NAME
    gcloud compliance-manager cloud-controls create - create a cloud control

SYNOPSIS
    gcloud compliance-manager cloud-controls create
        (CLOUD_CONTROL : --location=LOCATION --organization=ORGANIZATION)
        [--categories=[CATEGORIES,...]] [--description=DESCRIPTION]
        [--display-name=DISPLAY_NAME] [--finding-category=FINDING_CATEGORY]
        [--parameter-spec=[defaultValue=DEFAULTVALUE],[description=DESCRIPTION],
          [displayName=DISPLAYNAME],[isRequired=ISREQUIRED],[name=NAME],
          [substitutionRules=SUBSTITUTIONRULES],
          [validation=VALIDATION],[valueType=VALUETYPE]]
        [--remediation-steps=REMEDIATION_STEPS]
        [--rules=[celExpression=CELEXPRESSION],
          [description=DESCRIPTION],[ruleActionTypes=RULEACTIONTYPES]]
        [--severity=SEVERITY]
        [--supported-cloud-providers=[SUPPORTED_CLOUD_PROVIDERS,...]]
        [--supported-target-resource-types=[SUPPORTED_TARGET_RESOURCE_TYPES,
          ...]] [GCLOUD_WIDE_FLAG ...]

DESCRIPTION
    Create a cloud control for a given organization and location.

EXAMPLES
    To create a cloud control my-cloud-control-id in organization
    my-organization-id and location global with a specific rule, run:

        $ gcloud compliance-manager cloud-controls create \
            my-cloud-control-id --organization=my-organization-id \
            --location=global \
            --display-name="My cloud control display name" \
            --description="My cloud control description" \
            --rules='[{"description":"VM IP forwarding
         check","ruleActionTypes":["rule-action-type-detective"],"celExpress\
        ion":{"expression":"resource.canIpForward ==
         false","resourceTypesValues":{"values":["compute.googleapis.com/Ins\
        tance"]}}}]' \

POSITIONAL ARGUMENTS
     CloudControl resource - Identifier. The name of the cloud control, in the
     format
     organizations/{organization}/locations/{location}/cloudControls/{cloud_control_id}.
     The only supported location is global. The arguments in this group can be
     used to specify the attributes of this resource.

     This must be specified.

       CLOUD_CONTROL
          ID of the cloudControl or fully qualified identifier for the
          cloudControl.

          To set the cloud_control attribute:
          ▸ provide the argument cloud_control on the command line.

          This positional argument must be specified if any of the other
          arguments in this group are specified.

       --location=LOCATION
          The location id of the cloudControl resource.

          To set the location attribute:
          ▸ provide the argument cloud_control on the command line with a
            fully specified name;
          ▸ provide the argument --location on the command line.

       --organization=ORGANIZATION
          The organization id of the cloudControl resource.

          To set the organization attribute:
          ▸ provide the argument cloud_control on the command line with a
            fully specified name;
          ▸ provide the argument --organization on the command line.

FLAGS
     --categories=[CATEGORIES,...]
        The categories for the cloud control. CATEGORIES must be one of:

         cc-category-artificial-intelligence
            The artificial intelligence category.
         cc-category-bcdr
            The business continuity and disaster recovery (BCDR) category.
         cc-category-data-security
            The data security category.
         cc-category-encryption
            The encryption category.
         cc-category-hr-admin-and-processes
            The HR, admin, and processes category.
         cc-category-identity-and-access-management
            The identity and access management category.
         cc-category-incident-management
            The incident management category.
         cc-category-infrastructure
            The infrastructure security category.
         cc-category-legal-and-disclosures
            The legal and disclosures category.
         cc-category-logs-management-and-infrastructure
            The logs management and infrastructure category.
         cc-category-network-security
            The network security category.
         cc-category-physical-security
            The physical security category.
         cc-category-privacy
            The privacy category.
         cc-category-third-party-and-sub-processor-management
            The third-party and sub-processor management category.
         cc-category-vulnerability-management
            The vulnerability management category.

     --description=DESCRIPTION
        A description of the cloud control. The maximum length is 2000
        characters.

     --display-name=DISPLAY_NAME
        The friendly name of the cloud control. The maximum length is 200
        characters.

