Clear up of over permissioned IAM accounts on GCP infra in an automated means
CureIAM is an easy-to-use, dependable, and performant engine for Least Privilege Precept Enforcement on GCP cloud infra. It permits DevOps and Safety group to shortly clear up accounts in GCP infra which have granted permissions of greater than what are required. CureIAM fetches the suggestions and insights from GCP IAM recommender, scores them and implement these suggestions routinely on day by day fundamental. It takes care of scheduling and all different facets of operating these enforcement jobs at scale. It’s constructed on high of GCP IAM recommender APIs and Cloudmarker framework.
Key options
Uncover what makes CureIAM scalable and manufacturing grade.
- Config pushed : The complete workflow of CureIAM is config pushed. Skip to Config part to know extra about it.
- Scalable : Its is designed to scale due to its plugin pushed, multiprocess and multi-threaded method.
- Handles Scheduling: Scheduling half is embedded in CureIAM code itself, configure the time, and CureIAM will run day by day at the moment be aware.
- Plugin pushed: CureIAM codebase is totally plugin oriented, which implies, one can plug and play the present plugins or create new so as to add extra performance to it.
- Monitor actionable insights: Each motion that CureIAM takes, is recorded for audit objective, It might probably try this in file retailer and in elasticsearch retailer. In order for you you’ll be able to construct different retailer plugins to push that to different shops for monitoring functions.
- Scoring and Enforcement: Each advice that’s fetch by CureIAM is scored towards varied parameters, after that couple of scores like
safe_to_apply_score,risk_score,over_privilege_score. Every rating serves a special objective. Forsafe_to_apply_scoreidentifies the potential to use advice on automated foundation, primarily based on the edge set inCureIAM.yamlconfig file.
Utilization
Since CureIAM is constructed with python, you’ll be able to run it domestically with these instructions. Earlier than operating be certain to have a configuration file prepared in both of /and so on/CureIAM.yaml, ~/.CureIAM.yaml, ~/CureIAM.yaml, or CureIAM.yaml and there’s Service account JSON file current in present listing with identify ideally cureiamSA.json. This SA non-public key could be named something, however for docker picture construct, it’s most well-liked to make use of this identify. Make you to reference this file in config for GCP cloud.
# Set up needed dependencies
$ pip set up -r necessities.txt# Run CureIAM now
$ python -m CureIAM -n
# Run CureIAM course of as schedular
$ python -m CureIAM
# Test CureIAM assist
$ python -m CureIAM --help
CureIAM could be additionally run inside a docker surroundings, that is utterly non-compulsory and can be utilized for CI/CD with K8s cluster deployment.
# Construct docker picture from dockerfile
$ docker construct -t cureiam . # Run the picture, as schedular
$ docker run -d cureiam
# Run the picture now
$ docker run -f cureiam -m cureiam -n
Config
CureIAM.yaml configuration file is the center of CureIAM engine. All the pieces that engine does it does it primarily based on the pipeline configured on this config file. Let’s break this down in several sections to make this config look easier.
- Let’s configure first part, which is logging configuration and scheduler configuration.
logger:
model: 1disable_existing_loggers: false
formatters:
verysimple:
format: >-
[%(process)s]
%(identify)s:%(lineno)d - %(message)s
datefmt: "%Y-%m-%d %H:%M:%S"
handlers:
rich_console:
class: wealthy.logging.RichHandler
formatter: verysimple
file:
class: logging.handlers.TimedRotatingFileHandler
formatter: easy
filename: /tmp/CureIAM.log
when: midnight
encoding: utf8
backupCount: 5
loggers:
adal-python:
stage: INFO
root:
stage: INFO
handlers:
- rich_console
- file
schedule: "16:00"
This subsection of config makes use of, Wealthy logging module and schedules CureIAM to run day by day at 16:00.
- Subsequent part is configure totally different modules, which we MIGHT use in pipeline. This falls beneath
pluginspart inCureIAM.yaml. You possibly can consider this part as declaration for various plugins.
plugins:
gcpCloud:
plugin: CureIAM.plugins.gcp.gcpcloud.GCPCloudIAMRecommendations
params:
key_file_path: cureiamSA.jsonfilestore:
plugin: CureIAM.plugins.recordsdata.filestore.FileStore
gcpIamProcessor:
plugin: CureIAM.plugins.gcp.gcpcloudiam.GCPIAMRecommendationProcessor
params:
mode_scan: true
mode_enforce: true
enforcer:
key_file_path: cureiamSA.json
allowlist_projects:
- alpha
blocklist_projects:
- beta
blocklist_accounts:
- [email protected]
allowlist_account_types:
- consumer
- group
- serviceAccount
blocklist_account_types:
- None
min_safe_to_apply_score_user: 0
min_safe_to_apply_scor e_group: 0
min_safe_to_apply_score_SA: 50
esstore:
plugin: CureIAM.plugins.elastic.esstore.EsStore
params:
# Change http to https later in case your elastic are utilizing https
scheme: http
host: es-host.com
port: 9200
index: cureiam-stg
username: safety
password: securepassword
Every of those plugins declaration needs to be of this kind:
plugins:
<plugin-name>:
plugin: <class-name-as-python-path>
params:
param1: val1
param2: val2For instance, for plugins CureIAM.shops.esstore.EsStore which is this file and sophistication EsStore. All of the params that are outlined in yaml has to match the declaration in __init__() operate of the identical plugin class.
- As soon as plugins are outlined , subsequent step is to outline the way to outline pipeline for auditing. And it goes like this:
audits:
IAMAudit:
clouds:
- gcpCloud
processors:
- gcpIamProcessor
shops:
- filestore
- esstoreA number of Audits could be created out of this. The one created right here is known as IAMAudit with three plugins in use, gcpCloud, gcpIamProcessor, filestores and esstore. Word these are the identical plugin names outlined in Step 2. Once more that is like defining the pipeline, not truly operating it. Will probably be thought-about for operating with definition in subsequent step.
- Inform
CureIAMto run the Audits outlined in earlier step.
And this makes your complete configuration for CureIAM, you could find the complete pattern right here, this config pushed pipeline idea is inherited from Cloudmarker framework.
Dashboard
The JSON which is listed in elasticsearch utilizing Elasticsearch retailer plugin, can be utilized to generate dashboard in Kibana.
Contribute
[Please do!] We’re in search of any type of contribution to enhance CureIAM’s core funtionality and documentation. When doubtful, make a PR!
Credit
Gojek Product Safety Workforce
Demo
<>
=============
Refactoring
- Breaking down the massive code into a number of small operate
- Transferring all plugins into plugins folder: Esstore, recordsdata, Cloud and GCP.
- Including fixes into zero divide points
- Migration to new main model of elastic
- Change configuration in CureIAM.yaml file
- Examined in python model 3.9.X
Library Updates
Including the model in library to keep away from any again compatibility points.
- Elastic==8.7.0 # beforehand 7.17.9
- elasticsearch==8.7.0
- google-api-python-client==2.86.0
- PyYAML==6.0
- schedule==1.2.0
- wealthy==13.3.5
Docker Information
- Including Docker Compose for native Elastic and Kibana in elastic
- Including .env-ex change .env-ex to .env to earlier than operating the docker
Operating docker compose: docker-compose -f docker_compose_es.yaml up
Options
- Including the potential to run scan with out making use of the advice. By default, if mode_scan is fake, mode_enforce will not be operating.
mode_scan: true
mode_enforce: false
- Flip off the e-mail operate briefly.