Clean up over-permissioned IAM accounts on GCP infrastructure in an automated way
CureIAM is an easy-to-use, reliable, and performant engine for Least Privilege Principle Enforcement on GCP cloud infra. It enables DevOps and Security teams to quickly clean up accounts in GCP infra that have been granted more permissions than they require. CureIAM fetches the recommendations and insights from the GCP IAM recommender, scores them and enforces these recommendations automatically on a daily basis. It takes care of scheduling and all other aspects of running these enforcement jobs at scale. It's built on top of the GCP IAM recommender APIs and the Cloudmarker framework.
Discover what makes CureIAM scalable and production grade.
- Config driven: The whole workflow of CureIAM is config driven. Skip to the Config section to know more about it.
- Scalable: It is designed to scale thanks to its plugin-driven, multiprocess and multi-threaded approach.
- Handles Scheduling: Scheduling is embedded in the CureIAM code itself; configure the time, and CureIAM will run daily at that time.
- Plugin driven: The CureIAM codebase is completely plugin oriented, which means one can plug and play the existing plugins or create new ones to add more functionality to it.
- Track actionable insights: Every action that CureIAM takes is recorded for audit purposes. It can do that in a file store and in an Elasticsearch store. If you want, you can build other store plugins to push that to other stores for monitoring purposes.
- Scoring and Enforcement: Every recommendation fetched by CureIAM is scored against various parameters, after which a couple of scores such as over_privilege_score are derived. Each score serves a different purpose. For instance, safe_to_apply_score identifies the potential to apply a recommendation on an automated basis, based on a threshold set in the configuration.
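As an added illustration (not CureIAM's own scoring code), the sketch below derives an over_privilege_score and a safe_to_apply_score for constructed recommender-style entries and gates enforcement on a score threshold and on the mode_scan/mode_enforce flags mentioned in the changelog further down. The scoring weights, the min_safe_to_apply_score key and the sample data are all assumptions made for the example.

```python
# Constructed sample recommendations in the shape of the IAM recommender's
# role recommendations; principals and permission counts are made up.
SAMPLE_RECOMMENDATIONS = [
    {"member": "serviceAccount:ci@demo-project.iam.gserviceaccount.com",
     "action": "REPLACE_ROLE", "current_role": "roles/editor",
     "granted_permissions": 2000, "used_permissions": 12},
    {"member": "user:alice@example.com", "action": "REMOVE_ROLE",
     "current_role": "roles/viewer", "granted_permissions": 400,
     "used_permissions": 0},
    {"member": "group:devs@example.com", "action": "REPLACE_ROLE",
     "current_role": "roles/storage.admin", "granted_permissions": 60,
     "used_permissions": 45},
]

# Assumed flags and threshold; CureIAM reads its own from CureIAM.yaml.
CONFIG = {"mode_scan": True, "mode_enforce": True, "min_safe_to_apply_score": 0.8}


def over_privilege_score(rec):
    """Share of granted permissions that were never used, in 0..1."""
    granted = rec["granted_permissions"]
    if granted == 0:  # guard the zero-divide case
        return 0.0
    return round(1 - rec["used_permissions"] / granted, 3)


def safe_to_apply_score(rec):
    """Confidence that applying the recommendation unattended is safe."""
    # Replacing with a narrower role keeps the permissions actually used,
    # so it is safer than removing the binding; human users get a penalty.
    weight = 1.0 if rec["action"] == "REPLACE_ROLE" else 0.6
    if rec["member"].startswith("user:"):
        weight -= 0.2
    return round(over_privilege_score(rec) * weight, 3)


def decide(rec, cfg=CONFIG):
    """Gate enforcement on the mode flags and the score threshold."""
    safe = safe_to_apply_score(rec)
    if not cfg["mode_scan"]:
        decision = "skip"  # nothing is fetched, so nothing is enforced
    elif cfg["mode_enforce"] and safe >= cfg["min_safe_to_apply_score"]:
        decision = "apply"
    else:
        decision = "report-only"  # recorded for audit, left to a human
    return {"member": rec["member"], "over_privilege_score": over_privilege_score(rec),
            "safe_to_apply_score": safe, "decision": decision}


def run(recs=SAMPLE_RECOMMENDATIONS, cfg=CONFIG):
    return [decide(r, cfg) for r in recs]
```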
Since CureIAM is built with Python, you can run it locally with these commands. Before running, make sure to have a configuration file ready in either of
/etc/CureIAM.yaml,
CureIAM.yaml, and that a Service Account JSON file is present in the current directory, ideally named
cureiamSA.json. This SA private key can be named anything, but for the docker image build it's preferred to use this name. Make sure to reference this file in the config for GCP cloud.
```shell
# Install required dependencies
$ pip install -r requirements.txt
# Run CureIAM now
$ python -m CureIAM -n
# Run the CureIAM process as a scheduler
$ python -m CureIAM
# Check CureIAM help
$ python -m CureIAM --help
```
CureIAM can also be run inside a docker environment; this is completely optional and can be used for CI/CD with a K8s cluster deployment.
```shell
# Build docker image from dockerfile
$ docker build -t cureiam .
# Run the image, as scheduler
$ docker run -d cureiam
# Run the image now
$ docker run -f cureiam -m cureiam -n
```
The CureIAM.yaml configuration file is the heart of the CureIAM engine. Everything the engine does, it does based on the pipeline configured in this config file. Let's break this down into different sections to make the config look simpler.
- Let's configure the first section, which is the logging configuration and the scheduler configuration.
```yaml
%(name)s:%(lineno)d - %(message)s
datefmt: "%Y-%m-%d %H:%M:%S"
```
This subsection of the config uses the
Rich logging module and schedules CureIAM to run daily at the configured time.
- The next section configures the different modules which we MIGHT use in the pipeline. It lives in
CureIAM.yaml. You can think of this section as the declaration of the different plugins.
```yaml
- [email protected]
min_safe_to_apply_score_group: 0
# Change http to https later in case your elastic is using https
```
Each of these plugin declarations has to be of this form:
For example, for the plugin
CureIAM.stores.esstore.EsStore, which corresponds to this file and the class
EsStore. All the params defined in yaml have to match the declaration in the
__init__() function of the same plugin class.
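To illustrate the rule that the yaml params must match the plugin's __init__(), here is an added example (not CureIAM's own loader) that resolves a dotted plugin path and checks the declared params against the constructor signature before instantiating. The EsStore stand-in class, its parameters and the two declarations are constructed for the example.

```python
import importlib
import inspect


class EsStore:
    """Stand-in for a store plugin (constructed for this example); CureIAM's
    real EsStore lives in CureIAM.stores.esstore with its own parameters."""
    def __init__(self, host, port=9200, index="cureiam", scheme="http"):
        self.url = f"{scheme}://{host}:{port}/{index}"


def resolve_plugin(dotted_path):
    """Import 'pkg.module.Class' and return the class object."""
    module_name, _, class_name = dotted_path.rpartition(".")
    if module_name == __name__:  # plugin declared in this very file
        return globals()[class_name]
    return getattr(importlib.import_module(module_name), class_name)


def check_declaration(dotted_path, params):
    """Return a list of problems; an empty list means params fit __init__()."""
    cls = resolve_plugin(dotted_path)
    sig = inspect.signature(cls.__init__)
    accepted = {n for n in sig.parameters if n != "self"}
    required = {n for n, p in sig.parameters.items()
                if n != "self" and p.default is inspect.Parameter.empty}
    problems = []
    for unknown in sorted(set(params) - accepted):
        problems.append(f"unknown param {unknown!r} for {cls.__name__}")
    for missing in sorted(required - set(params)):
        problems.append(f"missing required param {missing!r} for {cls.__name__}")
    return problems


def instantiate(dotted_path, params):
    """Validate the declaration first, then build the plugin with **params."""
    problems = check_declaration(dotted_path, params)
    if problems:
        raise ValueError("; ".join(problems))
    return resolve_plugin(dotted_path)(**params)


# Constructed declarations, keyed like a plugins section; the module path
# points at this file so the example runs stand-alone.
DECLARATIONS = {
    "esstore": {"plugin": f"{__name__}.EsStore",
                "params": {"host": "localhost", "port": 9200}},
    "esstore_bad": {"plugin": f"{__name__}.EsStore",
                    "params": {"hsot": "localhost"}},  # typo: 'hsot'
}
```

Running check_declaration over every entry at startup surfaces a misspelled or missing param as a clear message instead of a TypeError deep inside the pipeline.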
- Once plugins are defined, the next step is to define the pipeline for auditing. It goes like this:
Multiple Audits can be created out of this. The one created here is called
IAMAudit, with three plugins in use, among them
esstore. Note these are the same plugin names defined in Step 2. Again, this is like defining the pipeline, not actually running it. It will be considered for running with the definition in the next step.
- The final section tells CureIAM to run the Audits defined in the previous step.
[Please do!] We're looking for any kind of contribution to improve CureIAM's core functionality and documentation. When in doubt, make a PR!
Gojek Product Safety Workforce
- Breaking down the big code into multiple small functions
- Moving all plugins into the plugins folder: Esstore, files, Cloud and GCP.
- Adding fixes for zero-divide issues
- Migration to the new major version of elastic
- Change configuration in the CureIAM.yaml file
- Tested in python version 3.9.X
Pinning the library version to avoid any backward-compatibility issues.
- Elastic==8.7.0 # previously 7.17.9
- Adding Docker Compose for local Elastic and Kibana in elastic
- Adding .env-ex; change .env-ex to .env before running the docker
Running docker compose: docker-compose -f docker_compose_es.yaml up
- Adding the capability to run a scan without applying the recommendations. By default, if mode_scan is false, mode_enforce is not running.
- Turn off the email function temporarily.