Merge pull request #115 from cloudgraphdev/feature/CG-1294-GCP-CIS-130-118

DRAFT: Feature/cg 1294 gcp cis 130 118

Author: tyler-dunkel

src/gcp/cis-1.3.0/README.md

@@ -71,6 +71,8 @@ Policy Pack based on the GCP Foundations 1.3.0 benchmark provided by the [Center
 | GCP CIS 1.14   | Ensure API keys are restricted to only APIs that application needs access                                                                                           |
 | GCP CIS 1.15   | Ensure API keys are rotated every 90 days                                                                                                                           |
 | GCP CIS 1.16   | Ensure Essential Contacts is Configured for Organization                                                                                                            |
+| GCP CIS 1.17   | Ensure that Dataproc Cluster is encrypted using CustomerManaged Encryption Key                                                                                      |
+| GCP CIS 1.18   | Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager                                                                      |
 | GCP CIS 2.1    | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project                                                             |
 | GCP CIS 2.2    | Ensure that sinks are configured for all log entries                                                                                                                |
 | GCP CIS 2.3    | Ensure that retention policies on log buckets are configured using Bucket Lock                                                                                      |

src/gcp/cis-1.3.0/rules/gcp-cis-1.3.0-1.17.ts

@@ -0,0 +1,101 @@
+/* eslint-disable @typescript-eslint/explicit-module-boundary-types */
+/* eslint-disable @typescript-eslint/no-explicit-any */
+
+export default {
+  id: 'gcp-cis-1.3.0-1.17',
+  title: 'GCP CIS 1.17 Ensure that Dataproc Cluster is encrypted using CustomerManaged Encryption Key',
+  description:
+    'When you use Dataproc, cluster and job data is stored on Persistent Disks (PDs) associated with the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. This PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK).',
+  audit: `**From Console:**
+  
+  1. Login to the GCP Console and navigate to the Dataproc Cluster page by visiting:
+
+          https://console.cloud.google.com/dataproc/clusters.
+
+  2. Select the project from the project dropdown list.
+  3. On the Dataproc Clusters page, select the cluster and click on the Name attribute value that you want to examine.
+  4. On the details page, select the Configurations tab.
+  5. On the Configurations tab, check the Encryption type configuration attribute value. If the value is set to Google-managed key, then Dataproc Cluster is not encrypted with Customer managed encryption keys.
+  
+  Repeat step no. 3 - 5 for other Dataproc Clusters available in the selected project.
+  
+  6. Change the project from the project dropdown list and repeat the audit procedure for other projects.
+
+  **From Command Line:**
+
+  1. Run clusters list command to list all the Dataproc Clusters available in the region:
+
+          gcloud dataproc clusters list --region='us-central1'
+
+  2. Run clusters describe command to get the key details of the selected cluster:
+
+          gcloud dataproc clusters describe <cluster_name> --region=us-central1 --flatten=config.encryptionConfig.gcePdKmsKeyName
+          
+  3. If the above command output return "null", then the selected cluster is not encrypted with Customer managed encryption keys.
+  4. Repeat step no. 2 and 3 for other Dataproc Clusters available in the selected region. Change the region by updating --region and repeat step no. 2 for other clusters available in the project. Change the project by running the below command and repeat the audit procedure for other Dataproc clusters available in other projects:
+
+          gcloud config set project <project_ID>"
+  `,
+  rationale:
+    'Many Google Cloud services, such as Cloud Billing, send out notifications to share important information with Google Cloud users. By default, these notifications are sent to members with certain Identity and Access Management (IAM) roles. With Essential Contacts, you can customize who receives notifications by providing your own list of contacts.',
+  remediation: `**From Console:**
+  1. Login to the GCP Console and navigate to the Dataproc Cluster page by visiting
+      
+          https://console.cloud.google.com/dataproc/clusters.
+
+  2. Select the project from the projects dropdown list.
+  3. On the *Dataproc Cluster* page, click on the *Create Cluster* to create a new cluster with Customer managed encryption keys.
+  4. On *Create a cluster* page, perform below steps:
+    • Inside *Set up cluster* section perform below steps:
+      -In the *Name* textbox, provide a name for your cluster.
+        o From *Location* select the location in which you want to deploy a cluster.
+        o Configure other configurations as per your requirements.
+    • Inside *Configure Nodes* and *Customize cluster* section configure the settings as per your requirements.
+    • Inside *Manage security* section, perform below steps:
+      o From *Encryption*, select *Customer-managed key*.
+      o Select a customer-managed key from dropdown list.
+      o Ensure that the selected KMS Key have Cloud KMS CryptoKey Encrypter/Decrypter role assign to Dataproc Cluster service account ("serviceAccount:service-<project_number>@computesystem.iam.gserviceaccount.com").
+      o Click on *Create* to create a cluster.
+    • Once the cluster is created migrate all your workloads from the older cluster to the new cluster and delete the old cluster by performing the below steps:
+      o On the *Clusters* page, select the old cluster and click on *Delete cluster*.
+      o On the *Confirm deletion* window, click on *Confirm* to delete the cluster.
+      o Repeat step above for other Dataproc clusters available in the selected project.
+    • Change the project from the project dropdown list and repeat the remediation procedure for other Dataproc clusters available in other projects.
+
+
+  **From Command Line:**
+
+  Before creating cluster ensure that the selected KMS Key have Cloud KMS CryptoKey Encrypter/Decrypter role assign to Dataproc Cluster service account ("serviceAccount:service-<project_number>@compute-system.iam.gserviceaccount.com").
+  Run clusters create command to create new cluster with customer-managed key:
+
+        gcloud dataproc clusters create <cluster_name> --region=us-central1 --gce-pdkms-key=<key_resource_name>
+
+  The above command will create a new cluster in the selected region.
+  Once the cluster is created migrate all your workloads from the older cluster to the new cluster and Run clusters delete command to delete cluster:
+
+        gcloud dataproc clusters delete <cluster_name> --region=us-central1
+
+  Repeat step no. 1 to create a new Dataproc cluster.
+  Change the project by running the below command and repeat the remediation procedure for other projects:
+
+        gcloud config set project <project_ID>"
+  `,
+  references: [
+    'https://cloud.google.com/docs/security/encryption/default-encryption',
+  ],
+  gql: `{
+    querygcpDataprocCluster {
+      id
+      __typename
+      config{
+        encryptionConfigGcePdKmsKeyName
+      }
+    }
+  }`,
+  resource: 'querygcpDataprocCluster[*]',
+  severity: 'unknown',
+  conditions: {
+    path: '@.config.encryptionConfigGcePdKmsKeyName',
+    isEmpty: false,
+  }
+}

