GoogleCloudPlatform / config-validator

Golang library which provides functionality to evaluate GCP resources against Rego-based policies
Apache License 2.0

Allow support for referential constraints #160

Open Jberlinsky opened 3 years ago

Jberlinsky commented 3 years ago

Summary

I have a customer for whom referential constraints would drive outsize business value, enabling them to adopt Forseti Config Validator and Terraform Validator to implement detective and protective controls to safeguard their GCP organization.

Use Case

The specific use case identified is:

At present, we can pull sufficient information from CAI to determine that there is some ResourcePolicy attached to a Disk:

{
  "asset_type": "compute.googleapis.com/Disk",
  ...
  "resource": {
    "version": "v1",
    "discovery_document_uri": "https://www.googleapis.com/discovery/v1/apis/compute/v1/rest",
    "discovery_name": "Disk",
    ...
    "data": {
      ...
      "resourcePolicies": [
        "https://www.googleapis.com/compute/v1/projects/.../regions/us-east4/resourcePolicies/snapshot-disks"
      ],
      ...
    },
    "location": "us-east4-a"
  },
  ...
}

And subsequently pulling the ResourcePolicy CAI data yields information about the snapshot schedule:

{
  "asset_type": "compute.googleapis.com/ResourcePolicy",
  ...
  "resource": {
    "version": "v1",
    "discovery_document_uri": "https://www.googleapis.com/discovery/v1/apis/compute/v1/rest",
    "discovery_name": "ResourcePolicy",
    ...
    "data": {
      ...
      "snapshotSchedulePolicy": {
        "retentionPolicy": {
          "maxRetentionDays": 7,
          "onSourceDiskDelete": "KEEP_AUTO_SNAPSHOTS"
        },
        "schedule": {
          "dailySchedule": {
            "daysInCycle": 1,
            "duration": "PT14400S",
            "startTime": "00:00"
          }
        }
      },
      "status": "READY"
    },
    "location": "us-east4"
  },
  ...
}

The ability to build policies that consider both of these CAI asset data objects at once would be valuable, and extensible to other security control implementations.
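One way to express the Disk-to-ResourcePolicy join this post asks for, as an added Go example that is not code from config-validator: it indexes ResourcePolicy assets from a constructed CAI export by name, then flags every Disk whose resourcePolicies references do not resolve to a policy that retains snapshots for at least minDays. The "//service/..." asset name format, the project id example-project and the three sample records are assumptions.

```go
package main

import "encoding/json"
import "strings"
type asset struct { // subset of a CAI asset record; the "//service/..." name format is assumed
	Name      string `json:"name"`
	AssetType string `json:"asset_type"`
	Resource  struct{ Data json.RawMessage } `json:"resource"`
}
// Constructed sample export: one ResourcePolicy and two Disks, of which only disk-a references the policy.
const SampleAssets = `[{"name":"//compute.googleapis.com/projects/example-project/regions/us-east4/resourcePolicies/snapshot-disks","asset_type":"compute.googleapis.com/ResourcePolicy","resource":{"data":{"snapshotSchedulePolicy":{"retentionPolicy":{"maxRetentionDays":7,"onSourceDiskDelete":"KEEP_AUTO_SNAPSHOTS"}}}}},
{"name":"//compute.googleapis.com/projects/example-project/zones/us-east4-a/disks/disk-a","asset_type":"compute.googleapis.com/Disk","resource":{"data":{"resourcePolicies":["https://www.googleapis.com/compute/v1/projects/example-project/regions/us-east4/resourcePolicies/snapshot-disks"]}}},
{"name":"//compute.googleapis.com/projects/example-project/zones/us-east4-a/disks/disk-b","asset_type":"compute.googleapis.com/Disk","resource":{"data":{"resourcePolicies":[]}}}]`
// policyKey trims a CAI asset name or a compute selfLink to "projects/<p>/regions/<r>/resourcePolicies/<n>" so both forms join.
func policyKey(ref string) string {
	if i := strings.Index(ref, "projects/"); i >= 0 {
		return ref[i:]
	}
	return ref
}
// DisksWithoutSnapshotPolicy is the referential check: Disk assets not attached to any ResourcePolicy whose snapshot schedule retains at least minDays are returned.
func DisksWithoutSnapshotPolicy(rawAssets string, minDays int) ([]string, error) {
	var assets []asset
	if err := json.Unmarshal([]byte(rawAssets), &assets); err != nil {
		return nil, err
	}
	covered := map[string]bool{} // pass 1: index ResourcePolicies that meet the retention bound
	for _, a := range assets {
		var p struct{ SnapshotSchedulePolicy *struct{ RetentionPolicy struct{ MaxRetentionDays int } } }
		if a.AssetType == "compute.googleapis.com/ResourcePolicy" && json.Unmarshal(a.Resource.Data, &p) == nil &&
			p.SnapshotSchedulePolicy != nil && p.SnapshotSchedulePolicy.RetentionPolicy.MaxRetentionDays >= minDays {
			covered[policyKey(a.Name)] = true
		}
	}
	var violations []string // pass 2: a Disk passes only if it references at least one covered policy
	for _, a := range assets {
		if a.AssetType != "compute.googleapis.com/Disk" {
			continue
		}
		d, ok := struct{ ResourcePolicies []string }{}, false
		_ = json.Unmarshal(a.Resource.Data, &d) // undecodable disk data leaves no policies, so it fails closed
		for _, ref := range d.ResourcePolicies {
			ok = ok || covered[policyKey(ref)]
		}
		if !ok {
			violations = append(violations, a.Name)
		}
	}
	return violations, nil
}
```

Raising minDays above the policy's maxRetentionDays makes every Disk a violation, which is the behaviour a retention floor should have.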

briantkennedy commented 3 years ago

Hi Jason,

We previously had referential constraints prior to integrating with Constraint Framework; however, there are some scaling issues for larger organizations. Referential constraints entail having the entire set of resources loaded into memory, and Golang experiences roughly a 60x increase in memory footprint for parsed JSON (e.g., a 1GB CAI export will require 60GB of physical memory).

Enabling referential constraints would require implementing the rego function matching_reviews_and_constraints in pkg/gcptarget/library.go, creating the appropriate unit tests, plumbing through functionality for loading CAI information into Constraint Framework, and invoking the audit. Unfortunately, I have no plans to implement it at this time, however, I am willing to review pull requests.

-Brian

morgante commented 3 years ago

This is something we're still considering for the roadmap though.

aimjwizards commented 3 years ago

+Marten van Wezel martenvw@google.com for awareness

On Fri, Jan 15, 2021 at 11:46 AM Morgante Pell notifications@github.com wrote:

This is something we're still considering for the roadmap though.
