management
752- SR = 18 ;
753- }
754-
755- // Output only. The name of a Control. Format:
756- // 'organizations/{organization}/locations/{location}/controls/{control}''
757- string name = 1 [(google.api.field_behavior ) = OUTPUT_ONLY ];
758-
759- // Output only. display_name
760- string display_name = 3 [(google.api.field_behavior ) = OUTPUT_ONLY ];
761-
762- // Output only. The description of the control.
763- string description = 4 [(google.api.field_behavior ) = OUTPUT_ONLY ];
764-
765- // Output only. Group where the control belongs. E.g. Access Control.
766- Family family = 5 [(google.api.field_behavior ) = OUTPUT_ONLY ];
767-
768- // Output only. Regulatory Family of the control E.g. Access Control
769- ControlFamily control_family = 6 [(google.api.field_behavior ) = OUTPUT_ONLY ];
770-
771- // Output only. The control comes under whoose responsibility e.g. GOOGLE,
772- // CUSTOMER or SHARED.
773- RegulatoryControlResponsibilityType responsibility_type = 7
774- [(google.api.field_behavior ) = OUTPUT_ONLY ];
775-
776- // Output only. Google responsibility description of regulatory control.
777- string google_responsibility_description = 8
778- [(google.api.field_behavior ) = OUTPUT_ONLY ];
779-
780- // Output only. Google responsibility implementation of regulatory control.
781- string google_responsibility_implementation = 9
782- [(google.api.field_behavior ) = OUTPUT_ONLY ];
783-
784- // Output only. Customer responsibility description of regulatory control.
785- string customer_responsibility_description = 10
786- [(google.api.field_behavior ) = OUTPUT_ONLY ];
787-
788- // Output only. Customer responsibility implementation of regulatory control.
789- string customer_responsibility_implementation = 11
790- [(google.api.field_behavior ) = OUTPUT_ONLY ];
791-
792- // Output only. Description of shared Responsibility between Google and
793- // Customer in implementing this control
794- string shared_responsibility_description = 12
795- [(google.api.field_behavior ) = OUTPUT_ONLY ];
796-
797- // Output only. Link to the public documentation related to this control
798- string additional_content_uri = 13
799- [(google.api.field_behavior ) = OUTPUT_ONLY ];
800-
801- // Output only. The Frameworks that include this CloudControl
802- repeated string related_frameworks = 14
803- [(google.api.field_behavior ) = OUTPUT_ONLY ];
804- }
805-
806- // Regulatory Family of the control
807- message ControlFamily {
808- // ID of the regulatory control family.
809- string family_id = 1 ;
810-
811- // Display name of the regulatory control family.
812- string display_name = 2 ;
813- }
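Review bot: `Framework` drops field 7 `cloud_control_group_details` (hunk `@@ -300,11 +278,6 @@`) without reserving its number or name, so a later field added at 7 would silently reinterpret bytes from any client still sending the old repeated message. Add `reserved 7;` and `reserved "cloud_control_group_details";` inside `message Framework` alongside the remaining field declarations. If this API is still pre-GA and breaking changes are permitted, the reservation is still cheap insurance and also blocks JSON/codegen reuse of the old name. Field 12 is likewise skipped between `supported_target_resource_types = 11` and the new `supported_enforcement_modes = 13`; if 12 was removed earlier it should be reserved too, though that cannot be confirmed from this diff.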