Integrate private Forseti Security with Cloud Security Command Center
Contributed by Google employees.
This guide walks you through a private Forseti Security installation on Compute Engine, following enterprise best practices.
This guide shows how to do the following:
- Deploy Forseti in its own virtual private cloud (VPC), not the default VPC.
- Restrict the firewall rules that are preconfigured.
- Optionally, remove the public IP address from Compute Engine instances.
- Configure Cloud SQL to be a private instance.
- Configure Forseti to send violations to Cloud Security Command Center (Cloud SCC).
This guide does not show how to do the following:
- Customize Forseti.
- Configure Forseti beyond the basic setup.
- Configure Forseti Enforcer.
This guide was developed using Forseti version 2.24.0 (release v5.1.0).
Prerequisites
To perform the steps in this tutorial, you need the following:
- Access to a G Suite or Cloud Identity super admin account.
- Access to the Security page in the Google Admin console.
- Access to the Cloud Console.
- Rights to modify IAM permissions at the Organization level.
- A project where you will deploy Forseti. In this tutorial, we use the project name
forseti
. - Editor or owner permissions for the
forseti
project.
Software that you need:
- Terraform 0.12.12 or higher
- Cloud SDK
Installing Forseti
You have two options when following this tutorial:
(Recommended) Clone the installer repository into your local workspace:
Forseti Security: Terraform Google Installer
For a stable build, select the latest
module-release
branch.Use a temporary shell workspace managed by Google:
If you use the Cloud Shell option, be sure to back up your
terraform.tfvars
file at the end of the session.
Regardless of which option you choose for the working environment, the steps below are the same. When the steps below refer to your shell session, this refers to whichever choice of environment you made above.
Preparing the Google Cloud environment
If you do not have a dedicated forseti
project yet, then create one. Navigate to the project
Home page and take note of the Project ID information displayed in
the Project info panel.
In the forseti
project, do the following:
- Go to the VPC Networks page in the Cloud Console.
Create a VPC for Forseti with one subnet. Configure it with the following parameters:
- Private Google access: On
- Flow logs: On (optional)
- Dynamic routing mode: Regional
In the example above, the VPC was created with the name
forseti
and the subnet with the nameforseti-subnet1
. The chosen region isus-east4
. The chosen zone isus-east4-a
. During this step, record the network, subnet, and region names; you will use them in later steps.Remove the default network.
Open your shell session and confirm that you have the required software installed:
terraform -v && gsutil -v && gcloud -v
Sample output:
Terraform v0.12.16 gsutil version: 4.46 Google Cloud SDK 272.0.0
Before the next step, run
gcloud auth list
to ensure that your shell session is authenticated.If your shell session is not yet authenticated, then use the
gcloud auth login
command to authenticate.In your shell, run the following commands to set the configuration context for
gcloud
:gcloud config set project [PROJECT_ID] gcloud config set compute/region [REGION_NAME] gcloud config set compute/zone [ZONE_NAME]
In our example:
gcloud config set project forseti-project-id gcloud config set compute/region us-east4 gcloud config set compute/zone us-east4-a
Run a helper script to create a service account and enable APIs
Before you can run the Terraform module, you must create a service account and enable specific APIs. The Forseti installer
has a helper script that uses gcloud
for this purpose.
Navigate to
terraform-google-forseti/helpers
.Run the
setup.sh
script:./setup.sh -p [PROJECT_ID] -o [ORGANIZATION_ID]
To find your Organization ID, you can use the
gcloud organizations list
command. You will need the Organization ID for subsequent steps, too.This step creates a
credentials.json
file in thehelpers
folder, which you will need in a later step. This file is removed at the end of the installation procedure.
Prepare the Terraform environment
Move the
credentials.json
file to theterraform-google-forseti/examples/install_simple
folder and navigate to that folder:# from the helpers folder mv credentials.json ../examples/install_simple cd ../examples/install_simple
For details, see the installation documentation.
Open the
terraform.tfvars
file with a text editor. This file contains the input provided to the Terraform module.The default
terraform.tfvars
file looks like the following:project_id = "my-project-id" org_id = "11111111" domain = "mydomain.com" region = "us-east4" network = "default" subnetwork = "default" network_project = "" gsuite_admin_email = "admin@mydomain.com" sendgrid_api_key = "" forseti_email_sender = "" forseti_email_recipient = ""
Configure the file as follows:
- Configure
project_id
with your project ID. - Configure the
org_id
with your Organization ID. - Configure the
domain
with your organization's domain. - Configure network and subnetwork and region with the information you recorded when creating the network. In this
example it's
forseti
,forseti-subnet1
andus-east4
respectively.
