Skip to content
This repository has been archived by the owner on Aug 4, 2023. It is now read-only.
/ gcp_threat_detection_auto_remediation Public archive

This repo contains all you need to begin automating Event Threat Detection findings.

License

View license
12 stars 6 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ScaleSec/gcp_threat_detection_auto_remediation

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits
.github/workflows
.github/workflows
 
 
src
src
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
main.tf
main.tf
 
 
outputs.tf
outputs.tf
 
 
variables.tf
variables.tf
 
 

Repository files navigation

Terraform - Automated Event Driven Security Remediation

GitHub Super-Linter

The Terraform module and Cloud Function is used to demonstrate the concepts discussed in this Article. This repo contains all you need to begin automating remediations for Event Threat Detection findings.

Prerequisites

Due to changes in the GCP provider, you can only deploy Cloud Functions with Terraform when using a Service Account. See Github Issue.

The service account running terraform must have the following permissions:

At the organization level:

  • Organization Role Administrator
  • Logs Configuration Writer
  • Organization Administrator

At the project level:

  • Pub/Sub Admin
  • Cloud Functions Admin
  • Storage Admin
  • Service Account Admin
  • Service Account User

Usage

  1. Clone Repository Locally.
git clone [email protected]:ScaleSec/gcp_threat_detection_auto_remediation.git
  1. Change directory into the newly cloned repository.
cd gcp_threat_detection_auto_remediation
  1. Create a terraform.tfvars file - Replace values before running command.
cat > terraform.tfvars <<EOF
  org_id                       = "<<replace with your org id>>"
  project                      = "<<replace with your project id>>"
EOF
  1. Authenticate your Google Cloud Service Account in one of ways defined in the Terraform Documentation.
gcloud auth activate-service-account

export GOOGLE_APPLICATION_CREDENTIALS=/path/to/yourSAKey.json
  1. Run the following Terraform commands:
terraform init
terraform plan
terraform apply
  1. To test the Cloud Function:
  • Add a @gmail.com IAM member to your project with the role Project Editor.
  • Refresh the IAM page and the previously added IAM member should be removed.
  • Navigate to the Cloud Functions page in the Cloud Console and select the function deployed via terraform.
  • Click the 'View Logs' Button to view the outputs of the function.

Inputs

Name Description Type Default Required
org_id The ID of the Organization to provision resources. string - yes
project The ID of the project where the pub/sub topic will be installed. string - yes
region The location of resources string us-east1 no
name Prefix for resource naming string etd no
org_sink_filter The Log Filter to apply to the Org Level export. string resource.type:threat_detector resource.labels.detector_name=iam_anomalous_grant no

Outputs

Name Description
topic_name The name of the pub/sub topic where logs are sent to.
project The Project which hosts the pub/sub topic and subscription resources.
organization_sink_writer The Service Account associated with the organization sink.
function_name The Cloud Function that performs the IAM administration.

Limitation of Liability

Please view the License for limitations of liability.

About

This repo contains all you need to begin automating Event Threat Detection findings.

Resources

Readme

License

View license
Activity
Custom properties

Stars

12 stars

Watchers

14 watching

Forks

6 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages