Google-Foundation-Toolkit, CFT-Scorecard, Forseti-Config-Validator,

CFT Scorecard is an open-source command-line client for Forseti Config Validator and part of the broader Cloud Foundation Toolkit. It provides visibility into misconfigurations and violations of an established set of standards for Google Cloud resources, projects, folders, or even whole organizations.


There are over 86 distinct Google Cloud resource types, and the number keeps growing. With the move to public cloud, it is easier than ever to federate cloud operations and resource deployment out to many individuals. That federation and agility in deploying infrastructure, resources, and policy has made it increasingly difficult to keep policies and standards in order.


In this lab you will configure CFT Scorecard to improve visibility into a Google Cloud project and detect misconfigurations.

This lab highlights the challenges with using the cloud with multiple concurrent users. You will enable the CFT Scorecard and extend its resource configuration monitoring and violation detection capabilities through integration with Cloud Asset Inventory and the open-sourced Policy Library. You will set up the tooling for detecting misconfigurations and over-exposed resources while still allowing other individuals within your team, and ultimately the Google Cloud project, to be agile within established policies.

Setting up CFT Scorecard

Running a CFT Scorecard assessment

Adding new CFT Scorecard policy





Imagine you are the Technical Lead of a 3 person team. Your remote teammates, Alice and Bob, are working very closely with you and deploying many resources into the same shared Google Cloud project as you. After a few weeks of working together, you start to notice a few red flags. You soon discover that both Alice and Bob have cut corners and introduced project configurations that you consider misconfiguration. One misconfiguration exposed a Cloud Storage bucket publicly. This is merely one misconfiguration that you have uncovered, but you fear that there could be many more.

After doing a quick Google search, you come across the Cloud Foundation Toolkit (CFT) Scorecard CLI utility. After a quick read, you decide this can help you administer policies into your Google Cloud environment and determine where misconfigurations are occurring. You decide to give it a try.








student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ gsutil mb -l us-central1 -p $GOOGLE_PROJECT gs://$CAI_BUCKET_NAME
Creating gs://cai-qwiklabs-gcp-04-a69514b6748f/...
ServiceException: 409 A Cloud Storage bucket named 'cai-qwiklabs-gcp-04-a69514b6748f' already exists. Try another name. Bucket names must be globally unique across all Google Cloud projects, including those outside of your organization.
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ gsutil mb -l us-central1 -p $GOOGLE_PROJECT gs://ketan
Creating gs://ketan/...
ServiceException: 409 A Cloud Storage bucket named 'ketan' already exists. Try another name. Bucket names must be globally unique across all Google Cloud projects, including those outside of your organization.
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ gsutil mb -l us-central1 -p $GOOGLE_PROJECT gs://ketan080523
Creating gs://ketan080523/...
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ gcloud asset export \
    --output-path=gs://$CAI_BUCKET_NAME/resource_inventory.json \
    --content-type=resource \
    --project=$GOOGLE_PROJECT
Export in progress for root asset [projects/qwiklabs-gcp-04-a69514b6748f].
Use [gcloud asset operations describe projects/592851776084/operations/ExportAssets/RESOURCE/3ba3ea53c80a83e9e813fe2f92207c71] to check the status of the operation.
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ echo $?
0
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ gcloud asset operations describe projects/592851776084/operations/ExportAssets/RESOURCE/3ba3ea53c80a83e9e813fe2f92207c71
metadata:
  '@type': type.googleapis.com/google.cloud.asset.v1.ExportAssetsRequest
  contentType: RESOURCE
  outputConfig:
    gcsDestination:
      uri: gs://cai-qwiklabs-gcp-04-a69514b6748f/resource_inventory.json
  parent: projects/592851776084
name: projects/592851776084/operations/ExportAssets/RESOURCE/3ba3ea53c80a83e9e813fe2f92207c71
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ gcloud asset export \
    --output-path=gs://$CAI_BUCKET_NAME/iam_inventory.json \
    --content-type=iam-policy \
    --project=$GOOGLE_PROJECT
Export in progress for root asset [projects/qwiklabs-gcp-04-a69514b6748f].
Use [gcloud asset operations describe projects/592851776084/operations/ExportAssets/IAM_POLICY/9b4f6f3bae519c0626658b448b64c1f8] to check the status of the operation.
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ gcloud asset operations describe projects/592851776084/operations/ExportAssets/IAM_POLICY/9b4f6f3bae519c0626658b448b64c1f8
metadata:
  '@type': type.googleapis.com/google.cloud.asset.v1.ExportAssetsRequest
  contentType: IAM_POLICY
  outputConfig:
    gcsDestination:
      uri: gs://cai-qwiklabs-gcp-04-a69514b6748f/iam_inventory.json
  parent: projects/592851776084
name: projects/592851776084/operations/ExportAssets/IAM_POLICY/9b4f6f3bae519c0626658b448b64c1f8
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$    
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ gcloud asset export \
    --output-path=gs://$CAI_BUCKET_NAME/org_policy_inventory.json \
    --content-type=org-policy \
    --project=$GOOGLE_PROJECT
Export in progress for root asset [projects/qwiklabs-gcp-04-a69514b6748f].
Use [gcloud asset operations describe projects/592851776084/operations/ExportAssets/ORG_POLICY/235a349731fecea0f30ab670e549def8] to check the status of the operation.
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ ^C
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ gcloud asset operations describe projects/592851776084/operations/ExportAssets/ORG_POLICY/235a349731fecea0f30ab670e549def8
metadata:
  '@type': type.googleapis.com/google.cloud.asset.v1.ExportAssetsRequest
  contentType: ORG_POLICY
  outputConfig:
    gcsDestination:
      uri: gs://cai-qwiklabs-gcp-04-a69514b6748f/org_policy_inventory.json
  parent: projects/592851776084
name: projects/592851776084/operations/ExportAssets/ORG_POLICY/235a349731fecea0f30ab670e549def8
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ gcloud asset export \
    --output-path=gs://$CAI_BUCKET_NAME/access_policy_inventory.json \
    --content-type=access-policy \
    --project=$GOOGLE_PROJECT
Export in progress for root asset [projects/qwiklabs-gcp-04-a69514b6748f].
Use [gcloud asset operations describe projects/592851776084/operations/ExportAssets/ACCESS_POLICY/cb1219281326c8e310ebfb16029a16d0] to check the status of the operation.
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ gcloud asset operations describe projects/592851776084/operations/ExportAssets/ACCESS_POLICY/cb1219281326c8e310ebfb16029a16d0
metadata:
  '@type': type.googleapis.com/google.cloud.asset.v1.ExportAssetsRequest
  contentType: ACCESS_POLICY
  outputConfig:
    gcsDestination:
      uri: gs://cai-qwiklabs-gcp-04-a69514b6748f/access_policy_inventory.json
  parent: projects/592851776084
name: projects/592851776084/operations/ExportAssets/ACCESS_POLICY/cb1219281326c8e310ebfb16029a16d0
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ curl -o cft https://storage.googleapis.com/cft-cli/latest/cft-linux-amd64
# make executable
chmod +x cft
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 88.5M  100 88.5M    0     0  95.1M      0 --:--:-- --:--:-- --:--:-- 95.1M
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ ./cft scorecard --policy-path=policy-library/ --bucket=$CAI_BUCKET_NAME
Generating CFT scorecard
WARNING: Unable to read inventory file : org_policy_inventory.json storage: object doesn't exist


1 total issues found


Operational Efficiency: 0 issues found
----------


Security: 1 issues found
----------
denylist_public_users: 1 issues
- //storage.googleapis.com/fun-bucket-qwiklabs-gcp-04-a69514b6748f is publicly accessible



Reliability: 0 issues found
----------


Other: 0 issues found
----------
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ # Add a new policy to blacklist the IAM Owner Role
cat > policy-library/policies/constraints/iam_allowlist_owner.yaml << EOF
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAllowedBindingsConstraintV3
metadata:
  name: allowlist_owner
  annotations:
    description: List any users granted Owner
spec:
  severity: high
  match:
    target: ["organizations/**"]
    exclude: []
  parameters:
    mode: allowlist
    assetType: cloudresourcemanager.googleapis.com/Project
    role: roles/owner
    members:
    - "serviceAccount:admiral@qwiklabs-services-prod.iam.gserviceaccount.com"
EOF
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ echo $?
0
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ ./cft scorecard --policy-path=policy-library/ --bucket=$CAI_BUCKET_NAME
Generating CFT scorecard
2023/08/06 00:36:41 spec.match.target is deprecated and will be removed in a future release. Use spec.match.ancestries instead
2023/08/06 00:36:41 spec.match.exclude is deprecated and will be removed in a future release. Use spec.match.excludedAncestries instead
WARNING: Unable to read inventory file : org_policy_inventory.json storage: object doesn't exist


2 total issues found


Other: 1 issues found
----------
allowlist_owner: 1 issues
- IAM policy for //cloudresourcemanager.googleapis.com/projects/592851776084 grants roles/owner to serviceAccount:qwiklabs-gcp-04-a69514b6748f@qwiklabs-gcp-04-a69514b6748f.iam.gserviceaccount.com



Operational Efficiency: 0 issues found
----------


Security: 1 issues found
----------
denylist_public_users: 1 issues
- //storage.googleapis.com/fun-bucket-qwiklabs-gcp-04-a69514b6748f is publicly accessible



Reliability: 0 issues found
----------
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ export USER_ACCOUNT="$(gcloud config get-value core/account)"
export PROJECT_NUMBER=$(gcloud projects describe $GOOGLE_PROJECT --format="get(projectNumber)")
Your active configuration is: [cloudshell-5571]
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ # Add a new policy to allowlist the IAM Editor Role
cat > policy-library/policies/constraints/iam_identify_outside_editors.yaml << EOF
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAllowedBindingsConstraintV3
metadata:
  name: identify_outside_editors
  annotations:
    description: list any users outside the organization granted Editor
spec:
  severity: high
  match:
    target: ["organizations/**"]
    exclude: []
  parameters:
    mode: allowlist
    assetType: cloudresourcemanager.googleapis.com/Project
    role: roles/editor
    members:
    - "serviceAccount:$GOOGLE_PROJECT**gserviceaccount.com"
EOF
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ 
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ ./cft scorecard --policy-path=policy-library/ --bucket=$CAI_BUCKET_NAME
Generating CFT scorecard
2023/08/06 00:37:17 spec.match.target is deprecated and will be removed in a future release. Use spec.match.ancestries instead
2023/08/06 00:37:17 spec.match.exclude is deprecated and will be removed in a future release. Use spec.match.excludedAncestries instead
2023/08/06 00:37:17 spec.match.target is deprecated and will be removed in a future release. Use spec.match.ancestries instead
2023/08/06 00:37:17 spec.match.exclude is deprecated and will be removed in a future release. Use spec.match.excludedAncestries instead
WARNING: Unable to read inventory file : org_policy_inventory.json storage: object doesn't exist


3 total issues found


Operational Efficiency: 0 issues found
----------


Security: 1 issues found
----------
denylist_public_users: 1 issues
- //storage.googleapis.com/fun-bucket-qwiklabs-gcp-04-a69514b6748f is publicly accessible



Reliability: 0 issues found
----------


Other: 2 issues found
----------
identify_outside_editors: 1 issues
- IAM policy for //cloudresourcemanager.googleapis.com/projects/592851776084 grants roles/editor to user:qwiklabs.lab.user@gmail.com

allowlist_owner: 1 issues
- IAM policy for //cloudresourcemanager.googleapis.com/projects/592851776084 grants roles/owner to serviceAccount:qwiklabs-gcp-04-a69514b6748f@qwiklabs-gcp-04-a69514b6748f.iam.gserviceaccount.com

student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ mkdir output
student_01_9a47ad5b3296@cloudshell:~ (qwiklabs-gcp-04-a69514b6748f)$ cd output
student_01_9a47ad5b3296@cloudshell:~/output (qwiklabs-gcp-04-a69514b6748f)$ gs://cai-qwiklabs-gcp-04-a69514b6748f/iam_inventory.json
-bash: gs://cai-qwiklabs-gcp-04-a69514b6748f/iam_inventory.json: No such file or directory
student_01_9a47ad5b3296@cloudshell:~/output (qwiklabs-gcp-04-a69514b6748f)$ gs://cai-qwiklabs-gcp-04-a69514b6748f/iam_inventory.json .
-bash: gs://cai-qwiklabs-gcp-04-a69514b6748f/iam_inventory.json: No such file or directory
student_01_9a47ad5b3296@cloudshell:~/output (qwiklabs-gcp-04-a69514b6748f)
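The session above runs the scorecard as a black box. To make the findings reproducible without a Google Cloud project, here is an added Python example (not part of the lab and not the Policy Library's or CFT's own code) that replays the same three checks over a Cloud Asset Inventory iam-policy export: the `denylist_public_users` check for `allUsers`/`allAuthenticatedUsers` members, and the two allowlist constraints (`allowlist_owner`, `identify_outside_editors`) defined above. The export is modelled as newline-delimited JSON with `name`, `asset_type` and `iam_policy` fields (camelCase spellings are accepted as well; the field names are an assumption), member patterns are matched with shell-style globbing as a simplification of the Policy Library's matching, and `SAMPLE_EXPORT` is a constructed sample that contains the project and bucket bindings reported on this page.

```python
"""Offline replay of the scorecard findings shown on this page.

Assumptions (this example's, not the Policy Library's): the export is one
JSON asset per line with snake_case fields, and constraint member patterns
use fnmatch-style globbing.
"""
import fnmatch
import json

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# The two GCPIAMAllowedBindingsConstraintV3 allowlists from the page,
# reduced to the fields this check needs.
CONSTRAINTS = [
    {"name": "allowlist_owner",
     "assetType": "cloudresourcemanager.googleapis.com/Project",
     "role": "roles/owner",
     "members": ["serviceAccount:admiral@qwiklabs-services-prod.iam.gserviceaccount.com"]},
    {"name": "identify_outside_editors",
     "assetType": "cloudresourcemanager.googleapis.com/Project",
     "role": "roles/editor",
     "members": ["serviceAccount:qwiklabs-gcp-04-a69514b6748f**gserviceaccount.com"]},
]

# Constructed sample of an iam-policy export (not a real export).
SAMPLE_EXPORT = "\n".join(json.dumps(a) for a in [
    {"name": "//cloudresourcemanager.googleapis.com/projects/592851776084",
     "asset_type": "cloudresourcemanager.googleapis.com/Project",
     "iam_policy": {"bindings": [
         {"role": "roles/owner", "members": [
             "serviceAccount:admiral@qwiklabs-services-prod.iam.gserviceaccount.com",
             "serviceAccount:qwiklabs-gcp-04-a69514b6748f@qwiklabs-gcp-04-a69514b6748f.iam.gserviceaccount.com"]},
         {"role": "roles/editor", "members": [
             "serviceAccount:qwiklabs-gcp-04-a69514b6748f@appspot.gserviceaccount.com",
             "user:qwiklabs.lab.user@gmail.com"]}]}},
    {"name": "//storage.googleapis.com/fun-bucket-qwiklabs-gcp-04-a69514b6748f",
     "asset_type": "storage.googleapis.com/Bucket",
     "iam_policy": {"bindings": [
         {"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}},
    {"name": "//storage.googleapis.com/cai-qwiklabs-gcp-04-a69514b6748f",
     "asset_type": "storage.googleapis.com/Bucket",
     "iam_policy": {"bindings": [
         {"role": "roles/storage.admin",
          "members": ["projectEditor:qwiklabs-gcp-04-a69514b6748f"]}]}},
])


def parse_export(text):
    """Yield one asset dict per non-blank line of a newline-delimited export."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def _field(asset, snake, camel):
    # Accept either spelling of the field name (assumption about the format).
    return asset.get(snake, asset.get(camel))


def bindings(asset):
    policy = _field(asset, "iam_policy", "iamPolicy") or {}
    return policy.get("bindings", [])


def public_access_findings(assets):
    """denylist_public_users: any binding that grants access to everyone."""
    findings = []
    for asset in assets:
        if any(PUBLIC_MEMBERS.intersection(b.get("members", [])) for b in bindings(asset)):
            findings.append(f"{asset['name']} is publicly accessible")
    return findings


def allowlist_findings(assets, constraint):
    """Allowlist mode: report members of the constrained role that match no pattern."""
    findings = []
    for asset in assets:
        if _field(asset, "asset_type", "assetType") != constraint["assetType"]:
            continue
        for b in bindings(asset):
            if b.get("role") != constraint["role"]:
                continue
            for member in b.get("members", []):
                if not any(fnmatch.fnmatchcase(member, p) for p in constraint["members"]):
                    findings.append(f"IAM policy for {asset['name']} grants "
                                    f"{constraint['role']} to {member}")
    return findings


def scorecard(export_text, constraints=CONSTRAINTS):
    """Return {constraint_name: [finding, ...]} for the export text."""
    assets = list(parse_export(export_text))
    report = {"denylist_public_users": public_access_findings(assets)}
    for c in constraints:
        report[c["name"]] = allowlist_findings(assets, c)
    return report


if __name__ == "__main__":
    for name, findings in scorecard(SAMPLE_EXPORT).items():
        print(f"{name}: {len(findings)} issues")
        for f in findings:
            print(f"- {f}")
```

Run against the sample it reports the same three issues the last scorecard run above does: the public `fun-bucket`, the project service account holding `roles/owner` outside the owner allowlist, and the external `user:` account holding `roles/editor`. The `**` pattern on the editor constraint is what lets the project's own service accounts pass while the Gmail user is flagged.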