GCP Advanced Settings

Advanced Settings

📘

Note

Advanced settings can either apply to all connections for this adapter, or to a specific connection. Refer to Advanced Configuration for Adapters.

  1. Email domain include list (optional) - Enter a comma-separated list of email domains to include in the fetch. If left empty, all connections for this adapter will fetch all users unless the Email domain exclude list is populated.
  2. Email domain exclude list (optional) - Enter a comma-separated list of email domains to exclude from the fetch when the Email domain include list is empty.
  3. Fetch Google Cloud Clusters - Select this option to fetch Cluster devices and display them in the Devices page.
  4. Fetch Google Cloud SQL database instances - Fetch all Google Cloud SQL instances.
    • If enabled, all connections for this adapter will fetch Google Cloud SQL database instances.
    • If disabled, all connections for this adapter will not fetch Google Cloud SQL database instances.
📘

Note

Fetching Google Cloud SQL database instances also requires the following:

  1. Enabling the Cloud SQL Admin API
  2. Cloud SQL Viewer role
  1. Fetch Google Cloud Routers - Select to fetch Google Cloud routers.
  2. Fetch Google Instance Groups - Select to fetch Google Instance Groups as Compute Services.
  3. Fetch Google Cloud VPCs - Select whether to fetch VPCs from Google Cloud as assets.
  4. Fetch Subnets as assets - Split subnets of a VPC network into individual assets.
  5. Fetch Google Cloud Storage buckets - Select to fetch all Google Cloud Storage buckets.
    • If enabled (default), all connections for this adapter will fetch the GCP Storage buckets.
    • If disabled, all connections for this adapter will not fetch the GCP Storage buckets.
📘

Note

Fetching all Google Cloud Storage buckets also requires the following:

  1. Google Cloud Storage JSON API
  2. Storage Object Viewer role
  1. Fetch Google Cloud Compute Images (Images, Snapshots and Templates) - Select whether to fetch all Google Cloud Compute Disk Images, Snapshots and Templates.
  2. Fetch Object metadata in Google Cloud Storage buckets (0: disabled, max supported: 1000) (optional, default: 0) - Fetch object metadata in GCP Storage buckets, including name, size, and links to objects within each bucket.
    • If supplied, all connections for this adapter will fetch 1000 objects or the specified number, whichever is smaller.
    • If not supplied, all connections for this adapter will not fetch Object metadata in GCP Storage buckets.
📘

Note

Fetching object metadata in GCP Storage buckets also requires the following:

  1. Google Cloud Storage JSON API
  2. Storage Object Viewer role
  1. Fetch IAM permissions for users - Fetch IAM permissions and associate them with the users' roles. This includes permissions for built-in roles as well as Subscription-level and Project-level custom defined roles.
    • If enabled (default), all connections for this adapter will fetch IAM permissions and associate them with the users' roles. These permissions will be represented as the Role Details complex field. This must be enabled to use the Axonius - Send Email to Assets action to send emails to GCE account administrators.
    • If disabled, all connections for this adapter will not fetch IAM permissions.
📘

Note

Fetching IAM permissions and associating them with the users' roles requires the following:

  • Role Viewer
  1. Only Fetch SCC Assets with associated SCC Findings - Select this option to only fetch SCC assets that have findings.
  2. Fetch organizational tags - Select this option to enrich VM instances with organizational tags or project tags associated with them.
  3. Fetch users (optional, default: true) - Unselect this option to exclude user data from the fetch.
  4. Security Command Center (SCC) Organizations (optional) - Specify a comma-separated list of organization IDs.
    • If supplied, all connections for this adapter will fetch Security Command Center device assets and their associated vulnerabilities from the specified list of organization IDs.
    • If not supplied, all connections for this adapter will not fetch any Security Command Center device assets.
📘

Note

Fetching Security Command Center device assets and their associated vulnerabilities requires the following organization-level roles on each of the specified organizations:

  1. Security Center Findings Viewer role
  2. Security Center Assets Viewer role

Alternatively, Security Center Admin is required.

  1. Fetch SCC findings from the last X days (0: disabled, max supported: 90) (optional, default: 90) - Specify the number of days for which SCC findings data is to be fetched.

    • If supplied, all connections for this adapter will fetch SCC findings data gathered during the specified number of last days.
    • If not supplied, all connections for this adapter will fetch SCC findings data gathered in the last 90 days.
  2. Custom filter expression for SCC findings (optional) - Specify an expression that defines the filter to apply across assets fetched from SCC.

    • If supplied, all connections for this adapter will apply the specified filter when fetching SCC assets.
    • If not supplied, all connections for this adapter will not apply any filter when fetching SCC assets.
  3. Number of parallel connections (required, default: 20) - Specify the number of connections to be opened to control the performance of the data fetch.

  4. Fetch only compute devices that are turned on - Select this option to fetch only compute devices that are turned on.

  5. List of tags to parse as fields (optional, default: empty) - Specify a comma-separated list of tag keys to be parsed as device or user fields. Each tag is a key-value pair that is part of the Adapter Tags complex field.

    • If supplied, all connections for this adapter will parse any of the listed tags that are associated with the fetched device or user as:
      • Values of the Adapter Tags field.
      • Designated field with the name of the tag key and the value of the tag value.
    • If not supplied, all connections for this adapter will only parse all tags as values of the Adapter Tags field.
  6. Fetch Google Cloud Serverless Functions - Select this option to fetch Serverless Functions from the 'Cloud Functions' service using the Method: projects.locations.functions.list API. To fetch Google Cloud Serverless Functions, the following permissions need to be granted:

    1. OAuth scope: https://www.googleapis.com/auth/cloud-platform
    2. IAM permission on the specified resource parent: cloudfunctions.functions.list
  7. Fetch Google Cloud APIs - Select this option to fetch APIs from Apigee. To enable this, the following IAM permission on the specified resource parent is required: apigee.proxies.list

  8. Fetch Google Cloud Run Services - Select this option to fetch Cloud Run Services and parse them as Compute Services.

  9. Fetch Google Cloud Projects - Select this option to fetch Google Cloud Projects and parse them as Account/Tenants.

  10. Fetch Google Cloud DNS Managed Zones - Select this option to fetch DNS Managed Zones from Google Cloud DNS as URL assets.

    📘

    Note

    To fetch DNS managed zones, the following IAM role is required:

    • DNS Reader (roles/dns.reader) - Allows read-only access to DNS managed zones and resource record sets.

    Alternatively, you can create a custom role with the following permissions:

    • dns.managedZones.list
    • dns.managedZones.get
    • dns.resourceRecordSets.list

📘

Note

For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.
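
The role requirements in the notes above can be checked against the adapter service account's IAM bindings before enabling the matching fetch options. The following is an added example, not Axonius code: the feature keys, the service account name and the sample policies are constructed, and the role IDs other than roles/dns.reader are the standard GCP predefined IDs assumed for the role names listed on this page. It does not check API enablement or the custom-role alternative for DNS.

```python
# Added example: map fetch options from this page to the IAM roles their
# notes require, then report which roles the service account still lacks.
# Each feature lists acceptable role sets; the first is the least-privileged.
REQUIRED = {
    "cloud_sql": [{"roles/cloudsql.viewer"}],
    "storage_buckets": [{"roles/storage.objectViewer"}],
    "iam_permissions": [{"roles/iam.roleViewer"}],
    "scc": [  # organization-level: two viewer roles, or Security Center Admin
        {"roles/securitycenter.findingsViewer", "roles/securitycenter.assetsViewer"},
        {"roles/securitycenter.admin"},
    ],
    "dns_zones": [{"roles/dns.reader"}],
}

def roles_for(member, *policies):
    """Collect roles bound directly to `member` across IAM policy documents
    (the JSON shape returned by `gcloud projects get-iam-policy --format=json`)."""
    granted = set()
    for policy in policies:
        for binding in policy.get("bindings", []):
            if member in binding.get("members", []):
                granted.add(binding["role"])
    return granted

def missing_roles(enabled, granted):
    """Return {feature: [roles still needed]} for every enabled feature that
    no acceptable role set satisfies, measured against the viewer-level set."""
    gaps = {}
    for feature in enabled:
        options = REQUIRED[feature]
        if not any(option <= granted for option in options):
            gaps[feature] = sorted(options[0] - granted)
    return gaps

# Constructed sample data (hypothetical service account and policies).
SA = "serviceAccount:asset-adapter@example-project.iam.gserviceaccount.com"
PROJECT_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": [SA]},
    {"role": "roles/cloudsql.viewer", "members": ["user:dba@example.com"]},
]}
ORG_POLICY = {"bindings": [
    {"role": "roles/securitycenter.findingsViewer", "members": [SA]},
]}

if __name__ == "__main__":
    granted = roles_for(SA, PROJECT_POLICY, ORG_POLICY)
    enabled = ["cloud_sql", "storage_buckets", "scc", "dns_zones"]
    for feature, roles in missing_roles(enabled, granted).items():
        print(f"{feature}: missing {', '.join(roles)}")
```

Bindings inherited through groups or folder-level policies are not resolved here; pass every policy level that applies to the account.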