Drata

You may have resources within GCP that should always be ignored by Drata's compliance automation tests. Sometimes these are new resource that spin up each day. The exclusion label functionality will allow you to exclude these resources with a label within GCP.

Exclusion labels currently apply to the following resource types. Drata will continue to expand the use of exclusion labels.

- Buckets
- Virtual machines
- Kubernets clusters
- CloudSQL DBs

When labeling Kubernetes clusters, the exclude label takes about an hour to propagate to the node level. If Test 118 - Infrastructure Instance CPU Monitored is run before the label propagates to the node level, the test will fail. See the snippet below from GCP documentation.

1. When labeling Kubernetes clusters, the exclude label takes about an hour to propagate to the node level. If Test 118 - Infrastructure Instance CPU Monitored is run before the label propagates to the node level, the test will fail. See the snippet below from GCP documentation.
 
 User-uploaded Image

Excluding GCP Buckets with labels.

1. Select the bucket you wish to exclude in <a href="https://console.cloud.google.com/storage/browser?project=drata-acme&amp;prefix=" rel="nofollow noopener noreferrer" target="_blank">Cloud Storage</a>.

1. Excluding GCP Buckets with labels.
 1. Select the bucket you wish to exclude in <a href="https://console.cloud.google.com/storage/browser?project=drata-acme&amp;prefix=" rel="nofollow noopener noreferrer" target="_blank">Cloud Storage</a>.

c. Look for the <code>Labels</code> field in the configuration panel and click the <code>edit</code> icon.

d. Edit the label and put <code>drataexclude</code> in the key field. You can add the rationale behind excluding this bucket in the value field (no spaces can be included in the rationale). Save your changes.

2. Excluding VM instances with labels.

a. Select the Instance you wish to exclude in the <a href="https://console.cloud.google.com/compute/instances?project=drata-acme" rel="nofollow noopener noreferrer" target="_blank">Compute Engine</a> workflow.

c. Scroll down until you see <code>Labels</code> , go ahead and <code>Add Label</code> once found.

d. Edit the label and put <code>drataexclude</code> in the key field. You can add the rationale behind excluding this bucket in the value field (no spaces allowed).

3. Excluding Kubernetes Clusters with labels.

a. Select the cluster you wish to exclude in the <a href="https://console.cloud.google.com/kubernetes/list?project=drata-acme" rel="nofollow noopener noreferrer" target="_blank">Kubernetes Engine</a> workflow.

b. Scroll down until you see the <code>Labels</code>, under Metadata. Click the <code>Edit</code> icon.

c. Click <code>Add Label</code> and put <code>drataexclude</code> in the key field. You can add the rationale behind excluding this bucket in the value field (no spaces allowed).

   a. Go to SQL and click on the DB name you want to exclude.

   c. Scroll down to the "Labels" section. Click the arrow to the right to expand this "Labels" section. Click "Add Label."

d. Put <code>drataexclude</code> in the key field. You can add the rationale behind excluding this DB in the value field (no spaces allowed).

HERE'S HOW