“Securing Google Cloud with CFT Scorecard”
CFT Scorecard adalah klien baris perintah sumber terbuka dari Forseti Config Validator dan bagian dari Cloud Foundation Toolkit yang lebih luas. Ini memberikan visibilitas ke kesalahan konfigurasi dan pelanggaran terhadap serangkaian standar yang ditetapkan untuk resource, project, folder, atau bahkan organisasi Google Cloud.
Ada lebih dari 86 jenis resource Google Cloud yang berbeda, dan terus bertambah. Dengan perpindahan ke cloud publik, semakin mudah untuk menyatukan operasi cloud dan penyebaran sumber daya ke banyak individu. Seiring dengan federasi dan ketangkasan dalam penyebaran infrastruktur, sumber daya, dan kebijakan, semakin sulit untuk menjaga agar kebijakan dan standar tetap teratur.
Task 1. Set up the environment
- Open Cloud Shell and set a couple of environment variables to begin:
gcloud services enable cloudasset.googleapis.com \
gcloud beta services identity create --service=cloudasset.googleapis.com --project=$GOOGLE_PROJECT
gcloud projects add-iam-policy-binding ${GOOGLE_PROJECT} \
--member=serviceAccount:service-$(gcloud projects list --filter="$GOOGLE_PROJECT" --format="value(PROJECT_NUMBER)")@gcp-sa-cloudasset.iam.gserviceaccount.com \
- Clone Policy
git clone https://github.com/forseti-security/policy-library.git
- You realize Policy Library enforces policies that are located in the policy-library/policies/constraints folder, in which case you can copy a sample policy from the samples directory into the constraints directory.
cp policy-library/samples/storage_denylist_public.yaml policy-library/policies/constraints/
- Create the bucket that will hold the data that Cloud Asset Inventory (CAI) will export:
gsutil mb -l us-central1 -p $GOOGLE_PROJECT gs://$CAI_BUCKET_NAME
Task 2. Collect data using Cloud Asset Inventory (CAI)
- Use the command below to create the data:
# Export resource data
gcloud asset export \
--output-path=gs://$CAI_BUCKET_NAME/resource_inventory.json \
--content-type=resource \
# Export IAM data
gcloud asset export \
--output-path=gs://$CAI_BUCKET_NAME/iam_inventory.json \
--content-type=iam-policy \
# Export org policy data
gcloud asset export \
--output-path=gs://$CAI_BUCKET_NAME/org_policy_inventory.json \
--content-type=org-policy \
# Export access policy data
gcloud asset export \
--output-path=gs://$CAI_BUCKET_NAME/access_policy_inventory.json \
--content-type=access-policy \
Task 3. Analyze CAI data with CFT scorecard
- You need to download the CFT scorecard application and make it executable:
curl -o cft https://storage.googleapis.com/cft-cli/latest/cft-linux-amd64
# make executable
chmod +x cft
- Now that you have configured everything, go ahead and run the CFT scorecard application:
./cft scorecard --policy-path=policy-library/ --bucket=$CAI_BUCKET_NAME
Task 4. Add more constraints to CFT scorecard
- You forgot about IAM! Add the following constraint to ensure you are entirely aware who has the
role aside from your allowlisted user:
# Add a new policy to blacklist the IAM Owner Role
cat > policy-library/policies/constraints/iam_allowlist_owner.yaml << EOF
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAllowedBindingsConstraintV3
name: allowlist_owner
description: List any users granted Owner
severity: high
target: ["organizations/**"]
exclude: []
mode: allowlist
assetType: cloudresourcemanager.googleapis.com/Project
role: roles/owner
- "serviceAccount:admiral@qwiklabs-services-prod.iam.gserviceaccount.com"
- Rerun CFT scorecard:
./cft scorecard --policy-path=policy-library/ --bucket=$CAI_BUCKET_NAME
- Set two extra variables to help with the new constraint creation:
export USER_ACCOUNT="$(gcloud config get-value core/account)"
export PROJECT_NUMBER=$(gcloud projects describe $GOOGLE_PROJECT --format="get(projectNumber)")
- Create the following constraint that will allowlist all the valid accounts:
# Add a new policy to allowlist the IAM Editor Role
cat > policy-library/policies/constraints/iam_identify_outside_editors.yaml << EOF
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAllowedBindingsConstraintV3
name: identify_outside_editors
description: list any users outside the organization granted Editor
severity: high
target: ["organizations/**"]
exclude: []
mode: allowlist
assetType: cloudresourcemanager.googleapis.com/Project
role: roles/editor
- "user:$USER_ACCOUNT"
- "serviceAccount:**$PROJECT_NUMBER**gserviceaccount.com"
- "serviceAccount:$GOOGLE_PROJECT**gserviceaccount.com"
- Rerun CFT scorecard:
./cft scorecard --policy-path=policy-library/ --bucket=$CAI_BUCKET_NAME
Sahabat Blog Learning & Doing demikianlah penjelasan mengenai Securing Google Cloud with CFT Scorecard. Semoga Bermanfaat . Sampai ketemu lagi di postingan berikut nya.