Real-time threat detection and auto-remediation for cloud IAM with ML anomaly detection and SailPoint lifecycle integration
Enterprise challenges with cloud IAM:
Manual IAM review cannot:
Modern cloud security requires:
Think of it as an immune system for your cloud.
Event-driven security automation powered by ML and IGA:
| Capability | Technology | Outcome |
|---|---|---|
| Event Processing | GCP Eventarc + Cloud Functions | Real-time IAM monitoring |
| Anomaly Detection | Isolation Forest ML | Unusual pattern identification |
| Auto-Remediation | Cloud Functions + IAM API | Block threats automatically |
| IGA Integration | SailPoint IdentityIQ | Lifecycle context correlation |
| Risk Scoring | ML-based scoring | 0-100 risk quantification |
| Alerting | Slack, Teams, Email | Multi-channel notifications |
| Dashboard view | Description |
|---|---|
| Immune Dashboard | Bio-organic dark theme |
| Detection Center | Real-time threat view |
| Remediation Console | Auto-remediation logs |
| Identity Monitor | SailPoint lifecycle events |
| Alert Management | Multi-channel notifications |
SailPoint IdentityIQ was chosen for v1.1 because:
EVENT SOURCES
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ AWS CloudTrail │ │ GCP Cloud │ │ SailPoint │
│ IAM Events │ │ Audit Logs │ │ IdentityIQ │
│ ───────────── │ │ ───────────── │ │ ───────────── │
│ CreateRole │ │ SetIamPolicy │ │ JML Events │
│ AttachPolicy │ │ CreateBucket │ │ Certifications │
│ DeleteUser │ │ UpdateKey │ │ Access Requests│
└────────┬────────┘ └────────┬────────┘ └────────┬────────┘
│ │ │
└──────────────────────┼──────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ GCP EVENTARC │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Event Routing + Filtering + Dead Letter Queue │ │
│ └──────────────────────────────────────────────────────────┘ │
└─────────────────────────────┬───────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ CLOUD FUNCTIONS │
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────────────┐ │
│ │ Detectors │ │ Remediators │ │ SailPoint Handler │ │
│ │ ────────────│ │ ────────────│ │ ────────────────────│ │
│ │ Public Bucket│ │ Block Public │ │ Lifecycle Events │ │
│ │ Admin Grant │ │ Revoke Access│ │ Cert Correlation │ │
│ │ Policy Change│ │ Alert Team │ │ Identity Health │ │
│ │ Cross Account│ │ Quarantine │ │ HMAC Verification │ │
│ └──────────────┘ └──────────────┘ └──────────────────────┘ │
│ │
│ ┌──────────────┐ ┌──────────────┐ │
│ │ ML Anomaly │ │ Risk Scorer │ │
│ │ ────────────│ │ ────────────│ │
│ │ Iso. Forest │ │ Combined │ │
│ │ Baseline │ │ Score 0-100 │ │
│ └──────────────┘ └──────────────┘ │
└─────────────────────────────┬───────────────────────────────────┘
│
┌─────────────────────┼─────────────────────┐
▼ ▼ ▼
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ React │ │ BigQuery │ │ Slack │
│ Frontend │ │ Events │ │ Teams │
│ │ │ │ │ Email │
│ Bio-organic │ │ Historical │ │ Multi-chan │
│ Dark Theme │ │ Analysis │ │ Alerts │
└──────────────┘ └──────────────┘ └──────────────┘
Public Bucket Detector (detectors/public_bucket.py)
Detects when a GCP bucket is made publicly accessible.
Detection criteria:
- allUsers or allAuthenticatedUsers binding
- Public IAM policy changes
- Bucket ACL modifications
Risk: Public data exposure
Auto-Remediation: Remove public binding

Admin Grant Detector (detectors/admin_grant.py)
Detects when admin/owner roles are granted.
Detection criteria:
- roles/owner
- roles/editor
- roles/*Admin
- Custom roles with broad permissions
Risk: Privilege escalation
Auto-Remediation: Revoke + alert

Policy Change Detector (detectors/policy_change.py)
Detects suspicious IAM policy modifications.
Detection criteria:
- SetIamPolicy on sensitive resources
- Service account key creation
- Cross-project bindings
Risk: Unauthorized access
Auto-Remediation: Alert + review

Machine Identity Detector (detectors/machine_identity.py)
Monitors service account activities.
Detection criteria:
- Service account impersonation
- Key rotation anomalies
- Unusual API patterns
Risk: Compromised service accounts
Auto-Remediation: Quarantine + alert
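The two highest-impact detectors above (Public Bucket and Admin Grant) reduce to inspecting the binding deltas of an IAM policy change, and the Risk Scorer blends the worst detector severity with the ML anomaly score. The block below is an added example, not code from the iam-immune-system project: it runs those two criteria over constructed Cloud Audit Log style entries and produces a 0-100 score. Assumptions: the entry layout (`protoPayload.methodName`, `resourceName`, `authenticationInfo`, `serviceData.policyDelta.bindingDeltas`) follows the shape of Cloud Audit Logs policy-change records, the sample entries are constructed, and the severity weights and anomaly blending are illustrative rather than the project's own scoring.

```python
"""Added example (not the project's detectors): Public Bucket and Admin Grant
criteria over constructed Cloud Audit Log entries, plus an illustrative risk score.
Assumed entry shape: protoPayload.{methodName,resourceName,authenticationInfo,
serviceData.policyDelta.bindingDeltas[]}.
"""
import fnmatch
from typing import Dict, List

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Page criteria: roles/owner, roles/editor, roles/*Admin. Matched case-insensitively
# because predefined GCP roles spell it both ways (roles/compute.admin,
# roles/iam.serviceAccountAdmin).
ADMIN_ROLE_PATTERNS = ("roles/owner", "roles/editor", "roles/*admin")

# Constructed sample entries, not real logs.
SAMPLE_EVENTS: List[Dict] = [
    {  # a developer makes a bucket world-readable
        "protoPayload": {
            "methodName": "storage.setIamPermissions",
            "resourceName": "projects/_/buckets/customer-exports",
            "authenticationInfo": {"principalEmail": "dev@example.com"},
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"},
            ]}},
        }
    },
    {  # project-level owner granted to an outside account by a CI service account
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "resourceName": "projects/prod-app",
            "authenticationInfo": {"principalEmail": "ci-bot@prod-app.iam.gserviceaccount.com"},
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/owner", "member": "user:attacker@example.org"},
            ]}},
        }
    },
    {  # benign: a viewer binding removed
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "resourceName": "projects/prod-app",
            "authenticationInfo": {"principalEmail": "admin@example.com"},
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "REMOVE", "role": "roles/viewer", "member": "user:old@example.com"},
            ]}},
        }
    },
]


def added_bindings(entry: Dict) -> List[Dict]:
    """Only ADDed bindings widen access; removals are ignored by both detectors."""
    payload = entry.get("protoPayload", {})
    deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    return [d for d in deltas if d.get("action") == "ADD"]


def is_admin_role(role: str) -> bool:
    return any(fnmatch.fnmatchcase(role.lower(), p) for p in ADMIN_ROLE_PATTERNS)


def detect_public_bucket(entry: Dict) -> List[Dict]:
    """Public Bucket criterion: allUsers/allAuthenticatedUsers bound on a bucket resource."""
    if "/buckets/" not in entry.get("protoPayload", {}).get("resourceName", ""):
        return []
    return [
        {"detector": "public_bucket", "severity": 70, "role": d["role"],
         "member": d["member"], "remediation": "remove_public_binding"}
        for d in added_bindings(entry) if d.get("member") in PUBLIC_MEMBERS
    ]


def detect_admin_grant(entry: Dict) -> List[Dict]:
    """Admin Grant criterion: owner/editor/*Admin role bound to any principal."""
    return [
        {"detector": "admin_grant", "severity": 90, "role": d["role"],
         "member": d["member"], "remediation": "revoke_and_alert"}
        for d in added_bindings(entry) if is_admin_role(d.get("role", ""))
    ]


def risk_score(findings: List[Dict], anomaly_score: float = 0.0) -> int:
    """Worst detector severity plus up to 30 points from an anomaly score in [0, 1].
    Illustrative weighting: a routine admin grant scores 90, an anomalous one saturates at 100."""
    if not findings:
        return 0
    anomaly_score = min(max(anomaly_score, 0.0), 1.0)
    return min(100, int(max(f["severity"] for f in findings) + 30 * anomaly_score))


def analyze(entry: Dict, anomaly_score: float = 0.0) -> Dict:
    payload = entry.get("protoPayload", {})
    findings = detect_public_bucket(entry) + detect_admin_grant(entry)
    return {
        "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
        "resource": payload.get("resourceName"),
        "findings": findings,
        "risk": risk_score(findings, anomaly_score),
    }


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(analyze(event))
```

The check that matters in practice is the `action == "ADD"` filter: a SetIamPolicy entry carries the full delta, and alerting on removals of privileged roles would page the team for the remediation it just performed.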
Prerequisites:
- Python 3.11+
- Node.js 18+
- GCP account with Cloud Functions enabled
- Terraform (for infrastructure deployment)

```bash
# Clone repository
git clone https://github.com/MikeDominic92/iam-immune-system.git
cd iam-immune-system

# Backend setup
python -m venv venv
source venv/bin/activate   # Windows: venv\Scripts\activate
pip install -r requirements.txt

# Frontend setup (new terminal)
cd frontend
npm install
```

```bash
# Initialize Terraform
cd terraform
terraform init

# Deploy Cloud Functions
terraform apply -var="project_id=your-project" -var="region=us-central1"
```

```bash
# Start Frontend
cd frontend && npm run dev

# Run the function locally with the Functions Framework
functions-framework --target=handle_iam_event --debug
```

- Frontend: http://localhost:3000
- Functions: Deployed to GCP
Running IAM Immune System is inexpensive at typical event volumes:
| Component | Monthly Cost | Notes |
|---|---|---|
| Cloud Functions | ~$5 | 1M invocations |
| Eventarc | ~$3 | Event routing |
| BigQuery | ~$5 | 10GB storage |
| Cloud Storage | ~$2 | Logs and state |
| Total | ~$15/month | Typical workload |
See Cost Analysis for detailed breakdown.
```python
from fastapi import FastAPI, HTTPException, Request
from src.integrations import SailPointConnector, WebhookHandler, CertificationSync

app = FastAPI()

# Initialize connector (mock mode available)
# Note: *.identitynow.com is the SailPoint IdentityNow SaaS host; an IdentityIQ
# deployment is reached at your own server URL.
sailpoint = SailPointConnector(
    base_url="https://company.identitynow.com",
    client_id="your-client-id",
    client_secret="your-secret",   # load from Secret Manager / env in production, never hard-code
    mock_mode=True                 # For demo
)

# Handle lifecycle webhook
handler = WebhookHandler(secret_key="webhook-secret")

@app.post("/sailpoint/webhook")
async def handle_sailpoint_event(request: Request):
    # Verify HMAC signature before trusting anything in the body
    if not handler.verify_signature(request):
        raise HTTPException(status_code=401)
    event = await request.json()

    # Process lifecycle event (use .get so a malformed payload is ignored, not a 500)
    if event.get('type') == 'JOINER':
        # New employee - establish baseline
        handler.process_joiner(event)
    elif event.get('type') == 'LEAVER':
        # Termination - revoke all access
        handler.process_leaver(event)
    return {"status": "processed"}

# Sync certification decisions
cert_sync = CertificationSync(sailpoint)
revocations = cert_sync.get_recent_revocations(days=7)
```
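The handler above delegates signature checking to the project's `WebhookHandler`, whose internals the page does not show. The block below is an added example, not the project's `WebhookHandler`, of what a correct check looks like: HMAC-SHA256 over the raw body with a timestamp bound into the MAC (so a captured LEAVER payload cannot be replayed later), a constant-time comparison, and JOINER/LEAVER routing into a stand-in for the IAM side effects. The header names (`X-Signature`, `X-Timestamp`), the signature construction `HMAC(secret, timestamp + "." + body)` and the event body shape are assumptions for illustration; SailPoint's actual signing scheme is not described on the page.

```python
"""Added example (not the project's WebhookHandler): HMAC-verified lifecycle
webhook with a replay window. Header names and signature layout are assumed."""
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

MAX_SKEW_SECONDS = 300          # reject signatures older than 5 minutes
SECRET = b"webhook-secret"      # constructed demo secret; load from a secret store in practice


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Sender side: MAC over timestamp.body so the timestamp cannot be swapped."""
    return hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, headers: Dict[str, str], body: bytes,
                     now: Optional[float] = None) -> bool:
    """Receiver side: verify over the RAW bytes (never re-serialised JSON), constant-time."""
    sig = headers.get("X-Signature", "")
    ts = headers.get("X-Timestamp", "")
    if not sig or not ts.isdigit():
        return False
    now = time.time() if now is None else now
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:      # stale or replayed
        return False
    return hmac.compare_digest(sign(secret, ts, body), sig)


class LifecycleRouter:
    """Stand-in for the IAM side effects; records what a real handler would do."""

    def __init__(self) -> None:
        self.baselines: Dict[str, Dict] = {}
        self.revoked: List[str] = []

    def handle(self, event: Dict) -> str:
        identity = event.get("identity")
        if not identity:
            return "ignored"
        if event.get("type") == "JOINER":
            # New employee: expected entitlements become the anomaly baseline
            self.baselines[identity] = {"expected": event.get("entitlements", [])}
            return "baseline_created"
        if event.get("type") == "LEAVER":
            # Termination: in the real system this drives binding removal and key disablement
            self.revoked.append(identity)
            return "access_revoked"
        return "ignored"


def process_webhook(secret: bytes, headers: Dict[str, str], body: bytes,
                    router: LifecycleRouter, now: Optional[float] = None) -> Dict:
    if not verify_signature(secret, headers, body, now):
        return {"status": "rejected", "code": 401}
    event = json.loads(body)       # parse only after the MAC has been checked
    return {"status": "processed", "action": router.handle(event)}


def signed_request(event: Dict, ts: str, secret: bytes = SECRET) -> Tuple[Dict[str, str], bytes]:
    """Build a correctly signed (headers, body) pair, as the sender would."""
    body = json.dumps(event).encode()
    return {"X-Timestamp": ts, "X-Signature": sign(secret, ts, body)}, body


def demo() -> List[Dict]:
    """Constructed traffic: one valid LEAVER, one tampered body, one late replay."""
    router = LifecycleRouter()
    ts = "1700000000"
    headers, leaver = signed_request({"type": "LEAVER", "identity": "jdoe@example.com"}, ts)
    return [
        process_webhook(SECRET, headers, leaver, router, now=1700000010),
        process_webhook(SECRET, headers, leaver.replace(b"LEAVER", b"JOINER"), router, now=1700000010),
        process_webhook(SECRET, headers, leaver, router, now=1700001000),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Two details carry the security weight: the MAC is computed over the raw request bytes rather than a re-serialised `request.json()` (key order and whitespace would otherwise break verification, and tempting workarounds weaken it), and the timestamp is inside the MAC input, so an attacker who captures a valid LEAVER message cannot replay it to revoke someone's access a week later.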
Scenario: Developer accidentally makes bucket public.
Detection: Public Bucket Detector triggers on IAM change.
Response:
Outcome: Data exposure prevented.

Scenario: Employee leaves but access remains.
Detection: SailPoint LEAVER event received.
Response:
Outcome: Zero orphaned access.

Scenario: Compromised account grants admin to attacker.
Detection: Admin Grant + ML anomaly detection.
Response:
Outcome: Privilege escalation blocked.

Scenario: Certification revocation ignored.
Detection: SailPoint cert decision not reflected in cloud.
Response:
Outcome: Cert decisions enforced automatically.
iam-immune-system/
├── functions/
│ └── iam_monitor/
│ ├── main.py # Cloud Function entry
│ ├── detectors/ # Threat detectors
│ │ ├── public_bucket.py
│ │ ├── admin_grant.py
│ │ ├── policy_change.py
│ │ └── machine_identity.py
│ ├── remediators/ # Auto-remediation
│ │ ├── block_public.py
│ │ ├── revoke_access.py
│ │ └── alert_team.py
│ └── ml/ # ML models
│ ├── anomaly_detector.py
│ └── baseline_builder.py
├── src/
│ └── integrations/ # v1.1: SailPoint
│ ├── sailpoint_connector.py
│ ├── webhook_handler.py
│ └── certification_sync.py
├── terraform/ # Infrastructure as Code
├── frontend/ # React dashboard
└── docs/ # Documentation
| Category | Technologies |
|---|---|
| Cloud Security | GCP IAM, Cloud Functions, Eventarc |
| IGA Integration | SailPoint IdentityIQ, Lifecycle Webhooks |
| Machine Learning | Isolation Forest, Anomaly Detection |
| Infrastructure | Terraform, Cloud Run, BigQuery |
| Backend | Python, FastAPI, async/await |
| Frontend | React, TypeScript, Dark Theme |
- v1.0: Core detectors and remediators
- v1.1: SailPoint IdentityIQ integration
- v1.2: Okta lifecycle integration
- v1.3: AWS support (CloudTrail)
- v2.0: SOAR playbook integration
Mike Dominic
- GitHub: @MikeDominic92
- Focus: Cloud Security Automation + IGA
Built to demonstrate serverless security automation with enterprise IGA integration.
This is a portfolio project. Production deployment requires GCP infrastructure and SailPoint credentials.