A serverless sync server for Santa, built on AWS

Rudolph

Rudolph is the control server counterpart of Santa, and is used to rapidly deploy configurations to Santa agents.

Rudolph is built on Amazon Web Services and uses only serverless components to reduce operational burden. It is designed to be fast, easy to use, low-maintenance, and cost-conscious.

Who is Rudolph For?

Rudolph is built for teams interested in deploying Santa to implement binary authorization on macOS. In particular, it is designed around supporting:

  • Santa in LOCKDOWN Mode
  • Realtime unblocking
  • Machine-specific configurations

Additionally, Rudolph runs on Amazon Web Services and is ideal for teams that are too small to stand up or maintain more sophisticated environments.

  • Easy deployment: set up the entire stack in 20 minutes; tear it down in 1 minute
  • (Almost) zero maintenance
  • Proven scalability and cost-efficiency
  • Scales up and down automatically
  • High performance: Rudolph is designed to support 60-second sync intervals on Santa sensors, for real-time unblocking

More information can be found in our primer on Lockdown.

Deployment

Step 1) Deploy Rudolph

Start by deploying Rudolph (docs/deploy.md).

Step 2) Deploy Santa Agents

Next, deploy and configure your Santa sensors (docs/configuring-santa.md).

Step 3) Deploy Rules

Use the CLI to sync rules (docs/rules.md).

Comments
  • Clarify how configuration and rules are deployed

    Clarify how configuration and rules are deployed

    to: cc: @airbnb/rudolph-maintainers

    Background

    Context for the change

    Changes

    • Summary of changes
    • ...

    Testing

    Steps for how this change was tested and verified

  • [AWS][IAM] Restrict KMS Policies to Specified Account

    [AWS][IAM] Restrict KMS Policies to Specified Account

    to: @Ryxias cc: @airbnb/rudolph-maintainers

    Background

    KMS key policies should be limited to only the principals within the same account, and these changes optimize and clean up the KMS policy for clarity.

    Changes

    • Scope KMS principals to just the specified account
    • Clean up duplicate permissions

    Testing

    This has been deployed internally and validated against working systems.

  • Fix typo in santa log path

    Fix typo in santa log path

    to: cc: @airbnb/rudolph-maintainers

    Background

    Context for the change

    Changes

    • Summary of changes
    • ...

    Testing

    Steps for how this change was tested and verified

  • Supports JSON for rules import/export

    Supports JSON for rules import/export

    to: @ryandeivert @radsec cc: @airbnb/rudolph-maintainers

    Background

    Request to add json support.

    Also the way I was overusing channels before = no bueno. Gotta improve that a little bit.

  • Updates to the csv import/export

    Updates to the csv import/export

    to: @Ryxias @ryandeivert cc: @airbnb/rudolph-maintainers

    Background

    The usage of WGs and channels in csv export/import were... questionable. This PR makes them more sensible

  • KMS key admins param

    KMS key admins param

    to: @Ryxias cc: @airbnb/rudolph-maintainers

    Background

    KMS key administrators are now able to be re-added for additional permission granularity which was here prior

    Changes

    • Adds a KMS key administrator option for TF resources that have KMS keys attached to their resources
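The account scoping, duplicate-permission cleanup and key-administrator split described in the two KMS pull requests above, as an added example that is not part of Rudolph's code: a small Python linter for a KMS key policy document that lists Allow principals outside a given account (including the `*` wildcard) and (principal, action) grants repeated across statements. The policy, the account IDs and the `santa-api` role name are constructed for illustration and are not the project's own.

```python
"""Lint a KMS key policy: flag principals outside one account and repeated grants (added example; constructed policy, not Rudolph's)."""
import re
from collections import defaultdict

LOOSE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Admins", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Usage", "Effect": "Allow",
     "Principal": {"AWS": ["*", "arn:aws:iam::111111111111:role/santa-api"]},
     "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
    {"Sid": "Lambda", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::111111111111:role/santa-api",
                           "arn:aws:iam::222222222222:root"]},
     "Action": "kms:Decrypt", "Resource": "*"},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allow_grants(policy):
    """Yield (Sid, AWS principal, action) for each Allow statement; Service
    principals are skipped because they name an AWS service, not an account."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws:
            for action in set(_as_list(stmt.get("Action", []))):
                yield stmt.get("Sid", "<no Sid>"), p, action

def principal_account(principal):
    """12-digit account of an AWS principal, or None for '*' and other unscoped forms."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    m = re.match(r"^arn:aws:iam::(\d{12}):", principal)
    return m.group(1) if m else None

def foreign_principals(policy, account_id):
    """Sorted (Sid, principal) pairs that are a wildcard or belong to another account."""
    return sorted({(sid, p) for sid, p, _ in allow_grants(policy)
                   if principal_account(p) != account_id})

def duplicate_grants(policy):
    """Sorted (principal, action) pairs granted by more than one statement."""
    sids = defaultdict(set)
    for sid, p, action in allow_grants(policy):
        sids[(p, action)].add(sid)
    return sorted(k for k, s in sids.items() if len(s) > 1)
```

A wildcard principal is reported even when the statement carries a Condition block, because the policy is then only as tight as that condition; the linter does not evaluate conditions.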
  • Use Santa preferences to determine machine ID

    Use Santa preferences to determine machine ID

    The Rudolph cli assumes that it can determine the local machineID from a Santa machine mapping plist at a specific path, but Santa supports a few different methods for defining the machineID. Ideally, Rudolph would determine the machine ID using the same methods as Santa.

    Retrieving for Error: failed to get machineID: could not open santa machine mapping plist: open /Library/Preferences/com.google.santa.machine-mapping.plist: no such file or directory

  • Add Private API Gateway Option

    Add Private API Gateway Option

    Is your feature request related to a problem? Please describe. I would like to be able to make the API Gateway Private and then associate a VPC Endpoint with it. This would enable say, me putting all the resources in their own account, and the only thing being exposed from that account being a VPC endpoint.

    https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html#associate-private-api-with-vpc-endpoint

    This is somewhat related to # FIXME (derek.wang) Switch to PRIVATE later and attach some VPCs at https://github.com/airbnb/rudolph/blob/fcb3c40d7763bca7624b00e9f1dc220f6aa71765/deployments/terraform_modules/santa_api/main.tf#L11-L13
