Getting Started with Warden

Warden supports both AWS and GCP environments.

Adding a Scan Group

1. Click Organization Settings at the top panel.

2. Select Scans on the left sidebar.

3. Click Add New > Warden Scan Group.

4. Enter the Scan Group Name, Scan Group Description, and the Scan Frequency to run it. You can choose between running a weekly or daily scan.

5. Click Add Group.

6. Click Manage beside the Scan Group you just created.

7. Click Add Account.

8. Choose the type of cloud provider you want to add to the scan group. Warden currently supports AWS and GCP accounts.

9. Use the instructions given for each cloud provider to set up the necessary permissions Warden needs.

10. Click Add.

11. There will be a confirmation screen asking you if you want to run a scan. You can choose to run a scan now, or skip this step so it will run automatically on the schedule you set.

Onboarding an Amazon Web Services (AWS) Account

Setting up Warden in AWS can be done through the Storyfier dashboard. There are two ways to get started:
  1. Adding the Warden IAM roles through a CloudFormation template (recommended)

  2. Manually setting up the necessary IAM roles.

  • Do not close the creation screen during the AWS installation.
  • Log in to your AWS account in another browser window.
  • Make sure that you have Administrator access to the AWS account you are logging in to.

CloudFormation Setup (Recommended)

AWS CloudFormation is a service that helps you model and set up AWS resources so that you can spend less time managing resources and more time using the application.

1. Click Launch CloudFormation Stack.

2. Check "I acknowledge that AWS CloudFormation might create IAM resources." and click Create Stack.

3. Once the CloudFormation Stack is "CREATE_COMPLETE", copy "HorangiWardenRoleARN" from the Outputs tab and paste it in the Paste Role ARN here text box.

4. Click Add Account.

5. A confirmation dialog will appear asking you if you would like to start a scan now. You can choose to start your first scan, or postpone it for the next scanning schedule.

6. Warden will then prompt you to create the role needed for One-Click Remediation. You can choose to skip this step or proceed to Setup One-Click Remediation.

Manual Setup (for Advanced Users)

If you prefer tighter control, you can adjust and limit the degree to which Warden monitors your AWS cloud assets. The choice is yours.

1. Access the IAM Roles section and Create role.

2. When prompted for the trusted entity type, select Another AWS Account.

3. Enter Horangi's AWS Account Number 396286753434 for the Account ID to trust.

4. Check Require external ID and enter the unique External ID displayed on Step 6 of the step-by-step guide.

5. Do not check Require MFA.

6. Click Next: Permissions.

7. Select the Security Audit managed IAM policy.

8. Click Next: Tags.

9. Click Next: Review.

10. Enter horangi-warden-scanner for the Role name and enter a description of your choice and click Create Role.

11. Search for the newly created role (i.e. horangi-warden-scanner) and copy the Role ARN.

12. After the role has been created, go to the role's page.

13. Click on the field Maximum CLI/API session duration and change the value from 1 hour to 4 hours.

14. Save your changes.

15. Go back to Storyfier and paste the Role ARN you just copied in the Paste Role ARN here text box.

16. Click Add Account.

17. A confirmation dialog will appear asking you if you would like to start a scan now. You can choose to start your first scan, or postpone it for the next scanning schedule.

18. Warden will then prompt you to create the role needed for One-Click Remediation. You can choose to skip this step or proceed to Setup One-Click Remediation.
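The manual steps above can also be carried out with the AWS CLI. The following script is an added example and not Horangi's own tooling; it creates the role trusting Horangi's account only when the External ID is presented, attaches the read-only SecurityAudit managed policy, sets the 4-hour session limit, and prints the Role ARN for Storyfier. The External ID (the value shown in Step 6 of the step-by-step guide) is passed as the first argument.

```shell
#!/usr/bin/env bash
# Added example, not Horangi's tooling: performs the manual IAM role setup
# with the AWS CLI. Run as:  ./warden-role.sh <External ID from Storyfier>
set -eu

HORANGI_ACCOUNT="396286753434"           # Horangi's AWS account, from the guide
ROLE_NAME="horangi-warden-scanner"       # role name the guide asks for
AUDIT_POLICY="arn:aws:iam::aws:policy/SecurityAudit"   # read-only managed policy
SESSION_SECONDS=14400                    # 4 hours, as required by the guide

# Trust policy: only Horangi's account may assume the role, and only when it
# presents the External ID (this is what guards against a confused deputy).
warden_trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::${HORANGI_ACCOUNT}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "$1"}}
  }]
}
EOF
}

# Refuse an empty or very short External ID rather than creating a weak trust.
check_external_id() {
  [ "${#1}" -ge 8 ]
}

create_warden_role() {
  check_external_id "$1" || { echo "External ID missing or too short" >&2; return 1; }
  aws iam create-role --role-name "$ROLE_NAME" \
    --description "Read-only role for Horangi Warden scans" \
    --assume-role-policy-document "$(warden_trust_policy "$1")" \
    --max-session-duration "$SESSION_SECONDS" >/dev/null
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$AUDIT_POLICY"
  # Verify the stored trust policy carries the External ID condition before handing out the ARN.
  aws iam get-role --role-name "$ROLE_NAME" --output json \
    | grep -q '"sts:ExternalId"' || { echo "trust policy lacks ExternalId" >&2; return 1; }
  # Print the Role ARN to paste into Storyfier's "Paste Role ARN here" box.
  aws iam get-role --role-name "$ROLE_NAME" --query Role.Arn --output text
}

# Only act when invoked with the External ID as the first argument.
if [ "$#" -ge 1 ]; then
  create_warden_role "$1"
fi
```

The script does not enable MFA on the trust, matching step 5 of the manual setup.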

Onboarding a Google Cloud Platform (GCP) Project

Setting up Warden in a GCP project can only be done the manual way at this time.

1. Log in to your Google Cloud Console, navigate to IAM & Admin > Service Accounts and select the project to onboard.

2. Click on Create Service Account.

3. Under Service account details, enter Horangi Warden as the Service account name, then enter Horangi API Access as the Service account description.

4. Click on Create.

5. Under Service account permissions (optional), select the following roles to attach to the service account.
  • IAM > Security Reviewer
  • Compute Engine > Compute Network Viewer
  • BigQuery > BigQuery Metadata Viewer
  • Binary Authorisation > Binary Authorisation Policy Viewer

6. Click on Continue.

7. Under Grant users access to this service account (optional), leave the fields blank and click on Done.

8. Select the service account that you just created (Horangi Warden) in the Service Accounts page.

9. Click on Add Key > Create New Key.

10. Leave the default JSON selected and click Create.

11. Save the provided JSON file.

12. Enable the APIs necessary for Warden to work.

Using Google Cloud Shell:

gcloud services enable compute.googleapis.com sqladmin.googleapis.com storage.googleapis.com dns.googleapis.com cloudkms.googleapis.com iam.googleapis.com container.googleapis.com monitoring.googleapis.com logging.googleapis.com cloudresourcemanager.googleapis.com bigquery.googleapis.com binaryauthorization.googleapis.com

Via the Google Cloud Console API Library:

Enable the same APIs that are listed in the gcloud command above.

The Compute Engine and Cloud DNS APIs require you to have billing enabled on the projects you are onboarding.

13. Copy and paste the contents of the JSON file into the API Credentials field.

14. Click on Add.

Onboarding a GCP Organization 

For all GCP projects that you want to scan, Warden will enable the following APIs during scanning.

  • Compute Engine API
  • Cloud SQL Admin API
  • Cloud Storage API
  • Cloud DNS API
  • Cloud Key Management Service (KMS) API
  • Identity and Access Management (IAM) API
  • Kubernetes Engine API
  • Stackdriver Monitoring API
  • Cloud Logging API
  • Cloud Resource Manager API
  • BigQuery API
  • Binary Authorization API

If you are unable to create the IAM Role (see step 10 below), you will have to manually enable all of the above APIs in each project. You can run the following command in Google Cloud Shell to enable the APIs:

gcloud services enable compute.googleapis.com sqladmin.googleapis.com storage.googleapis.com dns.googleapis.com cloudkms.googleapis.com iam.googleapis.com container.googleapis.com monitoring.googleapis.com logging.googleapis.com cloudresourcemanager.googleapis.com bigquery.googleapis.com binaryauthorization.googleapis.com

Repeat the command once for each project.

Pre-Requisites:

  • A GCP account within the organization assigned with the Organization Administrator and Organization Role Administrator roles.
  • An active Cloud Billing Account

Adding a GCP Cloud Organization

1. Log in to the GCP console using an account assigned with the Organization Administrator and Organization Role Administrator roles.

2. Create a new project within the organization to ensure API limits for Warden are controlled separately from production workloads.

3. Enter a unique project name and click Create. You will then be redirected to the project view.

4. Click the hamburger menu button on the top left corner and click Billing.

5. If a billing account has already been linked to the project, you should see the Billing Overview page. Otherwise, click Link a Billing Account.

6. Select the billing account you would like to associate the project with from the dropdown menu and click on Link Account.

7. Navigate to IAM & Admin > Service Accounts, then click on Create Service Account.

8. Under Service account details, enter Horangi Warden as the Service account name, then enter Horangi API Access as the Service account description.

9. Click Create, then Done.

10. Note down the email address of the service account you just created (Horangi Warden) in an accessible location.

11. Click the 3-dot menu icon under the Actions column for the new service account and click Create key.

12. Leave the Key type as JSON and click Create.

13. Save the JSON file to a secure location. You will not be able to recover the key if you lose it.

14. Enable the APIs necessary for Warden to work.

Method 1: Using Google Cloud Shell

Type the following command in the Google Cloud Shell:

gcloud services enable compute.googleapis.com sqladmin.googleapis.com storage.googleapis.com dns.googleapis.com cloudkms.googleapis.com iam.googleapis.com container.googleapis.com monitoring.googleapis.com logging.googleapis.com cloudresourcemanager.googleapis.com bigquery.googleapis.com binaryauthorization.googleapis.com cloudbilling.googleapis.com

Method 2: Via the Google Cloud Console API Library:

Enable the same APIs that are listed in the gcloud command above.

The Compute Engine and Cloud DNS APIs require you to have billing enabled on the projects you are onboarding.

15. Switch back to Organization view to start setting up the organization-wide permissions.

16. Navigate to IAM & Admin > Roles, then click Create Role.

17. Under Title, enter Horangi Warden Scanner, then enter HorangiWardenScanner as the ID.

18. Click Add Permissions.

19. Under the Filter table field, enter and select `serviceusage.services.enable`.

20. Once the permission has been selected, click Add.

21. Click Create to finish creating the custom role.

22. Still in Organization view, navigate to IAM & Admin > IAM. Click Add to add permissions for the service account you created in Steps 7-9.

23. Input the email of the service account you created as New members.

24. Add the following roles:

  • Custom > Horangi Warden Scanner (the Role created earlier)
  • Resource Manager > Organization Viewer
  • Resource Manager > Folder Viewer
  • Billing > Billing Account Viewer
  • IAM > Security Reviewer
  • Compute Engine > Compute Network Viewer
  • BigQuery > BigQuery Metadata Viewer
  • Binary Authorisation > Binary Authorisation Policy Viewer
  • Service Usage > Service Usage Viewer

If you can’t find the Role `Horangi Warden Scanner`, wait for a few minutes and try again. It may take some time for the Role to appear after creation.

25. Click Save to finish adding permissions.
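Steps 7 to 25 above, and the equivalent single-project steps in the section Onboarding a Google Cloud Platform (GCP) Project, can be scripted with gcloud. The following is an added example and not Horangi's own tooling; PROJECT_ID and ORG_ID are placeholders for the dedicated Warden project and your numeric Organization ID.

```shell
#!/usr/bin/env bash
# Added example, not Horangi's tooling: scripts the GCP-side onboarding steps
# (service account, custom role, organization bindings, JSON key, APIs).
# Run with --apply to execute; without it only the helpers are defined.
set -eu

PROJECT_ID="my-warden-project"      # placeholder: the project created in step 2
ORG_ID="123456789012"               # placeholder: your numeric Organization ID
SA_NAME="horangi-warden"
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
CUSTOM_ROLE_ID="HorangiWardenScanner"
# APIs from the guide; cloudbilling is only needed for organization onboarding.
WARDEN_APIS="compute.googleapis.com sqladmin.googleapis.com storage.googleapis.com dns.googleapis.com cloudkms.googleapis.com iam.googleapis.com container.googleapis.com monitoring.googleapis.com logging.googleapis.com cloudresourcemanager.googleapis.com bigquery.googleapis.com binaryauthorization.googleapis.com cloudbilling.googleapis.com"

# Organization-level roles from step 24: read-only viewer/reviewer roles plus
# the custom role, which only carries serviceusage.services.enable.
org_roles() {
  cat <<EOF
organizations/${ORG_ID}/roles/${CUSTOM_ROLE_ID}
roles/resourcemanager.organizationViewer
roles/resourcemanager.folderViewer
roles/billing.viewer
roles/iam.securityReviewer
roles/compute.networkViewer
roles/bigquery.metadataViewer
roles/binaryauthorization.policyViewer
roles/serviceusage.serviceUsageViewer
EOF
}

# Guard against a copy-paste slip granting write access: every predefined
# role in the list must end in viewer or reviewer.
roles_are_read_only() {
  ! org_roles | grep '^roles/' | grep -v -i -q -E '(viewer|reviewer)$'
}

# The value Storyfier asks for in the Identifier field (step 30).
storyfier_identifier() { echo "organizations/${ORG_ID}"; }

onboard_org() {
  gcloud services enable $WARDEN_APIS --project "$PROJECT_ID"   # unquoted on purpose
  gcloud iam service-accounts create "$SA_NAME" --project "$PROJECT_ID" \
    --display-name "Horangi Warden" --description "Horangi API Access"
  gcloud iam roles create "$CUSTOM_ROLE_ID" --organization "$ORG_ID" \
    --title "Horangi Warden Scanner" --permissions serviceusage.services.enable
  org_roles | while read -r role; do
    gcloud organizations add-iam-policy-binding "$ORG_ID" \
      --member "serviceAccount:${SA_EMAIL}" --role "$role"
  done
  # The JSON key is a long-lived secret that cannot be recovered; keep it out of source control.
  gcloud iam service-accounts keys create warden-key.json --iam-account "$SA_EMAIL"
  echo "Identifier for Storyfier: $(storyfier_identifier)"
}

if [ "${1:-}" = "--apply" ]; then onboard_org; fi
```

The custom role may take a few minutes to become bindable after creation, as the guide notes; rerun the binding loop if a binding fails.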

26. Go to Storyfier’s Settings (gear icon) page, then click on Integrations.

27. Click the Add button next to GCP. A popup of the list of organizations linked to your Storyfier org will appear.

28. Click Add New GCP Cloud Organization.

You can only add a GCP organization once. If you need to make changes to your service account credentials, you can edit an existing GCP organization.

29. Paste the service account credentials JSON file you saved earlier in the API Credentials field.

30. For the Identifier field, enter the text `organizations/` followed by your Organization ID. The Organization ID can be found by clicking on the dropdown menu on the top and looking at the ID next to your organization.

31. Click Add.

Caution: Removing a GCP organization in Storyfier is not supported, as doing so will disable all scans tied to that GCP organization. If you have to remove your organization, contact us at hello@horangi.com for assistance.

Updating GCP Cloud Organization API Credentials

1. Follow Steps 1-25 of Adding a GCP Cloud Organization to create a new Service Account.

2. In Storyfier, click on Settings > Integrations, then click Update next to GCP.

3. Click Update next to the GCP Organization you want to update.

4. Paste the API credentials you downloaded in Step 12 of Adding a GCP Cloud Organization.

5. Click Save Changes.

Importing Projects from a GCP Cloud Organization

1. Navigate to the Settings page (gear icon), then click Scan Configuration on the left sidebar.

2. Create a new scan group or use an existing one.

3. On the Scan Configuration page, click on the pencil icon next to the scan group which you would like to import GCP projects into.

4. On the right-side panel, click Add Account.

5. Select Add Projects From Google Cloud Organization and click Next.

6. Select the Organization that you created previously and click on Next.

7. Select the projects you want to onboard in Warden and click Add Projects.

8. On the Scan Configuration page, you should see the projects imported into the scan group.

9. Click on the Refresh icon next to each project to start a scan.

Only projects that have billing accounts linked are imported. If there is a project in your organization that has not been imported, check to see if the project is linked to a billing account.