diff --git a/docs/8-reference/cloud-security-api-iac.md b/docs/8-reference/cloud-security-api-iac.md new file mode 100644 index 000000000..8af6a800d --- /dev/null +++ b/docs/8-reference/cloud-security-api-iac.md @@ -0,0 +1,219 @@ +# Cloud Security: API, Infrastructure-as-Code, and Case Automation + +!!! warning "Private Beta" + Cloud Security is currently in **Private Beta**. Features, APIs, and + configuration formats described here may change before general + availability. Contact us if you would like access. + +This page is the operator reference for automating LimaCharlie Cloud Security: the +public REST API surface, the Hive records that ARE the Infrastructure-as-Code +surface (providers, policies, saved queries), and the D&R recipes that close the +loop between cloud findings and Cases. + +## The REST API + +All Cloud Security routes live under `https://api.limacharlie.io/v1/cloudsec/{oid}/…` +and appear in the public OpenAPI spec at +[`/openapi`](https://api.limacharlie.io/openapi). Reads require the `cloudsec.get` +permission, finding-triage writes require `cloudsec.set`, and every route requires +the organization to be subscribed to the cloud security extension (a `403` tells +you to subscribe). + +The read surface includes: `findings` (risk-ranked worklist with keyset pagination +and server-side filters), `findings/facets`, `attack-paths` (with the same filter +selectors), `chokepoints` (incl. the principal-exposure metrics), `ciem/public-access`, +`inventory` (+`inventory/facets`), `compliance` (+`compliance/frameworks`), +`overview` (incl. the per-tenant `usage` metering block), `risk-trend`, `changes`, +`scan-status`, `query` (the graph DSL), and `graph/neighbors`. + +### CSV export + +Add `?format=csv` to `findings`, `inventory`, `compliance`, or `query` to stream the +result as a CSV attachment instead of JSON. The server walks the full filtered set +itself (your filter query parameters apply; paging parameters are ignored), capped +at 100,000 rows with a trailing `#`-comment row as the truncation notice. + +```bash +curl -H "Authorization: Bearer $JWT" \ + "https://api.limacharlie.io/v1/cloudsec/$OID/findings?severity=CRITICAL&severity=HIGH&format=csv" \ + -o findings.csv +``` + +The compliance CSV carries one row per control including the proving finding ids — +the auditor-facing evidence export. + +## Hive is the IaC surface + +Cloud Security is configured entirely through Hive records. Anything you can click +in the console you can `limacharlie hive set` — which makes tenant onboarding and +multi-tenant policy management a script, not a UI workflow. + +| Hive | Record | Purpose | +|---|---|---| +| `cloudsec_provider` | one per cloud/IdP connection | what to collect (GCP / AWS / Azure / Okta / Google Workspace) | +| `cloudsec_policy` | many, typed by `policy_type` | `classification` (crown jewels), `coverage` (EDR expectation), `scanning` (agentless YARA), `emission` (event feed), `exclusions` (resource escape hatch), `suppression` (finding disposition rules) | +| `cloudsec_query` | one per saved query | org-shared saved graph queries (the Query Console library) | + +### Onboarding a tenant (recipe) + +```bash +# 1. Subscribe the org to the extension (billing/enable gate). +limacharlie extension subscribe --name ext-cloud-security --oid $OID + +# 2. Connect a provider. +cat > provider.json < classification.json <` header. !!! info "Permissions & enable gate" Reads require `cloudsec.get`; writes require `cloudsec.set`. Every route - requires the organization to be subscribed to `ext-cloud-inventory` — a + requires the organization to be subscribed to `ext-cloud-security` — a `403` on any route means subscribe first. The `oid` is always taken from the authorized path. diff --git a/docs/cloud-security/automation.md b/docs/cloud-security/automation.md index da296afed..e7e8d1a78 100644 --- a/docs/cloud-security/automation.md +++ b/docs/cloud-security/automation.md @@ -1,5 +1,10 @@ # Automation & Infrastructure-as-Code +!!! warning "Private Beta" + Cloud Security is currently in **Private Beta**. Features, APIs, and + configuration formats described here may change before general + availability. Contact us if you would like access. + Everything Cloud Security does is scriptable: configuration is Hive records, the query/triage surface is the [REST API](api-reference.md) and [CLI](cli.md), and findings flow through the standard event pipeline. This @@ -9,7 +14,7 @@ page collects the operator recipes. ```bash # 1. Subscribe the org to the extension (billing/enable gate). -limacharlie extension subscribe --name ext-cloud-inventory --oid $OID +limacharlie extension subscribe --name ext-cloud-security --oid $OID # 2. Store the collector credential as a secret (hive set reads # record data from --input-file or piped stdin). diff --git a/docs/cloud-security/caasm.md b/docs/cloud-security/caasm.md index 6558b682a..55a4c69da 100644 --- a/docs/cloud-security/caasm.md +++ b/docs/cloud-security/caasm.md @@ -1,5 +1,10 @@ # CAASM — Cyber Asset Attack Surface Management +!!! warning "Private Beta" + Cloud Security is currently in **Private Beta**. Features, APIs, and + configuration formats described here may change before general + availability. Contact us if you would like access. + Your tools already know what you own: the EDR sees devices, the identity provider sees users and their devices, MDM and scanners see more. CAASM merges those third-party views into one entity-resolved asset inventory and diff --git a/docs/cloud-security/cli.md b/docs/cloud-security/cli.md index 24f76c672..91774a648 100644 --- a/docs/cloud-security/cli.md +++ b/docs/cloud-security/cli.md @@ -1,5 +1,10 @@ # Command Line Interface +!!! warning "Private Beta" + Cloud Security is currently in **Private