Access Control for Sensitive Data Using Policy Tags in GCP

Question

Pulumi · Accepted Answer

In Google Cloud Platform (GCP), you can control access to sensitive data by utilizing Data Catalog Policy Tags. Policy Tags are used to categorize data based on sensitivity levels and enforce access control policies consistently across your organization. Data Catalog is a fully managed and scalable metadata management service that enables organizations to discover, manage, and analyze data assets.

When a Policy Tag is applied to a BigQuery column, administrators can set up access policies to control who can view data associated with that Policy Tag. For example, you might create a Policy Tag for "PII" (Personally Identifiable Information) and then apply that tag to any column containing PII data. When IAM policies are assigned to these Policy Tags, you can restrict access to only those users or groups who require access to PII data for their role.

To implement this in Pulumi using Python, we will create a taxonomy, define policy tags within that taxonomy, and then bind IAM roles to those policy tags to control access.

Here is a Pulumi program written in Python that demonstrates how to set up a taxonomy, create policy tags under that taxonomy, and apply IAM bindings to a policy tag to enforce access control:

```python
import pulumi
import pulumi_gcp as gcp

# Create a Taxonomy – a group of policy tags that will be used to organize similar tags together.
taxonomy = gcp.datacatalog.Taxonomy("taxonomy",
    description="Data taxonomy for sensitive data categories.",
    activated_policy_types=["FINE_GRAINED_ACCESS_CONTROL"],
    display_name="Sensitive Data Taxonomy")

# Create a Policy Tag – this policy tag will be used to control access to PII data.
policy_tag_pii = gcp.datacatalog.PolicyTag("policyTagPii",
    taxonomy=taxonomy.id,
    display_name="PII",
    description="Policy Tag for columns containing Personally Identifiable Information (PII)."
)

# Bind an IAM policy to the policy tag granting access to an IAM member (user/group/service account).
policy_tag_iam_binding = gcp.datacatalog.PolicyTagIamBinding("policyTagIamBinding",
    policy_tag=policy_tag_pii.id,
    role="roles/datacatalog.tagTemplateUser",
    members=["user:jane@example.com"]
)

# Export the URLs so that it can easily be retrieved and used.
pulumi.export("taxonomy_id", taxonomy.id)
pulumi.export("policy_tag_pii_id", policy_tag_pii.id)
```

In this program:
- We create a `Taxonomy` using the `gcp.datacatalog.Taxonomy` resource. This resource groups related `PolicyTag` instances under a common categorization. (See [Taxonomy documentation](https://www.pulumi.com/registry/packages/gcp/api-docs/datacatalog/taxonomy/)).
  
- We then create a `PolicyTag` within that taxonomy for PII data using the `gcp.datacatalog.PolicyTag` resource. The `display_name` and `description` help identify the purpose of this tag. (See [PolicyTag documentation](https://www.pulumi.com/registry/packages/gcp/api-docs/datacatalog/policytag/)).

- After defining our policy tag, we use `gcp.datacatalog.PolicyTagIamBinding` to associate an IAM role with the policy tag. This role determines the level of access that the specified members will have to data columns with this policy tag applied. In the provided example, the role of `roles/datacatalog.tagTemplateUser` is granted to the user `jane@example.com`, allowing her to use the policy tag in acquiring metadata about a column and its data. (See [PolicyTagIamBinding documentation](https://www.pulumi.com/registry/packages/gcp/api-docs/datacatalog/policytagiambinding/)).

By defining IAM bindings for the policy tags, you can effectively manage permissions at a fine-grained level, ensuring that sensitive information is only accessible by authorized personnel.

Remember, Pulumi automates the orchestration of infrastructure as code, and this example is just one illustration of how you can use it for data governance in GCP. Be sure to tailor role assignments and policy structures as per your organization's need and security guidelines.