Announcing Project Lockdown

What is Project Lockdown?

Project Lockdown is a collection of serverless functions that are invoked when specific Cloud Logging events occur. For example, a user in your GCP organization makes a GCS bucket publicly facing because they are having issues viewing objects and can’t figure out why they can’t connect. This is a common scenario we encounter at ScaleSec when working with customers. With Project Lockdown, a Cloud Logging sink captures that event and sends it to a Pub/Sub topic that invokes the Cloud Function. The Cloud Function then evaluates the target GCS bucket for public IAM members and can remove them if configured to do so.

Core Features

• Read-only by default. Project Lockdown will only remediate resources in your GCP organization if you specifically configure it to have write access. By default, Project Lockdown will only review the resources and log its findings.
• Custom least privilege IAM roles. The Cloud Functions in Project Lockdown use custom roles assigned to a per-function identity. Each custom role has only the permissions it needs and nothing more.
• Robust Logging and Alerting. Each Cloud Function logs every API called to Cloud Logging in addition to publishing a JSON formatted message to a Pub/Sub topic. This Pub/Sub topic captures every message published from Project Lockdown and you can easily forward those events to your SIEM, slack or teams, email with SendGrid, and many others.
• Deployed via HashiCorp Terraform. Each set of GCP resources for every remediation scenario can be deployed with a single terraform apply. Project Lockdown takes advantage of the new for_each module feature in terraform v.13 to provision multiple identical copies of the same resources with minimal code required.
• Low-cost and quick. During preliminary testing, Project Lockdown was able to react, analyze, and remediate GCP resources in under 5 seconds - about the time it takes for the console to refresh and load. Each GCP organization is unique with the amount of resources, IAM bindings, or events generated but we are confident this solution will be beneficial for your environment.

What does it remediate?

Probably the most important question on your mind is: What does it remediate? Project Lockdown will grow as GCP releases new functionality and currently supports:

• Stopping GCE instances that are created or started with the compute engine default service account.
• Removing public IAM members from BigQuery Datasets when they are assigned.
• Removing public IAM members from BigQuery Tables when they are assigned.
• Removing public IAM members from GCE Images when they are assigned.
• Removing public IAM members from GCS Buckets when they are assigned.
• Updating TLS 1.0 configurations on SSL policies to TLS 1.1 when created or assigned.

One of the objectives of Project Lockdown was to fill in the gaps where GCP does not currently offer controls and guardrails to establish best practices. For example, GCP has an Organization policy constraint constraints/sql.restrictPublicIp that removes the ability to attach a public IP to a Cloud SQL instance. As there is already a control in place to stop this anti-pattern, we did not prioritize this remediation scenario. Over time we will add remediation functionality to cover as many high risk events as possible. For more in depth information about each scenario currently supported by Project Lockdown, visit our readme.

Conclusion

Project Lockdown is available today at no cost from our GitHub repository. Take it for a spin and feel free to provide feedback via a GitHub issue, or reach out on any of our socials via Twitter, LinkedIn, or directly on our website. We look forward to hearing your feedback!