04-27-202212:00 PM - last edited on 04-27-202203:01 PM by kh_jenn
In this article we’ll demonstrate how you can implement automatic remediation for security posture violation findings discovered by Netskope Cloud Security Posture Management (CSPM).
Netskope CSPM continuously assesses public cloud deployments to mitigate risk, detect threats, scan and protect sensitive data and monitor for regulatory compliance. Netskope simplifies the discovery of security misconfigurations across your clouds. Netskope Auto-Remediation framework for GCP enables you to automatically mitigate the risk associated with these misconfigurations in your GCP cloud environment.
Cloud scheduler will trigger Pub/Sub(1) topic with payload/message after every interval.
Payload/message will have two parameters:
rule_name: Name of the Rule for which remediation is required.
rule_short_name: This will be the Pub/Sub(2) topic name that will be used by GetNetskopeCSPMResults Cloud Function to push alert details to Remediation Cloud Function.
Pub/Sub(1) will trigger the GetNetskopeCSPMResults cloud function which will perform the below steps:
Pull payload/message from pub/sub(1) topic.
Call Netskope Security Assessment Violation API for given rule_name. If the rule is violated then, extract parameters GCP ProjectID, Resource ID, and Region Name from the alert.
Trigger Pub/Sub(2) topic and push extracted parameters. Pub/Sub(2) topic will pass these parameters to the Remediation cloud function of specified rule_name.
The remediation cloud function will pull information from Pub/Sub(2) and perform remediation.
Check logs of remediation functions in cloud logging.
Currently Supported GCP Auto-remediation Rules
Ensure the default network does not exist in a project
The auto-remediation cloud function deletes the default VPC network.
Ensure "Block Project-wide SSH keys" enabled for VM instances
The auto-remediation cloud function set “block-project-ssh-keys” meta-data value of VM instance to True.
Identities and credentials: Ensure user-managed/external keys for service accounts are rotated every 90 days or less
The auto-remediation cloud function disables the Service Account keys that are created before 90 days
Identities and credentials: Ensure that ServiceAccount has no Admin privileges.
The auto-remediation cloud function removes Service Account entries from members for owner/editor/*Admin role
Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
The auto-remediation cloud function removes role binding from policy having role as “Service Account User” or “Service Account Token Creator”
Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters
The auto-remediation cloud function set the logging service as “logging.googleapis.com/kubernetes” if not set
Ensure that Cloud Audit Logging is configured properly across all services and all users from a project
The auto-remediation cloud function removes exempted members from audit logging service configurations and enable audit logging for all services with log types: DATA_READ, DATA_WRITE, ADMIN_READ, ADMIN_WRITE
Ensure that Cloud SQL database Instances are not open to the world
The auto-remediation cloud function removes a network which has an IP value of “0.0.0.0/0“ from Cloud SQL Instance.
Ensure that Cloud SQL database instance requires all incoming connections to use SSL
The auto-remediation cloud function set “requireSsl” property of cloud SQL instance to True.
Identities and credentials: Ensure that Cloud Storage bucket is not anonymously or publicly accessible
The auto-remediation cloud function removes “allUsers” and “allAuthenticatedUsers” principles from the bindings of bucket policy.
Ensure that SSH access is restricted from the internet
The auto-remediation cloud function removes the entry for source “0.0.0.0/0” from firewall rule source ranges if present
Ensure VPC Flow logs is enabled for every subnet in VPC Network
The auto-remediation cloud function enables flow logging for each subnet region-wise