Google Cloud Platform (GCP)
  • 24 Nov 2022
  • 8 Minutes to read

Google Cloud Platform (GCP) is a suite of cloud computing services. Alongside a set of management tools, it provides a series of modular cloud services including computing, data storage, data analytics and machine learning.

Types of Assets Fetched

This adapter fetches the following types of assets:

  • Devices
  • Users

Parameters

  1. JSON Key pair for the service account (required) - A JSON document containing service account credentials for GCP. For details, see Connect Axonius to Google Cloud Platform.
  2. HTTPS Proxy (optional) - A proxy to use when connecting to the GCP APIs.
  3. Projects Filter (optional) - Filter the projects accessible to the active account, using the filter syntax described in gcloud topic filters.
  4. To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.

Advanced Settings

Note:

From Version 4.6, advanced settings can either apply to all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection. For details, see Advanced Configuration for Adapters.

  1. Email domain include list (optional) - Specify a comma-separated list of email domains.

    • If supplied, all connections for this adapter will only fetch users whose email domain is in the specified list.
    • If not supplied, all connections for this adapter will fetch all users.
  2. Fetch Google Cloud Clusters - Select this option to fetch Cluster devices and display them on the Devices page.

  3. Fetch Google Cloud SQL database instances - Fetch all Google Cloud SQL instances.

    • If enabled, all connections for this adapter will fetch Google Cloud SQL database instances.
    • If disabled, all connections for this adapter will not fetch Google Cloud SQL database instances.
    Note:

    Fetching Google Cloud SQL database instances also requires the following:

    1. The Cloud SQL Admin API enabled.
    2. The Cloud SQL Viewer role.
  4. Fetch Google Cloud Storage buckets (optional) - Fetch all Google Cloud Storage buckets.

    • If enabled, all connections for this adapter will fetch the GCP Storage buckets.
    • If disabled, all connections for this adapter will not fetch the GCP Storage buckets.
    Note:

    Fetching Google Cloud Storage buckets also requires the following:

    1. The Cloud Storage JSON API enabled.
    2. The Storage Object Viewer role.

  5. Fetch Object metadata in Google Cloud Storage buckets (0: disabled, max supported: 1000) (optional, default: 0) - Fetch object metadata (name, size, and links to the objects) for the objects within each GCP Storage bucket.

    • If supplied, all connections for this adapter will fetch the specified number of objects, or 1000, whichever is smaller.
    • If not supplied, all connections for this adapter will not fetch object metadata in GCP Storage buckets.
    Note:

    Fetching object metadata in GCP Storage buckets also requires the following:

    1. The Cloud Storage JSON API enabled.
    2. The Storage Object Viewer role.
  6. Fetch IAM permissions for users - Fetch IAM permissions and associate them with the users' roles. This includes permissions for built-in roles as well as Subscription-level and Project-level custom-defined roles.

    • If enabled, all connections for this adapter will fetch IAM permissions and associate them with the users' roles. These permissions are represented in the Role Details complex field.
    • If disabled, all connections for this adapter will not fetch IAM permissions.
    Note:

    Fetching IAM permissions and associating them with the users' roles requires the following:

    1. The IAM: Organization Role Viewer role.
  7. Security Command Center (SCC) Organizations (optional) - Specify a comma-separated list of organization IDs.

    • If supplied, all connections for this adapter will fetch Security Command Center device assets and their associated vulnerabilities from the specified list of organization IDs.
    • If not supplied, all connections for this adapter will not fetch any Security Command Center device assets.
    Note:

    Fetching Security Command Center device assets and their associated vulnerabilities requires the following organization-level roles on each of the specified organizations:

    1. Security Center Findings Viewer role.
    2. Security Center Assets Viewer role.
      Or, alternatively, the Security Center Admin role.
  8. Fetch SCC findings from the last X days (0: disabled, max supported: 90) (optional, default: 90) - Specify how many days back SCC findings data is fetched.

    • If supplied, all connections for this adapter will fetch SCC findings data gathered in the last number of days as specified.
    • If not supplied, all connections for this adapter will fetch SCC findings data gathered in the last 90 days.
  9. Custom filter expression for SCC findings (optional) - Specify an expression that defines the filter to apply across assets fetched from SCC.

    • If supplied, all connections for this adapter will apply the specified filter when fetching SCC assets.
    • If not supplied, all connections for this adapter will not apply any filter when fetching SCC assets.
  10. Number of parallel connections (required, default: 20) - Specify the number of connections to be opened to control the performance of the data fetch.

  11. List of tags to parse as fields (optional, default: empty) - Specify a comma-separated list of tag keys to be parsed as devices fields. Each tag is a key-value pair that is part of the Adapter Tags complex field.

    • If supplied, all connections for this adapter will parse any of the listed tags that are associated with the fetched device as:
      • Values of the Adapter Tags field.
      • Designated field with the name of the tag key and the value of the tag value.
    • If not supplied, all connections for this adapter will only parse all tags as values of the Adapter Tags field.
Note:

For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.

Connect Axonius to Google Cloud Platform

To connect Axonius to Google Cloud Platform you need to:

  1. Enable cloud APIs
  2. Create a service account and grant permissions to that service account

1. Enable Cloud APIs

  1. Navigate to the Google Cloud Console and select the project that you want Axonius to connect to.

  2. Navigate to APIs & Services > Dashboard.

  3. Axonius requires the following APIs to be enabled:

Enabled API Name                         | Required / Optional | Used for
Compute Engine API                       | Required            | The adapter to fetch assets data from Google Cloud Platform.
Cloud Resource Manager API               | Required            | The adapter to fetch assets data from Google Cloud Platform.
Container Registry API                   | Required            | https://container.googleapis.com
Identity and Access Management (IAM) API | Required            | https://iam.googleapis.com
Security Command Center API              | Required            | https://securitycenter.googleapis.com
Cloud Storage JSON API                   | Optional            | Adapter advanced settings: Fetch Google Cloud Storage buckets (fetch all Google Cloud Storage buckets); Fetch Object metadata in Google Cloud Storage buckets (fetch object metadata in GCP Storage buckets).
Cloud SQL Admin API                      | Optional            | Adapter advanced settings: Fetch Google Cloud SQL database instances (fetch all Google Cloud SQL instances).

  • For example, in the screenshot below you can see that since the Cloud Resource Manager API doesn't appear in the list, it isn't enabled and needs to be enabled.

    To enable an API, click Enable APIs and Services at the top of the page.

    1. Search for the API you want to enable and select it. For example: Cloud Resource Manager API

    2. Click Enable.

2. Create a Service Account and Grant Permissions to that Service Account

  1. Navigate to the Google Cloud Console and select the project that you want Axonius to connect to.

  2. Select IAM & admin > Service accounts.

  3. Click Create a Service Account.

  4. Provide a name and description for the service account, then click Create. If you already clicked Done, skip to Step 8.

  5. In the Grant this service account access to a project section, give the service account the roles listed below, including the Security Reviewer role.

      Role Name                     | Required / Optional | Used for
      Compute Viewer                | Required            | Grants read-only access to Axonius to fetch assets.
      Kubernetes Engine Viewer      | Required            | Grants read-only access to Axonius to fetch assets.
      Storage Object Viewer         | Optional            | Adapter advanced settings: Fetch Google Cloud Storage buckets (fetch all Google Cloud Storage buckets); Fetch Object metadata in Google Cloud Storage buckets (fetch object metadata in GCP Storage buckets).
      Cloud SQL Viewer              | Optional            | Adapter advanced settings: Fetch Google Cloud SQL database instances (fetch all Google Cloud SQL instances).
      IAM: Organization Role Viewer | Optional            | Adapter advanced settings: Fetch IAM permissions for users (fetch IAM permissions and associate them with the users' roles).
      Security Reviewer             | Required            | Provides permissions to list all resources and the allow policies on them.

  6. Skip the Grant users access to this service account step.

  7. Click Done.

  8. To modify or review the permissions granted to this service account in any project or at the organization level, go to IAM, find the service account you created and click Edit Permissions.

  9. Click Create Key to create a key of the JSON type.

  10. The JSON key is downloaded. Finish creating the account and go back to the Service Accounts page. Copy the email address of the new service account.

  11. In the top part of the page, select the organization resource, and go to IAM & Admin > IAM.

    1. Click Add and use the service account email to add the new service account as a new member of the organization.
    2. Click + Add Another Role to add the following roles to the added member:

      Role Name                                                                                                   | Required / Optional | Used for
      Compute Viewer                                                                                              | Required            | Grants read-only access to Axonius to fetch assets.
      Kubernetes Engine Viewer                                                                                    | Required            | Grants read-only access to Axonius to fetch assets.
      Storage Object Viewer                                                                                       | Optional            | Adapter advanced settings: Fetch Google Cloud Storage buckets (fetch all Google Cloud Storage buckets); Fetch Object metadata in Google Cloud Storage buckets (fetch object metadata in GCP Storage buckets).
      Cloud SQL Viewer                                                                                            | Optional            | Adapter advanced settings: Fetch Google Cloud SQL database instances (fetch all Google Cloud SQL instances).
      IAM: Organization Role Viewer                                                                               | Optional            | Adapter advanced settings: Fetch IAM permissions for users (fetch IAM permissions and associate them with the users' roles).
      Security Center Findings Viewer and Security Center Assets Viewer (or, alternatively, Security Center Admin) | Optional            | Adapter advanced settings: Security Command Center organizations (fetch Security Command Center device assets and their associated vulnerabilities from the specified list of organizations). NOTE: These organization-level roles are required for each of the specified organizations.

  12. Click Save.
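The same procedure scripted with gcloud, as an added example that is not Axonius tooling: it enables the APIs from the table above, creates the service account, binds the listed project-level and organization-level roles, and creates the JSON key. The service names and role IDs are the standard GCP identifiers for the APIs and roles named on this page; the project ID, organization ID, account name and the feature flags (storage, sql, iam_perms) are placeholders and assumptions of the example.

```shell
#!/bin/sh
# Added example (not Axonius tooling): the "Connect Axonius to Google Cloud Platform" steps as
# gcloud commands. Service names and role IDs are the standard GCP identifiers for the APIs and
# roles the page names; PROJECT_ID, ORG_ID and SA_NAME are placeholders to replace.
set -eu
PROJECT_ID="${PROJECT_ID:-my-project-id}"   # placeholder
ORG_ID="${ORG_ID:-123456789012}"             # placeholder organization ID (for the SCC roles)
SA_NAME="${SA_NAME:-axonius-reader}"
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
# Required APIs from the page's table, plus the optional API each advanced setting needs.
# Feature flags: storage (buckets / object metadata), sql (Cloud SQL), iam_perms (IAM permissions).
axonius_apis_for() {
  apis="compute.googleapis.com cloudresourcemanager.googleapis.com container.googleapis.com iam.googleapis.com securitycenter.googleapis.com"
  for f in "$@"; do case "$f" in
    storage)   apis="$apis storage-api.googleapis.com" ;;   # Cloud Storage JSON API
    sql)       apis="$apis sqladmin.googleapis.com" ;;      # Cloud SQL Admin API
    iam_perms) ;;                                           # needs a role only, no extra API
    *) echo "unknown feature: $f" >&2; return 1 ;;
  esac; done
  echo "$apis"
}
# Required project-level roles, plus the optional role each advanced setting needs.
axonius_roles_for() {
  roles="roles/compute.viewer roles/container.viewer roles/iam.securityReviewer"
  for f in "$@"; do case "$f" in
    storage)   roles="$roles roles/storage.objectViewer" ;;        # Storage Object Viewer
    sql)       roles="$roles roles/cloudsql.viewer" ;;             # Cloud SQL Viewer
    iam_perms) roles="$roles roles/iam.organizationRoleViewer" ;;  # IAM: Organization Role Viewer
    *) echo "unknown feature: $f" >&2; return 1 ;;
  esac; done
  echo "$roles"
}
# Organization-level roles for Security Command Center, bound on each configured organization.
scc_roles() { echo "roles/securitycenter.findingsViewer roles/securitycenter.assetsViewer"; }
# Print each gcloud command; execute it only when APPLY=1, so the plan can be reviewed first.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$@"; fi; }

provision() {   # usage: provision [storage] [sql] [iam_perms]
  axonius_roles_for "$@" >/dev/null            # reject unknown feature flags up front
  run gcloud services enable $(axonius_apis_for "$@") --project "$PROJECT_ID"
  run gcloud iam service-accounts create "$SA_NAME" --project "$PROJECT_ID" --display-name "Axonius adapter"
  for r in $(axonius_roles_for "$@"); do
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" --member "serviceAccount:$SA_EMAIL" --role "$r"
  done
  for r in $(scc_roles); do
    run gcloud organizations add-iam-policy-binding "$ORG_ID" --member "serviceAccount:$SA_EMAIL" --role "$r"
  done
  run gcloud iam service-accounts keys create axonius-key.json --iam-account "$SA_EMAIL"
}
```

Run `provision storage sql` to print the plan, and `APPLY=1 provision storage sql` to execute it with an authenticated gcloud.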
