exec

package module
v0.0.0-...-f733b5b
Published: Sep 19, 2019 License: Apache-2.0 Imports: 6 Imported by: 0

README

Security Response Automation

Cloud Functions to take automated actions on threat and vulnerability findings.

Note

This project is currently under development and is not yet ready for users. Stay tuned!

Getting Started

This repository contains libraries to perform common actions and a set of Cloud Functions that use these libraries. For example, revoke_external_grants_folders.go shows how you can revoke IAM grants that match specific criteria.

Installing IAM revoker sample

We'll enable a few needed services first, then use Terraform for the rest.

$ gcloud auth application-default login
$ project=[project ID where the Cloud Function will be installed]
$ for service in cloudresourcemanager pubsub cloudfunctions;
    do gcloud services enable $service.googleapis.com --project=$project;
  done
$ terraform init
$ terraform apply

TIP: Instead of entering variables every time, you can create a terraform.tfvars file and put key-value pairs there, e.g. automation-project="aerial-jigsaw-235219".

If at any point you want to revert the changes we've made, just run terraform destroy.

Test
$ go test ./...

Documentation

Overview

Package exec is the entry point for security automation Cloud Functions.

Constants

This section is empty.

Variables

This section is empty.

Functions

func RevokeExternalGrantsFolders

func RevokeExternalGrantsFolders(ctx context.Context, m pubsub.Message) error

RevokeExternalGrantsFolders is the entry point for IAM revoker Cloud Function.

This Cloud Function will be triggered when Event Threat Detection detects an anomalous IAM grant. Once triggered, this function will attempt to revoke the external members added to the policy if they match the provided list of disallowed domains. Additionally, this method will only remove members if the project they were added to is within the specified folders. This configuration allows you to take a remediation action only on specific members and folders. For example, you may have a folder "development" where users can experiment without strict policies. However, in your "production" folder you may want to revoke any grants that ETD finds as long as they match the domains you specify.
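
The decision described above, as an added Go example that is not the project's own code: members named in the finding are removed only when their domain is on the disallowed list and the project sits under a configured folder. The function names, the role-to-members map, and the `folders/111` and `gmail.com` values are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// disallowed compares the whole domain after the last "@", so a lookalike such
// as "user:x@gmail.com.example.org" does not match the entry "gmail.com".
func disallowed(member string, domains map[string]bool) bool {
	at := strings.LastIndex(member, "@")
	return at >= 0 && domains[strings.ToLower(member[at+1:])]
}

// Revoke returns the policy (role -> members) minus the members named in the finding
// (added) whose domain is disallowed; unchanged unless an ancestor is a configured folder.
func Revoke(policy map[string][]string, added, ancestry []string, folders, domains map[string]bool) (map[string][]string, []string) {
	inScope := false
	for _, a := range ancestry {
		inScope = inScope || folders[a]
	}
	if !inScope {
		return policy, nil
	}
	drop := map[string]bool{}
	var removed []string
	for _, m := range added {
		if disallowed(m, domains) && !drop[m] {
			drop[m] = true
			removed = append(removed, m)
		}
	}
	out := map[string][]string{}
	for role, members := range policy {
		for _, m := range members {
			if !drop[m] {
				out[role] = append(out[role], m)
			}
		}
	}
	return out, removed
}

func main() {
	// Constructed sample: one project under folders/111 with one outside grant.
	policy := map[string][]string{"roles/editor": {"user:dev@corp.example", "user:eve@gmail.com"}}
	out, removed := Revoke(policy, []string{"user:eve@gmail.com"}, []string{"folders/111"},
		map[string]bool{"folders/111": true}, map[string]bool{"gmail.com": true})
	fmt.Println(out, removed)
}
```

Matching on the exact domain rather than a substring keeps lookalike domains from being treated as disallowed ones, and the folder check leaves projects outside the configured folders untouched.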

Permissions required

By default, the service account used can only revoke grants on projects that are found within the folder ID specified within `action-revoke-member-folders.tf`.

func SnapshotDisk

func SnapshotDisk(ctx context.Context, m pubsub.Message) error

SnapshotDisk is the entry point for the auto creation of GCE snapshots Cloud Function.

This Cloud Function will respond to Event Threat Detection **bad IP** findings. Once a bad IP finding is received, this Cloud Function will look for any existing disk snapshots for the affected instance. If there are recent snapshots, no action is taken. If no snapshot has been taken recently, the function takes a new snapshot for each disk within the instance.

Permissions required

By default, the service account can only be used to create snapshots for the projects specified in `action-snaphot-disk.tf`.

TODO: Support assigning roles at the folder and organization level.

Types

This section is empty.

Directories

Path Synopsis
Package clients holds client libraries used by security automation Cloud Functions.
stubs
Package stubs provides testable stubs for clients.
Package cloudfunctions provides the implementation of automated actions.
Package entities holds commonly used methods used in security automation.
