infra/security/README.md

GCP Security Analyzer

This document describes the implementation of a security analyzer for Google Cloud Platform (GCP) resources. The analyzer is designed to enhance security monitoring within our GCP environment by capturing critical events and generating alerts for specific security-sensitive actions.

How It Works

  1. Log Sinks: The system uses GCP Log Sinks to capture specific security-related log entries. These sinks are configured to filter for events like IAM policy changes or service account key creation.
  2. Log Storage: The filtered logs are routed to a dedicated Google Cloud Storage (GCS) bucket for persistence and analysis.
  3. Report Generation: A scheduled job runs weekly, executing the log_analyzer.py script.
  4. Email Alerts: The script analyzes the logs from the past week, compiles a summary of security events, and sends a report to a configured email address.

Configuration

The behavior of the log analyzer is controlled by a config.yml file. Here’s an overview of the configuration options:

  • project_id: The GCP project ID where the resources are located.
  • bucket_name: The name of the GCS bucket where logs will be stored.
  • logging: Configures the logging level and format for the script.
  • sinks: A list of log sinks to be created. Each sink has the following properties:
    • name: A unique name for the sink.
    • description: A brief description of what the sink monitors.
    • filter_methods: A list of GCP API methods to include in the filter (e.g., SetIamPolicy).
    • excluded_principals: A list of service accounts or user emails to exclude from monitoring, such as CI/CD service accounts.

Example Configuration (config.yml)

project_id: your-gcp-project-id
bucket_name: your-log-storage-bucket

sinks:
  - name: iam-policy-changes
    description: Monitors changes to IAM policies.
    filter_methods:
      - "SetIamPolicy"
    excluded_principals:
      - "ci-cd-account@your-project.iam.gserviceaccount.com"
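As an added illustration of how the sink properties above map onto a Cloud Logging filter, here is example code written for this page; it is not the project's log_analyzer.py, and the function names build_sink_filter and gcloud_create_args, the exact filter text, and the embedded config dict (the parsed form of the config.yml above) are assumptions. The page does not show the filter the real script emits.

```python
from __future__ import annotations

# Parsed form of the config.yml shown above, embedded as a dict so the example
# runs without PyYAML (the real script would obtain it via yaml.safe_load).
SAMPLE_CONFIG = {
    "project_id": "your-gcp-project-id",
    "bucket_name": "your-log-storage-bucket",
    "sinks": [
        {
            "name": "iam-policy-changes",
            "description": "Monitors changes to IAM policies.",
            "filter_methods": ["SetIamPolicy"],
            "excluded_principals": [
                "ci-cd-account@your-project.iam.gserviceaccount.com",
            ],
        }
    ],
}


def _any_of(values: list[str]) -> str:
    """Render a list as a Logging-filter alternation: ("a" OR "b")."""
    return "(" + " OR ".join(f'"{v}"' for v in values) + ")"


def build_sink_filter(sink: dict) -> str:
    """Translate one sink entry into a Cloud Logging filter string (assumed layout).

    Keeps only Admin Activity audit entries whose methodName is listed in
    filter_methods, and drops entries made by any excluded principal.
    """
    methods = sink.get("filter_methods") or []
    if not methods:
        raise ValueError(f"sink {sink.get('name')!r} lists no filter_methods")
    clauses = [
        'logName:"cloudaudit.googleapis.com%2Factivity"',
        f"protoPayload.methodName={_any_of(methods)}",
    ]
    excluded = sink.get("excluded_principals") or []
    if excluded:
        # Caveat: an excluded principal's actions never reach the bucket at all,
        # so misuse of that CI/CD account is invisible to the weekly report.
        # Keep the list short and review it as part of the config change process.
        clauses.append(
            f"NOT protoPayload.authenticationInfo.principalEmail={_any_of(excluded)}"
        )
    return " AND ".join(clauses)


def gcloud_create_args(config: dict, sink: dict) -> list[str]:
    """Argument vector for creating the sink with gcloud, routed to the GCS bucket."""
    return [
        "gcloud", "logging", "sinks", "create", sink["name"],
        f"storage.googleapis.com/{config['bucket_name']}",
        f"--log-filter={build_sink_filter(sink)}",
        f"--project={config['project_id']}",
    ]


if __name__ == "__main__":
    for sink in SAMPLE_CONFIG["sinks"]:
        print(build_sink_filter(sink))
        print(" ".join(gcloud_create_args(SAMPLE_CONFIG, sink)))
```

One operational check worth adding to any initialize step: after a sink is created, Cloud Logging assigns it a writer identity that must be granted permission to write objects into the destination bucket, otherwise the sink is created successfully but exports nothing.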

Usage

The log_analyzer.py script provides two main commands for managing the security analyzer.

Initializing Sinks

To create or update the log sinks in GCP based on your config.yml file, run the following command:

python log_analyzer.py --config config.yml initialize

This command ensures that the log sinks are correctly configured to capture the desired security events.

Generating Weekly Reports

To generate and send the weekly security report, run this command:

python log_analyzer.py --config config.yml generate-report

This is typically run as a scheduled job (GitHub Action) to automate the delivery of weekly security reports.
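To show what the generate-report step has to do with the exported logs, here is an added example written for this page, not the project's own log_analyzer.py. It assumes the sink writes newline-delimited JSON LogEntry records to the bucket (the format Cloud Logging uses for GCS exports), keeps only entries from the last seven days, re-applies excluded_principals as a second check, and groups events by method and principal. The log lines, the fixed clock NOW, and the function names summarize_entries and render_report are constructed for the example.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of exported audit log lines (one LogEntry per line), reduced
# to the fields the summary needs. The last line is deliberately corrupt.
SAMPLE_LOG_LINES = [
    json.dumps({"timestamp": "2024-05-06T10:00:00Z",
                "protoPayload": {"methodName": "SetIamPolicy",
                                 "authenticationInfo": {"principalEmail": "alice@example.com"},
                                 "resourceName": "projects/your-gcp-project-id"}}),
    json.dumps({"timestamp": "2024-05-07T11:30:00.123456Z",
                "protoPayload": {"methodName": "SetIamPolicy",
                                 "authenticationInfo": {"principalEmail": "alice@example.com"},
                                 "resourceName": "projects/your-gcp-project-id"}}),
    json.dumps({"timestamp": "2024-05-07T12:00:00Z",
                "protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccountKey",
                                 "authenticationInfo": {"principalEmail": "bob@example.com"},
                                 "resourceName": "projects/-/serviceAccounts/example"}}),
    json.dumps({"timestamp": "2024-04-20T09:00:00Z",  # older than the weekly window
                "protoPayload": {"methodName": "SetIamPolicy",
                                 "authenticationInfo": {"principalEmail": "carol@example.com"}}}),
    json.dumps({"timestamp": "2024-05-07T13:00:00Z",  # excluded CI/CD principal
                "protoPayload": {"methodName": "SetIamPolicy",
                                 "authenticationInfo": {
                                     "principalEmail": "ci-cd-account@your-project.iam.gserviceaccount.com"}}}),
    "this line is not JSON",
]
EXCLUDED_PRINCIPALS = ["ci-cd-account@your-project.iam.gserviceaccount.com"]
NOW = datetime(2024, 5, 8, tzinfo=timezone.utc)  # fixed clock so the run is reproducible


def parse_timestamp(value: str) -> datetime:
    # LogEntry timestamps are RFC 3339; fromisoformat() before Python 3.11 rejects "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize_entries(lines, now, excluded_principals, window_days=7):
    """Count events per (methodName, principalEmail) inside the reporting window.

    Malformed lines, entries outside the window and entries from excluded
    principals are counted separately so the report can show what was dropped.
    """
    cutoff = now - timedelta(days=window_days)
    excluded = {p.lower() for p in excluded_principals}
    events, skipped = Counter(), Counter()
    for raw in lines:
        try:
            entry = json.loads(raw)
            payload = entry["protoPayload"]
            ts = parse_timestamp(entry["timestamp"])
            method = payload["methodName"]
            principal = payload["authenticationInfo"]["principalEmail"]
        except (ValueError, KeyError, TypeError):
            skipped["malformed"] += 1
            continue
        if ts < cutoff or ts > now:
            skipped["outside_window"] += 1
            continue
        if principal.lower() in excluded:
            skipped["excluded_principal"] += 1
            continue
        events[(method, principal)] += 1
    return {"events": dict(events), "skipped": dict(skipped),
            "window_start": cutoff, "window_end": now}


def render_report(summary) -> str:
    """Plain-text body for the weekly email, most frequent events first."""
    out = [f"Security events {summary['window_start']:%Y-%m-%d} to {summary['window_end']:%Y-%m-%d}",
           f"Total events: {sum(summary['events'].values())}"]
    for (method, principal), count in sorted(summary["events"].items(), key=lambda kv: (-kv[1], kv[0])):
        out.append(f"  {count:>4}  {method:<45} {principal}")
    for reason, count in sorted(summary["skipped"].items()):
        out.append(f"  skipped ({reason}): {count}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_report(summarize_entries(SAMPLE_LOG_LINES, NOW, EXCLUDED_PRINCIPALS)))
```

Reporting the skipped counts alongside the events is deliberate: a week with zero events and many malformed lines points at a broken export rather than a quiet environment, which is exactly the failure a scheduled job would otherwise hide.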