metalstormbass/Cloudguard_Azure_FSP

Cloudguard Workload and Azure Functions

This document outlines how to apply Cloudguard Workload protection to an Azure Function in a CI/CD pipeline. The feature being installed is called FSP, or Function Self Protect. This is for demonstration purposes only. Here is a logical diagram of the Azure Function:

This function is deployed through GitHub Actions, but it can be deployed using any CI/CD tool. All of the instructions for the CI/CD pipeline are stored in the build.yml. At a high level, this is what the build pipeline does:

  1. Configure Runner Environment
  2. Set up Azure Resource Group, Storage Container and Function App
  3. Apply Cloudguard FSP (Function Self Protect)

Get started by forking this repository!

Prerequisites

In order to run this demo, you need the following:

  • GitHub Account
  • Azure Account
  • Check Point Cloud Security Posture Management Account

To run the activity.py script, you must also have Python3.

Setup

Ensure Azure Serverless Protection is enabled on Check Point Cloud Security Posture Management.

Microsoft Azure

Create an App Registration in Azure. As this will be used multiple times, please note the following:

  • Application (client) ID
  • Directory (tenant) ID
  • Secret
  • Subscription ID

Ensure that you give this app registration "Contributor" permission.

Prep the Github Environment

First go to Settings > Secrets and populate the secrets:


CG_TOKEN - Note: This must be in the format DOME9_API_KEY:DOME_API_SECRET
AZURE_SUBSCRIPTION_ID
AZURE_TENANT_ID
AZURE_CLIENT_ID
AZURE_CLIENT_SECRET
AZ_RG - This is the name of the resource group to be created
AZ_LOCATION - Azure Region. EG: West US 2
STORAGE_NAME - Name of your storage container
APP_NAME - App name. This must be unique

Note: Standard Azure naming rules apply.

Second, select the "Actions" tab and enable workflows.

Run the Build

To deploy this function to Azure, modify the _build_flag and commit the changes. This kicks off the GitHub Actions pipeline. Once the build is finished, you will see the function in Check Point CSPM.

Sync to Check Point CSPM

Depending on when you build your function relative to the sync interval, it may take some time for the information to appear. To force the synchronization, run the following command:

curl -X POST https://api.dome9.com/v2/AzureCloudAccount/<CLOUDGUARD_ID_FOR_AZURE>/SyncNow --basic -u <DOME9_API_KEY>:<DOME_SECRET> -H 'Accept: application/json'
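
The secrets listed under "Prep the Github Environment" and the SyncNow call above can be checked and wrapped before use. The following is an added example, not code from this repository: the function names are hypothetical, and it assumes the API key and secret contain no colon, whitespace, double quote or backslash.

```shell
# Added example: preflight checks for the pipeline secrets listed on this page.
# Function names are hypothetical; they are not part of the repo's build.yml.
REQUIRED_SECRETS="CG_TOKEN AZURE_SUBSCRIPTION_ID AZURE_TENANT_ID AZURE_CLIENT_ID
AZURE_CLIENT_SECRET AZ_RG AZ_LOCATION STORAGE_NAME APP_NAME"

# Print the name (never the value) of each required variable that is unset or empty.
missing_secrets() {
  for name in $REQUIRED_SECRETS; do
    eval "val=\${$name:-}"   # safe: names come only from the fixed list above
    [ -n "$val" ] || printf '%s\n' "$name"
  done
}

# CG_TOKEN must look like <key>:<secret>. Assumption: exactly one colon,
# both halves non-empty, no whitespace anywhere.
valid_cg_token() {
  case "$1" in
    *[[:space:]]*) return 1 ;;
    *:*:*)         return 1 ;;
    ?*:?*)         return 0 ;;
    *)             return 1 ;;
  esac
}

# Fail early, reporting only variable names so no secret reaches the build log.
preflight() {
  missing=$(missing_secrets)
  if [ -n "$missing" ]; then
    echo "missing secrets: $(echo $missing)" >&2
    return 1
  fi
  if ! valid_cg_token "$CG_TOKEN"; then
    echo "CG_TOKEN is not in key:secret form" >&2
    return 1
  fi
}

# Emit a curl config for the SyncNow request. Feeding it to curl on stdin keeps
# the credentials out of the process list, unlike `-u key:secret` on the
# command line. $1 is the CloudGuard ID of the Azure account.
sync_now_config() {
  printf 'url = "https://api.dome9.com/v2/AzureCloudAccount/%s/SyncNow"\n' "$1"
  printf 'request = "POST"\n'
  printf 'header = "Accept: application/json"\n'
  printf 'user = "%s"\n' "$CG_TOKEN"
}
```

In a pipeline step, call `preflight` first, then `sync_now_config "<CLOUDGUARD_ID_FOR_AZURE>" | curl --fail --silent --show-error --config -`.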

Check Point CSPM

Open Check Point CSPM and navigate to the "Serverless" option. Select "Serverless Assets" and click on the function you created. This is what you will see:

Testing the function

First, grab the URL of your function.

To test the function, navigate back to the /scripts directory and run activity.py.

λ python scripts\activity.py
Target: <APP URL>
Select 1 for Bening Input and 2 for Malicious Input: 1
b'Hello, Cloudguard Workload. This HTTP triggered function executed successfully.'

Malicious Input

You can also test putting in malicious input. Here is an example:

λ python scripts\activity.py
Target: <APP URL>
Select 1 for Bening Input and 2 for Malicious Input: 2
b'This HTTP triggered function executed successfully. Pass a name in the query string or in the request body for a personalized response.'

At this point, since this product is still in EA, it only has detection capabilities. Blocking capabilities are coming soon!

Cleanup

To delete the environment, modify the _destroy_flag and commit the changes. This will delete everything that was created.

About

Demo of Cloudguard FSP to protect Azure Functions
