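def main(projectsArgumentList, operation, role, members):
    """Add or remove *members* from the *role* IAM binding of each selected project.

    Args:
        projectsArgumentList: project ids to modify; if the list contains the
            literal "all", it is replaced by every project id matching
            ``constants.PROJECT_FILTER``.
        operation: "add" or "remove". Any other value is rejected before any
            project is touched (the original fell through both branches and
            silently did nothing per member).
        role: IAM role whose binding is modified.
        members: IAM member strings to add to / remove from the binding.

    Returns:
        None. Progress and errors are printed to stdout.
    """
    if operation not in ("add", "remove"):
        print("[ERROR] Unknown operation '{0}' (expected 'add' or 'remove')".format(
            operation))
        return

    # "all" widens the change to every project the filter matches, so the
    # target list is printed in full before any binding is modified.
    if "all" in projectsArgumentList:
        projectList = cloudResourceManagerUtils.cloudresourcemanager_get_project_ids(
            projectFilter=constants.PROJECT_FILTER)
    else:
        projectList = projectsArgumentList

    banner = "[INFO] ======================================================================================"
    print("\n\n" + banner)
    # The header used to say "Removing Binding" for both operations.
    print("[INFO] Operation '{0}' on role '{1}' binding for {2} GCP Projects :".format(
        operation, role, len(projectList)))
    for p in projectList:
        print("[INFO] {0}".format(p))
    print(banner)

    for projectId in projectList:
        print("\n\n" + banner)
        print("[INFO] Project: {0}".format(projectId))
        for member in members:
            print("\n[INFO] Member: {0} - Operation: {1} - role: {2}".format(
                member, operation, role))
            if operation == "add":
                cloudResourceManagerUtils.cloudresourcemanager_add_member_to_project_binding(
                    projectId, role, member)
            else:
                cloudResourceManagerUtils.cloudresourcemanager_remove_member_from_project_binding(
                    projectId, role, member)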
def main(projectsArgumentList):
    """Audit the "requireSsl" setting of every CloudSQL instance in the selected projects.

    Args:
        projectsArgumentList: project ids to audit; if the list contains the
            literal "all", every project id returned by
            cloudResourceManagerUtils.cloudresourcemanager_get_project_ids() is used.

    Side effects:
        Prints progress to stdout, emits one report() row per instance
        ("SSL_REQUIRED" / "SSL_NOT_REQUIRED"), an "N/A" row for projects whose
        instance listing raises HttpError, and finally writes the report to a
        timestamped file via writeReport().
    """
    banner = "[INFO] ======================================================================================"
    print("\n\n" + banner)

    if "all" in projectsArgumentList:
        targets = cloudResourceManagerUtils.cloudresourcemanager_get_project_ids()
    else:
        targets = projectsArgumentList

    print("\n\n[INFO] Starting CloudSQL Instance Security Audit Report for {0} GCP Projects :".format(len(targets)))
    for target in targets:
        print("[INFO] {0}".format(target))
    print(banner)

    for projectId in targets:
        print("\n\n" + banner)
        print("[INFO] Project: {0}".format(projectId))
        try:
            sqlInstances = cloudSQLUtils.cloudsql_list_instances(projectId)
        except HttpError:
            # Listing failed: record the project as unknown instead of skipping it silently.
            print(banner)
            report(projectId, "N/A", "N/A")
            continue
        print("[INFO] # CloudSQL Instances: {0}".format(len(sqlInstances)))
        print(banner)

        for sqlInstance in sqlInstances:
            # requireSsl lives under settings.ipConfiguration; any missing level
            # counts as "not required".
            ipConfiguration = sqlInstance.get('settings', {}).get('ipConfiguration', {})
            if ipConfiguration.get('requireSsl'):
                sslStatus = "SSL_REQUIRED"
            else:
                sslStatus = "SSL_NOT_REQUIRED"
            report(projectId, sqlInstance['name'], sslStatus)

    # Write the report to file
    timestamp = dt.datetime.now().strftime("%Y%m%d_%H%M%S")
    writeReport(timestamp)
def main(projectsArgumentList, region, zone):
    """Report managed disks, instances and Dataproc clusters past their deletion grace period.

    Args:
        projectsArgumentList: project ids to scan; "all" in the list selects
            every project matching constants.MANAGED_RESOURCE_DELETION_PROJECT_FILTER.
        region: Dataproc region passed to dataprocUtils.dataproc_list_clusters().
        zone: Compute zone passed to computeUtils.compute_list_disks() and
            computeUtils.compute_list_instances().

    Projects that do not carry constants.MANAGED_RESOURCE_DELETION_LABEL with
    constants.MANAGED_RESOURCE_DELETION_VALUE, or whose label check raises
    HttpError, are skipped. The remaining projects have their disks, instances
    and Dataproc clusters handed to checkIfResourcesArePastGracePeriod().
    """
    banner = "[INFO] ======================================================================================"
    print("\n\n" + banner)

    if "all" in projectsArgumentList:
        targets = resourceManagerUtils.cloudresourcemanager_get_project_ids(
            projectFilter=constants.MANAGED_RESOURCE_DELETION_PROJECT_FILTER)
        print("[INFO] Projects where resource deletion management is ENABLED (via label {0}):\n[INFO] {1}".format(
            constants.MANAGED_RESOURCE_DELETION_LABEL, targets))
    else:
        targets = projectsArgumentList
        print("[INFO] Projects provided: {0}".format(targets))
    print(banner)

    for projectId in targets:
        print("\n\n" + banner)
        print("[INFO] Project: {0}".format(projectId))
        print("[INFO] Zone: {0}".format(zone))
        # The opt-in label is re-checked even for projects named explicitly,
        # so the script only acts on projects that carry it.
        try:
            optedIn = resourceManagerUtils.checkIfProjectHasLabel(
                projectId,
                constants.MANAGED_RESOURCE_DELETION_LABEL,
                constants.MANAGED_RESOURCE_DELETION_VALUE)
        except HttpError:
            print("[ERROR] ********** PROJECT NOT FOUND **************")
            print(banner)
            continue
        if not optedIn:
            print("[ERROR] ********** RESOURCE DELETION MANAGEMENT NOT ENABLED **************")
            print(banner)
            continue
        print(banner)

        # Resource families are listed and checked in the same order as before.
        checkIfResourcesArePastGracePeriod(
            computeUtils.compute_list_disks(projectId, zone), "DISK")
        checkIfResourcesArePastGracePeriod(
            computeUtils.compute_list_instances(projectId, zone), "INSTANCE")
        checkIfResourcesArePastGracePeriod(
            dataprocUtils.dataproc_list_clusters(projectId, region), "DATAPROC CLUSTER")
def main(projectsArgumentList):
    """Print the IAM owners of each selected project.

    Args:
        projectsArgumentList: project ids to audit; if the list contains the
            literal "all", every project id matching constants.PROJECT_FILTER
            is used instead.

    Side effects:
        Prints one line per owner member returned by
        cloudResourceManagerUtils.cloudresourcemanager_get_project_owners();
        projects for which that call returns None are reported as an error.
    """
    banner = "[INFO] ======================================================================================"

    if "all" in projectsArgumentList:
        targets = cloudResourceManagerUtils.cloudresourcemanager_get_project_ids(
            projectFilter=constants.PROJECT_FILTER)
    else:
        targets = projectsArgumentList

    print("\n\n" + banner)
    print("[INFO] Starting Project Security Audit Report for {0} GCP Projects :".format(len(targets)))
    for target in targets:
        print("[INFO] {0}".format(target))
    print(banner)

    for projectId in targets:
        print("\n\n" + banner)
        print("[INFO] Project: {0}".format(projectId))
        owners = cloudResourceManagerUtils.cloudresourcemanager_get_project_owners(projectId)
        if owners is None:
            print("[ERROR] UNABLE TO RETRIEVE PROJECT IAM BINDINGS")
            print(banner)
            continue
        print(banner)
        for owner in owners:
            print("{0}".format(owner))
def main(projectsArgumentList, region, zone):
    """Mark instances, disks and Dataproc clusters for deletion in opted-in projects.

    Args:
        projectsArgumentList: project ids to process; "all" in the list selects
            every project matching constants.MANAGED_RESOURCE_DELETION_PROJECT_FILTER.
        region: Dataproc region passed to markDataprocClustersForDeletion().
        zone: Compute zone passed to the three mark*ForDeletion() helpers.

    Projects that do not carry constants.MANAGED_RESOURCE_DELETION_LABEL with
    constants.MANAGED_RESOURCE_DELETION_VALUE, or whose label check raises
    HttpError, are skipped without any marking.
    """
    banner = "[INFO] ======================================================================================"
    print("\n\n" + banner)

    if "all" in projectsArgumentList:
        targets = resourceManagerUtils.cloudresourcemanager_get_project_ids(
            projectFilter=constants.MANAGED_RESOURCE_DELETION_PROJECT_FILTER)
        print("[INFO] Projects where resource deletion management is ENABLED (via label {0}):\n[INFO] {1}".format(
            constants.MANAGED_RESOURCE_DELETION_LABEL, targets))
    else:
        targets = projectsArgumentList
        print("[INFO] Projects provided: {0}".format(targets))
    print(banner)

    for projectId in targets:
        print("\n\n" + banner)
        print("[INFO] Project: {0}".format(projectId))
        print("[INFO] Zone: {0}".format(zone))
        # Re-verify the opt-in label so explicitly named projects are treated
        # the same as those found through the filter.
        try:
            optedIn = resourceManagerUtils.checkIfProjectHasLabel(
                projectId,
                constants.MANAGED_RESOURCE_DELETION_LABEL,
                constants.MANAGED_RESOURCE_DELETION_VALUE)
        except HttpError:
            print("[ERROR] ********** PROJECT NOT FOUND **************")
            print(banner)
            continue
        if not optedIn:
            print("[ERROR] ********** RESOURCE DELETION MANAGEMENT NOT ENABLED **************")
            print(banner)
            continue
        print(banner)

        markInstancesForDeletion(projectId, zone)
        markDisksForDeletion(projectId, zone)
        markDataprocClustersForDeletion(projectId, region, zone)
def main(projectsArgumentList, zone):
    """Audit security-relevant settings of every Compute instance in the selected projects.

    Args:
        projectsArgumentList: project ids to audit; if the list contains the
            literal "all", every project id returned by
            cloudResourceManagerUtils.cloudresourcemanager_get_project_ids() is used.
        zone: Compute zone whose instances are listed.

    For each instance one report() row is emitted with the findings below;
    projects whose instance listing raises HttpError get an all-"N/A" row.
    The report is written to a timestamped file at the end via writeReport().

    Findings per instance (metadata values are matched against
    constants.TRUE_REGEX):
      * serial-port-enable     -> SERIAL_PORTS_ENABLED / SERIAL_PORTS_DISABLED
      * block-project-ssh-keys -> PROJECT_SSH_KEYS_BLOCKED / PROJECT_SSH_KEYS_ALLOWED
      * enable-oslogin, taken from the instance metadata, else from the
        project's commonInstanceMetadata
      * canIpForward           -> IP_FORWARDING_ENABLED / IP_FORWARDING_DISABLED
      * cloud-platform OAuth scope on any attached service account
                               -> FULL_SCOPES / LIMITED_SCOPES

    NOTE(review): the OS Login marker strings appear as "******" in this
    listing (presumably redacted), so the comparison against
    "VM_OS_LOGIN_ENABLED" below can never be true as written — confirm the
    real values.
    """
    print "\n\n[INFO] ======================================================================================"
    if "all" in projectsArgumentList:
        projectList = cloudResourceManagerUtils.cloudresourcemanager_get_project_ids(
        )
    else:
        projectList = projectsArgumentList
    print "\n\n[INFO] Starting Compute Instance Security Audit Report for {0} GCP Projects :".format(
        len(projectList))
    for p in projectList:
        print "[INFO] {0}".format(p)
    print "[INFO] ======================================================================================"
    for project in projectList:
        print "\n\n[INFO] ======================================================================================"
        print "[INFO] Project: {0}".format(project)
        instances = []
        try:
            instances = computeUtils.compute_list_instances(project, zone)
            print "[INFO] # of VMs: {0}".format(len(instances))
            print "[INFO] ======================================================================================"
        except HttpError as e:
            # Listing failed: still emit a row so the project is visible in the report.
            print "[INFO] ======================================================================================"
            report(project, "N/A", "N/A", "N/A", "N/A", "N/A", "N/A")
            continue
        #
        # TODO: FIX THIS. This is the Project Metadata but enable-oslogin belongs to the Compute Metadata and the key is called commonInstanceMetadata
        #
        # Project-level default; overridden below if the project's
        # commonInstanceMetadata sets enable-oslogin to a "true" value.
        projectOsLogin = "******"
        projectComputeResource = computeUtils.compute_get_project(project)
        if "commonInstanceMetadata" in projectComputeResource and "items" in projectComputeResource[
                'commonInstanceMetadata']:
            for item in projectComputeResource['commonInstanceMetadata'][
                    'items']:
                if (item['key'] == "enable-oslogin"
                        and re.match(constants.TRUE_REGEX, item['value'])):
                    projectOsLogin = "******"
        for instance in instances:
            # Defaults are the "safe" / least-privileged reading; each is
            # flipped only when the instance resource proves otherwise.
            serialPorts = "SERIAL_PORTS_DISABLED"
            projectWideSSHKeys = "PROJECT_SSH_KEYS_ALLOWED"
            ipForwarding = "IP_FORWARDING_DISABLED"
            serviceAccountAPIAccess = "LIMITED_SCOPES"
            # Instance metadata wins over the project-level OS Login setting.
            osLogin = projectOsLogin
            if "metadata" in instance and "items" in instance['metadata']:
                for item in instance['metadata']['items']:
                    if (item['key'] == "serial-port-enable"
                            and re.match(constants.TRUE_REGEX, item['value'])):
                        serialPorts = "SERIAL_PORTS_ENABLED"
                    elif (item['key'] == "block-project-ssh-keys"
                          and re.match(constants.TRUE_REGEX, item['value'])):
                        projectWideSSHKeys = "PROJECT_SSH_KEYS_BLOCKED"
                    elif (item['key'] == "enable-oslogin"
                          and re.match(constants.TRUE_REGEX, item['value'])):
                        osLogin = "******"
            # "Enabling OS Login on instances disables metadata-based SSH key configurations on those instances"
            # https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin
            # Not clear if enabling oslogin at project level has the same effect, hence it is not considered in this condition
            # NOTE(review): see the docstring — with the marker values shown
            # here this branch is unreachable.
            if osLogin == "VM_OS_LOGIN_ENABLED":
                projectWideSSHKeys = osLogin
            # Boolean Value, not String like the one in Metadata
            if ("canIpForward" in instance and instance["canIpForward"]):
                ipForwarding = "IP_FORWARDING_ENABLED"
            # Any attached service account carrying the cloud-platform scope
            # marks the instance as FULL_SCOPES.
            if "serviceAccounts" in instance:
                for serviceAccount in instance['serviceAccounts']:
                    if "https://www.googleapis.com/auth/cloud-platform" in serviceAccount[
                            'scopes']:
                        serviceAccountAPIAccess = "FULL_SCOPES"
            report(project, instance['name'], serialPorts, projectWideSSHKeys,
                   osLogin, ipForwarding, serviceAccountAPIAccess)
    # Write the report to file
    dateString = dt.datetime.now().strftime("%Y%m%d_%H%M%S")
    writeReport(dateString)
def main(projectsArgumentList, requestedShutdownSchedule, zone):
    """Stop RUNNING instances whose shutdown-schedule label equals *requestedShutdownSchedule*.

    Args:
        projectsArgumentList: project ids; "all" in the list selects every
            project matching constants.MANAGED_INSTANCE_SHUTDOWN_PROJECT_FILTER.
        requestedShutdownSchedule: value an instance's
            constants.SHUT_DOWN_SCHEDULE_LABEL label must equal to be stopped.
        zone: Compute zone whose instances are examined.

    Projects without constants.MANAGED_INSTANCE_SHUTDOWN_LABEL set to
    constants.MANAGED_INSTANCE_SHUTDOWN_DEFAULT_VALUE, or that raise
    HttpError, are skipped. An instance is stopped only when it is RUNNING and
    carries a schedule label that is neither constants.SHUTDOWN_SCHEDULE_NOT_SET
    nor constants.DO_NOT_SHUTDOWN_VALUE and equals the requested schedule; the
    stop operation is waited for and the resulting status printed.
    """
    banner = "[INFO] ======================================================================================"
    print("\n\n" + banner)

    if "all" in projectsArgumentList:
        targets = cloudResourceManagerUtils.cloudresourcemanager_get_project_ids(
            projectFilter=constants.MANAGED_INSTANCE_SHUTDOWN_PROJECT_FILTER)
        print("[INFO] Projects where Compute Instance shutdown management is ENABLED (via {0}):\n[INFO] {1}".format(
            constants.MANAGED_INSTANCE_SHUTDOWN_LABEL, targets))
    else:
        targets = projectsArgumentList
        print("[INFO] Projects provided: {0}".format(targets))
    print(banner)

    for projectId in targets:
        print("\n\n" + banner)
        print("[INFO] Project: {0}".format(projectId))
        print("[INFO] Zone: {0}".format(zone))
        try:
            # Projects named on the command line are verified against the
            # opt-in label as well, not only those found through the filter.
            optedIn = cloudResourceManagerUtils.checkIfProjectHasLabel(
                projectId,
                constants.MANAGED_INSTANCE_SHUTDOWN_LABEL,
                constants.MANAGED_INSTANCE_SHUTDOWN_DEFAULT_VALUE)
            if not optedIn:
                print("[ERROR] ********** COMPUTE INSTANCE SHUTDOWN MANAGEMENT NOT ENABLED **************")
                print(banner)
                continue
            vms = computeUtils.compute_list_instances(projectId, zone)
            print("[INFO] # of Compute Instances: {0}".format(len(vms)))
            print(banner)
        except HttpError:
            print("[ERROR] ********** PROJECT NOT FOUND **************")
            print(banner)
            continue

        for vm in vms:
            vmName = vm['name']
            vmResource = computeUtils.compute_get_instance(projectId, zone, vmName)
            schedule = vmResource.get('labels', {}).get(
                constants.SHUT_DOWN_SCHEDULE_LABEL, constants.SHUTDOWN_SCHEDULE_NOT_SET)
            # Status is one of PROVISIONING, STAGING, RUNNING, STOPPING, STOPPED,
            # SUSPENDING, SUSPENDED, TERMINATED. Shut down only if a schedule
            # has been set, it is not the opt-out value, and it matches the
            # schedule requested for this run.
            shouldStop = (
                vmResource['status'] == "RUNNING"
                and schedule != constants.SHUTDOWN_SCHEDULE_NOT_SET
                and schedule != constants.DO_NOT_SHUTDOWN_VALUE
                and schedule == requestedShutdownSchedule)

            print('\n[INFO] Instance {0} - Status: {1}'.format(vmName, vmResource['status']))
            print('[INFO] Instance {0} - Shutdown Schedule: {1}'.format(vmName, schedule))
            print('[INFO] Instance {0} - Shutdown Decision: {1}'.format(vmName, shouldStop))
            if not shouldStop:
                continue
            # Python 2 print statement: the trailing comma suppresses the newline.
            print('[INFO] Instance {0} - Stopping instance'.format(vmName)),
            stopOperation = computeUtils.compute_stop_instance(projectId, zone, vmName)
            computeUtils.compute_wait_for_operation(projectId, zone, stopOperation['name'])
            vmResource = computeUtils.compute_get_instance(projectId, zone, vmName)
            print('[INFO] Instance {0} - Status: {1}\n'.format(vmName, vmResource['status']))
def main(projectsArgumentList):
    """Scan each project's IAM bindings for two policy violations and write the report.

    Args:
        projectsArgumentList: project ids to audit; "all" in the list selects
            every project matching constants.PROJECT_FILTER.

    For every binding two check_violations() calls run: user accounts
    (globalVars["USER_ACCOUNT_REGEX"]) holding service-account roles
    (globalVars["SVC_ACC_ROLES_REGEX"]), and service accounts
    (globalVars["SVC_ACC_REGEX"] formatted with the project id) holding admin
    roles (globalVars["ADMIN_ROLE_REGEX"]). Projects whose bindings cannot be
    retrieved are reported on stdout and skipped. The report is written to a
    timestamped file at the end via writeReport().
    """
    banner = "[INFO] ======================================================================================"

    if "all" in projectsArgumentList:
        targets = cloudResourceManagerUtils.cloudresourcemanager_get_project_ids(
            projectFilter=constants.PROJECT_FILTER)
    else:
        targets = projectsArgumentList

    print("\n\n" + banner)
    print("[INFO] Starting Project Security Audit Report for {0} GCP Projects :".format(len(targets)))
    for target in targets:
        print("[INFO] {0}".format(target))
    print(banner)

    for projectId in targets:
        print("\n\n" + banner)
        print("[INFO] Project: {0}".format(projectId))
        bindings = cloudResourceManagerUtils.cloudresourcemanager_get_project_iam_bindings(projectId)
        if bindings is None:
            print("[ERROR] UNABLE TO RETRIEVE PROJECT IAM BINDINGS")
            print(banner)
            continue
        print(banner)

        # The service-account pattern embeds the project id, so it is built once per project.
        svcAccountRegex = globalVars["SVC_ACC_REGEX"].format(projectId)
        for binding in bindings:
            # Check for USER accounts which have Service Account roles assigned
            check_violations(projectId, binding,
                             globalVars["SVC_ACC_ROLES_REGEX"],
                             globalVars["USER_WITH_SVC_ACC_ROLE_VIOLATION"],
                             globalVars["USER_ACCOUNT_REGEX"])
            # Check for Service Accounts with Admin roles assigned
            check_violations(projectId, binding,
                             globalVars["ADMIN_ROLE_REGEX"],
                             globalVars["SVC_ACC_ADMIN_VIOLATION"],
                             svcAccountRegex)
        # Ideally the specific admin permissions within the roles would be
        # checked too, and the project's organisation policy retrieved; the
        # latter was left out because it made the script about 10x slower.

    # Write the report to file
    timestamp = dt.datetime.now().strftime("%Y%m%d_%H%M%S")
    writeReport(timestamp)
def main(projectsArgumentList, zone):
    """Start or stop Compute instances according to their activity-window schedule.

    Args:
        projectsArgumentList: project ids; "all" in the list selects every
            project matching constants.MANAGED_INSTANCE_SCHEDULE_PROJECT_FILTER.
        zone: Compute zone whose instances are examined.

    Projects without constants.MANAGED_INSTANCE_SCHEDULE_LABEL set to
    constants.MANAGED_INSTANCE_SCHEDULE_DEFAULT_VALUE, or that raise HttpError,
    are skipped. For each instance with an activity window
    (get_instance_activity_window() not None): a RUNNING instance outside its
    window is stopped and a TERMINATED instance inside its window is started,
    in both cases only if check_instance_dependencies() allows it; otherwise
    the reason is printed.
    """
    banner = "[INFO] ======================================================================================"
    print("\n\n" + banner)

    if "all" in projectsArgumentList:
        targets = cloudResourceManagerUtils.cloudresourcemanager_get_project_ids(
            projectFilter=constants.MANAGED_INSTANCE_SCHEDULE_PROJECT_FILTER)
        print("[INFO] Projects where Compute Instance scheduling is ENABLED (via {0}):\n[INFO] {1}".format(
            constants.MANAGED_INSTANCE_SCHEDULE_LABEL, targets))
    else:
        targets = projectsArgumentList
        print("[INFO] Projects provided: {0}".format(targets))
    print(banner)

    for projectId in targets:
        print("\n\n" + banner)
        print("[INFO] Project: {0}".format(projectId))
        print("[INFO] Zone: {0}".format(zone))
        try:
            # If the projects have been given in the command line, check whether they are managed or not
            optedIn = cloudResourceManagerUtils.checkIfProjectHasLabel(
                projectId,
                constants.MANAGED_INSTANCE_SCHEDULE_LABEL,
                constants.MANAGED_INSTANCE_SCHEDULE_DEFAULT_VALUE)
            if not optedIn:
                print("[ERROR] ********** Compute Instance Scheduling NOT enabled **************")
                print(banner)
                continue
            vms = computeUtils.compute_list_instances(projectId, zone)
            print("[INFO] # of Compute Instances: {0}".format(len(vms)))
            print(banner)
        except HttpError:
            print("[ERROR] ********** PROJECT NOT FOUND **************")
            print(banner)
            continue

        for vm in vms:
            vmName = vm['name']
            print("\n\n[INFO] Instance: {0}".format(vmName))
            # Status is one of PROVISIONING, STAGING, RUNNING, STOPPING, STOPPED,
            # SUSPENDING, SUSPENDED, TERMINATED.
            status = vm['status']
            print("[INFO] Status: {0}".format(status))

            # TODO: Allow more than one Start-up and Shutdown Schedules (Weekdays/Weekends, etc)
            # Shutdown and start-up schedules come from the instance metadata.
            window = get_instance_activity_window(projectId, zone, vm, constants.ACTIVITY_WINDOW_KEY)
            if window is None:
                continue

            # Compare the current time with the schedule to decide STOP/START/WAIT.
            insideWindow = check_instance_activity_window(vm, window)
            if status == "RUNNING" and not insideWindow:
                # Outside of Activity Window
                if check_instance_dependencies(projectId, zone, vm, constants.SHUTDOWN_DEPENDENCIES_KEY):
                    computeUtils.compute_perform_operation_on_instance(
                        projectId, zone, vmName,
                        computeUtils.COMPUTE_STOP_OPERATION,
                        computeUtils.OPERATION_RUNNING)
                else:
                    print("[INFO] Shutdown Dependency found. No action taken at this time")
            elif status == "TERMINATED" and insideWindow:
                # Within Activity Window
                if check_instance_dependencies(projectId, zone, vm, constants.STARTUP_DEPENDENCIES_KEY):
                    computeUtils.compute_perform_operation_on_instance(
                        projectId, zone, vmName,
                        computeUtils.COMPUTE_START_OPERATION,
                        computeUtils.OPERATION_RUNNING)
                else:
                    print("[INFO] Start Up Dependency found. No action taken at this time")
            else:
                print("[INFO] No action required at this time")