CureIAM: Streamlining IAM Account Management on GCP
Introduction
CureIAM is an efficient and user-friendly solution designed to enforce the Least Privilege Principle within Google Cloud Platform (GCP) infrastructure. By automating the cleanup of over-permissioned IAM accounts, it empowers DevOps and Security teams to swiftly address and rectify excessive permissions granted to accounts. Utilizing GCP’s IAM recommender, CureIAM fetches recommendations, scores them, and applies these insights daily, ensuring consistent enforcement of permissions. Built on GCP IAM recommender APIs and the Cloudmarker framework, CureIAM simplifies IAM management at scale.
Key Features
CureIAM is equipped with a range of features that enhance its scalability and reliability:
- Configuration Driven: The entire operation of CureIAM is driven by a configuration file, allowing for flexible customization. For details, check the Configuration section below.
- Scalability: With a plugin-based, multi-process, and multi-threaded architecture, CureIAM is built to handle scalability effortlessly.
- Integrated Scheduling: The scheduling functionality is embedded directly within CureIAM. Simply set your desired run time, and it will execute daily at that scheduled time.
- Plugin-Oriented Architecture: The codebase is designed to be fully modular, enabling users to add new functionalities through existing plugins or create custom ones.
- Actionable Insights Tracking: Every action taken by CureIAM is logged for audit purposes. Logs can be stored in file systems or Elasticsearch, and additional plugins can be created for integration with other storage solutions.
- Recommendation Scoring and Enforcement: Each recommendation fetched is scored based on various parameters, including `safe_to_apply_score`, `risk_score`, and `over_privilege_score`. The `safe_to_apply_score` indicates whether a recommendation can be applied automatically based on thresholds defined in the configuration file.
Usage
CureIAM is built in Python and can be executed locally using the following commands. Before running the tool, ensure you have a configuration file located at either `/etc/CureIAM.yaml`, `~/.CureIAM.yaml`, `~/CureIAM.yaml`, or `CureIAM.yaml`. Additionally, place the Service Account JSON file in the current directory, preferably named `cureiamSA.json`. You can name this private key file differently, but it is recommended to use this naming convention for Docker image builds. Make sure to reference this file in the `key_file_path` setting of the GCP plugin configuration.
Local Setup
- Install dependencies:

  ```shell
  pip install -r requirements.txt
  ```

- Run CureIAM once, now:

  ```shell
  python -m CureIAM -n
  ```

- Run as scheduler:

  ```shell
  python -m CureIAM
  ```

- Access help:

  ```shell
  python -m CureIAM --help
  ```
CureIAM can also be run in a Docker environment, which is ideal for CI/CD deployments in Kubernetes.
Docker Setup
- Build the Docker image:

  ```shell
  docker build -t cureiam .
  ```

- Run the image as scheduler:

  ```shell
  docker run -d cureiam
  ```

- Run the image now:

  ```shell
  docker run -f cureiam -m cureiam -n
  ```
Configuration
The configuration file `CureIAM.yaml` is the backbone of the CureIAM engine. All operations are dictated by the settings defined in this file. Here’s a breakdown of the key sections:
Logging and Scheduling Configuration
```yaml
logger:
  version: 1
  disable_existing_loggers: false
  formatters:
    verysimple:
      format: >-
        [%(process)s]
        %(name)s:%(lineno)d - %(message)s
      datefmt: "%Y-%m-%d %H:%M:%S"
  handlers:
    rich_console:
      class: rich.logging.RichHandler
      formatter: verysimple
    file:
      class: logging.handlers.TimedRotatingFileHandler
      # only verysimple is defined above; dictConfig rejects a handler
      # that references an undefined formatter
      formatter: verysimple
      filename: /tmp/CureIAM.log
      when: midnight
      encoding: utf8
      backupCount: 5
  loggers:
    adal-python:
      level: INFO
  root:
    level: INFO
    handlers:
      - rich_console
      - file

schedule: "16:00"
```

This section configures logging with the Rich library's `RichHandler` for the console and a file handler that rotates at midnight and keeps five backups; the top-level `schedule` key makes CureIAM run daily at 16:00.
Plugin Configuration
```yaml
plugins:
  gcpCloud:
    plugin: CureIAM.plugins.gcp.gcpcloud.GCPCloudIAMRecommendations
    params:
      key_file_path: cureiamSA.json
  filestore:
    plugin: CureIAM.plugins.files.filestore.FileStore
  gcpIamProcessor:
    plugin: CureIAM.plugins.gcp.gcpcloudiam.GCPIAMRecommendationProcessor
    params:
      mode_scan: true
      mode_enforce: true
      enforcer:
        key_file_path: cureiamSA.json
        allowlist_projects:
          - alpha
        blocklist_projects:
          - beta
        blocklist_accounts:
          - foo@bar.com
        allowlist_account_types:
          - user
          - group
          - serviceAccount
        blocklist_account_types:
          - None
        min_safe_to_apply_score_user: 0
        min_safe_to_apply_score_group: 0
        min_safe_to_apply_score_SA: 50
  esstore:
    plugin: CureIAM.plugins.elastic.esstore.EsStore
    params:
      scheme: http
      host: es-host.com
      port: 9200
      index: cureiam-stg
      username: security
      password: securepassword
```

Each plugin is declared under a name of your choosing with a `plugin` key giving the dotted path of its class and an optional `params` mapping that is passed to it. The processor's `enforcer` block decides which recommendations may be acted on: projects and accounts are filtered through the allowlists and blocklists, and a recommendation is applied only if its `safe_to_apply_score` reaches the minimum configured for that account type (here 50 for service accounts, 0 for users and groups). Setting `mode_enforce: false` keeps the scan and scoring but applies nothing.
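To make the enforcer settings concrete, here is an added example (not CureIAM's own code) that applies the allowlist, blocklist and per-type threshold rules from the configuration above to one scored recommendation; the check order, the treatment of an empty allowlist as "every project", and the `decide` function and its input dict shape are assumptions for illustration.

```python
# Added example, not CureIAM's own code: models how the enforcer settings in the
# config above gate one scored recommendation. The check order, the meaning of an
# empty allowlist (= every project) and the recommendation dict shape are assumptions.

ENFORCER = {  # constructed from the enforcer block shown above
    "allowlist_projects": ["alpha"],
    "blocklist_projects": ["beta"],
    "blocklist_accounts": ["foo@bar.com"],
    "allowlist_account_types": ["user", "group", "serviceAccount"],
    # YAML parses a bare None as the string "None", so this entry matches no real type
    "blocklist_account_types": ["None"],
    "min_safe_to_apply_score_user": 0,
    "min_safe_to_apply_score_group": 0,
    "min_safe_to_apply_score_SA": 50,
}

# IAM member type -> threshold key used in the config
SCORE_KEY = {
    "user": "min_safe_to_apply_score_user",
    "group": "min_safe_to_apply_score_group",
    "serviceAccount": "min_safe_to_apply_score_SA",
}

def decide(rec, enforcer=ENFORCER, mode_enforce=True):
    """Return (action, reason) for one scored recommendation.

    action is "apply", "report" (scan-only run) or "skip"; each skip names
    the enforcer setting that blocked it, which is what the audit log needs.
    """
    project, account = rec["project"], rec["account"]
    atype, score = rec["account_type"], rec["safe_to_apply_score"]
    allowed = enforcer.get("allowlist_projects") or []
    if allowed and project not in allowed:
        return "skip", "project not in allowlist_projects"
    if project in enforcer.get("blocklist_projects", []):
        return "skip", "project in blocklist_projects"
    if account in enforcer.get("blocklist_accounts", []):
        return "skip", "account in blocklist_accounts"
    if atype in enforcer.get("blocklist_account_types", []):
        return "skip", "account type in blocklist_account_types"
    if atype not in enforcer.get("allowlist_account_types", []):
        return "skip", "account type not in allowlist_account_types"
    if not mode_enforce:
        return "report", "mode_enforce is false, scan only"
    threshold = enforcer[SCORE_KEY[atype]]
    if score < threshold:
        return "skip", f"safe_to_apply_score {score} below {threshold}"
    return "apply", "all enforcer checks passed"
```

With the sample configuration, a service-account recommendation scored 40 is skipped while one scored 50 is applied, and a user recommendation is applied at any score unless the account or project is blocklisted.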
Auditing Pipeline Definition
```yaml
audits:
  IAMAudit:
    clouds:
      - gcpCloud
    processors:
      - gcpIamProcessor
    stores:
      - filestore
      - esstore
```

This section defines the audit pipeline, named `IAMAudit`, which chains the cloud, processor and store plugins declared above.
Running Audits
```yaml
run:
  - IAMAudit
```

This final configuration tells CureIAM which of the defined audits to execute.
Dashboard
The JSON data indexed in Elasticsearch using the Elasticsearch store plugin can be visualized using Kibana, allowing for effective monitoring and reporting.
Contributing
We welcome contributions of all types to enhance CureIAM’s core functionality and documentation. If you have ideas or improvements, please consider submitting a pull request!
Acknowledgements
Special thanks to the Gojek Product Security Team ❤️ for their contributions to this project.
Recent Updates (May 2023)
Version 0.2.0 Updates:
- Refactoring: The code has been organized into smaller functions for better maintainability.
- Plugin Organization: All plugins have been moved into a designated folder structure.
- Bug Fixes: Resolved zero-division errors and migrated to the latest major version of Elasticsearch.
- Configuration Changes: Updated settings in the `CureIAM.yaml` file.
- Library Updates: Added versioning to prevent compatibility issues.
  - Elastic: Updated to version 8.7.0
  - Elasticsearch: Updated to version 8.7.0
  - Google API Client: Updated to version 2.86.0
  - PyYAML: Updated to version 6.0
  - Schedule: Updated to version 1.2.0
  - Rich: Updated to version 13.3.5
- Docker Enhancements: Added Docker Compose configuration for local Elasticsearch and Kibana.
- New Features: Introduced the ability to run scans without applying recommendations:

  ```yaml
  mode_scan: true
  mode_enforce: false
  ```

- Email Functionality: Temporarily disabled email notifications.
With these enhancements, CureIAM continues to evolve, offering improved performance and user experience in managing IAM accounts effectively.