If your organization is set up to use shared networks, you can instead use a network in your host project and populate the
network_project
accordingly. Typically, because the Forseti toolset should be contained to Google Cloud, an isolated project/network combination is appropriate. Also note that in this case you would need to pass the-f
flag to the helper script in the previous section.- Configure
Add the following line to the end of the
terraform.tfvars
file:private = true
Your file should look like the following:
project_id = "forseti-project-id" org_id = "111111111111" domain = "example.com" region = "us-east4" network = "forseti" subnetwork = "forseti-subnet1" network_project = "" gsuite_admin_email = "admin@example.com" sendgrid_api_key = "" forseti_email_sender = "" forseti_email_recipient = "" private = true
If you plan to use the SendGrid email service, ensure that you obtain an API key and configure the
sendgrid_api_key
,forseti_email_sender
, andforseti_email_recipient
. We recommend that you use a group alias as the email recipient.Create a bucket to store the Terraform state. The bucket name must be unique. In this tutorial, we use the project ID as the bucket name, but you can use any unique name.
PROJECT=`gcloud config list --format 'value(core.project)'` gsutil mb gs://$PROJECT-tfstate
Take note of the bucket name for subsequent use.
If your organization already uses Terraform, you can use the same backend as your other Terraform scripts, with a separate folder for the Forseti installation.
Open the
backend.tf
file with a text editor. The default contents should look like the following:# terraform { # backend "gcs" { # bucket = "my-project-tfstate" # prefix = "terraform/forseti" # } # }
Uncomment the block above, and populate the
bucket
value with the bucket name from the previous step. The prefix is the folder in which the state will be saved within the bucket. The updated file should look like the following:terraform { backend "gcs" { bucket = "[PROJECT_ID]-tfstate" prefix = "terraform/forseti" } }
Running the installer module
With the prerequisite work done, you can install Forseti.
Initialize and download the required modules:
terraform init
Run the installer module:
terraform apply
At the time of this writing, there is a bug when running with Terraform higher than version 0.12.12
that causes
the following error: tls_private_key.policy_library_sync_ssh is empty tuple
(more info). To work around this issue, open the
main.tf
file and add the following line after the private lines in the module definition:
policy_library_sync_enabled = true
. After this modification, the module will look like the following:
module "forseti-install-simple" {
source = "terraform-google-modules/forseti/google"
version = "~> 5.0.0"
[... REDACTED for brevity ... ]
client_private = var.private
server_private = var.private
policy_library_sync_enabled = true
}
You may see other warnings, such as Warning: Quoted references are deprecated
or Warning: Interpolation-only expressions
are deprecated
. These do not affect the installation, and you should be able to proceed with the installation as expected.
Making Forseti private
At this stage, Forseti is installed, but it is not yet fully private. In this section, you make Forseti private.
In the Cloud Console, ensure that you have the forseti
project selected, and then do the following:
- Go to the Cloud SQL page in the Cloud Console.
Find the row for the
forseti-server-db
instance, click the more icon (three dots) at the end of the row, and then click Edit.Add the private IP address, remove the public IP address, and save the changes.
Note: This is also a good time to ensure that the database is in the same zone as the server VM (optional).
Go to the Firewall rules page and edit the rules of both
forseti-client-allow-ssh-external
andforseti-server-allow-ssh-external
to restrict the source IP ranges to the locaton (on-premises or datacenter range) that you will be connecting from.(Optional) Go to the VM instances page and verify that there is no public IP addresses for the server and client VMs; since we set the
private
flag to true, this should be properly configured.If you remove the public IP addresses, then connections to the instances must be through Cloud Identity-Aware Proxy (IAP), Cloud VPN, or Cloud Interconnect. Cloud IAP provides Google Identity verified proxy tunnel to compute instances without internet access. For details on how to set up Cloud IAP to access a Forseti VM through SSH, see the Cloud IAP documentation.
Configuring Forseti
In this section, you perform the base configuration to get Forseti up and running.
Enable domain-wide delegation
You must be logged in with the super admin account for the steps in this section.
For details of domain-wide delegation, see Enable domain-wide delegation in G Suite in the Forseti documentaton.
- Navigate to IAM & admin > Service Account page on the
forseti
project. Find the
Forseti Server
service account, click the more icon (three dots), and then click Edit. Note the service account address for use in the next section.Click the checkbox to select Enable G Suite Domain-wide Delegation.
Click View Client ID.
Copy the value from the Client ID field and save it for the next step.
You can also copy the client ID from the Edit page if you are unable to copy it from the popover that displays the information.
In the Google Admin Console, go to Manage API client access in Security Settings, and paste the client ID in the client name box.
Authorize the following scopes:
https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/cloudplatformprojects.readonly,https://www.googleapis.com/auth/apps.groups.settings
Enable Cloud SCC with Forseti plugin
In the Forseti project, go to API & Services > Library page, search for the Cloud Security Command Center API (
securitycenter.googleapis.com
), and enable it.Navigate to the Organization level.
Use the menu in the upper-left corner of the Cloud Console to navigate to Security > Security Command Center.
Enable the service.
At the top of the Security Command Center page, click Add Security Sources.
Select the Forseti Cloud SCC Connector plugin.
