Tuesday, March 3, 2020

Use Cloud Functions for security scans (IBM Cloud Security Advisor)

Result of a serverless security scan
After the introduction to custom metrics in IBM Cloud Security Advisor and an overview of how to manage custom findings on the command line, I am going to discuss how you can perform your own security scans and add the results to the security advisor. My code is written in Python, but any other language is fine, too. I utilize IBM Cloud Functions to run the scans in a serverless fashion. The code and instructions are available on GitHub.

Overview

As mentioned above, I am using IBM Cloud Functions to perform my own security scans and then add the results as custom findings to IBM Cloud Security Advisor. If you have already looked at the function code on GitHub, you may have noticed that each action for a specific custom scan is actually a sequence of three small actions:
  1. The first action obtains an IAM access token (Identity and Access Management). It is needed to interface with the security advisor and for some scans.
  2. The second action is different in each sequence. It connects to an IBM Cloud management API or to LogDNA to assess activity tracker / audit data.
  3. The third action in the sequence creates individual occurrences for findings or KPIs in the IBM Cloud Security Advisor.
The following architecture diagram shows the above steps. Other security scans could be added as a second step, with a specific action to add the related records in step three.

Serverless security scan with Cloud Functions


Custom security scans

The repository on GitHub provides code for three different security scans.

  • External users: This scan utilizes the IBM Cloud user management API to obtain a list of users in the cloud account. It then looks at the domain of each email address. If there is a mismatch to the configured domain, a security incident (finding) is created and the number of found issues is reported as a KPI.
  • Inactive users: Users can have different states; the default is ACTIVE. If a user in the account is found in a non-active state, the issue is reported as a finding.
  • LogDNA issues: On IBM Cloud, you can use Activity Tracker with LogDNA for audit logs and Log Analysis with LogDNA for general application logs. In an older blog post I showed how to use the LogDNA API to search for log records. This custom scan performs a set of configured searches against LogDNA instances. If any records are found, they are reported as a KPI. Queries could flag errors in security-related components, authentication issues in deployed apps, and more.
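To make the "second action" of the sequence concrete for the external-user and inactive-user scans above, here is an added Python example written in the shape of an IBM Cloud Functions action; it is not the code from the GitHub repository. It assumes user records with the fields email, state and iam_id (modelled on the user list the user management API returns) and a configured domain passed in as a parameter, and it returns the findings and KPI counts that the third action would turn into Security Advisor occurrences.

```python
# Cloud Functions Python actions take a dict and return a dict; this is the
# shape of the "second action" in the sequence. The field names of the user
# records (email, state, iam_id) are assumptions modelled on the user list.

def _email_domain(email):
    """Return the lower-cased domain of an email address, or '' if malformed."""
    if not email or "@" not in email:
        return ""
    return email.rsplit("@", 1)[1].lower()

def scan_users(users, allowed_domain):
    """Return findings for external and non-active users plus the KPI counts."""
    allowed = allowed_domain.lower().lstrip("@")
    findings = []
    for user in users:
        email = user.get("email", "")
        domain = _email_domain(email)
        # An exact domain mismatch (subdomains and malformed or missing addresses
        # included) marks the user as external to the account's configured domain.
        if domain != allowed:
            findings.append({"type": "external-user", "email": email,
                             "domain": domain, "iam_id": user.get("iam_id")})
        # The default state is ACTIVE; anything else becomes an inactive-user finding.
        state = (user.get("state") or "").upper()
        if state != "ACTIVE":
            findings.append({"type": "inactive-user", "email": email,
                             "state": state, "iam_id": user.get("iam_id")})
    kpis = {
        "external_users": sum(f["type"] == "external-user" for f in findings),
        "inactive_users": sum(f["type"] == "inactive-user" for f in findings),
    }
    return {"findings": findings, "kpis": kpis}

# Constructed sample input standing in for the user management API response.
SAMPLE_USERS = [
    {"iam_id": "IBMid-001", "email": "alice@example.com", "state": "ACTIVE"},
    {"iam_id": "IBMid-002", "email": "bob@partner.org", "state": "ACTIVE"},
    {"iam_id": "IBMid-003", "email": "carol@example.com", "state": "PENDING"},
    {"iam_id": "IBMid-004", "email": "Dave@EXAMPLE.COM", "state": "SUSPENDED"},
    {"iam_id": "IBMid-005", "state": "ACTIVE"},  # no email on record
]

def main(params):
    """Action entry point: the user list and domain arrive as parameters
    (or from the previous action); the result feeds the third action."""
    users = params.get("users", SAMPLE_USERS)
    return scan_users(users, params.get("domain", "example.com"))
```

Running main({}) on the sample yields two external-user findings (bob@partner.org and the record without an email) and two inactive-user findings (PENDING and SUSPENDED), with the KPIs counting each category.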


Access groups for privilege management

The above scans are implemented as Cloud Functions and deployed to a so-called IAM namespace. An IAM namespace maps to a service ID in IBM Cloud. This means that actions run with the privileges assigned to that service ID. In order to perform the security scans and to create findings, the service ID needs to have the right set of privileges. One option for assigning them is through IAM access groups.

Once you have created an access group, you can add users and service IDs to it - in our case just the service ID for the namespace. Thereafter, you create access policies for that group. An access policy determines which resource or service can be accessed and in what role. There can be resource wildcards like "all instances of a service" or a selection of specific instances. For each policy you need to set whether, e.g., read, write or management access should be granted.

Grant privileges with access policies in an IAM access group


In order to access user information for the account, the cloud functions need account management access as readers. To create findings in Security Advisor, write access is needed. However, in order to update existing findings when a new scan is performed, or to even remove findings once the issue is gone, manager access is required.

See the deployment instructions in the repository for details on access management and how to configure input parameters. Once everything is in place, you can either manually run the actions or set up Cloud Functions triggers to schedule daily or weekly execution in a cron-like fashion. Go to the Security Advisor dashboard or the findings page to see the scan results.

Summary

In this series of blogs I showed you how you can add your own metrics to IBM Cloud Security Advisor. I wrote a small command line tool to easily work with my custom objects. To perform scans and create custom findings I utilized Cloud Functions. The serverless implementation is the best match for the task and allows scheduled execution. Thus, you can add your own security scans and metrics to the Security Advisor and automatically perform those tests.

Here are the links to the previous blog posts in this series and the code on GitHub:
If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.