Google Cloud Platform Onboarding Guide
This guide provides the steps to onboard Google Cloud Platform accounts onto the Posture Management service.
This article will guide you through the following steps:
- Create and configure a Google Cloud project and service account for Posture Management
- Assign read-only permissions for Posture Management
- Add the Google Cloud Platform application to the Posture Management service
- Log in to the GCP Console
- Click the Select Project drop-down
- Click New Project and enter a suitable name
- Select the new project
- Enable the required APIs in the new project by navigating to APIs & Services
- Enable the following APIs one by one for the GCP project created in Step 3
- Cloud Resource Manager API
- Identity and Access Management (IAM) API
- Essential Contacts API
- Service Usage API
- Recommender API
- API Keys API
or via Cloud Shell:
gcloud services enable cloudresourcemanager.googleapis.com iam.googleapis.com essentialcontacts.googleapis.com serviceusage.googleapis.com recommender.googleapis.com apikeys.googleapis.com
- The following APIs must be enabled for each GCP project in your organization account (including the project created in Step 3):
- Identity Toolkit API
- Admin SDK API
- Cloud Functions API
- Compute Engine API
- VM Manager (OS Config API)
- Cloud Key Management Service (KMS) API (KMS API)
- Stackdriver Monitoring API (Cloud Monitoring API)
or via Cloud Shell:
gcloud services enable identitytoolkit.googleapis.com admin.googleapis.com cloudfunctions.googleapis.com compute.googleapis.com osconfig.googleapis.com cloudkms.googleapis.com monitoring.googleapis.com
- Next, navigate to IAM & Admin -> Service Accounts -> + Create Service Account
- Enter the Service account name and click Create and Continue
- Click Done
- Copy the Email for the new service account
- Navigate back to IAM & Admin -> IAM and click Grant Access
- Paste in the email address from Step 9
- Use the Select a role dropdown to assign the following permissions:
- Access Approval Viewer
- BigQuery Metadata Viewer
- Browser
- Organization Policy Viewer
- Security Reviewer
- Basic > Viewer
- Navigate back to IAM & Admin -> Service Accounts -> Posture Management email -> Keys and click Add Key -> Create New Key
- Select the JSON option and click Create
- A JSON file will be downloaded which is required in the next step
- To enable monitoring of MFA configuration for users, open Google Workspace Admin and navigate to Account -> Admin Roles
- Select the User Management Admin role and click Assign Role
- Select Assign Members
- Paste in the Posture Management email address from Step 9 and click Assign Role
- Now we can configure the Posture Management service with your new Google Cloud Platform application. Log in to the USS Dashboard and navigate to Products -> Posture Management.
- The Posture Management dashboard will open in a new tab. From the top ribbon, select Service Integration and then +
- Click Google Cloud Platform
- Click Browse and select the JSON file that you downloaded in Step 15
- Click Continue
- The discovered account will be displayed. In the Select GCP project(s) section, select one of the available options:
- All (recommended): if you want to have all your GCP projects monitored
- Select a GCP project: if you want to have a specific GCP project monitored
- Click Add
- Click Scan Now to begin scanning the application immediately, or wait for it to automatically scan on a daily basis
- Once the first scan has finished you will be able to view the results in the Charts and Activity report tabs
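
To confirm that the service account holds only the read-only roles assigned in the role-selection step, the IAM policy can be exported with `gcloud projects get-iam-policy PROJECT_ID --format=json` and checked offline. The script below is an added example, not part of the Posture Management product; the mapping from the role display names in this guide to role IDs, the service account email and the sample policy are assumptions constructed for illustration.

```python
import json
import sys

# Role IDs assumed to correspond to the display names listed in this guide.
EXPECTED_ROLES = {
    "roles/accessapproval.viewer",    # Access Approval Viewer
    "roles/bigquery.metadataViewer",  # BigQuery Metadata Viewer
    "roles/browser",                  # Browser
    "roles/orgpolicy.policyViewer",   # Organization Policy Viewer
    "roles/iam.securityReviewer",     # Security Reviewer
    "roles/viewer",                   # Basic > Viewer
}

def audit_service_account(policy, sa_email):
    """Return (missing, unexpected, conditional_only) role lists for sa_email."""
    member = f"serviceAccount:{sa_email}".lower()
    unconditional, conditional = set(), set()
    for binding in policy.get("bindings", []):
        # Exact match only, so "deleted:serviceAccount:..." entries are ignored.
        if member not in {m.lower() for m in binding.get("members", [])}:
            continue
        target = conditional if "condition" in binding else unconditional
        target.add(binding["role"])
    granted = unconditional | conditional
    return (sorted(EXPECTED_ROLES - granted),      # roles the guide lists but absent
            sorted(granted - EXPECTED_ROLES),      # anything beyond the guide's list
            sorted(conditional - unconditional))   # granted only under a condition

# Constructed sample data: hypothetical service account and policy export.
SA = "posture-mgmt@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {"version": 3, "bindings": [
    {"role": "roles/browser", "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/viewer", "members": [f"serviceAccount:{SA}", "user:admin@example.com"]},
    {"role": "roles/iam.securityReviewer", "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/orgpolicy.policyViewer", "members": [f"serviceAccount:{SA}"],
     "condition": {"title": "temp",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    {"role": "roles/editor", "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
]}

if __name__ == "__main__":
    # Usage: script.py policy.json sa-email   (falls back to the sample data)
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 2 else SAMPLE_POLICY
    email = sys.argv[2] if len(sys.argv) > 2 else SA
    missing, unexpected, cond = audit_service_account(policy, email)
    print("missing:", missing)
    print("unexpected:", unexpected)
    print("conditional only:", cond)
    sys.exit(1 if (missing or unexpected) else 0)
```

A non-zero exit status means the service account either lacks a role from the list or holds one outside it, such as the write-capable `roles/editor` in the sample.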