Profiling your GCP Account with Forseti Security

Profiling and auditing of any system are really important. Getting a holistic view of your GCP(Google Cloud Platform) account like compute instances, buckets, projects, folders, pub/sub topics, network, service accounts etc. will help to improve the efficiency, reduce cost, ease maintenance, improve capacity and sustainability of the platform. Based on this information you can find opportunities to reduce usage of any resources, improve security for any resource etc. Such information will be very helpful while managing and governing your GCP platform and to make it more secure and robust.

Introduction to Forseti Security

We at Hotels.com have GCP deployment which our users are using to carry out their data analysis. However, we don’t have a holistic view of our GCP deployment and have various queries like what are the resources we have in our deployment? Are they really being used? What resource can be accessed by a particular user/group? Can we reduce the number of resources? So we were looking for a tool which can help us answer these queries and Forseti Security helped us to do just that. Forseti Security is an open source tool, which helps you to profile your GCP resources. This tool helps you to understand the resources in your GCP account and also puts that information in Cloud SQL. Using Forseti Security you can compare the policies, send notifications and enforce those policies.

Architecture

Source: https://forsetisecurity.org/docs/latest/concepts/architecture.html

This tool has 5 major components :

  • Inventory: Regularly collects the data from GCP and stores the results in Cloud SQL under the table “forseti_security.gcp_inventory”. In order to refer to the latest inventory information, you can refer to the max value of column: inventory_index_id.
  • Scanner: Periodically compares the policies applied on GCP resources(like Bucket, Location, Firewall, Cloud SQL etc.) with the data collected from Inventory. It stores the scanner information in table “scanner_index”.
  • Explain: Helps to manage the cloud IAM(Identity and Access Management) policies.
  • Enforcer: Uses Google Cloud API to enforce the policies as above, you have set in GCP platform.
  • Notifier: Helps to send notifications to Slack, Cloud Storage or SendGrid as shown in Architecture diagram above.

Installation

Installation of Forseti Security is straightforward.

  • Checkout Forseti Security code from GitHub repository.
git clone https://github.com/GoogleCloudPlatform/forseti-security.git

Now we can install Forseti for both Administrators and Non-administrators.

  • For Admins only, install server only.
cd forseti-security
python install/gcp_installer.py --type=server

This will install the tool only for Admins and can only be accessed from server.

  • For All. Install Both Client and Server.
cd forseti-security
python install/gcp_installer.py

This will install both client and server so that Admin and Non-admin can both access the tool.

Note: It will ask for some optional information about SendGrid API key and Email recipients for sending the notifications.

  • Once the installation is completed, it will run below cron jobs periodically every 2 hours to collect the GCP inventory information.
MODEL_ID=$(/bin/date -u +%Y%m%dT%H%M%S)

forseti inventory create --import_as ${MODEL_ID}

forseti model use ${MODEL_ID}

forseti scanner run

forseti notifier run

Usage

After successful installation of Forseti, you can login to your CloudSQL instance created by Forseti for exploration of GCP inventory. You will find various tables under the Database “forseti_security”. Let’s discuss some of the important tables here.

Note: Some tables will be prefixed by Model ID created by Forseti.

  • Gcp_inventory: This table contains the information about your GCP resources: information about various resources, IAM policies, GCS(Google Cloud Storage) policies, dataset policies etc.
  • Members: Contains information about various members like Domain, Users, Groups, Service accounts etc.
  • Roles: Contains information about the various roles like Title, Stage (BETA/GA), whether its custom role or not and description of role.
  • Role_permissions: This contains the permission corresponding to a particular role.
  • Violations: Contains the information about the policy violation. Like Resource Name, Violation data, Violation type etc.
  • Inventory_index: This contains the information about when the inventory got generated, it’s status, any error messages etc.

Forseti CLI

We can use Forseti tool using it's CLI(Command Line Interface). It has different options like explainer, inventory, config, model, scanner, notifier, and server. We will discuss these in detail here. Let’s get started with Forseti CLI.

Note : login to forseti-client to use forseti CLI.

Inventory

It will gather and keep the details regarding GCP (Google Cloud Platform) resources.

  • Create Inventory: This will create Forseti inventory.
forseti inventory create
  • Check the details of all created inventory
forseti inventory list

This will provide details of all the created inventories. Details include a status of inventory, Objects in inventory, warnings or error (if any), id etc.

  • Data models are a very important piece of Forseti tool. These are Cloud SQL tables which can be queried to get more information about GCP infrastructure.
forseti inventory create --import-as <MODEL_NAME>
  • Get the details about particular inventory
forseti inventory get <id>
  • Delete a particular inventory
forseti inventory delete <id>

Model

It will create the data model on top of created inventory to show the relation between the resources in GCP. Inventory is JSON data but a model is more of relational data which makes querying easier on computed policies.

  • We can create a Data Model based on a particular inventory
forseti model create --inventory-index-id <INVENTORY_INDEX_ID> <MODEL_NAME>

We might get some expected warnings and the status could be PARTIAL_SUCCESS because of these warnings.

Upon creating the data model we can see the tables created in Cloud SQL DB.

  • Connect to Cloud SQL DB using gcloud command.
gcloud sql connect <db_name> --user=<user_name>

Enter password for above <user_name>

  • Select `forseti_security` Database.
use forseti_security
  • List the tables. You will see the tables created as part of the data model.
show tables
  • List all available data models
forseti model list
  • Use a particular model for Analysis
forseti model use <MODEL_NAME>
  • Check which model is currently being used.
forseti config show
  • Delete the data model
forseti model delete

Upon deleting the model, it will delete the Cloud SQL tables created for that particular data model.

Scanner

Now we can use a scanner to scan the resources. Select the data model which needs to be used and then scan the resources. A scanner will scan the resources based on the rules created in rules folder under Forseti bucket (forseti-server-xxxx/rules/) or copy them to the rules_path listed in forseti_server_conf.yaml. Rules can be defined as YAML or JSON file. You can define the rules to check for any Public buckets or allow traffic from a particular range of IP address etc. More information on rules can be found here.

  • Select the data model
forseti model use <MODEL_NAME>
  • Run the Scanner
forseti scanner run

If the conditions specified in the rules folder will be met then it will output data to Cloud SQL Database (forseti_security) under the table violations.

  • Check sample data as below in Cloud SQL DB :
select * from forseti_security.violations limit 10;

Notifier

It will be used to send the notifications on rules violations. Notifications can be sent to Slack, E-mail or/and cloud storage.

  • Run the notifier
forseti notifier run

Explain

This tool helps to understand the access by resources or member. Who has access to which resources and level of access?

  • Select the data model.
forseti model use <MODEL_NAME>
  • List all the resources in the data model
forseti explainer list_resources

It will display all the resources in data model like bucket, disks, firewall, iam_policy, network, project, service accounts etc.

  • List all the resources under a particular folder.
forseti explainer list_resources --prefix organization/111111111/folder/<folder-name>
  • List all the resources under a particular project.
forseti explainer list_resources --prefix organization/111111111/project/<project-name>
  • List all members of the Data Model
forseti explainer list_members

It will list the members in the Data model like users, service accounts, groups, domain, project editor, project viewer etc.

  • List all roles in data model
forseti explainer list_roles
  • List roles with a particular prefix
forseti explainer list_roles --prefix roles/iam

It will display all the roles with prefix `roles/iam`

  • List the resources which can be accessed by a member
forseti explainer access_by_member user/<user_name>

It will display all the resources which user can access along with the role.

  • Check policy if a user has access to a particular resource.
forseti explainer check_policy project/<project_name> <role_name> user/<user_name>

It will display whether particular user <user_name> has access to project <project_name> via role <role_name>

Server

  • Get the Forseti Server details.
forseti server configuration get
  • Reload Server Configuration
forseti server configuration reload <CONFIG_FILE_PATH>

It will reload the server configuration, where <CONFIG_FILE_PATH> is the path for server configuration yaml file. If it's not specified, the default configuration path (gs://forseti-server-xxx/configs/forseti_conf_server.yaml) will be used.

  • Get the current log level of the server.
forseti server log_level get
  • Set the current log level for the server.
forseti server log_level set <LOG_LEVEL>

Note: LOG_LEVEL could be one of the debug, info, warning or error.

  • Check logs on the server.
  • Connect to server.
gcloud compute --project <project_name> ssh --zone <ZONE> <FORSETI_SERVER_NAME>

Note: Logs can be found at location `/var/logs`

Bucket Details

Installation of Forseti tool will create 3 buckets as follows :

  • forseti-cai-export-XXXX: This bucket contains the CAI (Cloud Asset Inventory)
  • forseti-client-XXXX: This bucket contains client configurations and deployment templates.
  • forseti-server-XXXX: This bucket contains server configuration, deployment template, inventory summary, rules and scanner violations.

Cloud SQL

Switch for different cloud shell.

  • Connect to mysql.
gcloud sql connect <DB_NAME> --user=<USER_NAME>

Specify a password upon prompt.

  • Use the database `forseti_security`
use forseti_security
  • List all tables
show tables

It will list all the tables in `forseti_security` database.

Note: Few tables will be prefixed by “model_name”.

  • Check the GCP inventory details.

Table `gcp_inventory` contains all the details about the GCP Inventory like roles, buckets, datasets, disks, network, firewall, folder etc.

For Example :

  • List all the buckets.
select * from gcp_inventory where resource_type = "bucket"
  • List all folders.
select * from gcp_inventory where resource_type = "folder"
  • List all roles.
select * from gcp_inventory where resource_type = "role"

Note: Other resource_types are a firewall, network, sink, project, organization etc.

  • Check the violations details.

Table `violations` contains the violation details based on rules defined :

  • Check bucket violations :
select id, created_at_datetime, violation_type from violations where violation_type='BUCKET_VIOLATION'
  • Check location violations :
select id, created_at_datetime, violation_type from violations where violation_type='LOCATION_VIOLATION'
  • Check BIGQuery violations :
select id, created_at_datetime, violation_type from violations where violation_type='BIGQUERY_VIOLATION'

Note: other types of violations are FIREWALL_BLACKLIST_VIOLATION, GROUP_VIOLATION, SERVICE_ACCOUNT_KEY_VIOLATION.

Conclusion

We are using this tool to manage our GCP platform and to keep control of the resource we are deploying on GCP infrastructure. This is the tool contributed by Google to the open source community. Request you to please check the official documentation for the latest updates here and GitHub code can be found here.

If you have reached till this point, huge thank you for taking your time and reading out this post. We have spent quite some time with this tool recently so would like to share our experiences here. Request you to please share your feedback in the comments below.