Click the Visit Forseti Security to sign up button to get started.
Follow the steps to enable the extension. First, select your organization.
Follow the instructions on the screen. When asked for a service account, use the Forseti Server service account. Choose the
forseti
project.Copy the
source_id
for later use. Thesource_id
is in this format, as shown in the screenshot above:organizations/[ORGANIZATION_ID]/sources/[SOURCE_ID]
Navigate to the Organization IAM page and ensure that the service account has the Security Center Findings Editor role.
If you did not re-use the Forseti Server service account and created a new service account for Cloud SCC, you need to grant Security Center Findings Editor role for both the Foresti Server service acconut and the newly created service account for Cloud SCC.
Configuring the CSCC integration in Forseti
Now you can edit the Terraform files to enable CSCC integration.
Ensure that you are in the
terraform-google-forseti/examples/install_simple
folder for the next steps.Add the following line to the bottom of the
terraform.tfvars
file:cscc_violations_enabled = "true" cscc_source_id = "organizations/[ORGANIZATION_ID]/sources/[SOURCE]"
The
cscc_source_id
is the value ofsource_id
that you copied in the previous section.Your file should look like the following:
project_id = "forseti-project-id" org_id = "111111111111" domain = "example.com" region = "us-east4" network = "forseti" subnetwork = "forseti-subnet1" network_project = "" gsuite_admin_email = "admin@example.com" sendgrid_api_key = "" forseti_email_sender = "" forseti_email_recipient = "" private = true cscc_violations_enabled = "true" cscc_source_id = "organizations/[ORGANIZATION_ID]/sources/[SOURCE]"
To tell the module how to to use the values set in the previous steps, you edit the
variables.tf
andmain.tf
files.Add the following to the bottom of the
variables.tf
file:variable "cscc_violations_enabled" { description = "enables integraton with Cloud Security Command Center" type = bool default = false } variable "cscc_source_id" { description = "Source ID to be used in the Cloud Security Command Center configuration" default = "" }
In the
main.tf
file, find themodule "forseti-install-simple"
line; this is a code block surrounded by{}
. Inside this code block, add the following lines:cscc_violations_enabled = var.cscc_violations_enabled cscc_source_id = var.cscc_source_id
After the modification, the module will look like the following:
module "forseti-install-simple" { source = "terraform-google-modules/forseti/google" version = "~> 5.0.0" [... REDACTED for brevity ... ] client_private = var.private server_private = var.private cscc_violations_enabled = var.cscc_violations_enabled cscc_source_id = var.cscc_source_id }
Run
terraform apply
again:terraform apply
Validate the configuration
To validate that the configuration was properly applied, do the following:
List the buckets:
gsutil ls
Find the
forseti-server
bucket.View the relevant part of configuration file:
gsutil cat gs://forseti-server-[id]/configs/forseti_conf_server.yaml | grep cscc -A6
The output should look similar to the following:
cscc: enabled: true # Cloud SCC uses a source_id. It is unique per # organization and must be generated via a self-registration process. # The format is: organizations/ORG_ID/sources/SOURCE_ID source_id: organizations/[ORGANIZATION_ID]/sources/[SOURCE]
For further validation, you can trigger a notification manually and verify that it shows up in the Security Command Center page:
Use SSH to connect to the Forseti server VM:
forseti-server-vm
.Reload the server configuration:
forseti server configuration reload gs://forseti-server-[id]/configs/forseti_conf_server.yaml
Create an inventory:
forseti inventory create
At the end of this step, the output gives an inventory ID; copy it for the next step.
{ "errors": 0, "warnings": 31, "step": "bucket/test-function-http-tpc6nm6zh2", "finalMessage": false, "lastError": "", "id": "1556128018126591", # <== This is the inventory ID. "lastWarning": "" }
Sometimes the installation procedure does not complete as expected, in which case the VM might give the following error:
forseti: command not found
If you receive this error, you have three options:
- Restart the Forseti Server VM, because a known issue might have prevented the process from starting correctly.
- Destroy the installation, ensure that the project is clean, and run
terraform apply
again. - Follow the steps detailed here in the Forseti Server VM to install it locally.
Create a model based on the inventory, and configure Forseti to use it:
forseti model create --inventory_index_id [INVENTORY_ID] [MODEL_NAME] forseti model use [MODEL_NAME]
Run Forseti Scanner:
forseti scanner run
Run Forseti Notifier:
forseti notifier run
Check the output for any violations.
Validate that the Forseti violations are shown as findings in the Cloud Security Command Center page.
Conclusion
This gives you a production-ready base intallation of Forseti. However, it's important to note that you still need to create an organizaton-specific configuration. Typically, you need to refine the base rules to remove the noise and catch use-cases that are specific to your organization (for example, allow firewall rules opening SSH and RDP traffic only for your defined IP ranges).
See the Forseti documentation on how to create your own rules.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see our Site Policies. Java is a registered trademark of Oracle and/or its affiliates.