Using SCC Custom Findings and Asset Inventory Feeds to auto-remediate non-compliant GCP resources

Ulises Jimenez
Google Cloud - Community
3 min read · Jun 4, 2024

The problem

At the time of this writing, GCP's native capability to enforce settings on resources through organization policies (both predefined and custom constraints) is limited to a list of supported asset types. Rules can also be enforced with Policy as Code, but that only covers changes that flow through an IaC pipeline; a resource changed from the console, gcloud or the API bypasses it.

From a detection point of view, even though Security Health Analytics custom modules can be added on top of the out-of-the-box Security Command Center detectors, their list of supported asset types does not include some resources, App Engine among them. For these edge cases you need a way to enforce custom rules, keep the state of the affected resources in SCC, and manage that configuration with IaC.

The proposed solution

This custom solution shows an automatic remediation use case: detect in SCC whether Identity-Aware Proxy (IAP) is enabled on App Engine and, if it is not, automatically change the ingress setting to internal-only, reverting the non-compliant configuration in near real time.

Requiring IAP enforces a zero-trust access model for the backend applications; where IAP is not enabled, setting the ingress policy to internal-only at least blocks direct traffic from the internet until IAP is turned on.

The enforcement point is normally set at the organization or folder level, but it can also be set on a single project (especially for testing).

The example Terraform modules and Python (Cloud Function) code demonstrate how to combine Cloud Asset Inventory feeds, Cloud Functions and Security Command Center into a custom solution that identifies non-compliant GCP resources and auto-remediates them to a well-defined security posture.

The example remediates App Engine applications without IAP by changing the ingress setting of their services to internal-only, and publishes a custom finding to SCC for each one. The code can be extended with more asset types and custom remediation logic to cover a broader set of resources.
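To make the remediation path concrete, here is an added example of the decision logic such a Cloud Function would run; it is not the repository's code. It assumes the feed watches appengine.googleapis.com/Application assets, that the Application resource's iap.enabled field (App Engine Admin API) is the compliance signal, and that ingress is changed per service through apps.services.patch with update mask networkSettings.ingressTrafficAllowed. The SCC source name, the finding category and the sample feed messages are placeholders constructed for the example, and the GCP calls are injected as callables so the logic runs offline.

```python
"""App Engine IAP check: feed message -> verdict -> ingress patch -> SCC finding (added example)."""
import base64
import hashlib
import json
from datetime import datetime, timezone

INTERNAL_ONLY = "INGRESS_TRAFFIC_ALLOWED_INTERNAL_ONLY"
APP_ASSET_TYPE = "appengine.googleapis.com/Application"
FINDING_CATEGORY = "APP_ENGINE_IAP_DISABLED"  # hypothetical category name, not from the repo


def encode_event(event: dict) -> str:
    """Pub/Sub carries the feed's TemporalAsset as base64-encoded JSON in message.data."""
    return base64.b64encode(json.dumps(event).encode()).decode()


def is_iap_enabled(asset: dict) -> bool:
    """Application.iap.enabled from the App Engine Admin API; no iap block means never configured."""
    data = asset.get("resource", {}).get("data", {})
    return bool(data.get("iap", {}).get("enabled", False))


def project_id_from_asset(asset_name: str) -> str:
    """'//appengine.googleapis.com/apps/PROJECT' -> 'PROJECT'."""
    return asset_name.rsplit("/apps/", 1)[1].split("/", 1)[0]


def build_ingress_patch(project_id: str, service_id: str) -> dict:
    """Parameters for apps.services.patch that force internal-only ingress on one service."""
    return {
        "name": f"apps/{project_id}/services/{service_id}",
        "updateMask": "networkSettings.ingressTrafficAllowed",
        "body": {"networkSettings": {"ingressTrafficAllowed": INTERNAL_ONLY}},
    }


def build_finding(source_name: str, asset_name: str, compliant: bool, now: datetime) -> dict:
    """Deterministic finding id per asset: re-evaluation updates the same finding
    (ACTIVE -> INACTIVE once fixed) instead of piling up duplicates in SCC."""
    finding_id = hashlib.sha256(f"{FINDING_CATEGORY}:{asset_name}".encode()).hexdigest()[:32]
    return {
        "finding_id": finding_id,
        "finding": {
            "parent": source_name,
            "resource_name": asset_name,
            "category": FINDING_CATEGORY,
            "state": "INACTIVE" if compliant else "ACTIVE",
            "severity": "HIGH",
            "event_time": now.isoformat(),
            "source_properties": {"remediation": "none" if compliant else "ingress set to internal-only"},
        },
    }


def handle_feed_event(data_b64, source_name, list_services, patch_service, upsert_finding, now=None):
    """decode -> evaluate -> remediate -> record state in SCC.

    list_services, patch_service and upsert_finding are injected so the logic runs
    offline; deployed, they would wrap apps.services.list / apps.services.patch
    (App Engine Admin API) and the SCC client's create/update finding calls.
    """
    now = now or datetime.now(timezone.utc)
    event = json.loads(base64.b64decode(data_b64))
    asset = event.get("asset", {})
    if asset.get("assetType") != APP_ASSET_TYPE or event.get("deleted"):
        return {"handled": False}  # other asset types, or nothing left to remediate
    compliant = is_iap_enabled(asset)
    project_id = project_id_from_asset(asset["name"])
    patches = []
    if not compliant:
        for service_id in list_services(project_id):
            patch = build_ingress_patch(project_id, service_id)
            patch_service(patch)
            patches.append(patch)
    finding = build_finding(source_name, asset["name"], compliant, now)
    upsert_finding(finding)
    return {"handled": True, "compliant": compliant, "patches": patches, "finding": finding}


# Constructed sample inputs (not captured from a real project); the SCC source is hypothetical.
SAMPLE_SOURCE = "organizations/123456789012/sources/1234567890"
SAMPLE_APP = {"name": "//appengine.googleapis.com/apps/example-project", "assetType": APP_ASSET_TYPE}
SAMPLE_NONCOMPLIANT = encode_event({"asset": {**SAMPLE_APP, "resource": {"data": {"id": "example-project"}}}})
SAMPLE_COMPLIANT = encode_event(
    {"asset": {**SAMPLE_APP, "resource": {"data": {"id": "example-project", "iap": {"enabled": True}}}}}
)


def run_sample(data_b64: str) -> dict:
    """Run the handler with in-memory stand-ins for the two GCP API calls."""
    return handle_feed_event(
        data_b64, SAMPLE_SOURCE,
        list_services=lambda project: ["default", "api"],   # stand-in for apps.services.list
        patch_service=lambda patch: None,                   # stand-in for apps.services.patch
        upsert_finding=lambda finding: None,                # stand-in for SCC create/update finding
    )


if __name__ == "__main__":
    print(json.dumps(run_sample(SAMPLE_NONCOMPLIANT), indent=2))
```

Two design points worth keeping in a real deployment: the finding id is derived from the asset name, so the same application always maps to one finding whose state flips between ACTIVE and INACTIVE as the configuration changes, and deletion events are skipped rather than remediated, because the feed delivers one for every removed resource.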

A corresponding source code repo has been created with the full implementation. Thanks a lot to Aman Puri for helping to bring this design into actually working code!

To run the code the following prerequisites are required:

  • The organization ID
  • A Google Cloud project with the following APIs enabled:
      • cloudresourcemanager.googleapis.com
      • serviceusage.googleapis.com
  • The folder ID (only required when creating a folder-level asset feed)

Here are examples of calling the modules:

Organization level remediation:

module "asset-feed-remediation-organization" {
  source          = "./modules/app-engine-remediation/organization-level-feed"
  project_id      = var.project_id
  organization_id = var.organization_id
  name            = var.name
  region          = var.region
  source_dir      = var.source_dir
}

Folder level remediation:

module "asset-feed-remediation-folder" {
  source          = "./modules/app-engine-remediation/folder-level-feed"
  folder_id       = var.folder_id # Only required when creating a folder-level feed
  project_id      = var.project_id
  organization_id = var.organization_id
  name            = var.name
  region          = var.region
  source_dir      = var.source_dir
}

Project level remediation:

module "asset-feed-remediation-project" {
  source          = "./modules/app-engine-remediation/project-level-feed"
  project_id      = var.project_id
  organization_id = var.organization_id
  name            = var.name
  region          = var.region
  source_dir      = var.source_dir
}

Test the solution

Create or update a non-compliant resource (an App Engine application with IAP disabled), then confirm that the ingress setting of its services has been switched to internal-only and that the corresponding custom finding shows up in SCC.

Codebase

The codebase includes the following components:

  • Terraform code to create the necessary infrastructure: the Cloud Asset Inventory feed, the Pub/Sub topic, the Cloud Function, and the Security Command Center notification config.
  • Python code for the Cloud Function that processes the Asset Inventory feed and performs the remediation actions.
  • README file with instructions on how to deploy and use the solution.

Ulises Jimenez
Google Cloud - Community

IT specialist with 15+ years industry experience. I am also a Google Cloud Security Architect assisting users to get the most out of Google Cloud Platform.