Skip to content
No description, website, or topics provided.
Branch: master
Clone or download
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
bots GCP cloud bots (#1) Jul 8, 2019
docs/pictures add main image (#4) Jul 11, 2019
dome9CloudBots/bots
README.md Readme update (#5) Jul 11, 2019
email_message.json
handle_event.py GCP cloud bots (#1) Jul 8, 2019
main.py
requirements.txt GCP cloud bots (#1) Jul 8, 2019
send_events_and_errors.py GCP cloud bots (#1) Jul 8, 2019
send_logs.py GCP cloud bots (#1) Jul 8, 2019

README.md

CloudBots is an automatic remediation solution for public cloud platforms (GCP, AWS, and Azure)

What are Dome9 CloudBots?

Dome9 CloudBots are an autoremediation solution for GCP, built on top of the CloudGuard Dome9 Continuous Compliance capabilities.

They can also be used standalone, without Dome9, to remedy issues in AWS and Azure accounts. Details are included how to configure and trigger them.

Flow Diagram

Flow Diagram

The Bots

Refer to this file for a list of the bots, what each one does, and an example of a rule that could be used to trigger it.

Onboarding

Download ZIP

  1. Download ZIP (The GCP Function will require the content zipped).
  2. If you cloned the repository make sure to Zip the contents.

Create GCP Service Account for cloudbots

  1. In the GCP console, navigate to IAM & admin, and then select Service accounts.
  2. Click CREATE SERVICE ACCOUNT to add a service account.
  3. Enter a name (e.g., Dome9-cloudbots)
  4. In the Service Account ID field, the name of the service account will be used for the Cloud Function (in the previous step).
  5. Click Create.

Configure SendGrid

SendGrid (sendgrid.com) is a third-party email service. It has different tiers and pricing. It is used by GCP to distribute emails. See here for more info.

  1. Navigate to sendgrid.com
  2. Create a new account, following the instructions on the site.
  3. Navigate to Settings, and then select API Keys.
  4. Click Create API Key.
  5. Enter a name for the key (e.g., Dome9-cloudbots, an select Full Access.
  6. Click Create Key, then copy the value of the key.
  7. Click Done.

Create a GCP Function with the CloudBots

  1. Navigate to Cloud Functions.
  2. Click CREATE FUNCTION.
  3. Enter a name for the function (e.g., Dome9-Cloudbot).
  4. Make sure the Trigger is HTTP.
  5. In the Source Code section, select ZIP upload.
  6. In the Runtime section, select Python 3.7.
  7. In the ZIP file section, browse to the location of zip file created before.
  8. In the Stage bucket section, click Browse.
  9. Click +, enter a name for the bucket, and then click CREATE.
  10. In the Function to execute section, enter main.
  11. Click Environment variables, networking, timeouts and more at the bottom of the navigation menu, on the left.
  12. In the Service account field, select the account created above.
  13. In the Environment variables section, click Add variable, and add the following variables:
    1. SEND_GRID_API_CLIENT - enter to SendGrid API Key, created above.
    2. OUPTPUT_EMAIL - the email recipient (for notification emails, generated with SendGrid).
    3. SEND_LOGS - set to True to send log information to Dome9, for troubleshooting; False to disable this (default is True).
  14. Click CREATE to create the function for the cloudbots.

Webhook for Function

The cloudbot function in GCP is triggered from Dome9 using a webhook. For this, the URL of the function is required.

  1. Click on the Cloud Function you created.
  2. Copy the URL for Dome9 Notification.

Multiple Accounts

You can use CloudBots for several GCP projects, but install it in only one project. The other projects will be accessed from the first by granting IAM permissions.

  1. Create a GCP Function in one of the GCP projects, following the steps above.
  2. For each of the other projects, navigate to IAM & admin, and select IAM.
    1. Click ADD.
    2. In the New members field, enter the service account created above.
    3. Select the Project Editor role.
    4. Click SAVE.

Configure Dome9

On Dome9 add remediation tags to rules in a Compliance ruleset.

See also

CloudGuard Dome9 Compliance

Continuous Compliance

Notification Policies

Configure a Dome9 Compliance Ruleset

CloudBots are triggered by findings discovered by Dome9 Compliance rulesets. You must configure a ruleset to trigger the CloudBots.

Follow these steps in your Dome9 account to tag the compliance rules & rulesets to use bots as a remediation step.

  1. In the Dome9 console, navigate to the Rulesets page in the Compliance & Governance menu.

  2. Select the rules for which you want to add a remediation step.

  3. In the Compliance Section add a row with the following string: AUTO: <bot-name> <params> where bot-name is the name of the bot, and params is a list of arguments for the bot (if any).

    For example, AUTO: vm_instance_stop will run the bot to stop a VM instance.

Configure a Dome9 Continuous Compliance policy

Once the rules in the ruleset have been tagged for remediation, set up a Continuous Compliance policy to run the ruleset, and send findings the GCP function webhook.

  1. Navigate to the Policies page in the Compliance & Governance menu.
  2. Click ADD POLICY (on the right).
  3. Select the account from the list, then click NEXT, this will be the one account in which the bots are deployed.
  4. Select the ruleset from the list, then click NEXT.
  5. Click ADD NOTIFICATION.
  6. Select Webhook integration and enter the URL for the Function, as described above Webhook for Function, and then click SAVE.

Note: Dome9 will send event messages to the webhook for new findings. To send events for previous findings, follow these steps:

  1. Navigate to the Policies page.
  2. Find the ruleset and account in the list, and hover over the right of the row, then click on the Send All Alerts icon.
  3. Select the webhook Notification Type option, and the Notification Policy (the one created above), then click SEND. Dome9 will send event messages to the GCP function webhook.

Log Collection for Troubleshooting

The cloudbots send log information to Dome9, that is used for troubleshooting. By default, this is enabled for all bots. You can disable this in your GCP account. Select the function, and set the environment variable SEND_LOGS to False. This will apply to all bots in the account. By default, this is set to True, enabling logs.

Each account is controlled by the variable for the function configured in that account.

You can’t perform that action at this time.