src/gcp/cis-1.3.0/rules/gcp-cis-1.3.0-1.18.ts

@@ -0,0 +1,156 @@
+/* eslint-disable @typescript-eslint/explicit-module-boundary-types */
+/* eslint-disable @typescript-eslint/no-explicit-any */
+
+export default {
+  id: 'gcp-cis-1.3.0-1.18',
+  title: 'GCP CIS 1.18 Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager',
+  description:
+    'Google Cloud Functions allow you to host serverless code that is executed when an event is triggered, without the requiring the management a host operating system. These functions can also store environment variables to be used by the code that may contain authentication or other information that needs to remain confidential.',
+  audit: `Determine if Confidential Information is Stored in your Functions in Cleartext
+
+  **From Console:**
+
+  1. Log in to the Google Cloud Web Portal (https://console.cloud.google.com/)
+  2. Within the project you wish to audit, select the Navigation hamburger menu in the top left. Scroll down to under the heading 'Serverless', then select 'Cloud Functions'
+  3. Click on a function name from the list
+  4. Open the Variables tab and you will see both buildEnvironmentVariables and environmentVariables
+  5. Review the variables whether they are secrets
+  6. Repeat step 3-5 until all functions are reviewed
+
+  **From Command Line:**
+
+  1. To view a list of your cloud functions run
+
+        cloud functions list
+
+  2. For each cloud function in the list run the following command.
+
+        gcloud functions describe <function_name>
+
+  3. Review the settings of the buildEnvironmentVariables and environmentVariables. Determine if this is data that should not be publicly accessible.
+
+  Determine if Secret Manager API is 'Enabled' for your Project
+  
+  **From Console**
+
+  1. Within the project you wish to audit, select the Navigation hamburger menu in the top left. Hover over 'APIs & Services' to under the heading 'Serverless', then select 'Enabled APIs & Services' in the menu that opens up.
+  2. Click the button '+ Enable APIS and Services'
+  3. In the Search bar, search for 'Secret Manager API' and select it.
+  4. If it is enabled, the blue box that normally says 'Enable' will instead say 'Manage'.
+
+  **From Command Line:**
+
+  1. Within the project you wish to audit, run the following command.
+
+        gcloud services list
+
+  2. If 'Secret Manager API' is in the list, it is enabled.
+  `,
+  rationale:
+    'It is recommended to use the Secret Manager, because environment variables are stored unencrypted, and accessible for all users who have access to the code.',
+  remediation: `Enable Secret Manager API for your Project
+
+  **From Console:**
+
+  1. Within the project you wish to enable, select the Navigation hamburger menu in the top left. Hover over 'APIs & Services' to under the heading 'Serverless', then select 'Enabled APIs & Services' in the menu that opens up.
+  2. Click the button '+ Enable APIS and Services'
+  3. In the Search bar, search for 'Secret Manager API' and select it.
+  4. Click the blue box that says 'Enable'.
+
+  **From Command Line:**
+
+  1. Within the project you wish to enable the API in, run the following command.
+
+        gcloud services enable Secret Manager API
+  
+  Reviewing Environment Variables That Should Be Migrated to Secret Manager
+
+  **From Console:**
+
+  1. Log in to the Google Cloud Web Portal (https://console.cloud.google.com/)
+  2. Go to Cloud Functions
+  3. Click on a function name from the list
+  4. Click on Edit and review the Runtime environment for variables that should be secrets. Leave this list open for the next step.
+
+  **From Command Line:**
+
+  1. To view a list of your cloud functions run
+    
+        cloud functions list
+
+  2. For each cloud function run the following command.
+
+        gcloud functions describe <function_name>
+
+  3. Review the settings of the buildEnvironmentVariables and environmentVariables. Keep this information for the next step.
+
