Use GCP Security Command Center’s Security Findings to track GCE disks that are using old Golden Images

by Marcellus Miles — Principal Cloud Architect I, McKinsey & Company

This article is part of a series that focuses on VM-based compute solutions in GCP. In particular, we describe the lifecycle of creating and managing the deployment of Golden Images.

• Part 1: Deploy Golden Images to GCP using Packer and Cloud Build
• Part 2: Update GCP Managed Instance Groups using Cloud Asset Feeds
• Part 3 (this article): Use GCP Security Command Center’s Security Findings to track GCE disks that are using old Golden Images
• Part 4: Integrating vulnerability scanning into your Golden Image Pipeline in GCP

This article leverages existing capabilities of Security Command Center to continuously scan cloud infrastructure for misconfigurations and configuration drift. Organizations that shift left the security of their cloud infrastructure are able to recognize Security Findings before it’s too late. The article extends the first two in the series that speak to Golden Images by shifting left the security of virtual machine disks with automation. The result of the automated scan creates Security Findings in Security Command Center for disks that need remediation.

The focus of this article is on Identify Misconfigurations (1) and Security Findings (2), which are indicated in the diagram below, that showcase the capabilities of Security Command Center. The Python and Terraform in this article create the mentioned Security Findings after scans that Identify Misconfigurations.

Identify misconfigurations (1) and Security Findings (2)

What are Security Command Center assets and Security Findings?

Any GCP Organization can use Security Command Center to collect and track all GCP resources in all projects within a business that the Security Command Center is granted access to. The Asset Inventory capability of Security Command Center used in this article is free with Security Command Center Standard and enables enterprise IT to track their inventory using a cloud-native PaaS. Security Findings are a capability that models potential security risks of an asset.

The findings in Security Command Center include the out-of-box vulnerability findings, and, in the case of this article, custom findings to track out-of-date Golden Images that a disk may be using (attached or not to a Google Compute Engine (GCE) instance).

How do we create Security Findings in Security Command Center?

In the second article in this series, we described how Asset Feeds can be used to trigger scans in real time as new Golden Images are created; however, in this article, we use Cloud Scheduler to scan on a scheduled basis to automatically create findings.

At a high level, we want to do the following (wherever possible, we use Terraform to manage the infrastructure):

1. Create a Cloud Scheduler Job to trigger a Cloud Function on a daily basis.
2. Use a Cloud Function to query the Security Command Center API to search through existing disk assets using old versions of the Golden Image we are interested in tracking.
3. Lastly, create a Security Finding on disk assets using the Google Cloud Python SDK.

Prerequisites

GCP requirements:

1. You have the ability to create GCE Machine Images (see the first article in this series).
2. You have a GCP Organization (required to use Security Command Center).
3. You have access to Security Command Center with its API enabled on the GCP project that will be querying assets and creating findings within a Cloud Function.
4. You have a Service Account running as the identity of the Google Cloud Function (GCF) with the following roles (refer to the IAM). The Terraform in this article creates this for you:
   roles/securitycenter.findingsEditor
   roles/securitycenter.assetsViewer
5. You can create a Security Command Center source (the category our findings will be logged to). The Terraform in this article creates the following required role needed to create sources:
   roles/securitycenter.sourcesAdmin

Terraform requirements:

1. Enable the IAM and Cloud Resource Manager APIs.
2. The account running the TF will need Org Admin (to set the roles required for the GCF SA); alternatively, do this via other means.
3. The account running the TF will need Security Center Sources Admin. Sources at this time cannot be created in the GCP Console.
   roles/securitycenter.sourcesAdmin

Setup

First, create Images and Disks:

• If you follow the instructions in the first article, you will have GCE instances, disks, and images to play with in this article. Or use what you have currently.
• You should have a couple of disks with at least one that is still using an old version of your Golden Image.
• The following is what I had when this article was created:

Second, have access to use Security Command Center Assets:

• Verify that your assets are in the Asset Inventory within Security Command Center.
• The screenshot below shows all three of my disks listed as a Disk asset.
• The disk in the screenshot with the label instance-2 is our bad actor that needs Security Findings created for it, as it is using myorg-golden-ubuntu-v1 instead of the desired myorg-golden-ubuntu-v2.

