Commit a private key in GitHub? Oops!! {NFT}

Marcelo Marques
4 min read · Jan 12, 2021

Hey you!!! Happy new year!! 2020 was a strange year, but I can’t complain: lots of things happened, I learned a lot and worked a lot. So, let’s keep going in 2021!!!

So, let’s talk a little about security. I’ve been working on an interesting project to make GCP Security Command Center work with some external tools, with automation done in Cloud Functions. And guess what: as I love automation, here’s what I’ve been studying:

The code used for this test can be checked here.

First, SCC (Security Command Center) is a security solution from Google that monitors your assets and gives you visibility into the projects in your organization, together with remediation guidance. There are several modules, like compliance, where you can check whether you’re following the CIS benchmarks. In the portal you can see the scan results and filter by asset type, project and so on.

Ok, that’s all. Let’s see this scenario now. Let’s say that a new developer on your team made a mistake and committed a Service Account key to a public repository on GitHub! Oops! That happens, and we know it.

So, what should the approach be here? It depends. For this simple scenario, let’s say that we want to revoke the key, create a new one and put the new key into a bucket with limited permissions for the devs. We also want to send this notification to some external tool, in this case Forseti, but it could be any other SIEM application. The application doesn’t really matter, because I will not cover that in this post. I will show you just the “rotation” of keys. Cool, let’s go ahead.

First thing is understanding the flow. Let’s assume that SCC is already enabled. The first step is to create the Pub/Sub topic to deliver the messages. That’s easy. Let’s use the gcloud command for this:

Great! We have our scc-topic and scc-sub created! Now we need to create the SCC notification to Pub/Sub, that is, route the alert as a message to Pub/Sub. This notification can only be created with the Google SDK or the API, and we can filter based on the alert category. For this case, I know that the alert category is “account_has_leaked_credentials” (you can see some categories here). So the filter should look like this:

Ok, we now have the notification sending to Pub/Sub, so if someone commits the key, SCC should send a message to Pub/Sub. But this is not the end. Now we need to create a function to “rotate” the keys, that is, delete the leaked key and create a new one.

I will be using the Google API for this, in the Python ❤️ language. SPOILER: I’m not a developer, so don’t expect to see fancy code here. 🥸:

Note that you should put your bucket name in line 9. The code is simple: check the asset from the alert, revoke the leaked key, create a new one and put it into the bucket.
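The post links to its function rather than reproducing it, so here is an added example (not the author’s code) of what such a rotation function can look like in Python: it decodes the Pub/Sub message, checks the finding category, revokes the leaked key through the IAM API, creates a replacement and uploads the new key file to the bucket. The finding field names in the constructed sample message and the bucket placeholder are assumptions.

```python
import base64
import json
import re
from collections import namedtuple

BUCKET_NAME = "REPLACE-WITH-YOUR-BUCKET"  # placeholder for the bucket name the post sets on its line 9
LeakedKey = namedtuple("LeakedKey", "project account key_id")
RESOURCE_RE = re.compile(r"^//iam\.googleapis\.com/projects/([^/]+)/serviceAccounts/([^/]+)$")

# Constructed sample of the Pub/Sub event the function receives from an SCC notification.
# The finding field names (resourceName, sourceProperties.properties.privateKeyId) are assumed.
SAMPLE_EVENT = {"data": base64.b64encode(json.dumps({"finding": {
    "category": "account_has_leaked_credentials",
    "state": "ACTIVE",
    "resourceName": "//iam.googleapis.com/projects/example-project/serviceAccounts/"
                    "sa-insecure@example-project.iam.gserviceaccount.com",
    "sourceProperties": {"properties": {"privateKeyId": "0123456789abcdef0123456789abcdef01234567"}},
}}).encode()).decode()}

def parse_event(event):
    """Decode the Pub/Sub message; return a LeakedKey, or None if the finding is not ours."""
    finding = json.loads(base64.b64decode(event["data"]).decode())["finding"]
    if finding.get("category") != "account_has_leaked_credentials" or finding.get("state") != "ACTIVE":
        return None  # the filter should already exclude these, but never rotate on a stray message
    m = RESOURCE_RE.match(finding["resourceName"])
    if not m:
        raise ValueError("unexpected resourceName: " + finding["resourceName"])
    return LeakedKey(m.group(1), m.group(2), finding["sourceProperties"]["properties"]["privateKeyId"])

def rotate(leak, iam, bucket):
    """Delete the leaked key, create a replacement and store the new key file in the bucket.
    `iam` is a googleapiclient IAM v1 resource, `bucket` a google.cloud.storage Bucket."""
    sa = f"projects/{leak.project}/serviceAccounts/{leak.account}"
    keys = iam.projects().serviceAccounts().keys()
    keys.delete(name=f"{sa}/keys/{leak.key_id}").execute()  # revoke before anything else
    new = keys.create(name=sa, body={"privateKeyType": "TYPE_GOOGLE_CREDENTIALS_FILE"}).execute()
    # privateKeyData is the base64-encoded JSON key file; the bucket gets the decoded file
    bucket.blob(f"{leak.account}.json").upload_from_string(base64.b64decode(new["privateKeyData"]))
    return new["name"].rsplit("/", 1)[-1]  # id of the replacement key

def rotate_key(event, context):
    """Cloud Functions (Pub/Sub trigger) entry point."""
    leak = parse_event(event)
    if leak is None:
        return None
    from googleapiclient import discovery  # imported here so the logic above runs without GCP libs
    from google.cloud import storage
    iam = discovery.build("iam", "v1", cache_discovery=False)
    return rotate(leak, iam, storage.Client().bucket(BUCKET_NAME))
```

The parsing and rotation logic is kept apart from the GCP clients so it can be exercised locally with fakes before the function is deployed.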

Deploy this in Cloud Functions and things are ready!! Now it’s time!!

So, let’s commit the service key to some public repository:

Oh no!! My Service Account key was pushed to the repository (sa-insecure.json)! Let’s see what Security Command Center tells me:

Ok, I have my alert there. Let’s see some details:

Pretty cool, huh? Let’s check now whether Pub/Sub receives the message:

Looks like everything worked. Now let’s check the most important step, the function:

Aha!! We should now have a new key in the bucket. Let’s check:

Great!! Looks like everything worked. As I said, I will not cover the SIEM topic, but the message will be in the topic and you can integrate any system to consume it.

That’s all folks! The sky is the limit with automation, you just need to understand the flow and what exactly you want. :)

Stay safe!!
