Google Cloud Platform (GCP)

Google Cloud Platform (GCP) is a suite of cloud computing services. Alongside a set of management tools, it provides a series of modular cloud services including computing, data storage, data analytics and machine learning.

Types of Assets Fetched

This adapter fetches the following types of assets:

  • Devices
  • Users

Parameters

  1. JSON Key pair for the service account (required) - A JSON document containing the service account credentials for GCP. This key is a long-lived credential that carries every role bound to the service account, so handle it as a secret. For details, see Connect Axonius to Google Cloud Platform.
  2. HTTPS Proxy (optional, default: empty) - A proxy to use when connecting to the GCP APIs.
    • If supplied, Axonius will utilize the proxy when connecting to the GCP APIs.
    • If not supplied, Axonius will connect directly to the GCP APIs.
  3. For details on the common adapter connection parameters and buttons, see Adding a New Adapter Connection.


Advanced Settings

  1. Email domain whitelist (optional, default: empty) - specify a comma-separated list of email domains.

    • If supplied, all connections for this adapter will only fetch users whose email domain is in the specified list.
    • If not supplied, all connections for this adapter will fetch all users.
  2. Fetch Google Cloud SQL database instances (required, default: False) - Fetch all Google Cloud SQL instances.

    • If enabled, all connections for this adapter will fetch Google Cloud SQL database instances.
    • If disabled, all connections for this adapter will not fetch Google Cloud SQL database instances.
    NOTE

    Fetching Google Cloud SQL database instances requires:

    1. Enabling the Cloud SQL Admin API.
    2. Cloud SQL Viewer role.
  3. Fetch Google Cloud Storage buckets (optional, default: False) - Fetch all Google Cloud Storage buckets.

    • If enabled, all connections for this adapter will fetch the GCP Storage buckets.
    • If disabled, all connections for this adapter will not fetch the GCP Storage buckets.
    NOTE

    Fetching Google Cloud Storage buckets requires:
    1. Enabling the Cloud Storage JSON API.
    2. The Storage Object Viewer role.

  4. Fetch Object metadata in Google Cloud Storage buckets (0: disabled, max supported: 1000) (optional, default: 0) - Fetch object metadata for objects in GCP Storage buckets: name, size, and a link to each object within each bucket.

    • If supplied, all connections for this adapter will fetch object metadata for the specified number of objects, or 1000, whichever is smaller.
    • If not supplied, all connections for this adapter will not fetch object metadata in GCP Storage buckets.
    NOTE

    Fetching object metadata in GCP Storage buckets requires:

    1. Enabling the Cloud Storage JSON API.
    2. The Storage Object Viewer role.
  5. Fetch IAM permissions for users (required, default: False) - Fetch IAM permissions and associate them with the users' roles. This includes permissions for built-in roles as well as organization-level and project-level custom roles.

    • If enabled, all connections for this adapter will fetch IAM permissions and associate them with the users' roles. These permissions are represented in the Role Details complex field.
    • If disabled, all connections for this adapter will not fetch IAM permissions.
    NOTE

    Fetching IAM permissions and associating them with the users' roles requires:

    1. The IAM: Organization Role Viewer role.
  6. Security Command Center (SCC) Organizations (optional, default: empty) - Specify a comma-separated list of organization names.

    • If supplied, all connections for this adapter will fetch Security Command Center device assets and their associated vulnerabilities from the specified list of organizations.
    • If not supplied, all connections for this adapter will not fetch any Security Command Center device assets.
    NOTE

    Fetching Security Command Center device assets and their associated vulnerabilities requires the following organization-level roles in each of the specified organizations:

    1. Security Center Findings Viewer role.
    2. Security Center Assets Viewer role.
      Or, alternatively, Security Center Admin. Security Center Admin also grants write access to SCC, so the two viewer roles are the least-privilege choice.
  7. Fetch SCC findings from the last X days (0: disabled, max supported: 90) (optional, default: 90) - Specify how many days of SCC findings to fetch.

    • If supplied, all connections for this adapter will fetch SCC findings gathered in the specified number of days.
    • If not supplied, all connections for this adapter will fetch SCC findings gathered in the last 90 days.
  8. Custom filter expression for SCC findings (optional, default: empty) - Specify an expression that defines the filter to apply to the assets fetched from SCC.

    • If supplied, all connections for this adapter will apply the specified filter when fetching SCC assets.
    • If not supplied, all connections for this adapter will not apply any filter when fetching SCC assets.
  9. Number of parallel connections (required, default: 20) - Specify how many connections to open in parallel to tune the performance of the data fetch.

  10. List of tags to parse as fields (optional, default: empty) - Specify a comma-separated list of tag keys to be parsed as devices fields. Each tag is a key-value pair that is part of the Adapter Tags complex field.

    • If supplied, all connections for this adapter will parse any of the listed tags that are associated with the fetched device as:
      • Values of the Adapter Tags field.
      • Designated field with the name of the tag key and the value of the tag value.
    • If not supplied, all connections for this adapter will only parse all tags as values of the Adapter Tags field.


NOTE

For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.

Connect Axonius to Google Cloud Platform

To connect Axonius to Google Cloud Platform you need to:

  1. Enable cloud APIs
  2. Create a service account and grant permissions to that service account

1. Enable Cloud APIs

  1. Go to the Google Cloud Console and select the project that you want Axonius to connect to.
    Then, go to APIs & Services -> Dashboard.

  2. Axonius requires the following APIs to be enabled:

    Enabled API Name | Required / Optional | Used for
    Compute Engine API | Required | Fetching asset data from Google Cloud Platform.
    Cloud Resource Manager API | Required | Fetching asset data from Google Cloud Platform.
    Cloud Storage JSON API | Optional | Adapter advanced settings: Fetch Google Cloud Storage buckets; Fetch Object metadata in Google Cloud Storage buckets.
    Cloud SQL Admin API | Optional | Adapter advanced setting: Fetch Google Cloud SQL database instances.

    For example, if the Cloud Resource Manager API does not appear in the list of enabled APIs, it is not enabled and needs to be enabled.

    To enable an API, click Enable APIs and Services at the top of the page.

  3. Search for the API you want to enable and click it. For example: Cloud Resource Manager API.

  4. Click Enable.

2. Create a service account and grant permissions to that service account

  1. Go to the Google Cloud Console and select the project that you want Axonius to connect to.

  2. From the menu, select IAM & admin -> Service accounts.

  3. Click Create Service Account.
    In the Service account details step (1), provide the service account details.

    Once done, click Create.

  4. Proceed to the Grant this service account access to project step (2). The Grant users access to this service account step (3) can be skipped.

  5. In the Grant this service account access to project step (2), select the following roles:

    Role Name | Required / Optional | Used for
    Compute Viewer | Required | Read-only access for Axonius to fetch assets.
    Kubernetes Engine Viewer | Required | Read-only access for Axonius to fetch assets.
    Storage Object Viewer | Optional | Adapter advanced settings: Fetch Google Cloud Storage buckets; Fetch Object metadata in Google Cloud Storage buckets.
    Cloud SQL Viewer | Optional | Adapter advanced setting: Fetch Google Cloud SQL database instances.
    IAM: Organization Role Viewer | Optional | Adapter advanced setting: Fetch IAM permissions for users.
  6. Next, click Create Key and create a JSON key type.

  7. Your JSON key will be downloaded. Finish creating the account and go back to the service accounts page. Copy the email address of the new service account. The key file is a long-lived credential that carries every role bound to the service account: keep it out of version control and shared storage, and delete local copies once it has been uploaded to Axonius.

  8. In the top part of the page, select the organization resource, and go to IAM & Admin -> IAM.

    1. Click Add and use the service account email to add the new service account as a member of the organization.
    2. Click + Add Another Role to add the following roles to the added member:

    Role Name | Required / Optional | Used for
    Compute Viewer | Required | Read-only access for Axonius to fetch assets.
    Kubernetes Engine Viewer | Required | Read-only access for Axonius to fetch assets.
    Storage Object Viewer | Optional | Adapter advanced settings: Fetch Google Cloud Storage buckets; Fetch Object metadata in Google Cloud Storage buckets.
    Cloud SQL Viewer | Optional | Adapter advanced setting: Fetch Google Cloud SQL database instances.
    IAM: Organization Role Viewer | Optional | Adapter advanced setting: Fetch IAM permissions for users.
    Security Center Findings Viewer and Security Center Assets Viewer (or, alternatively, Security Center Admin) | Optional | Adapter advanced setting: Security Command Center (SCC) Organizations. These organization-level roles are required in each of the specified organizations.

    3. Click Save.
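The same procedure done with the gcloud CLI, as an added example that is not part of the original page or of Axonius' own tooling. It assumes placeholder values for the project ID, organization ID, service account name and key file path (none of these are on the page), that gcloud is already authenticated as an organization administrator, and the standard predefined role IDs and API service names that correspond to the role and API names in the tables above (the service name for the Cloud Storage JSON API is an assumption). The provisioning step only runs when the script is invoked with the word apply; the selection and key-check functions need no GCP access.

```shell
#!/bin/sh
# Added example (not from the original page or from Axonius): the console steps above,
# done with gcloud. The features enabled in Advanced Settings decide which optional APIs
# and roles are added, so the service account gets only what the adapter will use.
# Assumed placeholders: PROJECT_ID, ORG_ID, SA_NAME, KEY_FILE; gcloud authenticated as an org admin.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"        # assumed placeholder
ORG_ID="${ORG_ID:-123456789012}"              # assumed placeholder: numeric organization ID
SA_NAME="${SA_NAME:-axonius-adapter}"         # assumed placeholder
KEY_FILE="${KEY_FILE:-axonius-gcp-key.json}"  # assumed placeholder
FEATURES="${FEATURES:-}"                      # space-separated subset of: storage sql iam scc

# has_feature NAME "LIST": true when NAME appears in the space-separated LIST.
has_feature() {
  case " $2 " in *" $1 "*) return 0 ;; esac
  return 1
}

# sa_email NAME PROJECT: the address GCP assigns to a service account.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# required_apis "FEATURES": the two required APIs from the table plus the optional ones.
required_apis() {
  printf '%s\n' compute.googleapis.com cloudresourcemanager.googleapis.com
  if has_feature storage "$1"; then printf '%s\n' storage-api.googleapis.com; fi  # Cloud Storage JSON API (name assumed)
  if has_feature sql "$1"; then printf '%s\n' sqladmin.googleapis.com; fi         # Cloud SQL Admin API
}

# required_roles "FEATURES": predefined role IDs matching the role table, one per line.
# The two SCC viewer roles are used rather than Security Center Admin, which also grants write access.
required_roles() {
  printf '%s\n' roles/compute.viewer roles/container.viewer
  if has_feature storage "$1"; then printf '%s\n' roles/storage.objectViewer; fi
  if has_feature sql "$1"; then printf '%s\n' roles/cloudsql.viewer; fi
  if has_feature iam "$1"; then printf '%s\n' roles/iam.organizationRoleViewer; fi
  if has_feature scc "$1"; then
    printf '%s\n' roles/securitycenter.findingsViewer roles/securitycenter.assetsViewer
  fi
}

# check_key_file FILE: reject anything that is not a service-account key with a private key
# and a gserviceaccount.com client_email (e.g. a user OAuth credential picked by mistake).
check_key_file() {
  grep -q '"type" *: *"service_account"' "$1" || return 1
  grep -q '"private_key" *: *"-----BEGIN PRIVATE KEY-----' "$1" || return 1
  grep -q '"client_email" *: *"[^"]*@[^"]*\.iam\.gserviceaccount\.com"' "$1" || return 1
}

provision() {
  email="$(sa_email "$SA_NAME" "$PROJECT_ID")"
  # 1. Enable Cloud APIs in the project.
  gcloud services enable --project="$PROJECT_ID" $(required_apis "$FEATURES")
  # 2. Create the service account.
  gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" --display-name="Axonius adapter"
  # Bind the roles at the organization level (step 8 above); organization bindings are
  # inherited by every project, and the SCC roles only make sense at that level.
  for role in $(required_roles "$FEATURES"); do
    gcloud organizations add-iam-policy-binding "$ORG_ID" \
      --member="serviceAccount:$email" --role="$role" --condition=None
  done
  # Create the JSON key, restrict it to the current user, and sanity-check it before upload.
  gcloud iam service-accounts keys create "$KEY_FILE" --iam-account="$email"
  chmod 600 "$KEY_FILE"
  check_key_file "$KEY_FILE"
}

# Only act when explicitly asked, e.g.: FEATURES="storage scc" sh provision.sh apply
if [ "${1:-}" = apply ]; then provision; fi
```

Binding at the organization level mirrors step 8 and is inherited by all projects, so a single organization binding replaces the per-project grant from step 5; if Axonius should only see some projects, bind the non-SCC roles with gcloud projects add-iam-policy-binding on those projects instead and keep only the SCC roles at the organization.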
