allisonis/cloudbuild-sa-activity

Latest commit 8cd6a74 · Feb 24, 2020 (1 commit)
cloudbuild-metadata-activity

Alert pipeline to catch malicious Cloud Build executions. This is a demo application to capture potentially malicious Cloud Build requests.

Advanced Stackdriver logging query that can be used to alert on requests originating from the Google-managed Cloud Build service account. The query matches all audit log entries whose principal contains the partial service account email cloudbuild.gserviceaccount.com and whose caller IP does not belong to GCP. Because it keys on the caller IP, this query can only capture malicious requests made from an external network; use of the service account from inside GCP is not flagged by it.

protoPayload.authenticationInfo.principalEmail:(cloudbuild.gserviceaccount.com)
protoPayload.requestMetadata.callerIp: "." AND NOT (35)

Terraform configurations

In this repository we configure the following resources to capture Stackdriver events:

  • Log Sinks
  • Pub/Sub events
  • Cloud Functions

Required variables:

variable "project_id" {
  description = "ProjectID target project, required"
  default     = ""
}

variable "entrypoint" {
  description = "Cloud Function entrypoint/handler name"
  default     = "cloudbuild_service_account_alerts"
}

variable "region" {
  description = "Region"
  default     = "us-central1"
}
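The Cloud Function at the end of the sink → Pub/Sub → function pipeline has to re-apply the same test the Stackdriver query expresses, because a log sink filter is the only gate in front of it. The following is an added example written for this page, not the repository's own function code: it implements the README's filter (Cloud Build service account principal, caller IP outside GCP) over constructed audit log entries and exposes it as a Pub/Sub-triggered handler named after the README's default `entrypoint` variable. Assumptions: the sink delivers the raw LogEntry JSON base64-encoded in `event["data"]`; the trusted CIDR list is an operator-supplied placeholder rather than an authoritative list of Google-owned ranges (the README's query approximates the same idea with a `35` prefix test); the sample IPs, project id and method name are made up.

```python
import base64
import ipaddress
import json

# Substring the README's query matches against principalEmail.
CLOUDBUILD_SA_SUFFIX = "cloudbuild.gserviceaccount.com"

# Assumption: source ranges the operator treats as "inside GCP". Placeholders for
# this example only; replace with the ranges you actually trust.
TRUSTED_CIDRS = [
    ipaddress.ip_network("35.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Constructed sample entries. Field paths follow the Cloud Audit Log schema the
# README's query references; the values themselves are invented.
EXTERNAL_ENTRY = {
    "insertId": "constructed-0001",
    "protoPayload": {
        "authenticationInfo": {
            "principalEmail": "123456789012@cloudbuild.gserviceaccount.com"
        },
        "requestMetadata": {"callerIp": "203.0.113.7"},
        "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
    },
    "resource": {"labels": {"project_id": "example-project"}},
}

INTERNAL_ENTRY = {
    "insertId": "constructed-0002",
    "protoPayload": {
        "authenticationInfo": {
            "principalEmail": "123456789012@cloudbuild.gserviceaccount.com"
        },
        # Audit logs use symbolic values like this for calls from inside Google.
        "requestMetadata": {"callerIp": "gce-internal-ip"},
        "methodName": "google.devtools.cloudbuild.v1.CloudBuild.CreateBuild",
    },
    "resource": {"labels": {"project_id": "example-project"}},
}


def caller_ip_is_external(caller_ip, trusted=TRUSTED_CIDRS):
    """True when callerIp parses as an address outside every trusted range.

    Symbolic values ("private", "gce-internal-ip") do not parse and are treated
    as internal, which mirrors the README's query requiring a dotted address.
    """
    try:
        ip = ipaddress.ip_address(caller_ip)
    except ValueError:
        return False
    return not any(ip in net for net in trusted)


def matches_alert_filter(entry, trusted=TRUSTED_CIDRS):
    """Python equivalent of the README's Stackdriver filter."""
    proto = entry.get("protoPayload", {})
    principal = proto.get("authenticationInfo", {}).get("principalEmail", "")
    caller_ip = proto.get("requestMetadata", {}).get("callerIp", "")
    return CLOUDBUILD_SA_SUFFIX in principal and caller_ip_is_external(caller_ip, trusted)


def build_alert(entry):
    """Reduce a matching LogEntry to the fields a responder needs first."""
    proto = entry["protoPayload"]
    return {
        "insert_id": entry.get("insertId", "unknown"),
        "project": entry.get("resource", {}).get("labels", {}).get("project_id", "unknown"),
        "principal_email": proto["authenticationInfo"]["principalEmail"],
        "caller_ip": proto["requestMetadata"]["callerIp"],
        "method": proto.get("methodName", "unknown"),
    }


def cloudbuild_service_account_alerts(event, context=None):
    """Pub/Sub-triggered Cloud Function entrypoint.

    Returns the alert dict, or None when the entry does not match, so the logic
    can be exercised locally without deploying.
    """
    entry = json.loads(base64.b64decode(event["data"]).decode("utf-8"))
    if not matches_alert_filter(entry):
        return None
    alert = build_alert(entry)
    # Structured JSON so the alert lands in the function's own logs; a real
    # deployment would forward it to a pager or chat integration as well.
    print(json.dumps(alert))
    return alert


def encode_event(entry):
    """Wrap a LogEntry the way Pub/Sub hands it to the function (local-run helper)."""
    data = base64.b64encode(json.dumps(entry).encode("utf-8")).decode("ascii")
    return {"data": data}


if __name__ == "__main__":
    for sample in (EXTERNAL_ENTRY, INTERNAL_ENTRY):
        print(cloudbuild_service_account_alerts(encode_event(sample)))
```

Running the block alerts on `EXTERNAL_ENTRY` and returns `None` for `INTERNAL_ENTRY`. CIDR matching is used in place of the query's text-prefix heuristic so that an external address that merely contains the digits `35` is not silently dropped; the trade-off is that the trusted list has to be maintained.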

About

Identify anonymous CloudBuild service account activity.