     --finding-category=FINDING_CATEGORY
        The finding category for the cloud control findings. The maximum length
        is 255 characters.

     --parameter-spec=[defaultValue=DEFAULTVALUE],[description=DESCRIPTION],[displayName=DISPLAYNAME],[isRequired=ISREQUIRED],[name=NAME],[substitutionRules=SUBSTITUTIONRULES],[validation=VALIDATION],[valueType=VALUETYPE]
        The parameter specifications for the cloud control.

         defaultValue
            The default value of the parameter.

             boolValue
                A boolean value.

             numberValue
                A double value.

             stringListValue
                A repeated string.

                 values
                    The strings in the list.

             stringValue
                A string value.

         description
            The description of the parameter. The maximum length is 2000
            characters.

         displayName
            The friendly name of the parameter. The maximum length is 200
            characters.

         isRequired
            Whether the parameter is required.

         name
            The name of the parameter.

         substitutionRules
            The list of parameter substitutions.

             attributeSubstitutionRule
                The attribute substitution rule.

                 attribute
                    The fully qualified proto attribute path, in dot notation.
                    For example: rules[0].cel_expression.resource_types_values.

             placeholderSubstitutionRule
                The placeholder substitution rule.

                 attribute
                    The fully qualified proto attribute path, in dot notation.

         validation
            The permitted set of values for the parameter.

             allowedValues
                The permitted set of values for the parameter.

                 values
                    The list of allowed values for the parameter.

                     boolValue
                        A boolean value.

                     numberValue
                        A double value.

                     stringListValue
                        A repeated string.

                         values
                            The strings in the list.

                     stringValue
                        A string value.

             intRange
                The permitted range for numeric parameters.

                 max
                    The maximum permitted value for the numeric parameter
                    (inclusive).

                 min
                    The minimum permitted value for the numeric parameter
                    (inclusive).

             regexpPattern
                The regular expression for string parameters.

                 pattern
                    The regex pattern to match the values of the parameter
                    with.

         valueType
            The parameter value type.

        Shorthand Example:

            --parameter-spec=defaultValue={boolValue=boolean,numberValue=float,stringListValue={values=[string]},stringValue=string},description=string,displayName=string,isRequired=boolean,name=string,substitutionRules=[{attributeSubstitutionRule={attribute=string},placeholderSubstitutionRule={attribute=string}}],validation={allowedValues={values=[{boolValue=boolean,numberValue=float,stringListValue={values=[string]},stringValue=string}]},intRange={max=int,min=int},regexpPattern={pattern=string}},valueType=string --parameter-spec=defaultValue={boolValue=boolean,numberValue=float,stringListValue={values=[string]},stringValue=string},description=string,displayName=string,isRequired=boolean,name=string,substitutionRules=[{attributeSubstitutionRule={attribute=string},placeholderSubstitutionRule={attribute=string}}],validation={allowedValues={values=[{boolValue=boolean,numberValue=float,stringListValue={values=[string]},stringValue=string}]},intRange={max=int,min=int},regexpPattern={pattern=string}},valueType=string

        JSON Example:

            --parameter-spec='[{"defaultValue": {"boolValue": boolean, "numberValue": float, "stringListValue": {"values": ["string"]}, "stringValue": "string"}, "description": "string", "displayName": "string", "isRequired": boolean, "name": "string", "substitutionRules": [{"attributeSubstitutionRule": {"attribute": "string"}, "placeholderSubstitutionRule": {"attribute": "string"}}], "validation": {"allowedValues": {"values": [{"boolValue": boolean, "numberValue": float, "stringListValue": {"values": ["string"]}, "stringValue": "string"}]}, "intRange": {"max": int, "min": int}, "regexpPattern": {"pattern": "string"}}, "valueType": "string"}]'

        File Example:

            --parameter-spec=path_to_file.(yaml|json)

     --remediation-steps=REMEDIATION_STEPS
        The remediation steps for the cloud control findings. The maximum
        length is 400 characters.

