Skip to content

A lightweight integration to stream GKE Control Plane Audit Logs into Security Command Center

License

Notifications You must be signed in to change notification settings

GoogleCloudPlatform/gke-2-scc

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

GKE-2-SCC

Lightweight integration to ingest GKE Audit Logs into Security Command Center via EventArc and Cloud Functions Gen 2.

Google Disclaimer

This is not an officially supported Google product

Overview

GKE control plane Audit logs currently do not directly integrate with Security Command Center. Many organizations would like to leverage these audit logs to gain insight into the security posture of their clusters. This integration enables the following use cases for customers:

  • Improve their security posture: SCC provides a centralized view of security events across all of a customer's Google Cloud resources, including GKE clusters. By streaming audit logs from GKE into SCC, customers can gain a more complete understanding of the activity happening in their clusters and identify potential security threats more quickly.
  • Simplify their security operations: SCC provides a variety of features to help customers manage their security operations, such as threat detection, incident response, and compliance reporting. By streaming audit logs from GKE into SCC, customers can take advantage of these features to improve their overall security posture.
  • Meet compliance requirements: Many compliance regulations require organizations to collect and retain audit logs for their IT systems. By streaming audit logs from GKE into SCC, customers can meet these requirements more easily and efficiently.

Here are some specific examples of how customers can benefit from streaming audit logs from GKE into SCC:

  • Detect suspicious activity: SCC can use audit logs to detect suspicious activity in GKE clusters, such as unauthorized access attempts, privilege escalations, and data exfiltration. This can help customers to identify and respond to security threats more quickly.
  • Investigate incidents: If a security incident does occur, SCC can provide customers with the audit logs they need to investigate the incident and determine the root cause. This can help customers to remediate the incident and prevent it from happening again.
  • Demonstrate compliance: SCC can help customers to demonstrate compliance with various regulations by providing them with reports on their audit logs. This can save customers time and effort when they are audited by regulatory bodies.

Required permissions to deploy

  • roles/editor
  • roles/owner
  • roles/orgpolicy.policyAdmin (if you need to disable org policies)

Dependencies (to run the devcontainer)

Dependencies (these are pre-packaged into devcontainer)

  • terraform ~> 1.5
  • terragrunt ~> v0.46.3
  • go 1.19
  • terraform-docs

Required GCP APIs

All GCP APIs required for this solution are documented in ./live/shared.hcl. By default, terragrunt run-all apply will enable each of these APIs

Organization Policies

The Org Policy constraints which could prevent this solution from being deployed are documented in ./live/shared.hcl. If your deployment is being blocked, set skip = false ./live/prod/org-policies/terragrunt.hcl#L15 and rerun terragrunt run-all apply -refresh=false. Please note that you must have permissions to remove Orgnization Policies from your project in order for this to work.

How to deploy

# Build and start the VS Code devcontainer which includes all the required tooling to depoy
devcontainer build && devcontainer open

# Log in to gcloud cli to authenticate Terraform
gcloud auth login --update-adc
# Generate the Terraform plan and review before deploying into your project
terragrunt run-all plan -refresh=false

# Deploy the integration
terragrunt run-all apply -refresh=false

Architecture

Architecture

Example SCC Finding

Kubectl Exec Finding Kubectl Exec Finding 2 Kubectl Exec Finding

About

A lightweight integration to stream GKE Control Plane Audit Logs into Security Command Center

Resources

License

Code of conduct

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published