GCP On-Premise Connector
This topic describes how to onboard the GCP (Google Cloud Platform) Connector, which involves the following steps:
To access the latest information about this topic and all Cloud Security releases, check out the Release notes and notices.
Understanding the GCP connector
The GCP connector enables you to gather data about the following GCP resources:
The following resources consume a product license:
- Google Compute Engine
- Google Cloud Kubernetes/Google Kubernetes Engine
- Go to to IAM
- Click on service account page
- Create a Service Account
- Assign the role having minimum permissions for GCP on-premise connector created from Minimum Permissions for GCP Connector.
- Refer to the following screenshot:
- While creating the service account, create a key and download the json file.[This json file would be needed while onboarding the connector]
- Also enable API services for below mentioned modules.
Cloud Resource API
- Cloud SQL API
Onboarding the GCP connector
- Log in to Cloud Security with your registered credentials.
- Select Configure icon > Connectors.
- Click Add Connector.
- Under Connector Type > On Premise Connectors (Installable), click GCP Connector and then click Continue.
- In the Name your connector field, specify a name for the connector.
This name must be unique and must not have already been created.
If the name entered is not already displayed on the Manage Connectors page, a green check mark and available label appear next to the field.
Specify the GCP key file path for the project to be scanned. Here you have to specify the location of json file which was downloaded while creating the service account.
Select the method for triggering collection cycles from the Collection Mode menu:
- On Demand. Enables on-demand scanning.
Scheduled. Specifies the hours or minutes for which GCP resources will be periodically collected and evaluated.
Around 200 MB free space is required for unzipping the downloaded connector.
- If the download does not start automatically, click Download Connector setup and unzip the GCP Connector.zip file using any standard compression tool.
The zip file will have the name that you specified for the connector in Step 4.
(Windows) Double-click run.bat to run the connector in your target environment.
(Linux) Execute the command
chmod +x run.shto grant execute permissions to the
run.shfile. Then run the connector using the
Leave the command window open to allow data collection.
CIS Benchmark Mapping
Following policies were developed based on CIS benchmark released on 9th May 2018.
CIS Google Cloud Platform Foundation Benchmark (This single policy will also cover : IAM, Networks, Virtual Machines, ServiceAccountKeys, DNS, KMS, Projects, GKE)
'This Policy is created based on the recommended settings defined by Google Cloud Platform Foundation v1.0.0, published on 9 may 2018.'
- Clear the policies that you will not use to evaluate your GCP account.
To update a policy that you have selected, if an update is available, click Update in the information banner to the right of the selected policy and then click Update Policy on the confirmation message that appears..
The connector is available in Cloud Security and the policies can be evaluated on the schedule or on-demand you have set.
As soon as the connector begins sending data, it displays in the green 'Running' state. It then collects the data and begins publishing it back to Cloud Security.
If you select GCP On-Premise Connector, filter for Resource Types and there you will get a drop down to find Resource Types.
Please refer to the below screenshot.
Below are the resource types that are supported for GCP on-premise Connector:
Performing next steps
To manage connector configuration and settings, see Managing connectors.
To assess the resources including why a rule failed, see Managing resources.