CureIAM: Clean accounts over permissions in GCP infra at scale
CureIAM
Automated clean-up of over-permissioned IAM accounts on GCP infra
CureIAM is an easy-to-use, reliable, and performant engine for enforcing the principle of least privilege on GCP cloud infra. It enables DevOps and security teams to quickly clean up accounts in GCP infra that have been granted more permissions than they need. CureIAM fetches recommendations and insights from the GCP IAM recommender, scores them, and enforces those recommendations automatically on a daily basis. It takes care of scheduling and all other aspects of running these enforcement jobs at scale. It is built on top of the GCP IAM recommender APIs and the Cloudmarker framework.
Key features
Discover what makes CureIAM scalable and production-grade.
- Config driven: The entire CureIAM workflow is config driven. See the Config section for details.
- Scalable: It is designed to scale because of its plugin-driven, multiprocess, and multi-threaded approach.
- Handles scheduling: Scheduling is built into CureIAM itself; configure the time, and CureIAM will run daily at that time.
- Plugin driven: The CureIAM codebase is completely plugin oriented, so you can plug and play the existing plugins or write new ones to add functionality.
- Tracks actionable insights: Every action CureIAM takes is recorded for audit purposes, either in the file store or in the Elasticsearch store. You can also build additional store plugins to push these records to other systems for tracking.
- Scoring and enforcement: Every recommendation CureIAM fetches is scored against several parameters, producing scores such as safe_to_apply_score, risk_score, and over_privilege_score. Each score serves a different purpose; safe_to_apply_score, for instance, determines whether a recommendation can be applied automatically, based on the threshold set in the CureIAM.yaml config file.
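To make the scoring-and-enforcement step above concrete, here is an added example (not CureIAM's own code) that scores a flattened IAM recommender entry, compares safe_to_apply_score against a threshold standing in for the CureIAM.yaml setting, and produces the kind of audit record a store plugin would persist. The score names follow this README, but the formulas, the ROLE_RISK weights, the `safe_to_apply_score_threshold` key, the Recommendation fields and the sample entries are all assumptions constructed for illustration.

```python
"""Illustrative scoring-and-enforcement pass modelled on the CureIAM workflow.

Added example, not the project's own code: score names follow the README, but
the formulas, ROLE_RISK table, config key and sample data are assumptions."""

from dataclasses import dataclass
from typing import Optional
import json

# Assumed per-role weight for how dangerous it is to touch a binding on that role.
ROLE_RISK = {"roles/owner": 1.0, "roles/editor": 0.6, "roles/viewer": 0.2}

# Stand-in for the threshold section of CureIAM.yaml (key name is an assumption).
CONFIG = {"safe_to_apply_score_threshold": 0.6}


@dataclass
class Recommendation:
    """Flattened view of one IAM recommender entry (field names are ours)."""
    name: str                 # recommender resource name
    member: str               # e.g. "serviceAccount:ci@proj.iam.gserviceaccount.com"
    remove_role: str          # role the recommender wants removed
    add_role: Optional[str]   # narrower replacement role, or None for plain removal
    total_permissions: int    # permissions granted by remove_role
    used_permissions: int     # permissions observed in use (from the insight)


def over_privilege_score(rec):
    """Share of granted permissions that were never exercised, 0..1."""
    if rec.total_permissions == 0:
        return 0.0
    return round(1 - rec.used_permissions / rec.total_permissions, 3)


def risk_score(rec):
    """Blast radius of the change: weight of the role being removed, halved
    when the recommender supplies a narrower replacement role."""
    base = ROLE_RISK.get(rec.remove_role, 0.5)  # unknown roles get a middle weight
    return round(base if rec.add_role is None else base * 0.5, 3)


def safe_to_apply_score(rec):
    """High when the grant is mostly unused and the change is low-risk.
    A risk_score of 1.0 (e.g. removing roles/owner outright) forces 0.0,
    so such changes are never auto-applied regardless of the threshold."""
    return round(over_privilege_score(rec) * (1 - risk_score(rec)), 3)


def decide(rec, config=CONFIG):
    """Return the audit record for one recommendation: all three scores plus
    the action taken ('apply' or 'skip'), the record a store plugin would keep."""
    score = safe_to_apply_score(rec)
    action = "apply" if score >= config["safe_to_apply_score_threshold"] else "skip"
    return {
        "recommendation": rec.name,
        "member": rec.member,
        "change": f"{rec.remove_role} -> {rec.add_role or '(remove)'}",
        "over_privilege_score": over_privilege_score(rec),
        "risk_score": risk_score(rec),
        "safe_to_apply_score": score,
        "action": action,
    }


def run(recs, config=CONFIG):
    """Score every recommendation and return one audit record per entry."""
    return [decide(r, config) for r in recs]


# Constructed sample input, not real recommender output.
SAMPLE = [
    Recommendation("projects/p/recommendations/r1",
                   "serviceAccount:ci@p.iam.gserviceaccount.com",
                   "roles/editor", "roles/storage.objectViewer", 2000, 20),
    Recommendation("projects/p/recommendations/r2",
                   "user:alice@example.com",
                   "roles/owner", None, 3000, 1200),
]

if __name__ == "__main__":
    for record in run(SAMPLE):
        print(json.dumps(record))
```

With these assumed weights the service-account entry (an editor grant almost entirely unused, with a narrower replacement role offered) scores 0.693 and is applied, while the owner removal scores 0.0 and is skipped for a human to review, which is the behaviour you want a threshold-driven auto-enforcer to default to.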
Install & Use
Copyright (C) 2023 gojek