+  Migrating Environment Variables to Secrets within the Secret Manager
+
+  **From Console:**
+
+  1. Go to the Secret Manager page in the Cloud Console.
+  2. On the Secret Manager page, click Create Secret.
+  3. On the Create secret page, under Name, enter the name of the Environment Variable you are replacing. This will then be the Secret Variable you will reference in your code.
+  4. You will also need to add a version. This is the actual value of the variable that will be referenced from the code. To add a secret version when creating the initial secret, in the Secret value field, enter the value from the Environment Variable you are replacing.
+  5. Leave the Regions section unchanged.
+  6. Click the Create secret button.
+  7. Repeat for all Environment Variables
+
+  **From Command Line**
+
+  1. Run the following command with the Environment Variable name you are replacing in the *<secret-id>*. It is most secure to point this command to a file with the Environment Variable value located in it, as if you entered it via command line it would show up in your shell’s command history.
+
+        gcloud secrets create <secret-id> --data-file="/path/to/file.txt"
+
+  Granting your Runtime's Service Account Access to Secrets
+
+  **From Console**
+
+  1. Within the project containing your runtime login with account that has the 'roles/secretmanager.secretAccessor' permission.
+  2. Select the Navigation hamburger menu in the top left. Hover over 'Security' to under the then select 'Secret Manager' in the menu that opens up.
+  3. Click the name of a secret listed in this screen.
+  4. If it is not already open, click Show Info Panel in this screen to open the panel.
+  5.In the info panel, click Add principal.
+  6.In the New principals field, enter the service account your function uses for its identity. (If you need help locating or updating your runtime's service account, please see the 'docs/securing/function-identity#runtime_service_account' reference.)
+  5. In the Select a role dropdown, choose Secret Manager and then Secret Manager Secret Accessor.
+
+  **From Command Line**
+
+  As of the time of writing, using Google CLI to list Runtime variables is only in beta. Because this is likely to change we are not including it here.
+
+  Modifying the Code to use the Secrets in Secret Manager
+
+  **From Console**
+
+  This depends heavily on which language your runtime is in. For the sake of the brevity of this recommendation, please see the '/docs/creating-and-accessing-secrets#access' reference for language specific instructions.
+
+  **From Command Line**
+
+  This depends heavily on which language your runtime is in. For the sake of the brevity of this recommendation, please see the' /docs/creating-and-accessing-secrets#access' reference for language specific instructions.
+
+  Deleting the Insecure Environment Variables Be certain to do this step last. Removing variables from code actively referencing them will prevent it from completing successfully.
+
+  **From Console**
+
+  1. Select the Navigation hamburger menu in the top left. Hover over 'Security' then select 'Secret Manager' in the menu that opens up.
+  2. Click the name of a function. Click Edit.
+  3. Click Runtime, build and connections settings to expand the advanced configuration options.
+  4. Click 'Security’. Hover over the secret you want to remove, then click 'Delete'.
+  5. Click Next. Click Deploy. The latest version of the runtime will now reference the secrets in Secret Manager.
+
+  **From Command Line**
+
+        gcloud functions deploy <Function name>--remove-env-vars <env vars>
+
+  If you need to find the env vars to remove, they are from the step where ‘gcloud functions describe *<function_name>*’ was run.
+
+  **Default Value:**
+  
+  By default Secret Manager is not enabled.
+  `,
+  references: [
+    ['https://cloud.google.com/functions/docs/configuring/env-var#managing_secrets'],
+    ['https://cloud.google.com/secret-manager/docs/overview'],
+  ],
+  severity: 'unknown',
+}

