- What are CloudGuard CloudBots?
- Flow Diagram
- Deploy the CloudBots
- Log Collection for Troubleshooting
- What are CloudGuard CloudBots?
CloudGuard CloudBots are an autoremediation solution for GCP, built on top of the CloudGuard CloudGuard Continuous Compliance capabilities.
They can also be used standalone, without Dome9, to remedy issues in AWS and Azure accounts. Details are included how to configure and trigger them.
Refer to this file for a list of the bots, what each one does, and an example of a rule that could be used to trigger it.
To use the CloudBots, you have to set up your GCP project, and your CloudGuard account.
Follow these steps to configure your GCP Projects:
- Create a custom role for the CloudBots Cloud Function
- Create a Service Account for the CloudBots
- download the CloudBots zip file
- Optionally, configure SendGrid to forward notifications by email
- Create a GCP Function for the CloudBots
-
In GCP portal, go to IAM & Admin -> Roles
-
Choose Create Role
-
Enter a title for the role (like 'CloudGuard-CloudBots-Role')
-
Choose Role launch stage to be General Availability
-
Click on Add permissions*
-
Add the permissions from the file CloudGuard-CloudBots-Role.json
-
Press CREATE
-
In GCP portal, go to IAM & Admin -> Service Accounts
-
Choose Create Service Account
-
Enter a name for the service account (like 'CloudGuard-CloudBots-ServiceAccount')
-
Press on Create and Continue
-
Choose the role you created in the previous step
-
Press Continue and the then Done
- Download the CloudBots zip file from this repository (The GCP Function will require the content zipped).
- If you cloned the repository, zip the contents.
SendGrid (sendgrid.com) is a third-party email service. It has different tiers and pricing. It is used by GCP to distribute emails. See here for more info.
This step is optional.
- Navigate to sendgrid.com
- Create a new account, following the instructions on the site.
- Navigate to Settings, and then select API Keys.
- Click Create API Key.
- Enter a name for the key (e.g., Dome9-cloudbots, an select Full Access.
- Click Create Key, then copy the value of the key.
- Click Done.
-
Navigate to Cloud Functions.
-
Click CREATE FUNCTION.
-
Choose a name for the function.
-
Select a region for the function.
-
Set Trigger Type as HTTP.
-
Check Allow unauthenticated invocations option.
-
Press SAVE.
-
Expand RUNTIME, BUILD, CONNECTIONS AND SECURITY SETTINGS.
-
Make sure the Runtime Service Account is set to the service account you created earlier.
-
In the Runtime Environment Variables section, click on ADD VARIABLE and add the following variables:
- (optional) SEND_GRID_API_CLIENT - enter the SendGrid API Ket that was created above.
- (optional) OUTPUT_EMAIL - the email recipient (for notification emails, generated with SendGrid).
- SEND_LOGS - set to True to send log information to CloudGuard for troubleshooting; set to False to disable this (default is True).
-
Press NEXT.
-
Set Runtime as Python 3.7.
-
In the ENTRY POINT section enter 'main'.
-
In SOURCE CODE, choose ZIP Upload.
-
Choose the zip file that was created above.
-
Choose a Stage Bucket (or create a new one if necessary).
-
Click on DEPLOY.
The cloudbot function in GCP is triggered from CloudGuard using a webhook. For this, the URL of the function is required.
- Click on the Cloud Function you created.
- Go to TRIGGER section.
- Copy the Trigger URL.
You can use CloudBots for several GCP projects, but install it in only one project. The other projects will be accessed from the first by granting IAM permissions.
- Create a GCP Function in one of the GCP projects, following the steps above.
- For each of the other projects, navigate to IAM & admin, and select
IAM.
- Click ADD.
- In the New members field, enter the service account created above.
- Select the Project Editor role.
- Click SAVE.
- Click ADD.
On CloudGuard add remediation tags to rules in a Compliance ruleset.
See also
CloudBots are triggered by findings discovered by CloudGuard Compliance rulesets. You must configure a ruleset to trigger the CloudBots.
Follow these steps in your CloudGuard account to tag the compliance rules & rulesets to use bots as a remediation step.
-
In the CloudGuard web app, navigate to the Rulesets page in the Compliance & Governance menu.
-
Select or create a ruleset that will be used for the cloudbots.
-
Select the rules for which you want to add a remediation step.
-
In the Compliance Section add a row with the following string:
AUTO: <bot-name> <params>where bot-name is the name of the bot, and params is a list of arguments for the bot (if any).For example,
AUTO: vm_instance_stopwill run the bot to stop a VM instance.
Once the rules in the ruleset have been tagged for remediation, set up a Continuous Compliance policy to run the ruleset, and send findings the GCP function webhook.
- Navigate to the Policies page in the Compliance & Governance menu.
- Click ADD POLICY (on the right).
- Select the account from the list, then click NEXT, this will be the one account in which the bots are deployed.
- Select the ruleset from the list, then click NEXT.
- Click ADD NOTIFICATION.
- Select Send to HTTP Endpoint and enter the URL for the Function, as described above Webhook for Function, and then click SAVE.
Note: CloudGuard will send event messages to the webhook for new findings. To send events for previous findings, follow these steps:
- Navigate to the Policies page.
- Find the ruleset and account in the list, and hover over the right of the row, then click on the Send All Alerts icon.
- Select the webhook Notification Type option, and the Notification Policy (the one created above), then click SEND. CloudGuard will send event messages to the GCP function webhook.
The cloudbots send log information to CloudGuard, that is used for troubleshooting. By default, this is enabled for all bots. You can disable this in your GCP account. Select the function, and set the environment variable SEND_LOGS to False. This will apply to all bots in the account. By default, this is set to True, enabling logs.
Each account is controlled by the variable for the function configured in that account.