     --rules=[celExpression=CELEXPRESSION],[description=DESCRIPTION],[ruleActionTypes=RULEACTIONTYPES]
        The rules that you can enforce to meet your security or compliance
        intent.

         celExpression
            The rule's logic expression in Common Expression Language (CEL).

             expression
                The logical expression in CEL. The maximum length of the
                condition is 1000 characters. For more information, see CEL
                expression
                (https://cloud.google.com/security-command-center/docs/compliance-manager-write-cel-expressions).

             resourceTypesValues
                The resource instance types on which this expression is
                defined. The format is <SERVICE_NAME>/<type>. For example:
                compute.googleapis.com/Instance.

                 values
                    The strings in the list.

         description
            The rule description. The maximum length is 2000 characters.

         ruleActionTypes
            The functionality that's enabled by the rule.

        Shorthand Example:

            --rules=celExpression={expression=string,resourceTypesValues={values=[string]}},description=string,ruleActionTypes=[string] --rules=celExpression={expression=string,resourceTypesValues={values=[string]}},description=string,ruleActionTypes=[string]

        JSON Example:

            --rules='[{"celExpression": {"expression": "string", "resourceTypesValues": {"values": ["string"]}}, "description": "string", "ruleActionTypes": ["string"]}]'

        File Example:

            --rules=path_to_file.(yaml|json)

     --severity=SEVERITY
        The severity of the findings that are generated by the cloud control.
        SEVERITY must be one of:

         critical
            A critical vulnerability is easily discoverable by an external
            actor, exploitable, and results in the direct ability to execute
            arbitrary code, exfiltrate data, and otherwise gain additional
            access and privileges to cloud resources and workloads. Examples
            include publicly accessible unprotected user data and public SSH
            access with weak or no passwords.

            A critical threat is a threat that can access, modify, or delete
            data or execute unauthorized code within existing resources.
         high
            A high-risk vulnerability can be easily discovered and exploited in
            combination with other vulnerabilities to gain direct access and
            the ability to execute arbitrary code, exfiltrate data, and
            otherwise gain additional access and privileges to cloud resources
            and workloads. An example is a database with weak or no passwords
            that is only accessible internally. This database could easily be
            compromised by an actor that had access to the internal network.

            A high-risk threat is a threat that can create new computational
            resources in an environment but can't access data or execute code
            in existing resources.
         low
            A low-risk vulnerability hampers a security organization's ability
            to detect vulnerabilities or active threats in their deployment, or
            prevents the root cause investigation of security issues. An
            example is monitoring and logs being disabled for resource
            configurations and access.

            A low-risk threat is a threat that has obtained minimal access to
            an environment but can't access data, execute code, or create
            resources.
         medium
            A medium-risk vulnerability can be used by an actor to gain access
            to resources or privileges that enable them to eventually (through
            multiple steps or a complex exploit) gain access and the ability to
            execute arbitrary code or exfiltrate data. An example is a service
            account with access to more projects than it should have. If an
            actor gains access to the service account, they could potentially
            use that access to manipulate a project the service account was not
            intended to.

            A medium-risk threat can cause operational impact but might not
            access data or execute unauthorized code.

     --supported-cloud-providers=[SUPPORTED_CLOUD_PROVIDERS,...]
        The supported cloud providers. SUPPORTED_CLOUD_PROVIDERS must be one
        of:

         aws
            Amazon Web Services (AWS).
         azure
            Microsoft Azure.
         gcp
            Google Cloud.

     --supported-target-resource-types=[SUPPORTED_TARGET_RESOURCE_TYPES,...]
        The target resource types that are supported by the cloud control.
        SUPPORTED_TARGET_RESOURCE_TYPES must be one of:

         target-resource-crm-type-folder
            The target resource is a folder.
         target-resource-crm-type-org
            The target resource is a Google Cloud organization.
         target-resource-crm-type-project
            The target resource is a project.
         target-resource-type-application
            The target resource is an application in App Hub.

GCLOUD WIDE FLAGS
    These flags are available to all commands: --access-token-file, --account,
    --billing-project, --configuration, --flags-file, --flatten, --format,
    --help, --impersonate-service-account, --log-http, --project, --quiet,
    --trace-token, --user-output-enabled, --verbosity.

    Run $ gcloud help for details.

API REFERENCE
    This command uses the cloudsecuritycompliance/v1 API. The full
    documentation for this API can be found at:
    https://cloud.google.com/security-command-center#compliance-management
