GCP Advanced Settings
Advanced Settings
Note
Advanced settings can either apply to all connections for this adapter, or to a specific connection. Refer to Advanced Configuration for Adapters.
- Email domain include list (optional) - Enter a comma-separated list of email domains to include in the fetch. If left empty, all connections for this adapter will fetch all users unless the Email domain exclude list is populated.
- Email domain exclude list (optional) - Enter a comma-separated list of email domains to exclude from the fetch when the Email domain include list is empty.
- Fetch Google Cloud Clusters - Select this option to fetch Cluster devices and display them in the Devices page.
- Fetch Google Cloud SQL database instances - Fetch all Google Cloud SQL instances.
- If enabled, all connections for this adapter will fetch Google Cloud SQL database instances.
- If disabled, all connections for this adapter will not fetch Google Cloud SQL database instances.
Note
Fetching Google Cloud SQL database instances also requires the following:
- Fetch Google Cloud Routers - Select to fetch Google Cloud routers.
- Fetch Google Instance Groups - Select to fetch Google Instance Groups as Compute Services.
- Fetch Google Cloud VPCs - Select whether to fetch VPCs from Google Cloud as assets.
- Fetch Subnets as assets - Split subnets of a VPC network into individual assets.
- Fetch Google Cloud Storage buckets - Select to fetch all Google Cloud Storage buckets.
- If enabled (default), all connections for this adapter will fetch the GCP Storage buckets.
- If disabled, all connections for this adapter will not fetch the GCP Storage buckets.
Note
Fetch all Google Cloud Storage buckets also requires the following:
- Fetch Google Cloud Compute Images (Images, Snapshots and Templates) - Select whether to fetch all Google Cloud Compute Disk Images, Snapshots and Templates.
- Fetch Object metadata in Google Cloud Storage buckets (0: disabled, max supported: 1000) (optional, default: 0) - Fetch Object metadata in GCP Storage buckets that includes: name, size, and links to objects within each bucket.
- If supplied, all connections for this adapter will fetch the specified number of objects or 1000, whichever is smaller.
- If not supplied, all connections for this adapter will not fetch Object metadata in GCP Storage buckets.
Note
Fetch object metadata in GCP Storage buckets also requires the following:
- Fetch IAM permissions for users - Fetch IAM permissions and associate them with the users' roles. This includes permissions for built-in roles as well as Subscription-level and Project-level custom-defined roles.
- If enabled (default), all connections for this adapter will fetch IAM permissions and associate them with the users' roles. These permissions are represented in the Role Details complex field. This must be enabled to use the Axonius - Send Email to Assets action to send emails to GCE account administrators.
- If disabled, all connections for this adapter will not fetch IAM permissions.
Note
Fetching IAM permissions and associating them with the users' roles requires the following:
- Role Viewer
- Only Fetch SCC Assets with associated SCC Findings - Select this option to only fetch SCC assets that have findings.
- Fetch organizational tags - Select this option to enrich VM instances with organizational tags or project tags associated with them.
- Fetch users (optional, default: true) - Unselect this option to exclude user data from the fetch.
- Security Command Center (SCC) Organizations (optional) - Specify a comma-separated list of organization IDs.
- If supplied, all connections for this adapter will fetch Security Command Center device assets and their associated vulnerabilities from the specified list of organization IDs.
- If not supplied, all connections for this adapter will not fetch any Security Command Center device assets.
Note
Fetching Security Command Center device assets and their associated vulnerabilities requires the following organization-level roles for each of the specified organizations:
Alternatively, Security Center Admin is required.
- Fetch SCC findings from the last X days (0: disabled, max supported: 90) (optional, default: 90) - Specify the number of days for which SCC findings data is fetched.
- If supplied, all connections for this adapter will fetch SCC findings data gathered in the specified number of days.
- If not supplied, all connections for this adapter will fetch SCC findings data gathered in the last 90 days.
- Custom filter expression for SCC findings (optional) - Specify an expression that defines the filter to apply across assets fetched from SCC.
- If supplied, all connections for this adapter will apply the specified filter when fetching SCC assets.
- If not supplied, all connections for this adapter will not apply any filter when fetching SCC assets.
- Number of parallel connections (required, default: 20) - Specify the number of connections to be opened to control the performance of the data fetch.
- Fetch only compute devices that are turned on - Select this option to not fetch compute devices that are turned off.
- List of tags to parse as fields (optional, default: empty) - Specify a comma-separated list of tag keys to be parsed as device or user fields. Each tag is a key-value pair that is part of the Adapter Tags complex field.
- If supplied, all connections for this adapter will parse any of the listed tags that are associated with the fetched device or user as:
  - Values of the Adapter Tags field.
  - Designated field with the name of the tag key and the value of the tag value.
- If not supplied, all connections for this adapter will only parse all tags as values of the Adapter Tags field.
- Fetch Google Cloud Serverless Functions - Select this option to fetch Serverless Functions from the 'Cloud Functions' service using the Method: projects.locations.functions.list API. To fetch Google Cloud Serverless Functions, the following permissions need to be granted:
  - OAuth scope: https://www.googleapis.com/auth/cloud-platform
  - IAM permission on the specified resource parent: cloudfunctions.functions.list
- Fetch Google Cloud APIs - Select this option to fetch APIs from Apigee. To enable this, the following IAM permission on the specified resource parent is required: apigee.proxies.list
- Fetch Google Cloud Run Services - Select this option to fetch Cloud Run Services and parse them as Compute Services.
- Fetch Google Cloud Projects - Select this option to fetch Google Cloud Projects and parse them as Account/Tenants.
- Fetch Google Cloud DNS Managed Zones - Select this option to fetch DNS Managed Zones from Google Cloud DNS as URL assets.
Note
To fetch DNS managed zones, the following IAM role is required:
- DNS Reader (roles/dns.reader) - Allows read-only access to DNS managed zones and resource record sets.
Alternatively, you can create a custom role with the following permissions:
- dns.managedZones.list
- dns.managedZones.get
- dns.resourceRecordSets.list
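The permissions listed above for Serverless Functions, Apigee APIs and DNS Managed Zones can be checked against a custom role before it is bound to the adapter's service account. The following is an added example, not Axonius code: it compares a role definition in the JSON shape returned by `gcloud iam roles describe --format=json` with the permissions this page lists. It assumes the role is dedicated to these three settings; the setting labels, role name and sample role are constructed.

```python
import json

# Permissions this page lists for three optional fetch settings.
# The dictionary keys are hypothetical labels, not Axonius configuration names.
PAGE_PERMISSIONS = {
    "serverless_functions": {"cloudfunctions.functions.list"},
    "apigee_apis": {"apigee.proxies.list"},
    "dns_managed_zones": {
        "dns.managedZones.list",
        "dns.managedZones.get",
        "dns.resourceRecordSets.list",
    },
}
READ_ONLY_VERBS = {"list", "get"}


def audit_role(role_json, enabled_settings):
    """Compare a custom role with what the enabled fetch settings need."""
    unknown = set(enabled_settings) - PAGE_PERMISSIONS.keys()
    if unknown:
        raise ValueError(f"no permission list for: {sorted(unknown)}")
    granted = set(json.loads(role_json).get("includedPermissions", []))
    needed = set()
    for setting in enabled_settings:
        needed |= PAGE_PERMISSIONS[setting]
    extra = granted - needed
    return {
        # Required by an enabled setting but absent: that fetch will fail.
        "missing": sorted(needed - granted),
        # Granted but not required by any enabled setting: candidates to remove.
        "not_needed": sorted(extra),
        # Extra permissions whose verb is not list/get: review these first.
        "not_read_only": sorted(
            p for p in extra if p.rsplit(".", 1)[-1] not in READ_ONLY_VERBS
        ),
    }


# Constructed sample role, not taken from a real project.
SAMPLE_ROLE = json.dumps({
    "name": "projects/example-project/roles/inventoryReader",
    "title": "Inventory reader (constructed)",
    "includedPermissions": ["dns.managedZones.list", "dns.managedZones.get",
                            "dns.managedZones.update", "apigee.proxies.list"],
    "stage": "GA",
})

if __name__ == "__main__":
    print(audit_role(SAMPLE_ROLE, ["dns_managed_zones", "serverless_functions"]))
```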
Note
For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.
