
Sample configuration

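# Config file example.
# All automations are currently in monitor mode by default (dry_run: true); change to "dry_run: false" to enable the action.
# Replace YOUR-ORGANIZATION-ID and YOUR-FOLDER-ID with the values used in the Terraform initialization script.
# Each automation entry below has the same shape:
#   action     - the remediation to run for the finding type
#   target     - ancestry patterns the finding's project must match
#   excludes   - ancestry patterns that suppress the action even when `target` matches
#   properties - per-action settings; `dry_run` is common to all of them
---
apiVersion: security-response-automation.cloud.google.com/v1alpha1
kind: Remediation
metadata:
  name: router
spec:
  parameters:
    # Event Threat Detection findings.
    # https://cloud.google.com/security-command-center/docs/how-to-use-event-threat-detection
    etd:
      bad_ip:
        # Create a snapshot of all the disks in a GCE instance.
        - action: gce_create_disk_snapshot
          # The `target` and `excludes` arrays accept an ancestry pattern that is compared against the incoming project.
          # Both the target and excludes patterns are considered; however, `excludes` takes precedence.
          # The ancestry pattern allows you to specify granularity at the organization, folder and project levels.
          target:
            - organizations/YOUR-ORGANIZATION-ID/folders/YOUR-FOLDER-ID/*
          excludes:
            - organizations/YOUR-ORGANIZATION-ID/folders/YOUR-FOLDER-ID/projects/YOUR-PROJECT-TO-EXCLUDE
          properties:
            # If dry_run: true, runs in monitor mode where changes are only logged and not performed.
            # Setting it to false makes this automation perform the action on matching projects.
            dry_run: true
            # Bad IP specific configuration.
            # THIS PART IS OPTIONAL
            # NOTE(review): the property key `gce_create_snapshot` differs from the action name
            # `gce_create_disk_snapshot`; confirm the expected key against the consumer's schema.
            gce_create_snapshot:
              # Placeholder values; replace with the project and zone that should receive the snapshots
              # (assumed from the key names - confirm against the action's documentation).
              target_snapshot_project_id: target-projectid
              target_snapshot_zone: us-central1-a
      anomalous_iam:
        - action: iam_revoke
          target:
            - organizations/YOUR-ORGANIZATION-ID/folders/YOUR-FOLDER-ID/*
          excludes:
            - organizations/YOUR-ORGANIZATION-ID/folders/YOUR-FOLDER-ID/projects/YOUR-PROJECT-TO-EXCLUDE
          properties:
            dry_run: true
            anomalous_iam:
              # Presumably members whose domain is listed here are not revoked - verify against
              # the iam_revoke action before relying on it as a safety net.
              allow_domains:
                - google.com
      ssh_brute_force:
        - action: remediate_firewall
          target:
            - organizations/YOUR-ORGANIZATION-ID/folders/YOUR-FOLDER-ID/*
          excludes:
            - organizations/YOUR-ORGANIZATION-ID/folders/YOUR-FOLDER-ID/projects/YOUR-PROJECT-TO-EXCLUDE
          properties:
            dry_run: true
            # Firewall remediation step(s) to apply for this finding.
            action:
              - disable
    # Security Health Analytics
    sha:
      public_bucket_acl:
        - action: close_bucket
          target:
            - organizations/YOUR-ORGANIZATION-ID/folders/YOUR-FOLDER-ID/*
          excludes:
            - organizations/YOUR-ORGANIZATION-ID/folders/YOUR-FOLDER-ID/projects/YOUR-PROJECT-TO-EXCLUDE
          properties:
            dry_run: true
      bucket_policy_only_disabled:
        - action: enable_bucket_only_policy
          target:
            - organizations/YOUR-ORGANIZATION-ID/folders/YOUR-FOLDER-ID/*
          excludes:
            - organizations/YOUR-ORGANIZATION-ID/folders/YOUR-FOLDER-ID/projects/YOUR-PROJECT-TO-EXCLUDE
          properties:
            dry_run: true
      public_sql_instance:
        - action: close_cloud_sql
          target:
            - organizations/YOUR-ORGANIZATION-ID/folders/YOUR-FOLDER-ID/*
          excludes:
            - organizations/YOUR-ORGANIZATION-ID/folders/YOUR-FOLDER-ID/projects/YOUR-PROJECT-TO-EXCLUDE
          properties:
            dry_run: true
      ssl_not_enforced:
        - action: cloud_sql_require_ssl
          target:
            - organizations/YOUR-ORGANIZATION-ID/folders/YOUR-FOLDER-ID/*
          excludes:
            - organizations/YOUR-ORGANIZATION-ID/folders/YOUR-FOLDER-ID/projects/YOUR-PROJECT-TO-EXCLUDE
          properties:
            dry_run: true
      sql_no_root_password:
        - action: cloud_sql_update_password
          target:
            - organizations/YOUR-ORGANIZATION-ID/folders/YOUR-FOLDER-ID/*
          excludes:
            - organizations/YOUR-ORGANIZATION-ID/folders/YOUR-FOLDER-ID/projects/YOUR-PROJECT-TO-EXCLUDE
          properties:
            dry_run: true
      public_ip_address:
        - action: remove_public_ip
          target:
            - organizations/YOUR-ORGANIZATION-ID/folders/YOUR-FOLDER-ID/*
          excludes:
            - organizations/YOUR-ORGANIZATION-ID/folders/YOUR-FOLDER-ID/projects/YOUR-PROJECT-TO-EXCLUDE
          properties:
            dry_run: true
      open_firewall:
        - action: remediate_firewall
          target:
            - organizations/YOUR-ORGANIZATION-ID/folders/YOUR-FOLDER-ID/*
          excludes:
            - organizations/YOUR-ORGANIZATION-ID/folders/YOUR-FOLDER-ID/projects/YOUR-PROJECT-TO-EXCLUDE
          properties:
            dry_run: true
            open_firewall:
              remediation_action: disable
      bigquery_public_dataset:
        - action: close_public_dataset
          target:
            - organizations/YOUR-ORGANIZATION-ID/folders/YOUR-FOLDER-ID/*
          excludes:
            - organizations/YOUR-ORGANIZATION-ID/folders/YOUR-FOLDER-ID/projects/YOUR-PROJECT-TO-EXCLUDE
          properties:
            dry_run: true
      audit_logging_disabled:
        - action: enable_audit_logs
          target:
            - organizations/YOUR-ORGANIZATION-ID/folders/YOUR-FOLDER-ID/*
          excludes:
            - organizations/YOUR-ORGANIZATION-ID/folders/YOUR-FOLDER-ID/projects/YOUR-PROJECT-TO-EXCLUDE
          properties:
            dry_run: true
      web_ui_enabled:
        - action: disable_dashboard
          target:
            - organizations/YOUR-ORGANIZATION-ID/folders/YOUR-FOLDER-ID/*
          excludes:
            - organizations/YOUR-ORGANIZATION-ID/folders/YOUR-FOLDER-ID/projects/YOUR-PROJECT-TO-EXCLUDE
          properties:
            dry_run: true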