Cloud Security Posture Management (CSPM) helps mitigate and minimize cloud data security breaches by assessing the overall posture of the entire cloud environment against best practices and compliance standards, and by pointing to the issues that need remediation.
CSPM tools verify that cloud configurations follow security best practices and compliance standards such as the CIS benchmarks for AWS, Azure and GCP, as well as the PCI DSS and HIPAA frameworks. As companies increasingly move to the cloud, CSPM is becoming a necessary part of security insight.
The CSPM can be installed using either of the methods described below: as a Docker container scheduled with crontab, or as a Kubernetes CronJob.
For each installation method, we need to pass the following environment variables:

| Variable | Description |
|---|---|
| API_KEY | Found under "Send your data" in your Coralogix account. Mandatory. |
| APPLICATION_NAME | Application name under which the scan results are sent. |
| SUBSYSTEM_NAME | Subsystem name under which the scan results are sent. |
| COMPANY_ID | Company ID from the settings screen in your Coralogix account. |
| CORALOGIX_ENDPOINT_HOST | Coralogix gRPC endpoint associated with your Coralogix domain. Mandatory. |
| CLOUD_PROVIDER | The cloud provider CSPM is deployed into, in lowercase (e.g. aws, gcp). |
| TESTER_LIST | Leave empty to run all testers (all AWS services). Otherwise, a comma-separated list of tester names, without spaces; only those testers will run. |
| REGION_LIST | Leave empty to scan all regions. Otherwise, a comma-separated list of region names, without spaces; only those regions are checked. For global services such as AWS S3, IAM and Route 53, make sure the list includes the region "global". |
| AWS_DEFAULT_REGION | AWS default region used for authentication. |
| ROLE_ARN_LIST | Leave empty to scan only the current account. Otherwise, a comma-separated list of role ARNs, without spaces, in other AWS accounts that the scanner will assume. Note: follow the multi-account configuration instructions below. |
| CORALOGIX_ALERT_API_KEY | (Optional) Found under "Alerts, Rules and Tags API Key" in your Coralogix account. When set, a custom enrichment listing the failed resources is created in your Coralogix account at the end of each run. |
Note that the instance type affects the run time; choose it according to the size of the environment being scanned.
After the prerequisites are met, download the Docker image with the following command (if you skip it, the image is pulled automatically in the next step):
docker pull coralogixrepo/snowbit-cspm
In order to automate the process, use crontab as follows:
Open the crontab with your favorite editor:
sudo crontab -e
At the bottom of the file, paste the following one-liner (note that the API_KEY and CORALOGIX_ENDPOINT_HOST fields are mandatory, and that a crontab entry must stay on a single line):
*/10 * * * * docker rm snowbit-cspm ; docker rmi coralogixrepo/snowbit-cspm ; docker run --name snowbit-cspm -d -e PYTHONUNBUFFERED=1 -e CLOUD_PROVIDER="choose_the_cloud_provider - aws / gcp" -e AWS_DEFAULT_REGION="eu-west-1" -e CORALOGIX_ENDPOINT_HOST="coralogix_grpc_endpoint" -e APPLICATION_NAME="application_name" -e COMPANY_ID="<coralogix_company_ID>" -e SUBSYSTEM_NAME="subsystem_name" -e TESTER_LIST="" -e API_KEY="send_your_data_api_key" -e REGION_LIST="" -e ROLE_ARN_LIST="" -e CORALOGIX_ALERT_API_KEY="" --network host -v ~/.aws:/root/.aws coralogixrepo/snowbit-cspm
The above entry runs every 10 minutes* and consists of three commands: `docker rm` removes the previous container, `docker rmi` removes the cached image so that the next run pulls the latest version, and `docker run` starts a new scan.
* The actual scheduling is set in the Coralogix security tab; scroll to the "Configuring the scan settings" section for further details.
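The one-liner above passes both API keys as `-e` flags, which leaves them readable in the crontab and in `ps` output. The following wrapper, an added example that is not part of the Snowbit CSPM project, validates the variables from the table (mandatory fields, lowercase provider, comma-separated lists without spaces, well-formed role ARNs), writes them to an owner-only file and starts the container with `docker run --env-file` instead. The image name, container name and variable names come from the page; the function names, the validation rules and the env-file path are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the Snowbit CSPM project): validate the scanner's
# environment variables, write them to a 0600 env file and start the container
# with --env-file so the API keys never appear on a command line.
# Variable, image and container names come from the page; everything else
# (function names, validation rules, env-file path) is this script's assumption.

CSPM_IMAGE="coralogixrepo/snowbit-cspm"
CSPM_CONTAINER="snowbit-cspm"
CSPM_VARS="PYTHONUNBUFFERED CLOUD_PROVIDER AWS_DEFAULT_REGION CORALOGIX_ENDPOINT_HOST \
APPLICATION_NAME COMPANY_ID SUBSYSTEM_NAME TESTER_LIST API_KEY REGION_LIST \
ROLE_ARN_LIST CORALOGIX_ALERT_API_KEY"

# A list is either empty or comma-separated with no spaces and no empty items.
cspm_check_list() {
  case "$1" in
    "")               return 0 ;;
    *" "*|*,,*|,*|*,) return 1 ;;
    *)                return 0 ;;
  esac
}

# Every item of ROLE_ARN_LIST must look like an IAM role ARN (12-digit account id).
cspm_check_role_arns() {
  cspm_check_list "$1" || return 1
  if [ -z "$1" ]; then return 0; fi
  set -f                                   # no globbing while splitting on commas
  for arn in $(printf '%s' "$1" | tr ',' ' '); do
    if ! printf '%s\n' "$arn" | grep -Eq '^arn:aws:iam::[0-9]{12}:role/[A-Za-z0-9+=.@_/-]+$'; then
      set +f
      echo "malformed role ARN: $arn" >&2
      return 1
    fi
  done
  set +f
  return 0
}

# Mandatory fields (API_KEY and CORALOGIX_ENDPOINT_HOST, per the crontab note)
# plus the format rules from the variable table.
cspm_validate() {
  for name in API_KEY CORALOGIX_ENDPOINT_HOST; do
    eval "val=\${$name:-}"
    [ -n "$val" ] || { echo "missing mandatory variable: $name" >&2; return 1; }
  done
  provider="${CLOUD_PROVIDER:-}"
  if [ "$provider" != "$(printf '%s' "$provider" | tr '[:upper:]' '[:lower:]')" ]; then
    echo "CLOUD_PROVIDER must be lowercase (aws, gcp)" >&2; return 1
  fi
  cspm_check_list "${TESTER_LIST:-}" || { echo "TESTER_LIST: comma-separated, no spaces" >&2; return 1; }
  cspm_check_list "${REGION_LIST:-}" || { echo "REGION_LIST: comma-separated, no spaces" >&2; return 1; }
  cspm_check_role_arns "${ROLE_ARN_LIST:-}" || return 1
  return 0
}

# Write VAR=value lines in the format `docker --env-file` expects, mode 0600.
cspm_write_env_file() {
  PYTHONUNBUFFERED="${PYTHONUNBUFFERED:-1}"
  rm -f "$1"
  ( umask 077
    for name in $CSPM_VARS; do
      eval "val=\${$name:-}"
      printf '%s=%s\n' "$name" "$val"
    done > "$1" )
}

# The run command from the crontab step, with --env-file in place of the -e flags.
cspm_docker_cmd() {
  printf 'docker run --name %s -d --network host -v %s/.aws:/root/.aws --env-file %s %s\n' \
    "$CSPM_CONTAINER" "$HOME" "$1" "$CSPM_IMAGE"
}

# One scan cycle for cron: validate, drop the old container and image, run anew.
cspm_run() {
  env_file="${CSPM_ENV_FILE:-$HOME/.snowbit-cspm.env}"   # assumed default path
  cspm_validate || return 1
  cspm_write_env_file "$env_file"
  docker rm "$CSPM_CONTAINER" 2>/dev/null
  docker rmi "$CSPM_IMAGE" 2>/dev/null
  docker run --name "$CSPM_CONTAINER" -d --network host \
    -v "$HOME/.aws:/root/.aws" --env-file "$env_file" "$CSPM_IMAGE"
}
```

Save the script as, for example, /opt/cspm/cspm.sh and keep the exported variables in a root-only file such as /root/cspm.env (both paths are assumptions); the crontab entry then becomes `*/10 * * * * . /root/cspm.env && . /opt/cspm/cspm.sh && cspm_run`, and a malformed list or ARN aborts the cycle with a message instead of silently scanning the wrong scope.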
In order to deploy the image in a pod that follows the principle of least privilege, use a service account that assumes the needed IAM role at the start of each job, rather than letting the pod inherit the permissions of the node's instance role.
Determine whether you have an existing IAM OIDC provider for your cluster:
oidc_id=$(aws eks describe-cluster --name my-cluster --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5)
aws iam list-open-id-connect-providers | grep $oidc_id
Note: If the previous command prints output, an IAM OIDC provider already exists for your cluster and you can skip the next step. If it prints nothing, create an IAM OIDC identity provider for your cluster with the following command, replacing "my-cluster" with your own cluster name:
eksctl utils associate-iam-oidc-provider --cluster my-cluster --approve
Configure a Kubernetes service account that assumes an IAM role (the policy ARN is that of the policy created in step 6 of the prerequisites above):
eksctl create iamserviceaccount --name my-service-account --namespace default --cluster my-cluster --role-name "my-role" --attach-policy-arn arn:aws:iam::111111111111:policy/my-policy --approve
Use the following CronJob configuration. Note that hostNetwork: true places the pod in the node's network namespace, so the node's instance metadata service stays reachable from the container; after the first run, confirm in CloudTrail that the scanner's API calls are made by the IRSA role ("my-role" above) and not by the node's instance role.

```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: snowbit-cspm-cronjob
  namespace: <optional - when using the default, remove entire row>
spec:
  schedule: "*/10 * * * *"
  successfulJobsHistoryLimit: 1
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: <my-service-account>
          hostNetwork: true
          containers:
            - image: coralogixrepo/snowbit-cspm
              name: snowbit-cspm-cronjob
              command: ["python3"]
              args: ["lambda_function.py"]
              env:
                - name: API_KEY
                  value: "send_your_data_api_key"
                - name: CORALOGIX_ENDPOINT_HOST
                  value: "coralogix_endpoint"
                - name: CLOUD_PROVIDER
                  value: "choose_the_cloud_provider - aws / gcp"
                - name: APPLICATION_NAME
                  value: "application_name"
                - name: SUBSYSTEM_NAME
                  value: "subsystem_name"
                - name: TESTER_LIST
                  value: ""
                - name: REGION_LIST
                  value: ""
                - name: ROLE_ARN_LIST
                  value: ""
                - name: COMPANY_ID
                  value: "<coralogix_company_ID>"
                - name: PYTHONUNBUFFERED
                  value: "1"
                - name: AWS_DEFAULT_REGION
                  value: "eu-west-1"
                - name: CORALOGIX_ALERT_API_KEY
                  value: ""
          restartPolicy: OnFailure
```
Save the above content into a .yaml file and execute the following command:
kubectl create -f Cronjob.yaml
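The manifest above embeds API_KEY and CORALOGIX_ALERT_API_KEY as plain `value:` strings, so anyone who can read the CronJob object (or the YAML in a repository) gets the keys. The following generator, an added example that is not part of the Snowbit CSPM project, emits the same CronJob with the two keys read from a Kubernetes Secret through `secretKeyRef`; all non-secret settings are taken from the environment. The image, command, schedule and variable names come from the page (hostNetwork is kept as the page specifies); the Secret name snowbit-cspm-credentials and the function names are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the Snowbit CSPM project): generate the CSPM
# CronJob with the Coralogix keys taken from a Secret instead of inline values.
# Image, command, schedule and variable names are from the page; the Secret
# name and function names are assumptions of this script.

CSPM_SECRET="snowbit-cspm-credentials"   # assumed Secret name

# Create the Secret from the exported API_KEY / CORALOGIX_ALERT_API_KEY.
# Usage: cspm_create_secret <namespace>
cspm_create_secret() {
  kubectl -n "$1" create secret generic "$CSPM_SECRET" \
    --from-literal=API_KEY="${API_KEY:?API_KEY must be set}" \
    --from-literal=CORALOGIX_ALERT_API_KEY="${CORALOGIX_ALERT_API_KEY:-}"
}

# Print the CronJob manifest. Usage: cspm_cronjob_manifest <service-account> [namespace]
cspm_cronjob_manifest() {
  sa="$1"; ns="${2:-default}"
  cat <<EOF
apiVersion: batch/v1
kind: CronJob
metadata:
  name: snowbit-cspm-cronjob
  namespace: $ns
spec:
  schedule: "*/10 * * * *"
  successfulJobsHistoryLimit: 1
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: $sa
          hostNetwork: true
          restartPolicy: OnFailure
          containers:
            - name: snowbit-cspm-cronjob
              image: coralogixrepo/snowbit-cspm
              command: ["python3"]
              args: ["lambda_function.py"]
              env:
                - name: API_KEY
                  valueFrom:
                    secretKeyRef:
                      name: $CSPM_SECRET
                      key: API_KEY
                - name: CORALOGIX_ALERT_API_KEY
                  valueFrom:
                    secretKeyRef:
                      name: $CSPM_SECRET
                      key: CORALOGIX_ALERT_API_KEY
EOF
  # Non-secret settings are copied from the environment as plain values.
  for name in CLOUD_PROVIDER AWS_DEFAULT_REGION CORALOGIX_ENDPOINT_HOST \
              APPLICATION_NAME COMPANY_ID SUBSYSTEM_NAME TESTER_LIST \
              REGION_LIST ROLE_ARN_LIST; do
    eval "val=\${$name:-}"
    printf '                - name: %s\n                  value: "%s"\n' "$name" "$val"
  done
  printf '                - name: PYTHONUNBUFFERED\n                  value: "1"\n'
}
```

With the non-secret variables exported, `cspm_create_secret default` creates the Secret once and `cspm_cronjob_manifest my-service-account | kubectl apply -f -` installs the CronJob; the generated YAML can be committed to a repository because it no longer contains the keys.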
Inside the security tab in your Coralogix account, you will find the SCAN SETTINGS button:
Definitions
Example for one additional account (account 123456789012 here). This policy is attached to the identity the scanner runs as and allows it to assume the scan role in the other account; the same role ARN is what goes into ROLE_ARN_LIST:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CSPMMultiAccountAccess",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::123456789012:role/cspm_additional_account_to_scan"
    }
  ]
}
```
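The statement above is only the scanner's half of a cross-account assume: the role in the additional account must also carry a trust policy naming the scanner's principal, or sts:AssumeRole is denied. The following helpers, an added example that is not part of the Snowbit CSPM project, emit both documents for any number of accounts and the matching ROLE_ARN_LIST value. Function names and the sample ARNs are this script's own; the page does not say whether the scanner supplies an ExternalId when assuming roles, so the trust policy deliberately does not require one.

```shell
#!/bin/sh
# Added example (not part of the Snowbit CSPM project): the two policies needed
# for a cross-account scan. Function names and sample ARNs are assumptions.

# Policy for the scanner's own role/user. Usage: cspm_assume_policy <role-arn>...
cspm_assume_policy() {
  resources=""
  for arn; do
    resources="$resources${resources:+, }\"$arn\""
  done
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CSPMMultiAccountAccess",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": [ $resources ]
    }
  ]
}
EOF
}

# Trust policy for the role in each additional account.
# Usage: cspm_trust_policy <scanner-principal-arn>
cspm_trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TrustCSPMScanner",
      "Effect": "Allow",
      "Principal": { "AWS": "$1" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# ROLE_ARN_LIST value for the same ARNs: comma-separated, no spaces.
cspm_role_arn_list() {
  list=""
  for arn; do list="$list${list:+,}$arn"; done
  printf '%s' "$list"
}
```

In each additional account, create the scan role with `aws iam create-role --role-name cspm_additional_account_to_scan --assume-role-policy-document "$(cspm_trust_policy arn:aws:iam::111111111111:role/my-role)"` (the scanner's role from the service-account step) and give it the same read permissions the prerequisites grant the scanner's own role; in the scanner's account, attach the output of `cspm_assume_policy` to that role with `aws iam put-role-policy`, and set ROLE_ARN_LIST to the output of `cspm_role_arn_list` with the same ARNs.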