GCP Permissions and Roles
This topic describes the Google Cloud Platform (GCP) APIs and roles that CloudGuard uses to manage your account. GCP is a suite of cloud computing services that runs on the same infrastructure that Google uses internally for its end-user products, such as Google Search, Gmail, Google Drive, and YouTube.
The APIs and roles allow CloudGuard to manage specific entities (such as Security Groups, Instances, etc.) in your GCP account.
APIs
You must enable the Compute Engine API and the Cloud Resource Manager API, and create a new service account for CloudGuard. CloudGuard uses this service account to connect to your GCP account.
Important - To ensure the maximal security of your assets, CloudGuard adheres to the principle of least privilege and requires only a minimal set of access permissions. If you want to allow CloudGuard more access, grant access to additional resources and services. For troubleshooting information, see Troubleshooting GCP Onboarding.
In addition, you can optionally enable these APIs:
- GKE API - for GKE entities, such as GkeCluster
- KMS API - for KMS entities, such as KmsKeyRing
- IAM API - for IAM entities, such as GcpIamGroup and GcpIamUser
- BigQuery API - for the BigQuery entity
- Admin SDK - for IAM entities such as users or groups
- App Engine Admin API
- Cloud Functions API
- Cloud SQL Admin API
- Cloud BigTable Admin API
- Cloud Pub/Sub API
- Cloud Memorystore Redis
- Service Usage API
- Cloud Filestore API
- API Keys API
- Cloud Logging API
- Cloud DNS API
- Cloud Asset API
- Essential Contacts API
- Access Approval API
Roles
In addition, you must grant these roles to the service account:
- Viewer (in Project)
- Security Reviewer (in IAM)
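The two checks above (required APIs enabled, and the service account holding exactly the Viewer and Security Reviewer roles) can be verified offline from exported gcloud output. The following is an added example, not CloudGuard's own code or tooling; it assumes the JSON shapes of `gcloud projects get-iam-policy --format=json` and `gcloud services list --enabled --format=json`, uses the IAM role IDs roles/viewer and roles/iam.securityReviewer for the roles named above, and uses a constructed service account email.

```python
"""Audit a GCP project's IAM policy and enabled services against the
least-privilege set required for CloudGuard onboarding (added example)."""
import json

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`.
# The service account email is a placeholder, and the extra Editor binding is
# deliberately present so the audit has something to flag.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/viewer",
         "members": ["serviceAccount:cloudguard@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/iam.securityReviewer",
         "members": ["serviceAccount:cloudguard@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:cloudguard@example-project.iam.gserviceaccount.com",
                     "user:admin@example.com"]},
    ]
})
# Constructed sample in the (assumed) shape of `gcloud services list --enabled --format=json`.
SAMPLE_SERVICES = json.dumps([
    {"config": {"name": "compute.googleapis.com"}},
    {"config": {"name": "container.googleapis.com"}},
])

# Roles the onboarding requires: Viewer (project) and Security Reviewer (IAM).
REQUIRED_ROLES = {"roles/viewer", "roles/iam.securityReviewer"}
# APIs that must be enabled: Compute Engine and Cloud Resource Manager.
REQUIRED_APIS = {"compute.googleapis.com", "cloudresourcemanager.googleapis.com"}


def roles_for(policy_json, member):
    """Return the set of roles bound to `member` anywhere in the IAM policy."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit_roles(policy_json, member):
    """Report roles the member lacks and roles it holds beyond the required set."""
    bound = roles_for(policy_json, member)
    return {"missing": sorted(REQUIRED_ROLES - bound),
            "excess": sorted(bound - REQUIRED_ROLES)}


def missing_apis(services_json):
    """Return required APIs that are not in the enabled-services listing."""
    enabled = {s["config"]["name"] for s in json.loads(services_json)}
    return sorted(REQUIRED_APIS - enabled)


if __name__ == "__main__":
    sa = "serviceAccount:cloudguard@example-project.iam.gserviceaccount.com"
    print("roles:", audit_roles(SAMPLE_POLICY, sa))   # flags roles/editor as excess
    print("missing APIs:", missing_apis(SAMPLE_SERVICES))
```

Any entry under "excess" is a grant beyond what the onboarding needs and should be removed unless it was added on purpose for extra CloudGuard access.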