Deploy our infrastructure with Terraform

At this point, you should now have assets in the inventory, with at least one asset using our out-of-date Golden Image. We can now deploy the infrastructure and Python that creates the Security Findings.

We are using Terraform in this article to deploy our cloud resources. Within variables.tf, take note of the image_family. The value of image_family must match the image family that we are interested in scanning for. After the Cloud Function is deployed, it can take any image family as an input parameter.

The Terraform resource for google_scc_source will create a Security Command Center “source” (refer to documentation for source management). Do take note, the source will not show up in the GCP Console until the first finding is logged using that source.

For example, in this screenshot, you can see the custom source “Golden Image Scanner,” which shows a count of 15 Security Findings. After you run the Python in this article, you will have something similar. Keep in mind that sources cannot be created in the GCP Console.

Here is the service account for our Cloud Function with the necessary IAM to create findings and search the assets:

main.tf

Here is our Cloud Function that will run the Python to scan our assets and create the findings:

Following is the Cloud Scheduler authorized to call our function on a daily basis. It’s important to note that Base64 encodes the JSON that is sent to the function. This is where the image_family is sent as input to the Cloud Function above. This scheduler scans for that family on a daily basis.

And here is the full main.tf in a single file:

Create Security Findings with Python

The Python below is only the minimum, and the strategy that you implement in your code for managing findings may be different. This demonstrates the creation of a finding for the purposes of this article. An alternative (requiring more code) could be to instead update and track existing findings.

Below is the requirements.txt file, which is used by Cloud Functions to install dependencies. This should go in the root of a new directory that will be pushed to a git repository.

functions-framework
google-cloud-securitycenter
google-cloud-logging

Now for the main.py file. This file and the requirements.txt above are the only two files required in your git repository for the Cloud Function to run.

What does main.py below do?

1. First, we have our imports and two helper functions.
2. Next, we have the Cloud Function entry point function def scan(request). This function is an HTTP trigger, so it will take JSON as input. There is parameter checking for required properties for the function to work.
3. We then use the securitycenter Python SDK to do a list_assets with a custom filter. Asset filters are detailed in the documentation. The important thing here is that we are looking for only Golden Image assets matching the image_family from earlier and not other image assets.
4. With the results of that filter query, we do another query for all disks assets that are using the latest version of our Golden Image asset. Keep in mind, the step above queried image assets, this step gives us the disk assets (attached or not to GCE instances).
5. Lastly, with our disks that are using an older version of our Golden Image, we can then create a Security Command Center Security Finding.
6. Throughout the code, we are printing to stdout so that Cloud Logging can give us additional insights:

After running the Python above, we see our findings on the relevant disk asset screenshot below. Also in the screenshot, the finding Category column is set to USING DATED GOLDEN IMAGE. This category along with the Source can have any value that we choose. When they are created, we set the state to Finding.State.ACTIVE. You can extend this code to flip that state to Finding.State.INACTIVE if it was once ACTIVE and now using the latest Golden Image (refer to findings documentation).

Conclusion

This article described how to use Security Command Center to create Security Findings on assets so staff can respond and remediate disks in Google Cloud that are using out-of-date Golden Images. The reason we do this is so that the security of your VMs is kept up to date with the latest patches and improvements available from your Golden Images.

Here are a few closing thoughts:

• The same Cloud Function (with minor changes) can be used to chain to Asset Feeds in the second article of this series for instantaneous notifications.
• Creating new findings and resolving existing ones is possible by extending the Python in this article.
• Security Command Center does require a bit of effort to set up. In an existing organization with good security policies, you should coordinate with the security team to permit the Cloud Function in this article to have access to query and search the Asset Inventory.