
Setting up Cloud SCC tools

This page provides information about how to prepare your Google Cloud Platform (GCP) project to install the Cloud Security Command Center (Cloud SCC) tools app package. These apps demonstrate how you can use Cloud SCC in your organization.

These apps demonstrate how to develop integrations or add-ons to the Cloud SCC platform. If you're a third-party security solution developer, or if you need something more specific for your organization, you might find these example apps particularly useful.

Overview

The Cloud SCC tools package includes the following components:

Hello World

Hello World is a small app that calls the Cloud SCC API to get an organization's assets or security provider findings. This app uses Cloud Functions to integrate with Cloud SCC APIs and trigger security workflows based on Cloud SCC queries:

  • Log query parameters and results.
  • Disable firewall rules that allow SSH connections to an instance.
  • Remove access to a Cloud Storage bucket.
  • Create a snapshot for each disk that belongs to an instance.

Hello World also includes a small library of example Cloud Functions that enable you to programmatically trigger the following actions with Cloud Pub/Sub messages:

  • Repair firewall
  • Snapshot VM
  • Change bucket ACL

You can use the Hello World app code as a starting point for other behaviors like:

  • Use Cloud Scheduler to periodically call a Cloud Pub/Sub topic and trigger a security workflow.
  • Store query results in a database or send them to another system as a notification.
  • Add a new Cloud Functions function to call another Google API.

Creator

The Creator app queries Cloud SCC data at regular intervals and sends the results to a Notifications Cloud Pub/Sub Topic. The Creator app provides examples of how to use the filter, readTime, and compareDuration parameters of the Cloud SCC API.

Query Builder

The Query Builder app enables you to create and schedule advanced, multi-step queries on Cloud SCC data using a web application interface. Query results can be sent to a Notifications Cloud Pub/Sub Topic where other apps can consume them. You can also configure Query Builder to add Cloud SCC security marks to query results.

For example, you could schedule a query to periodically look for network firewalls with port 22 allowed. You could then use Query Builder to mark the results in Cloud SCC and notify your security team so they can take appropriate action.

Notifier

The Notifier app subscribes to a Notifications Cloud Pub/Sub Topic and sends notifications to a configured channel, like email or SMS. The Notifier app consumes Cloud SCC query results published by other apps, like the Creator and Query Builder apps.

You can develop your own application to subscribe to the same Notifications Cloud Pub/Sub Topic, and customize how you handle the messages you get. For example, you could process the results and send them to one of your organization's internal systems, or store the results for further analysis in a database that you specify.

Audit Logs

The Audit Logs app can ingest Cloud Audit Logs entries through export sinks and create Cloud SCC security findings. This app includes integration of Access Transparency alerts and Binary Authorization alerts for Blocked Deployments and Break Glass scenarios.

This app creates single and aggregated log types:

  • Single log types create a Cloud SCC finding for each occurrence found:
    • Google Kubernetes Engine Binary Authorization
    • Access Transparency
    • Compute Engine
    • Cloud Storage
    • Service Networking
  • Aggregated log types group findings within a Cloud Dataflow period and then create a single Cloud SCC finding:
    • Cloud Identity and Access Management (Cloud IAM)

Splunk Connector

The Splunk Connector app uses the Cloud SCC API to export an organization's assets and findings. You can configure the app to filter Cloud SCC data to limit the data that's exported. For example, you could search for only findings of a specific type. The app runs on a schedule and delivers results to a Cloud Pub/Sub Topic that's connected to a Splunk Server Addon.

Setup scripts

The Cloud SCC tools package includes a set of companion scripts and utilities. The scripts and utilities are used during installation to create the necessary GCP infrastructure for each app and help deploy the apps.

These scripts do things like:

  • Create projects
  • Create service accounts
  • Generate SSL certificates
  • Deploy apps

This guide includes detailed instructions about how to execute the commands to install the Cloud SCC tools using the setup scripts.

Figure 1 provides a high-level overview of the Cloud SCC tools, not including the setup scripts:

[Figure 1: Cloud SCC tools overview diagram]
Figure 1. Diagram of the Cloud SCC tools with a description of how each tool interacts with Cloud SCC.

Before you begin

To complete this guide, you need the following:

  • An active GCP Organization with Cloud SCC enabled.
  • An active Cloud Billing account.
  • The project ID that you want to use to access the Cloud SCC API. This project must have the securitycenter.googleapis.com API enabled.
  • The following Cloud Identity and Access Management (Cloud IAM) roles at the organization level:
    • Billing Account User - roles/billing.user
    • DNS Administrator - roles/dns.admin
    • Organization Administrator - roles/resourcemanager.organizationAdmin
    • Organization Role Administrator - roles/iam.organizationRoleAdmin
    • Organization Role Viewer - roles/iam.organizationRoleViewer
    • Project Creator - roles/resourcemanager.projectCreator
    • Pub/Sub Publisher - roles/pubsub.publisher
    • Security Center Admin - roles/securitycenter.admin
    • Service Account Admin - roles/iam.serviceAccountAdmin
    • Service Account Key Admin - roles/iam.serviceAccountKeyAdmin
    • Service Management Administrator - roles/servicemanagement.admin
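Several of these roles (Organization Administrator, Service Account Key Admin, Project Creator) are organization-wide and highly privileged, so a careful installer confirms the installing identity has exactly what the list requires before starting, and removes what is no longer needed once installation is done. The script below is an added example, not part of the Cloud SCC tools package or its setup scripts: it diffs the granted organization-level roles against the list above and checks that securitycenter.googleapis.com is enabled on the API project. The environment variable names SCC_ORG_ID, SCC_INSTALLER_EMAIL and SCC_PROJECT_ID are assumptions of this example; the gcloud commands and flags are standard. The comparison functions operate on plain text, so they can be exercised offline, and gcloud is only invoked when it is on PATH and those variables are set.

```shell
# Added example (not part of the Cloud SCC tools package or its setup scripts):
# pre-flight check that the installing identity holds every organization-level
# role the page requires and that the API project has
# securitycenter.googleapis.com enabled. The gcloud calls run only when gcloud
# is on PATH and SCC_ORG_ID, SCC_INSTALLER_EMAIL and SCC_PROJECT_ID (names
# assumed by this example) are set.
set -eu

# Roles the page lists as required at the organization level.
SCC_REQUIRED_ROLES="roles/billing.user roles/dns.admin
roles/resourcemanager.organizationAdmin roles/iam.organizationRoleAdmin
roles/iam.organizationRoleViewer roles/resourcemanager.projectCreator
roles/pubsub.publisher roles/securitycenter.admin
roles/iam.serviceAccountAdmin roles/iam.serviceAccountKeyAdmin
roles/servicemanagement.admin"

# scc_missing_roles: reads the roles actually granted (one per line) on stdin
# and prints each required role that is absent, one per line.
# Returns 0 when nothing is missing, 1 otherwise.
scc_missing_roles() {
  granted=$(cat)
  missing=""
  for role in $SCC_REQUIRED_ROLES; do
    if ! printf '%s\n' "$granted" | grep -qxF -- "$role"; then
      missing="$missing $role"
    fi
  done
  if [ -z "$missing" ]; then
    return 0
  fi
  printf '%s\n' $missing
  return 1
}

# scc_api_enabled: reads the enabled services of a project on stdin (one per
# line) and returns 0 only if securitycenter.googleapis.com is among them.
scc_api_enabled() {
  grep -qxF 'securitycenter.googleapis.com'
}

# Live check against GCP. Note that roles granted only through a group
# membership do not appear under the user's own member entry, so a role
# reported as missing here may still be inherited via a group.
if command -v gcloud >/dev/null 2>&1 \
   && [ -n "${SCC_ORG_ID:-}" ] && [ -n "${SCC_INSTALLER_EMAIL:-}" ] \
   && [ -n "${SCC_PROJECT_ID:-}" ]; then
  if gcloud organizations get-iam-policy "$SCC_ORG_ID" \
       --flatten="bindings[].members" \
       --filter="bindings.members:user:${SCC_INSTALLER_EMAIL}" \
       --format="value(bindings.role)" | scc_missing_roles; then
    echo "all required organization-level roles are present"
  else
    echo "the roles listed above are missing for ${SCC_INSTALLER_EMAIL}" >&2
  fi
  if gcloud services list --enabled --project "$SCC_PROJECT_ID" \
       --format="value(config.name)" | scc_api_enabled; then
    echo "securitycenter.googleapis.com is enabled on ${SCC_PROJECT_ID}"
  else
    echo "enable it with: gcloud services enable securitycenter.googleapis.com --project ${SCC_PROJECT_ID}" >&2
  fi
fi
```

Run it from Cloud Shell with the three variables exported; any role it prints must be granted at the organization level (directly, or via a group you confirm separately) before continuing with the installation.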

Installing Cloud SCC tools

To install the Cloud SCC tools, complete the steps below to prepare your environment. After you complete this guide, you can install each tool independently by following the README that's included with the tool.

You must use Cloud Shell to install the tools. Cloud Shell provides command-line access to your GCP resources directly from your browser.

Get the tools package

Run the following commands to download the tools package and set up a working directory:

  1. Go to the GCP Console.
  2. Click Activate Cloud Shell.
  3. Get the name of the tools version you want to use. Release archives are named with a timestamp, so list the Cloud Storage bucket contents to find the exact filename.

    # list available versions
    gsutil ls gs://cloud-scc-beta-example-apps-download/
    
  4. Set environment variables for your working directory and the tools version you want to download.

    1. The Cloud SCC tools release version:

      # the Cloud SCC tools release version you want to download, for example 3.4.0
      export VERSION=[RELEASE_VERSION]
      
    2. The filename for the tools version:

      # the filename for the tools version you want to download,
      # for example 3.4.0-20190418T152241Z-001.zip
      export FILENAME=[FILENAME]
      
    3. The path for your working directory:

      # directory to unzip the installation zip files
      export WORKING_DIR=${HOME}/scc-tools-install
      
  5. Create your working directory:

    # create the working directory
    mkdir $WORKING_DIR
    
  6. Go to the working directory:

    # go to the working directory
    cd $WORKING_DIR
    
  7. Download the Cloud SCC tools files by running:

    gsutil cp gs://cloud-scc-beta-example-apps-download/${FILENAME} .
    
  8. Unzip the Cloud SCC tools files:

    unzip -qo ${FILENAME} -d .
    
  9. Complete setup by following the steps in the README-[VERSION].pdf included in the download.

After you complete the README, you'll be ready to install any of the Cloud SCC tools using the tool installation guides.
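The steps above, gathered into functions with the checks a careful installer wants, as an added example that is not part of the Cloud SCC tools package or its setup scripts: parsing the gsutil listing into distinct release versions, checking that FILENAME really is an archive of VERSION (the two are set by hand and are easy to mismatch), refusing to unpack over an existing working directory, and testing the archive's CRCs before extracting it. The filename pattern is inferred from the example filename shown above (VERSION-TIMESTAMP-NNN.zip); the bucket name and the README-[VERSION].pdf name come from the page. gsutil is only called inside scc_fetch_tools, which runs when VERSION and FILENAME are exported and gsutil is available, as it is in Cloud Shell.

```shell
# Added example (not part of the Cloud SCC tools package): the download steps
# wrapped in functions with sanity checks. The listing and filename checks
# work on plain text; gsutil and unzip are only used by scc_fetch_tools.
set -eu

SCC_BUCKET="gs://cloud-scc-beta-example-apps-download"

# scc_versions: reads the output of `gsutil ls $SCC_BUCKET/` on stdin and
# prints the distinct release versions, one per line. Archive names are
# assumed to follow VERSION-TIMESTAMP-NNN.zip, e.g.
# 3.4.0-20190418T152241Z-001.zip (the pattern shown on the page).
scc_versions() {
  sed -n 's#^.*/\([0-9][0-9.]*\)-[0-9]\{8\}T[0-9]\{6\}Z-[0-9]\{3\}\.zip$#\1#p' | sort -u
}

# scc_check_filename VERSION FILENAME: succeeds only if FILENAME is a release
# archive of exactly VERSION, so README-3.4.0.pdf is never paired with a
# 3.3.x download after a copy/paste slip.
scc_check_filename() {
  ver=$1; file=$2
  esc=$(printf '%s' "$ver" | sed 's/\./\\./g')   # escape dots for the regex
  printf '%s\n' "$file" \
    | grep -qE "^${esc}-[0-9]{8}T[0-9]{6}Z-[0-9]{3}\.zip$"
}

# scc_fetch_tools VERSION FILENAME WORKING_DIR: download and unpack, refusing
# to overwrite an existing working directory and testing the archive before
# extracting it. Runs in a subshell so the caller's directory is unchanged.
scc_fetch_tools() {
  ver=$1; file=$2; dir=$3
  if ! scc_check_filename "$ver" "$file"; then
    echo "$file is not a $ver release archive" >&2
    return 1
  fi
  if [ -e "$dir" ]; then
    echo "$dir already exists; refusing to unpack over it" >&2
    return 1
  fi
  mkdir -p "$dir"
  (
    cd "$dir"
    gsutil cp "${SCC_BUCKET}/${file}" .
    unzip -tq "$file"          # verify every member's CRC before unpacking
    unzip -qo "$file" -d .
    if [ ! -f "README-${ver}.pdf" ]; then
      echo "warning: README-${ver}.pdf not found in the archive" >&2
    fi
  )
}

# Usage from Cloud Shell once VERSION and FILENAME are exported, for example:
#   gsutil ls "${SCC_BUCKET}/" | scc_versions      # pick a version
#   scc_fetch_tools "$VERSION" "$FILENAME" "$HOME/scc-tools-install"
if [ -n "${VERSION:-}" ] && [ -n "${FILENAME:-}" ] \
   && command -v gsutil >/dev/null 2>&1; then
  scc_fetch_tools "$VERSION" "$FILENAME" "${WORKING_DIR:-$HOME/scc-tools-install}"
fi
```

The `unzip -t` pass is cheap and catches a truncated or corrupted download before anything is written to the working directory; the existence check matters because `unzip -o` would silently overwrite files from a previous version.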

Installation guides

The tools package you downloaded contains a README for each app with its installation instructions:

  • Hello World: scc-hello-world-README-[VERSION].pdf
  • Creator: scc-creator-README-[VERSION].pdf
  • Query Builder: scc-query-builder-README-[VERSION].pdf
  • Notifier: scc-notifier-README-[VERSION].pdf
  • Audit Logs: scc-audit-logs-README-[VERSION].pdf
  • Splunk Connector: scc-connector-README-[VERSION].pdf

After you install an app, you can find more information about the app in its user guide:

  • Hello World: scc-hello-world-USER_GUIDE-[VERSION].pdf
  • Creator: scc-creator-USER_GUIDE-[VERSION].pdf
  • Query Builder: scc-query-builder-USER_GUIDE-[VERSION].pdf
  • Notifier: scc-notifier-USER_GUIDE-[VERSION].pdf
  • Audit Logs: scc-audit-logs-USER_GUIDE-[VERSION].pdf
  • Splunk Connector: scc-connector-USER_GUIDE-[VERSION].pdf