Google Cloud Platform (GCP)
  • 28 Aug 2024
  • 10 Minutes to read
Article summary

Google Cloud Platform (GCP) is a suite of cloud computing services. Alongside a set of management tools, it provides a series of modular cloud services including computing, data storage, data analytics and machine learning.

Types of Assets Fetched

This adapter fetches the following types of assets; some of them must be selected through the adapter's advanced settings:

  • Devices
  • Users
  • Software
  • SaaS Applications
  • Compute Services
  • Networks
  • Load Balancers
  • Databases
  • Object Storage
  • Accounts
  • Disks
  • Serverless Functions
  • Compute Images
  • Firewall Rules
  • Application Resources

Related Enforcement Actions:


Parameters

  1. JSON Key pair for the service account (required) - A JSON document containing the service account's credentials for GCP. For details, see Connect Axonius to Google Cloud Platform.

  2. HTTPS Proxy (optional) - A proxy to use when connecting to the GCP APIs.

  3. HTTPS Proxy User Name (optional) - The user name to use when authenticating to the proxy supplied in HTTPS Proxy.

  4. HTTPS Proxy Password (optional) - The password to use when connecting to the server using the HTTPS Proxy.

  5. Projects Include Filter (GCP Format) (optional) - Filter the projects accessible to the active account, using the gcloud topic filters syntax.

  6. Exclude App Scripts Projects - Select this option to exclude App Script projects from the projects data fetched by this adapter.

To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.


Advanced Settings

Note:

Advanced settings can either apply to all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection; refer to Advanced Configuration for Adapters.

  1. Email domain include list (optional) - Enter a comma-separated list of email domains to include in the fetch. If left empty, all connections for this adapter will fetch all users unless the Email domain exclude list is populated.

  2. Email domain exclude list (optional) - Enter a comma-separated list of email domains to exclude from the fetch when the Email domain include list is empty.

  3. Fetch Google Cloud Clusters - Select this option to fetch Cluster devices and display them in the Devices page.

  4. Fetch Google Cloud SQL database instances - Fetch all Google Cloud SQL instances.

    • If enabled, all connections for this adapter will fetch Google Cloud SQL database instances.
    • If disabled, all connections for this adapter will not fetch Google Cloud SQL database instances.
    Note:

    Fetching Google Cloud SQL database instances also requires the following:

    1. Enabling the Cloud SQL Admin API.
    2. Cloud SQL Viewer role.
  5. Fetch Google Cloud Routers (optional) - Select whether to fetch Google Cloud routers.

  6. Fetch Google Cloud VPCs - Select whether to fetch VPCs from Google Cloud as assets.

  7. Fetch Subnets as assets - Split subnets of a VPC network into individual assets.

  8. Fetch Google Cloud Storage buckets (optional) - Fetch all Google Cloud Storage buckets.

    • If enabled, all connections for this adapter will fetch the GCP Storage buckets.
    • If disabled, all connections for this adapter will not fetch the GCP Storage buckets.
    Note:

    Fetch all Google Cloud Storage buckets also requires the following:
    1. Cloud Storage JSON API.
    2. Storage Object Viewer role.

  9. Fetch Google Cloud Compute Images (Images, Snapshots and Templates) - Select whether to fetch all Google Cloud Compute Disk Images, Snapshots and Templates.

  10. Fetch Object metadata in Google Cloud Storage buckets (0: disabled, max supported: 1000) (optional, default: 0) - Fetch Object metadata in GCP Storage buckets that includes: name, size, and links to objects within each bucket.

    • If supplied, all connections for this adapter will fetch 1000 objects or the specified number, the smallest of the two.
    • If not supplied, all connections for this adapter will not fetch Object metadata in GCP Storage buckets.
    Note:

    Fetch object metadata in GCP Storage buckets also requires the following:

    1. Cloud Storage JSON API.
    2. Storage Object Viewer role.
  11. Fetch IAM permissions for users - Fetch IAM permissions and associate them with the users' roles. This includes permissions for built-in roles as well as Subscription-level and Project-level custom defined roles.

    • If enabled, all connections for this adapter will fetch IAM permissions and will associate those to the users roles. These permissions will be represented as the Role Details complex field. This must be enabled to use the Axonius - Send Email to Assets action to send emails to GCE account administrators.
    • If disabled, all connections for this adapter will not fetch IAM permissions.
    Note:

    Fetch IAM permissions and associate those to the users roles requires:

    1. IAM: Organization Role Viewer role

  12. Only Fetch SCC Assets with associated SCC Findings - Select this option to only fetch SCC assets that have findings.

  13. Fetch organizational tags - Select this option to enrich VM instances with the organizational tags or project tags associated with them.

  14. Security Command Center (SCC) Organizations (optional) - Specify a comma-separated list of organization IDs.

    • If supplied, all connections for this adapter will fetch Security Command Center device assets and their associated vulnerabilities from the specified list of organization IDs.
    • If not supplied, all connections for this adapter will not fetch any Security Command Center device assets.
    Note:

    Fetching Security Command Center device assets and their associated vulnerabilities requires the following organization-level roles in each of the specified organizations:

    1. Security Center Findings Viewer role.
    2. Security Center Assets Viewer role.
    Or alternatively, Security Center Admin.

  15. Fetch SCC findings from the last X days (0: disabled, max supported: 90) (optional, default: 90) - Specify the number of days of SCC findings data to fetch.

    • If supplied, all connections for this adapter will fetch SCC findings data gathered in the specified number of days.
    • If not supplied, all connections for this adapter will fetch SCC findings data gathered in the last 90 days.
  16. Custom filter expression for SCC findings (optional) - Specify an expression that defines the filter to apply across assets fetched from SCC.

    • If supplied, all connections for this adapter will apply the specified filter when fetching SCC assets.
    • If not supplied, all connections for this adapter will not apply any filter when fetching SCC assets.
  17. Number of parallel connections (required, default: 20) - Specify the number of connections to open in parallel, to control the performance of the data fetch.

  18. Fetch only compute devices that are turned on - Select this option to fetch only compute devices that are turned on; compute devices that are turned off are not fetched.

  19. List of tags to parse as fields (optional, default: empty) - Specify a comma-separated list of tag keys to be parsed as device or user fields. Each tag is a key-value pair that is part of the Adapter Tags complex field.

    • If supplied, all connections for this adapter will parse any of the listed tags that are associated with the fetched device or user as:
      • Values of the Adapter Tags field.
      • A designated field with the name of the tag key and the value of the tag value.
    • If not supplied, all connections for this adapter will parse all tags only as values of the Adapter Tags field.
  20. Fetch Google Cloud Serverless Functions - Select this option to fetch Serverless Functions from the 'Cloud Functions' service using the projects.locations.functions.list API method. To fetch Google Cloud Serverless Functions, the following permissions need to be granted:

    1. OAuth scope: https://www.googleapis.com/auth/cloud-platform
    2. IAM permission on the specified resource parent: cloudfunctions.functions.list
  21. Fetch Google Cloud APIs - Select this option to fetch APIs from Apigee. To enable this, the following IAM permission on the specified resource parent is required: apigee.proxies.list

Note:

For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.

Connect Axonius to Google Cloud Platform

To connect Axonius to Google Cloud Platform you need to:

  1. Enable cloud APIs
  2. Create a service account and grant permissions to that service account

1. Enable Cloud APIs

  1. Navigate to the Google Cloud Console and select the project that you want Axonius to connect to.

  2. Navigate to APIs & Services > Dashboard.

  3. Axonius requires the following APIs to be enabled:

    • Compute Engine API (Required) - Used by the adapter to fetch asset data from Google Cloud Platform.
    • Cloud Resource Manager API (Required) - Used by the adapter to fetch asset data from Google Cloud Platform.
    • Container Registry API (Required) - https://container.googleapis.com
    • Identity and Access Management (IAM) API (Required) - https://iam.googleapis.com
    • Security Command Center API (Required) - https://securitycenter.googleapis.com
    • Cloud Storage JSON API (Optional) - Adapter advanced settings:
      • Fetch Google Cloud Storage buckets - Fetch all Google Cloud Storage buckets.
      • Fetch Object metadata in Google Cloud Storage buckets - Fetch Object metadata in GCP Storage buckets.
    • Cloud SQL Admin API (Optional) - Adapter advanced settings:
      • Fetch Google Cloud SQL database instances - Fetch all Google Cloud SQL instances.

  • For example, in the screenshot below you can see that since the Cloud Resource Manager API doesn't appear in the list, it isn't enabled and needs to be enabled.

    To enable an API, click Enable APIs and Services at the top of the page.

    1. Search for the API you want to enable and select it. For example: Cloud Resource Manager API

    2. Click Enable.

2. Create a Service Account and Grant Permissions to that Service Account

  1. Navigate to the Google Cloud Console and select the project that you want Axonius to connect to.

  2. Select IAM & admin > Service accounts.

  3. Click Create a Service Account.

  4. Provide a name and description for the service account, then click Create. If you already clicked Done, skip to Step 8.

  5. In the Grant this service account access to a project section, give the service account the roles listed below, including the "Security Reviewer" role.

    • Compute Viewer (Required) - Grants read-only access to Axonius to fetch assets.
    • Kubernetes Engine Viewer (Required) - Grants read-only access to Axonius to fetch assets.
    • Storage Object Viewer (Optional) - Adapter advanced settings:
      • Fetch Google Cloud Storage buckets - Fetch all Google Cloud Storage buckets.
      • Fetch Object metadata in Google Cloud Storage buckets - Fetch Object metadata in GCP Storage buckets.
    • Cloud SQL Viewer (Optional) - Adapter advanced settings:
      • Fetch Google Cloud SQL database instances - Fetch all Google Cloud SQL instances.
    • IAM: Organization Role Viewer (Optional) - Adapter advanced settings:
      • Fetch IAM permissions for users - Fetch IAM permissions and associate them with the users' roles.
    • Security Reviewer (Required) - Provides permissions to list all resources and allow policies on them.

  6. Skip the Grant users access to this service account step.

  7. Click Done.

  8. To modify or review the permissions granted to this service account in any project or at the organization level, go to IAM, find the service account you created and click Edit Permissions.

  9. Click Create Key to create a key of the JSON type.

  10. Your JSON key is then downloaded. Finish creating the account and go back to the Service Accounts page. Copy the email address of the new service account.

  11. In the top part of the page, select the organization resource, and go to IAM & Admin > IAM.

    1. Click Add and use the service account email to add the new service account as a new member of the organization.
    2. Click + Add Another role to add the following roles to the added member:
      • Compute Viewer (Required) - Grants read-only access to Axonius to fetch assets.
      • Kubernetes Engine Viewer (Required) - Grants read-only access to Axonius to fetch assets.
      • Storage Object Viewer (Optional) - Adapter advanced settings:
        • Fetch Google Cloud Storage buckets - Fetch all Google Cloud Storage buckets.
        • Fetch Object metadata in Google Cloud Storage buckets - Fetch Object metadata in GCP Storage buckets.
      • Cloud SQL Viewer (Optional) - Adapter advanced settings:
        • Fetch Google Cloud SQL database instances - Fetch all Google Cloud SQL instances.
      • IAM: Organization Role Viewer (Optional) - Adapter advanced settings:
        • Fetch IAM permissions for users - Fetch IAM permissions and associate them with the users' roles.
      • Security Center Findings Viewer role and Security Center Assets Viewer role, or alternatively Security Center Admin (Optional) - Adapter advanced settings:
        • Security Command Center (SCC) Organizations - Fetch Security Command Center device assets and their associated vulnerabilities from a specified list of organizations. (NOTE: These organization-level roles are required in each of the specified organizations.)

  Note:

  Additional permissions are required for GCP Enforcement Actions.

  12. Click Save.
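The same onboarding, scripted with the gcloud CLI so the grant list can be reviewed for least privilege before anything is applied. This is an added example, not Axonius or Google code: PROJECT_ID, SA_NAME and ORG_ID are placeholders, the API hosts are those in the API table (the Cloud Storage JSON API host is assumed), and the role IDs are the standard IDs of the roles named in the tables above.

```shell
#!/bin/sh
# Added example, not Axonius or Google code: the console steps above scripted with
# gcloud. PROJECT_ID, SA_NAME and ORG_ID are placeholders; hosts are those in the
# API table, role IDs are the standard IDs of the roles in the role tables.
set -eu
PROJECT_ID="${PROJECT_ID:-my-project-id}"   # placeholder
SA_NAME="${SA_NAME:-axonius-adapter}"       # placeholder
ORG_ID="${ORG_ID:-123456789012}"            # placeholder organization ID
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
# Commands are printed for review unless APPLY=1, so the grant list can be checked
# for least privilege before anything changes in the project or organization.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }
# Step 1 (Enable Cloud APIs): required APIs always; the optional Cloud Storage JSON
# and Cloud SQL Admin APIs only when the matching advanced setting will be used.
enable_apis() {
  apis="compute.googleapis.com cloudresourcemanager.googleapis.com container.googleapis.com"
  apis="$apis iam.googleapis.com securitycenter.googleapis.com"
  [ "${WITH_STORAGE:-0}" = 1 ] && apis="$apis storage-api.googleapis.com"  # assumed host
  [ "${WITH_CLOUDSQL:-0}" = 1 ] && apis="$apis sqladmin.googleapis.com"
  run gcloud services enable $apis --project "$PROJECT_ID"
}
# Step 2, console steps 1 to 4: create the service account.
create_service_account() {
  run gcloud iam service-accounts create "$SA_NAME" --project "$PROJECT_ID" \
    --display-name "Axonius adapter" --description "Read-only asset fetch for Axonius"
}
# Role table from the page: required roles always, optional ones gated like the APIs.
roles_for() {
  printf '%s\n' roles/compute.viewer roles/container.viewer roles/iam.securityReviewer
  [ "${WITH_STORAGE:-0}" = 1 ] && printf '%s\n' roles/storage.objectViewer
  [ "${WITH_CLOUDSQL:-0}" = 1 ] && printf '%s\n' roles/cloudsql.viewer
  [ "${WITH_IAM_PERMS:-0}" = 1 ] && printf '%s\n' roles/iam.organizationRoleViewer
  return 0
}
# Console steps 5 and 11: bind roles on the project, then on the organization.
# $1 = projects | organizations, $2 = resource ID, $3.. = role IDs.
bind_roles() {
  kind="$1"; res="$2"; shift 2
  for role in "$@"; do
    run gcloud "$kind" add-iam-policy-binding "$res" --member "serviceAccount:$SA_EMAIL" --role "$role"
  done
}
# Console step 9: the JSON key pasted into the adapter's "JSON Key pair" parameter.
create_key() { run gcloud iam service-accounts keys create "$SA_NAME-key.json" --iam-account "$SA_EMAIL"; }
enable_apis; create_service_account
bind_roles projects "$PROJECT_ID" $(roles_for)
# SCC viewer roles are organization-level and needed in every listed SCC organization.
bind_roles organizations "$ORG_ID" $(roles_for) roles/securitycenter.findingsViewer roles/securitycenter.assetsViewer
create_key
```

Run it once without APPLY to review the printed gcloud commands, then with APPLY=1 (and WITH_STORAGE=1, WITH_CLOUDSQL=1 or WITH_IAM_PERMS=1 only for the advanced settings you will enable) to execute them.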
