GCP Cloud connector

This topic describes how to onboard the GCP Cloud connector, which gathers data from GCP services and performs compliance and risk assessment on those assets.

Onboarding the GCP Cloud connector involves the following steps:

• • Understanding the GCP cloud connector
  • License utilization
  • Completing prerequisites
  • Onboarding the GCP cloud connector
  • Performing next steps

Understanding the GCP cloud connector

The GCP cloud connector enables you to gather data about the following GCP resources:

• IAM
• Networks
• Virtual Machines
• Service Accounts
• DNS
• KMS
• Projects
• GKE

License utilization

The following resources consume a product license:

• Google Compute Engine
• Google Cloud Kubernetes/Google Kubernetes Engine

Completing prerequisites

• Go to to IAM 
• Click on service account page 
• Create a Service Account 
• Assign the role having minimum permissions for GCP cloud connector. This can be done only after creating a role as illustrated in Minimum-Permissions-for-GCP-Connector.
• Refer to the following screenshot:
• 
• While creating the service account, create a key and download the JSON file.[This json file would be needed while onboarding the connector]
• Also enable API services for below mentioned modules. 
  • Cloud Resource API
  • IAM API
  • Cloud SQL API

Onboarding the GCP cloud connector

1. Log in to Cloud Security with your registered credentials.
2. Select Configure icon > Connectors.
3. Click Add Connector.
4. Under Connector Type > Cloud Based Connectors (Hosted), click GCP Cloud Connector and then click Continue.
5. In the Name your connector field, specify a name for the connector.
   This name must be unique and must not have already been created.
   If the name entered is not already displayed on the Manage Connectors page, a green check mark and available label appear next to the field.

6. Specify the GCP client email and GCP private key for the project to be scanned from the JSON file which was downloaded while creating the service account. 

   GCP client email refers to the user email ID that corresponds to the user's Google Cloud Platform. The user can copy the GCP client email and GCP Private key from the downloaded JSON file and paste it in the Configure Connector page. While copying the client email and private key, it is important to avoid copying unnecessary punctuations accidentally. This means the client email ID will not be enclosed in quotation marks and the private key will start and end as follows:

   -----BEGIN PRIVATE KEY ... \n

7. Select the method for triggering collection cycles from the Collection Mode menu:

   1. On Demand. Enables on-demand scanning.
   2. Scheduled. Specifies the hours or minutes for which GCP resources will be periodically collected and evaluated.Click Continue.

   

     9. Click Continue.

    10. The connector is available in Cloud Security and the policies can be evaluated on the schedule you have set.

          This single policy will also cover : IAM, Networks, Virtual Machines, ServiceAccountKeys, DNS, KMS, Projects, GKE.

  11. As soon as the connector begins sending data, it displays in the 'Running' state, as illustrated in the below screen.
                

It then collects the data and begins publishing it back to Cloud Security

Please refer to the below screenshot.

Resource Types:

Below are the resource types that are supported for GCP Cloud Connector:

• IAM:GCP IAM Users
• KMS:GCP KMS
• DNS:GCP Networks
• Network:GCP Networks
• GCP Projects
• ServiceAccounts:GCP
• ServiceAccountKeys
• VM:GCP VMs

Performing next steps

To manage connector configuration and settings, see Managing-connectors.

To assess the resources including why a rule failed, see Managing-resources.

^{_{Back to top}}