Minimum Permissions for GCP Connector
This page describes how to configure the minimum permissions the GCP connector needs to access GCP resources. The goal is to avoid granting full Admin rights and to give only the minimum permissions required for Compliance checks and Remediation actions.
This page explains how to create the required roles in GCP using YAML files.
Creating roles in GCP:
The following steps describe how to create a role from a YAML file (containing the minimum permissions the GCP connector needs for GCP resources) and how to assign the created role to the service account user.
The example below shows how to create a custom role with the minimum permissions required for Compliance checks. To create a custom role with the minimum permissions required for both Compliance checks and Remediation actions, follow the same steps and alter the YAML file accordingly.
Steps:
1. First create a YAML file with the required permissions, to be used with the GCP command line, and then proceed. The YAML files for running Compliance alone and for running Compliance and Remediation are listed at the bottom of this page.
2. After creating the required YAML file, run the command that creates the role from it.
3. Log on to the GCP console.
4. Click the navigation menu located at the top left corner of the screen.
5. From the cascading menu that appears, select IAM & Admin > IAM.
6. Select the required user from the options listed.
7. Click the edit button corresponding to the chosen user.
8. In the screen that pops up, select the box under Role.
9. From the options, choose the type of role to be assigned (in this case, Custom Role).
10. Click Save.
11. You will be notified about the update made.
Wait a few minutes after assigning the custom role to the service account user, as it takes some time for the permissions to take effect.
Compliance YAML file:
For Compliance, open the YAML file below.
Compliance and Remediation YAML file:
For Compliance and Remediation, open the YAML file below.
Use Cases and Permissions
Below are the minimum permissions required for BMC Helix Cloud Security Compliance and Remediation use-cases to work.
GCP service involved | Permissions needed for Compliance | Permissions needed for Remediation
---|---|---
Storage | "storage.buckets.get" | "storage.buckets.update"
Compute | "compute.firewalls.list" | "compute.instances.setMetadata"
Cloud KMS | "cloudkms.cryptoKeys.list", "cloudkms.keyRings.list" |
Cloud SQL | "cloudsql.databases.list" |
IAM | "iam.roles.list", "iam.serviceAccountKeys.list", "iam.serviceAccounts.list" |
DNS | "dns.changes.list" |
Logging | "logging.sinks.list" |
Resource Manager | "resourcemanager.projects.get", "resourcemanager.projects.getIamPolicy" |
ML | "ml.projects.getConfig" |
To perform remediation on rule 3.7 of the “CIS Google Cloud Platform Foundation Benchmark – VM” policy, add the “Editor” role to the service account user.
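The following script is an added example, not the YAML file attached to this page or BMC's own tooling. It builds the two custom-role definition files described in the steps above (Compliance only, and Compliance plus Remediation) from the permission names in the table above, checks that a definition file contains nothing beyond that allow-list before the role is created, and prints the gcloud commands that create the role and bind it to the connector's service account. The project id, service-account address and role ids are placeholders.

```shell
#!/bin/sh
# Added example (not the page's own YAML): render least-privilege custom-role
# files for the GCP connector from the permissions the page lists, then show the
# gcloud calls that create the role and grant it to the service account.
# PROJECT_ID, SA_EMAIL and the role id "helixCompliance" are placeholders.

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"                                    # placeholder
SA_EMAIL="${SA_EMAIL:-connector@my-gcp-project.iam.gserviceaccount.com}"      # placeholder

# Permissions taken from the page's "Use Cases and Permissions" table.
COMPLIANCE_PERMS="storage.buckets.get compute.firewalls.list \
cloudkms.cryptoKeys.list cloudkms.keyRings.list cloudsql.databases.list \
iam.roles.list iam.serviceAccountKeys.list iam.serviceAccounts.list \
dns.changes.list logging.sinks.list resourcemanager.projects.get \
resourcemanager.projects.getIamPolicy ml.projects.getConfig"
REMEDIATION_PERMS="storage.buckets.update compute.instances.setMetadata"

# render_role_yaml TITLE DESCRIPTION PERM... : write a role definition in the
# format accepted by `gcloud iam roles create --file` to stdout.
render_role_yaml() {
  _title=$1; _desc=$2; shift 2
  printf 'title: "%s"\ndescription: "%s"\nstage: "GA"\nincludedPermissions:\n' \
    "$_title" "$_desc"
  for _p in "$@"; do
    printf -- '- %s\n' "$_p"
  done
}

# count_permissions FILE : number of includedPermissions entries in FILE.
count_permissions() { grep -c '^- ' "$1"; }

# check_allowlist FILE : succeed only if every permission in FILE is one the
# page lists. Run it before creating the role so a definition that has drifted
# toward broader grants (a wildcard, an unrelated permission) is caught early.
check_allowlist() {
  _allowed=" $COMPLIANCE_PERMS $REMEDIATION_PERMS "
  _rc=0
  while IFS= read -r _line; do
    case "$_line" in
      "- "*) _p=${_line#"- "} ;;
      *) continue ;;
    esac
    case "$_allowed" in
      *" $_p "*) ;;
      *) echo "not in allow-list: $_p" >&2; _rc=1 ;;
    esac
  done < "$1"
  return $_rc
}

# Write both role definitions (file names are the example's own choice).
render_role_yaml "Helix Cloud Security Compliance" \
  "Read-only permissions for Compliance checks" \
  $COMPLIANCE_PERMS > compliance-role.yaml
render_role_yaml "Helix Cloud Security Compliance and Remediation" \
  "Compliance checks plus Remediation actions" \
  $COMPLIANCE_PERMS $REMEDIATION_PERMS > compliance-remediation-role.yaml
check_allowlist compliance-remediation-role.yaml

# The gcloud commands are printed rather than executed: creating a role and
# changing the project IAM policy are privileged operations, so review first.
cat <<EOF
gcloud iam roles create helixCompliance --project="$PROJECT_ID" --file=compliance-role.yaml
gcloud projects add-iam-policy-binding "$PROJECT_ID" \\
  --member="serviceAccount:$SA_EMAIL" \\
  --role="projects/$PROJECT_ID/roles/helixCompliance"
EOF
```

The `includedPermissions` list is the only place the role's reach is defined, so diffing a regenerated file against the one bound in IAM is a cheap way to confirm the connector still holds exactly the permissions in the table and nothing broader.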