GoogleCloudPlatform / security-response-automation

Take automated actions against threats and vulnerabilities.
Apache License 2.0
208 stars 52 forks

Removes unnecessary roles from scc notifications sa #170

Closed. atos-cit closed this 4 years ago

atos-cit commented 4 years ago

In the section "Set up Security Command Center Notifications" of the README, after running the script that creates the SCC Notifications, there are two commands that add roles to a service account:

gcloud beta pubsub topics add-iam-policy-binding projects/$PROJECT_ID/topics/$TOPIC_ID \
--member="serviceAccount:$SERVICE_ACCOUNT_FROM_ABOVE" \
--role="roles/pubsub.publisher"

gcloud pubsub topics add-iam-policy-binding projects/$PROJECT_ID/topics/threat-findings \
--member="serviceAccount:$SERVICE_ACCOUNT_FROM_ABOVE" \
--role="roles/securitycenter.notificationServiceAgent"

After some tests creating a project and following the steps to create the SCC Notifications, it seems that adding both roles is unnecessary. After the step that grants the role roles/pubsub.admin to the service account used by the script ./local/cli/main.go, the service account generated for the SCC Notifications receives the role roles/securitycenter.notificationServiceAgent. Since that role has the same permissions as the role roles/pubsub.publisher, there is no need to include those commands in the README.

tomscript commented 4 years ago

The notificationServiceAgent is a new requirement for CSCC notifications. It's not enforced yet but soon will be. Re: "roles/pubsub.publisher", that role was requested to be added by the CSCC notification folks. Seems odd that it functions without it, but I'm not familiar enough with their service to know why. We probably should leave it for now since they asked us to add it. I wouldn't want to break something later if their internals change.

atos-cit commented 4 years ago

> The notificationServiceAgent is a new requirement for CSCC notifications. It's not enforced yet but soon will be. Re: "roles/pubsub.publisher", that role was requested to be added by the CSCC notification folks. Seems odd that it functions without it, but I'm not familiar enough with their service to know why. We probably should leave it for now since they asked us to add it. I wouldn't want to break something later if their internals change.

Since roles/pubsub.publisher has the same permissions as roles/securitycenter.notificationServiceAgent (in fact it is only the permission pubsub.topics.publish), it doesn't seem odd to me. Maybe they just wanted to be sure that the service account has the correct role, but like you said, best to leave it as-is for now, especially because they requested it and things are not in GA yet.
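The question in this thread, whether the two topic bindings grant anything beyond each other and whether either is needed at all, is something a reviewer can check mechanically against the topic's IAM policy rather than by reading role docs. The script below is an added example, not code from the security-response-automation project: it consumes the JSON that `gcloud pubsub topics get-iam-policy TOPIC --format=json` prints, looks up what each bound role permits, and reports for a given service account which roles are redundant, which needed permission is missing, and which granted permissions exceed what an SCC notification publisher needs. The `ROLE_PERMISSIONS` table, the sample policy and the `example-project` service-account names are constructed for the example; for the two roles discussed here it records only `pubsub.topics.publish`, as the thread states, and the `roles/pubsub.admin` entry is a deliberately partial subset. In real use, populate the table from `gcloud iam roles describe ROLE` (the `includedPermissions` field) instead of hand-writing it.

```python
"""Audit the roles a service account holds on a Pub/Sub topic and flag
redundant or excessive ones. Input is the JSON shape printed by
`gcloud pubsub topics get-iam-policy TOPIC --format=json`."""
import json

# Permissions each role carries. The two roles from the thread contain exactly
# pubsub.topics.publish. The pubsub.admin entry is a constructed subset used
# only to demonstrate over-privilege detection; fill this table from
# `gcloud iam roles describe ROLE` for real audits.
ROLE_PERMISSIONS = {
    "roles/pubsub.publisher": {"pubsub.topics.publish"},
    "roles/securitycenter.notificationServiceAgent": {"pubsub.topics.publish"},
    "roles/pubsub.admin": {
        "pubsub.topics.publish",
        "pubsub.topics.delete",
        "pubsub.topics.update",
        "pubsub.topics.getIamPolicy",
        "pubsub.topics.setIamPolicy",
    },
}

# The only permission an SCC notification publisher needs on the topic.
NEEDED = {"pubsub.topics.publish"}

# Constructed sample policy; project and service-account names are placeholders.
SAMPLE_POLICY_JSON = json.dumps({
    "bindings": [
        {"role": "roles/pubsub.publisher",
         "members": ["serviceAccount:scc-notify@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/securitycenter.notificationServiceAgent",
         "members": ["serviceAccount:scc-notify@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/pubsub.admin",
         "members": ["serviceAccount:sra-cli@example-project.iam.gserviceaccount.com"]},
    ],
    "etag": "BwXexampleEtag=",
    "version": 1,
})


def roles_for_member(policy, member):
    """Roles bound unconditionally to `member` on this resource.
    Conditional bindings are skipped because their effect depends on the
    request context and cannot be summarised as a flat permission set."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", []) and "condition" not in b}


def permissions_for_roles(roles):
    """Union of the permissions granted by a set of roles."""
    perms = set()
    for role in roles:
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"no permission data for {role}; extend ROLE_PERMISSIONS")
        perms |= ROLE_PERMISSIONS[role]
    return perms


def minimal_roles(roles):
    """Greedily drop any role whose permissions the remaining roles already
    grant. Roles are tried in sorted order, so of two equivalent roles the
    alphabetically first one is the one reported as droppable."""
    keep = set(roles)
    target = permissions_for_roles(keep)
    for role in sorted(roles):
        if permissions_for_roles(keep - {role}) == target:
            keep.discard(role)
    return keep


def audit_member(policy_json, member, needed=NEEDED):
    """Summarise a member's standing on the topic relative to `needed`."""
    policy = json.loads(policy_json)
    roles = roles_for_member(policy, member)
    granted = permissions_for_roles(roles)
    return {
        "roles": sorted(roles),
        "redundant": sorted(roles - minimal_roles(roles)),
        "missing": sorted(needed - granted),
        "excess": sorted(granted - needed),
    }


if __name__ == "__main__":
    for sa in ("serviceAccount:scc-notify@example-project.iam.gserviceaccount.com",
               "serviceAccount:sra-cli@example-project.iam.gserviceaccount.com"):
        print(sa, json.dumps(audit_member(SAMPLE_POLICY_JSON, sa), indent=2))
```

On the sample policy the SCC notification account comes back with `roles/pubsub.publisher` listed as redundant (either of the two equivalent roles could be dropped; the greedy pass keeps the one the thread says the service now grants automatically) and nothing missing or in excess, while the CLI account holding `roles/pubsub.admin` shows four permissions beyond publish, which is the kind of binding worth questioning on a topic that only ever needs to be published to.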