src/gcp/cis-1.3.0/rules/index.ts

@@ -14,6 +14,8 @@ import Gcp_CIS_130_113 from './gcp-cis-1.3.0-1.13'
 import Gcp_CIS_130_114 from './gcp-cis-1.3.0-1.14'
 import Gcp_CIS_130_115 from './gcp-cis-1.3.0-1.15'
 import Gcp_CIS_130_116 from './gcp-cis-1.3.0-1.16'
+import Gcp_CIS_130_117 from './gcp-cis-1.3.0-1.17'
+import Gcp_CIS_130_118 from './gcp-cis-1.3.0-1.18'
 import Gcp_CIS_130_21 from './gcp-cis-1.3.0-2.1'
 import Gcp_CIS_130_22 from './gcp-cis-1.3.0-2.2'
 import Gcp_CIS_130_23 from './gcp-cis-1.3.0-2.3'
@@ -96,6 +98,8 @@ export default [
   Gcp_CIS_130_114,
   Gcp_CIS_130_115,
   Gcp_CIS_130_116,
+  Gcp_CIS_130_117,
+  Gcp_CIS_130_118,
   Gcp_CIS_130_21,
   Gcp_CIS_130_22,
   Gcp_CIS_130_23,

src/gcp/cis-1.3.0/tests/gcp-cis-1.3.0-1.x.test.ts

@@ -16,6 +16,7 @@ import Gcp_CIS_130_112 from '../rules/gcp-cis-1.3.0-1.12'
 import Gcp_CIS_130_113 from '../rules/gcp-cis-1.3.0-1.13'
 import Gcp_CIS_130_115 from '../rules/gcp-cis-1.3.0-1.15'
 import Gcp_CIS_130_116 from '../rules/gcp-cis-1.3.0-1.16'
+import Gcp_CIS_130_117 from '../rules/gcp-cis-1.3.0-1.17'
 import { initRuleEngine } from '../../../utils/test'
 
 export interface MetricDescriptor {
@@ -111,13 +112,27 @@ export interface QuerygcpIamPolicy {
   bindings: Bindings[]
 }
 
+export interface QuerygcpEssentialContact {
+  id: string
+  notificationCategorySubscriptions: string[]
+  email: string
+}
+export interface DataprocClusterConfig {
+  encryptionConfigGcePdKmsKeyName?: string
+}
+export interface QuerygcpDataprocCluster {
+  id: string
+  config: DataprocClusterConfig
+}
 export interface CIS1xQueryResponse {
   querygcpOrganization?: QuerygcpOrganization[]
   querygcpProject?: QuerygcpProject[]
   querygcpApiKey?: QuerygcpApiKey[]
   querygcpServiceAccount?: QuerygcpServiceAccount[]
   querygcpKmsKeyRing?: QuerygcpKmsKeyRing[]
   querygcpIamPolicy?: QuerygcpIamPolicy[]
+  querygcpEssentialContact?: QuerygcpEssentialContact[]
+  querygcpDataprocCluster?: QuerygcpDataprocCluster[]
 }
 
 describe('CIS Google Cloud Platform Foundations: 1.3.0', () => {
@@ -985,4 +1000,50 @@ describe('CIS Google Cloud Platform Foundations: 1.3.0', () => {
       await testRule(data, Result.FAIL)
     })
   })
+
+  describe('GCP CIS 1.17 Ensure that Dataproc Cluster is encrypted using Customer Managed Encryption Key', () => {
+    const getRuleFixture = (): CIS1xQueryResponse => {
+      return {
+        querygcpDataprocCluster: [
+          {
+            id: cuid(),
+            config: {},
+          },
+        ],
+      }
+    }
+
+    const testRule = async (
+      data: CIS1xQueryResponse,
+      expectedResult: Result
+    ): Promise<void> => {
+      // Act
+      const [processedRule] = await rulesEngine.processRule(
+        Gcp_CIS_130_117 as Rule,
+        { ...data }
+      )
+
+      // Asserts
+      expect(processedRule.result).toBe(expectedResult)
+    }
+
+    test('Security Issue when Customer Managed Encryption Key config is missing ', async () => {
+      const data: CIS1xQueryResponse = getRuleFixture()
+      await testRule(data, Result.FAIL)
+    })
+
+    test('Security Issue when Customer Managed Encryption Key config is empty ', async () => {
+      const data: CIS1xQueryResponse = getRuleFixture()
+      const dataprocCluster = data.querygcpDataprocCluster as QuerygcpDataprocCluster[]
+      dataprocCluster[0].config.encryptionConfigGcePdKmsKeyName = ''
+      await testRule(data, Result.FAIL)
+    })
+
+    test('No Security Issue when Customer Managed Encryption Key is configured', async () => {
+      const data: CIS1xQueryResponse = getRuleFixture()
+      const dataprocCluster = data.querygcpDataprocCluster as QuerygcpDataprocCluster[]
+      dataprocCluster[0].config.encryptionConfigGcePdKmsKeyName = 'MyKey'
+      await testRule(data, Result.PASS)
+    })
+  })
 })