Deployment through lambda? #39

Closed
getsec opened this issue May 14, 2020 · 15 comments
Comments

@getsec

getsec commented May 14, 2020

Hey, have you made this code callable through a python script?

I find value in this tool, but would love to deploy a lambda that runs weekly and dumps these reports in an S3 bucket, since we have lots of AWS accounts, going into each account and running is really a pain.

@kmcquade
Collaborator

True. Yes, we have one internally. I’ll see what I can do for making that available, or creating a minimized version of it dedicated to Cloudsplaining.

Of course, PRs are not expected but are definitely appreciated.

What kind of format would you be looking for? Frankly, while I’ve worked on Lambda functions, I’ve never published one with a Terraform module, or crafted one in a way that is easily parameterized. For example, I know that everyone will name their cross account role differently. Would you just want the example function itself, with storing the results in S3, and perhaps the IAM privs to stash it in S3? Let me know. Brainstorming is helpful here.

@getsec
Author

getsec commented May 14, 2020

Honestly, in a perfect world, I'd love to be able to scan, provide exclusions, and get the html format in as a str, when I could just use the function to do whatever I want, upload to a bucket, send alerts blah blah. Just having the ability to run the tool as a script instead of from the CLI.

@kmcquade
Collaborator

I completely agree :) we have hundreds of accounts and have been talking about how in order to scale this over years (and once we get to 1000s of accounts if we aren't there already) we need a fully self-service model for both assessment and remediation.

The JSON output data file is definitely going to change. Would you want to see this more structured so you could parse, identify diffs, and alert on its contents if desired?

All of this input helps drive the roadmap btw so for real, the input is appreciated. (For anyone else out there reading this, please feel free to open up issues and provide input or feature requests, as we consider all of them)

@getsec
Author

getsec commented May 14, 2020

I've only just begun evaluating and I'm sure there's a lot more for me to identify. Is there a better place we can discuss (gitter / slack)? Or does the PR chat for you.

@kmcquade
Collaborator

Gitter is great. I can be easily contacted on there.

kmcquade added the "help wanted" label May 14, 2020
@Kwinnieprince

Hi, I am also trying to achieve the same thing by running a lambda function to periodically check with a python script.
Is there some progress regarding this issue?

Thanks!

@getsec
Author

getsec commented May 27, 2020

@Kwinnieprince I raised the question but I'm unsure of its status. As it says "Help Wanted", I'm sure they are looking for someone to take on the load and submit a pull request. I will try to take a look when time arises, but as of now, my cycles are at full capacity.

@kmcquade
Collaborator

@getsec @Kwinnieprince - this is next up on my list. I’m out of office from June 1st through June 15th though so I will likely have to address when I get back.

I listed it as help wanted because I thought it might be helpful if someone could stitch together some Terraform code so it can be easily deployed as a demo. For example, if it runs as a Lambda function, then it will need an IAM role (just IAM:GetAccountAuthorizationDetails), the S3 bucket, and a few other things. I should have explained that when I placed the help wanted label.

If you are interested in helping on that part, I'd appreciate it. I'll tackle the actual revisions to the python code that are needed so it can be returned as a string, etc.

@kmcquade
Collaborator

Update: I'm still traveling. Will likely wrap this up first week of July, since I am prepping for a conference talk on June 29th.

I got a version of this working - like you can leverage a function and return it as a string - but it needs some cleanup. Again, I'll wrap that up first week of July.

I appreciate your patience on this, @getsec and @Kwinnieprince.

kmcquade added the "enhancement" label Jun 24, 2020
@getsec
Author

getsec commented Jun 26, 2020

@kmcquade I will beta test for you within our environments and report back. Sorry for being so absent, I've been very pre-occupied with mergers and GCP security (god help me)

@kmcquade
Collaborator

@getsec hah! No worries. I will let you know when it's ready. I'll work on it next week after I'm done with my conference talk on Policy Sentry (feel free to join if you are interested - it's related to this tool as well - https://fwdcloudsec.org/speakers.html#policy-sentry).

@getsec
Author

getsec commented Jun 26, 2020

@kmcquade Ooooh. I'll make sure to book it in my calendar! Good luck on the talk, I had to give a virtual talk on a SANS webcast to like 1000 people and I was shaking in my boots 👀.

@getsec
Author

getsec commented Jun 30, 2020

@kmcquade Good talk :D

@kmcquade
Collaborator

kmcquade commented Jul 8, 2020

@getsec @Kwinnieprince thanks for your patience on this issue. I haven't written a Lambda function for it - but I recently made a merge that allows you to get the HTML as a string, per your request. The full example is available here: https://github.com/salesforce/cloudsplaining/blob/master/examples/scripts/scripting_example.py

Example snippet - see the line starting with rendered_html_report below.

import json

# Import paths as used in the linked scripting_example.py (assumed unchanged here)
from cloudsplaining.command.scan import scan_account_authorization_details
from cloudsplaining.shared.exclusions import DEFAULT_EXCLUSIONS


def scripting_example(file):
    # file: path to the JSON written by `aws iam get-account-authorization-details`
    with open(file) as f:
        contents = f.read()
        account_authorization_details_cfg = json.loads(contents)
    # Returns the HTML report as a string instead of writing it to disk
    rendered_html_report = scan_account_authorization_details(
        account_authorization_details_cfg, DEFAULT_EXCLUSIONS, account_name="example"
    )
    print(rendered_html_report)

I'll release a new version shortly so the feature is available to you. Let me know if you have any questions.
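Putting that scripting API into the weekly Lambda getsec described, as an added example that is not the project's own code: the handler pages through get_account_authorization_details (the only IAM permission kmcquade mentions the execution role needs), merges the pages into the single document the scanner expects, and writes the HTML report to S3 under a per-account, per-date key. It assumes the import paths of the linked scripting example; the bucket name and account id in the event are placeholders, and the clients are injectable so the logic can be exercised without AWS credentials.

```python
import datetime

# The four top-level lists of a get-account-authorization-details document;
# the scanner expects all of them present, even when empty.
AUTH_DETAIL_LISTS = ("UserDetailList", "GroupDetailList", "RoleDetailList", "Policies")


def merge_authorization_pages(pages):
    """Collapse paginated API responses into one document shaped like the
    `aws iam get-account-authorization-details` JSON the tool consumes."""
    merged = {name: [] for name in AUTH_DETAIL_LISTS}
    for page in pages:
        for name in AUTH_DETAIL_LISTS:
            merged[name].extend(page.get(name, []))
    return merged


def fetch_authorization_details(iam_client):
    """Needs only iam:GetAccountAuthorizationDetails on the execution role."""
    paginator = iam_client.get_paginator("get_account_authorization_details")
    return merge_authorization_pages(paginator.paginate())


def report_key(account_id, run_date_iso, prefix="cloudsplaining"):
    """One object per account and day, so weekly reports can be diffed."""
    return f"{prefix}/{account_id}/{run_date_iso}/report.html"


def handler(event, context, iam_client=None, s3_client=None, scanner=None):
    """Lambda entry point. Clients and scanner are injectable for testing;
    event = {"account_id": "...", "bucket": "..."} (placeholder values)."""
    if iam_client is None or s3_client is None:
        import boto3  # assumed present in the Lambda runtime
        iam_client = iam_client or boto3.client("iam")
        s3_client = s3_client or boto3.client("s3")
    if scanner is None:
        # Import paths assumed from the linked scripting_example.py
        from cloudsplaining.command.scan import scan_account_authorization_details
        from cloudsplaining.shared.exclusions import DEFAULT_EXCLUSIONS
        def scanner(cfg, name):
            return scan_account_authorization_details(cfg, DEFAULT_EXCLUSIONS, account_name=name)
    account_id = str(event["account_id"])
    details = fetch_authorization_details(iam_client)
    html = scanner(details, account_id)
    key = report_key(account_id, datetime.date.today().isoformat())
    s3_client.put_object(Bucket=event["bucket"], Key=key, Body=html.encode("utf-8"),
                         ContentType="text/html", ServerSideEncryption="AES256")
    return {"bucket": event["bucket"], "key": key, "bytes": len(html)}
```

Scheduling the function weekly (EventBridge) and granting the role s3:PutObject on the report prefix plus iam:GetAccountAuthorizationDetails is all the remaining wiring; the report itself never leaves the account except through that bucket.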

@kmcquade kmcquade self-assigned this Jul 8, 2020
@kmcquade
Collaborator

kmcquade commented Jul 8, 2020

Released in 0.1.5
