Announcing Project Lockdown

Announcing Project Lockdown - GCP Automated Remediation Suite

Announcing Project Lockdown

Announcing Project Lockdown

Today we are announcing a new open source security tool to help keep your GCP environment more secure. Project Lockdown is a collection of automated remediation Cloud Functions that react to high risk events in real time. Our goal with Project Lockdown is to continually update its capabilities to stay current with the ever changing cloud landscape. In this article, we will highlight some key features to provide you with insight into what we think will be a strong tool in your GCP security portfolio.

Project Lockdown - GCP Automated Remediation Suite by ScaleSec

Project Lockdown - GCP Automated Remediation Suite by ScaleSec

What is Project Lockdown?

Project Lockdown is a collection of serverless functions that are invoked when specific Cloud Logging events occur. For example, a user in your GCP organization makes a GCS bucket publicly facing because they are having issues viewing objects and can’t figure out why they can’t connect. This is a common scenario we encounter at ScaleSec when working with customers. With Project Lockdown, a Cloud Logging sink captures that event and sends it to a Pub/Sub topic that invokes the Cloud Function. The Cloud Function then evaluates the target GCS bucket for public IAM members and can remove them if configured to do so.

Core Features

  • Read-only by default. Project Lockdown will only remediate resources in your GCP organization if you specifically configure it to have write access. By default, Project Lockdown will only review the resources and log its findings.
  • Custom least privilege IAM roles. The Cloud Functions in Project Lockdown use custom roles assigned to a per-function identity. Each custom role has only the permissions it needs and nothing more.
  • Robust Logging and Alerting. Each Cloud Function logs every API called to Cloud Logging in addition to publishing a JSON formatted message to a Pub/Sub topic. This Pub/Sub topic captures every message published from Project Lockdown and you can easily forward those events to your SIEM, slack or teams, email with SendGrid, and many others.
  • Deployed via HashiCorp Terraform. Each set of GCP resources for every remediation scenario can be deployed with a single terraform apply. Project Lockdown takes advantage of the new for_each module feature in terraform v.13 to provision multiple identical copies of the same resources with minimal code required.
  • Low-cost and quick. During preliminary testing, Project Lockdown was able to react, analyze, and remediate GCP resources in under 5 seconds - about the time it takes for the console to refresh and load. Each GCP organization is unique with the amount of resources, IAM bindings, or events generated but we are confident this solution will be beneficial for your environment.

What does it remediate?

Probably the most important question on your mind is: What does it remediate? Project Lockdown will grow as GCP releases new functionality and currently supports:

One of the objectives of Project Lockdown was to fill in the gaps where GCP does not currently offer controls and guardrails to establish best practices. For example, GCP has an Organization policy constraint constraints/sql.restrictPublicIp that removes the ability to attach a public IP to a Cloud SQL instance. As there is already a control in place to stop this anti-pattern, we did not prioritize this remediation scenario. Over time we will add remediation functionality to cover as many high risk events as possible. For more in depth information about each scenario currently supported by Project Lockdown, visit our readme.

Conclusion

Project Lockdown is available today at no cost from our GitHub repository. Take it for a spin and feel free to provide feedback via a GitHub issue, or reach out on any of our socials via Twitter, LinkedIn, or directly on our website. We look forward to hearing your feedback!

A Conversation on Leading Teams

CEO Marsha Wilson and Marc Marling discuss leadership style, Trusted Advisor, and consulting EQ on the Corporate Thought podcast.

Previous article

Here for you

Have questions? Leverage our expertise to help you meet your business goals with a strong security posture.

Join us

ScaleSec is a well-connected, fully remote team. We thrive in the great undocumented beyond. We’re hiring in most US metros.

Get in touch

Considering cloud? Want to optimize and transform your existing digital portfolio?
Reach out to us.

Gap Assessment

Get perspective. Address security comprehensively.

Prepare for compliance.

ScaleSec
San Diego, CA 92120, United States

619-SCALE15

© 2020 ScaleSec. All rights reserved. | Privacy Policy