Onboarding GCP Projects to Intelligence
You can use Intelligence to analyze the account activity of your Google Cloud Platform (GCP) project. To do this, onboard the project to Intelligence, which creates a connection between Intelligence and the GCP project. You can do this after Onboarding Google Cloud Platform Projects to CloudGuard.
Note - The onboarding process is done separately for Activity Logs and for Flow Logs.
Prerequisites for Onboarding
- For Intelligence Account Activity, enable Activity Logs on your GCP project.
- For Intelligence Traffic Activity, enable VPC Flow Logs on your GCP project.
- Make sure you have permissions to run the Google Cloud Shell.
- Choose one of the options for the onboarding scope:
  - Standard - To onboard one GCP project.
  - Centralized - To onboard multiple projects through the centralized Pub/Sub configuration.
- For the Standard scope, make sure that you have the Owner or Editor role.
- For the Centralized scope, make sure you have these roles:
  - For the centralized project - the Editor, Pub/Sub Admin, and Logging Admin roles, or a custom role. See Centralized Custom Role Permissions below.
  - For the other projects - the Logging Admin role or a custom role. See Custom Role Permissions below.
Projects created on or before April 8, 2021
If your project was created on or before April 8, 2021, you must grant the roles/iam.serviceAccountTokenCreator role to the Google-managed service account service-{PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com on the project. This allows Pub/Sub to create the tokens it needs for push subscriptions. If your project was created after this date, you do not need to grant this role, because the service account already has the roles/pubsub.serviceAgent role, which includes the same permissions. For more information, see Google Cloud's Push Subscription documentation.
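The check and the grant described in this note, as an added shell example that is not part of the CloudGuard documentation or its onboarding script. It assumes that the createTime reported by gcloud projects describe is the creation date the note refers to, that gcloud is installed (set GCLOUD=echo to print the commands instead of running them), and that the project ID in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not CloudGuard's onboarding script: find out whether a project
# predates the April 8, 2021 cutoff and, only then, grant the Pub/Sub service
# agent roles/iam.serviceAccountTokenCreator so push subscriptions can mint tokens.
# Assumptions: createTime from `gcloud projects describe` is the creation date the
# note refers to; GCLOUD=echo prints the gcloud commands instead of running them.
set -eu

GCLOUD="${GCLOUD:-gcloud}"
CUTOFF="2021-04-08"   # projects created on or before this date need the role

# Google-managed Pub/Sub service agent, derived from the numeric project number.
pubsub_service_agent() {
  printf 'service-%s@gcp-sa-pubsub.iam.gserviceaccount.com\n' "$1"
}

# True (exit 0) when an RFC 3339 timestamp falls on or before CUTOFF.
# YYYY-MM-DD sorts lexicographically, so a string comparison of the date part is enough.
needs_token_creator() {
  day=$(printf '%s' "$1" | cut -c1-10)
  [ "$(expr "$day" \<= "$CUTOFF")" = 1 ]
}

project_create_time() {   # <project_id>
  "$GCLOUD" projects describe "$1" --format='value(createTime)'
}

project_number() {        # <project_id>
  "$GCLOUD" projects describe "$1" --format='value(projectNumber)'
}

# Bind the role at project level to the service agent.
grant_token_creator() {   # <project_id> <project_number>
  "$GCLOUD" projects add-iam-policy-binding "$1" \
    --member="serviceAccount:$(pubsub_service_agent "$2")" \
    --role="roles/iam.serviceAccountTokenCreator"
}

# Exit 0 when the binding already exists; use this to verify before onboarding.
has_token_creator() {     # <project_id> <project_number>
  "$GCLOUD" projects get-iam-policy "$1" \
    --flatten='bindings[].members' \
    --filter='bindings.role:roles/iam.serviceAccountTokenCreator' \
    --format='value(bindings.members)' \
    | grep -qxF "serviceAccount:$(pubsub_service_agent "$2")"
}

# Inspect one project and grant only when the cutoff rule says so.
fix_project() {           # <project_id>
  created=$(project_create_time "$1")
  number=$(project_number "$1")
  if needs_token_creator "$created"; then
    echo "$1 created $created: granting roles/iam.serviceAccountTokenCreator" >&2
    has_token_creator "$1" "$number" || grant_token_creator "$1" "$number"
  else
    echo "$1 created $created: roles/pubsub.serviceAgent already covers this" >&2
  fi
}

# Usage (the project ID is a placeholder): fix_project my-gcp-project
```

The grant is made only after has_token_creator confirms the binding is absent, so the script is safe to re-run, and it never touches projects newer than the cutoff, where the service agent role already carries the permission.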
Creating a Custom Role
If you do not want to use the more permissive built-in roles, you can create and use a custom role. This lets you minimize and control the specific permissions that are required.
To configure a custom role:
1. Log in to the Google Cloud console.
2. From the navigation menu, go to IAM & Admin > Roles and click Create Role.
3. Define the permissions for the custom role: search for and select the permissions from the list below that match your onboarding scope and the GCP services in use.
   Centralized Custom Role Permissions (for the centralized project):
   - iam.serviceAccounts.actAs
   - iam.serviceAccounts.get
   - iam.serviceAccounts.list
   - iam.serviceAccounts.create
   - iam.serviceAccounts.delete
   - pubsub.subscriptions.create
   - pubsub.subscriptions.delete
   - pubsub.subscriptions.get
   - pubsub.subscriptions.list
   - pubsub.topics.attachSubscription
   - pubsub.topics.create
   - pubsub.topics.delete
   - pubsub.topics.get
   - pubsub.topics.getIamPolicy
   - pubsub.topics.list
   - pubsub.topics.setIamPolicy
   - logging.sinks.create
   - logging.sinks.delete
   - logging.sinks.get
   - resourcemanager.projects.get
   - serviceusage.services.get
   - serviceusage.services.enable
   Custom Role Permissions (for the other projects in the Centralized scope):
   - logging.sinks.create
   - logging.sinks.delete
   - logging.sinks.get
   - logging.sinks.list
   - resourcemanager.projects.get
4. Assign the custom role to the user:
   a. From the navigation menu, go to IAM & Admin > IAM and click Grant Access.
   b. In Add principals, enter the email of the user to assign the role to.
   c. In Assign roles, search for and select the custom role you created in step 3.
   d. Click Save.
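The same custom roles created from the command line instead of the console, as an added example that is not CloudGuard's own tooling. The permission lists are copied from the page; the role IDs, titles, file names, project IDs and user email are placeholders, and gcloud is assumed to be installed (GCLOUD=echo prints the commands instead of running them).

```shell
#!/bin/sh
# Added example, not CloudGuard's own tooling: turn the two permission lists above
# into gcloud custom role definitions, create them, and bind them to a user.
# Assumptions: role IDs, titles and file names are placeholders; `gcloud iam roles
# create --file` takes a YAML definition with title/description/stage/includedPermissions;
# GCLOUD=echo prints the gcloud commands instead of running them.
set -eu

GCLOUD="${GCLOUD:-gcloud}"

# Permissions exactly as listed on the page for the centralized (Pub/Sub) project.
CENTRALIZED_PERMS="
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
iam.serviceAccounts.create
iam.serviceAccounts.delete
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsub.topics.setIamPolicy
logging.sinks.create
logging.sinks.delete
logging.sinks.get
resourcemanager.projects.get
serviceusage.services.get
serviceusage.services.enable
"

# Permissions for every other project in a Centralized scope (log sink only).
PROJECT_PERMS="
logging.sinks.create
logging.sinks.delete
logging.sinks.get
logging.sinks.list
resourcemanager.projects.get
"

count_perms() {            # <perm list>
  printf '%s\n' $1 | grep -c .
}

# Permissions the per-project role has that the centralized role lacks. If you
# want a single role for both kinds of project, these must be added to it.
missing_from_centralized() {
  for p in $PROJECT_PERMS; do
    printf '%s\n' "$CENTRALIZED_PERMS" | grep -qxF "$p" || echo "$p"
  done
}

# Write a role definition in the YAML shape `gcloud iam roles create --file` expects.
write_role_yaml() {        # <perm list> <title> <out file>
  {
    printf 'title: "%s"\n' "$2"
    printf 'description: "Least-privilege role for CloudGuard Intelligence onboarding"\n'
    printf 'stage: "GA"\n'
    printf 'includedPermissions:\n'
    for p in $1; do printf '%s\n' "- $p"; done
  } > "$3"
}

create_role() {            # <project_id> <role_id> <yaml file>
  "$GCLOUD" iam roles create "$2" --project="$1" --file="$3"
}

grant_role() {             # <project_id> <user email> <role_id>
  "$GCLOUD" projects add-iam-policy-binding "$1" \
    --member="user:$2" --role="projects/$1/roles/$3"
}

# Usage (all IDs are placeholders): one role per kind of project.
#   write_role_yaml "$CENTRALIZED_PERMS" "CloudGuard Intelligence Central" central.yaml
#   create_role hub-project cloudguardIntelligenceCentral central.yaml
#   grant_role  hub-project alice@example.com cloudguardIntelligenceCentral
#   write_role_yaml "$PROJECT_PERMS" "CloudGuard Intelligence Sink" sink.yaml
#   create_role spoke-project cloudguardIntelligenceSink sink.yaml
#   grant_role  spoke-project alice@example.com cloudguardIntelligenceSink
```

missing_from_centralized is worth running once: the per-project list contains logging.sinks.list, which the centralized list does not, so a single role reused for both purposes needs the union of the two lists rather than the centralized list alone.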
Onboarding Account Activity to Intelligence with Activity Logs
1. Navigate to the Assets > Environments page.
2. Click Add Filter > Platform > GCP, or use the search bar, to show the project to onboard to Intelligence.
3. In the project row, in the Account Activity column, click Enable to start the Intelligence onboarding wizard.
   As an alternative, open the project's GCP environment page. In the top right menu, click Add Intelligence and select Activity Logs.
4. Follow the on-screen wizard instructions to complete onboarding for Intelligence. This involves:
   - Selecting the onboarding scope: Standard or Centralized.
   - For the Centralized scope only:
     - Selecting a new or existing Pub/Sub.
     - Selecting one or more projects.
   - Opening the Google Cloud Shell and authorizing it to run the script. The script is available on GitHub for review from the Welcome or Shell Script page of the onboarding wizard.
   - Opening your Google Workspace.
   - Copying a command from the CloudGuard wizard and pasting it in the Cloud Shell terminal. The command creates the necessary CloudGuard resources in the project. When the process is done, the Cloud Shell terminal displays a confirmation message.
   - Examining the deployment status with the Check Now button.
   - When you see a message that the shell script process is finished, clicking Onboard.
5. After you get a message that the project is successfully onboarded, click Finish to close the wizard. CloudGuard then suggests that you onboard a new environment or add alerts for this environment. For more information on adding alerts, see Getting Started with Intelligence Policy.
When you complete these steps, CloudGuard starts the onboarding process for Intelligence. It can take several minutes. All GCP environments with onboarded Activity Logs appear in Assets > Environments with Account Activity enabled.
Afterward, you can see the account activity on the Logs page: navigate to Events > Cloud Logs > Account Activity, select the project name, and click Run.
Onboarding Traffic Activity to Intelligence with VPC Flow Logs
1. Navigate to the Assets > Environments page.
2. Click Add Filter > Platform > GCP, or use the search bar, to show the project that you want to onboard to Intelligence.
3. In the project row, in the Traffic Activity column, click Enable to start the Intelligence onboarding wizard.
   As an alternative, open the project's GCP environment page. In the top right menu, click Add Intelligence and select Flow Logs.
4. Follow the on-screen wizard instructions to complete onboarding for Intelligence. This involves:
   - Enabling VPC Flow Logs on your project.
   - Selecting the onboarding scope: Standard or Centralized.
   - For the Centralized scope only:
     - Selecting a new or existing Pub/Sub.
     - Selecting one or more projects.
   - Opening a repository in Google Cloud Shell and authorizing Google Cloud Shell to run the script. The script is available on GitHub for review from the Welcome or Shell Script page of the onboarding wizard.
   - Copying a command from the CloudGuard wizard and pasting it in the Cloud Shell terminal. The command creates the necessary CloudGuard resources in the project. When the process is done, the Cloud Shell terminal displays a confirmation message.
   - Examining the deployment status with the Check Now button.
5. After you get a message that the project is successfully onboarded, click Finish to close the wizard. CloudGuard then suggests that you onboard a new environment or add alerts for this environment. For more information on adding alerts, see Getting Started with Intelligence Policy.
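The VPC Flow Logs prerequisite and the "Enabling VPC Flow Logs on your project" step, plus a post-onboarding look at the resources the script creates, as an added shell example that is not part of the CloudGuard documentation or its script. Flow logs are a per-subnet setting in GCP, so the example walks the subnets. It assumes gcloud is installed (GCLOUD=echo prints the commands instead of running them); SAMPLE_SUBNETS is constructed test data in the CSV shape gcloud emits, not real output, and the project ID in show_onboarding_resources is a placeholder.

```shell
#!/bin/sh
# Added example, not from the CloudGuard documentation: find subnets that still
# lack VPC Flow Logs (the Traffic Activity prerequisite), enable them, and list the
# log sink and Pub/Sub resources the onboarding script should have left behind.
# Assumptions: gcloud is available; GCLOUD=echo prints commands instead of running
# them; SAMPLE_SUBNETS is constructed test data in the same CSV shape gcloud emits.
set -eu

GCLOUD="${GCLOUD:-gcloud}"

# Flow logs are configured per subnet, so the check has to walk every subnet.
list_subnets() {
  "$GCLOUD" compute networks subnets list \
    --format='csv[no-heading](name,region.basename(),enableFlowLogs)'
}

# Reads "name,region,enableFlowLogs" lines on stdin; prints "name region" for each
# subnet where flow logs are not enabled (an empty third field means never set).
subnets_without_flow_logs() {
  while IFS=, read -r name region enabled || [ -n "$name" ]; do
    [ -n "$name" ] || continue
    [ "$enabled" = "True" ] && continue
    printf '%s %s\n' "$name" "$region"
  done
}

enable_flow_logs() {      # <subnet> <region>
  "$GCLOUD" compute networks subnets update "$1" --region="$2" --enable-flow-logs
}

# Enable flow logs on every subnet in the active project that lacks them.
enable_missing_flow_logs() {
  list_subnets | subnets_without_flow_logs | while read -r name region; do
    enable_flow_logs "$name" "$region"
  done
}

# After onboarding: show the log sinks and the Pub/Sub topics and subscriptions in
# the project, which is what the permission lists above let the script create.
show_onboarding_resources() {   # <project_id>
  "$GCLOUD" logging sinks list --project="$1" --format='table(name,destination,filter)'
  "$GCLOUD" pubsub topics list --project="$1" --format='value(name)'
  "$GCLOUD" pubsub subscriptions list --project="$1" \
    --format='table(name,topic,pushConfig.pushEndpoint)'
}

# Constructed sample in the CSV shape list_subnets produces (not real output).
SAMPLE_SUBNETS='default,us-central1,True
app-subnet,us-east1,False
db-subnet,europe-west1,'

# Usage: printf '%s\n' "$SAMPLE_SUBNETS" | subnets_without_flow_logs
#        enable_missing_flow_logs          # against the active gcloud project
#        show_onboarding_resources my-gcp-project
```

Enabling flow logs with the defaults is enough for onboarding; if you later need fuller coverage for traffic analysis, the same update command accepts --logging-flow-sampling to raise the sampling rate, at a corresponding cost in log volume.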
When you complete these steps, CloudGuard starts the onboarding process for Intelligence. It can take about 30 minutes. All GCP environments with onboarded Traffic Logs appear in Assets > Environments with Traffic Activity enabled.
Afterward, you can see the traffic activity on the Logs page: navigate to Events > Cloud Logs > Network Traffic, select the project name, and click Run.
Error and Warning Messages
| Warning / Error | Details | Corrective Actions |
|---|---|---|
| You do not currently have an active account selected. | You did not select Trust repo when you opened the repository in Cloud Shell. | Open the repository in Cloud Shell again and select Trust repo. |
| You do not appear to have access to project [project_ID] or it does not exist. Are you sure you wish to set property [core/project] to project_ID? | You copied an incorrect project_ID. | Follow the instructions in the onboarding wizard and copy the correct project_ID. |