Beta**. Features, APIs, and + configuration formats described here may change before general + availability. Contact us if you would like access. + The `limacharlie cloudsec` command group (Python SDK/CLI v2) covers the full Cloud Security API surface. Every command supports the global options (`--oid`, `--output json|yaml|csv|table`, `--filter `), and every diff --git a/docs/cloud-security/compliance.md b/docs/cloud-security/compliance.md index 401344f75..700b62ea9 100644 --- a/docs/cloud-security/compliance.md +++ b/docs/cloud-security/compliance.md @@ -1,5 +1,10 @@ # Compliance +!!! warning "Private Beta" + Cloud Security is currently in **Private Beta**. Features, APIs, and + configuration formats described here may change before general + availability. Contact us if you would like access. + Cloud Security evaluates compliance frameworks continuously against the live estate: each control maps to detection rules, and a control fails when open findings prove the violation — so the compliance report is always as fresh diff --git a/docs/cloud-security/configuration.md b/docs/cloud-security/configuration.md index a28d68301..259737771 100644 --- a/docs/cloud-security/configuration.md +++ b/docs/cloud-security/configuration.md @@ -1,5 +1,10 @@ # Configuration Reference +!!! warning "Private Beta" + Cloud Security is currently in **Private Beta**. Features, APIs, and + configuration formats described here may change before general + availability. Contact us if you would like access. + Cloud Security is configured entirely through three Hive types. Anything the console can configure, `limacharlie hive set` can configure — which makes tenant onboarding and fleet-wide policy a script, not a UI workflow (see diff --git a/docs/cloud-security/findings.md b/docs/cloud-security/findings.md index 4cbead928..314bb5cca 100644 --- a/docs/cloud-security/findings.md +++ b/docs/cloud-security/findings.md @@ -1,5 +1,10 @@ # Findings & Triage +!!! warning "Private Beta" + Cloud Security is currently in **Private Beta**. Features, APIs, and + configuration formats described here may change before general + availability. Contact us if you would like access. + Everything Cloud Security detects lands in one place: a merged, risk-ranked findings worklist. CSPM misconfigurations, graph-derived attack paths, and identity (CIEM) risks are all findings with the same shape, the same triage diff --git a/docs/cloud-security/getting-started.md b/docs/cloud-security/getting-started.md index 30dc9dc32..57af37520 100644 --- a/docs/cloud-security/getting-started.md +++ b/docs/cloud-security/getting-started.md @@ -1,5 +1,10 @@ # Getting Started with Cloud Security +!!! warning "Private Beta" + Cloud Security is currently in **Private Beta**. Features, APIs, and + configuration formats described here may change before general + availability. Contact us if you would like access. + This page takes an organization from zero to a populated Cloud Security dashboard: subscribe the extension, store a credential, connect a provider, and run the first sweep. @@ -7,12 +12,12 @@ and run the first sweep. ## 1. Subscribe the extension Cloud Security is enabled per organization by subscribing to the -`ext-cloud-inventory` extension — the subscription is both the enable gate +`ext-cloud-security` extension — the subscription is both the enable gate and the billing hook. In the web console, open the extension from the Add-Ons marketplace and click **Subscribe**, or from the CLI: ```bash -limacharlie extension subscribe --name ext-cloud-inventory --oid $OID +limacharlie extension subscribe --name ext-cloud-security --oid $OID ``` Until the organization is subscribed, every Cloud Security API route and diff --git a/docs/cloud-security/graph.md b/docs/cloud-security/graph.md index b22b92ffe..94831acce 100644 --- a/docs/cloud-security/graph.md +++ b/docs/cloud-security/graph.md @@ -1,5 +1,10 @@ # Security Graph & Queries +!!! warning "Private Beta" + Cloud Security is currently in **Private Beta**. Features, APIs, and + configuration formats described here may change before general + availability. Contact us if you would like access. + Every sweep builds a graph of the estate: resources, identities, and data stores as nodes; reachability, exposure, permissions, and vulnerability relationships as edges. The graph is what turns three individually-boring diff --git a/docs/cloud-security/index.md b/docs/cloud-security/index.md index b4052e66a..56d10297c 100644 --- a/docs/cloud-security/index.md +++ b/docs/cloud-security/index.md @@ -44,7 +44,7 @@ on a schedule, on demand, or continuously from a change feed. ## How it works -1. **Subscribe** the organization to the `ext-cloud-inventory` extension — +1. **Subscribe** the organization to the `ext-cloud-security` extension — this is the product's enable (and billing) gate. 2. **Connect providers**: one `cloudsec_provider` Hive record per cloud account / IdP tenant. A pre-save credential test probes every permission @@ -74,7 +74,7 @@ onboarded and governed as code. connection records in the Hive. Every route additionally requires the organization to be subscribed to - `ext-cloud-inventory`; unsubscribed organizations receive `403`. + `ext-cloud-security`; unsubscribed organizations receive `403`. ## Documentation diff --git a/mkdocs.yml b/mkdocs.yml index fd5123479..5702703b3 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -534,6 +534,7 @@ nav: - Story Tags: 8-reference/story-tags.md - ID Schema: 8-reference/id-schema.md - Permissions: 8-reference/permissions.md + - Cloud Security API & IaC: 8-reference/cloud-security-api-iac.md - Error Codes: 8-reference/error-codes.md - Auth Resource Locator: 8-reference/authentication-resource-locator.md - YARA Modules: 8-reference/yara-modules.md