Cloud Security Posture Management Manual (Google Cloud Platform)
Go to > Cyber Incident Monitoring
Go to the Google Cloud Console.
In the top-right corner, click the Activate Cloud Shell icon. A Cloud Shell terminal opens at the bottom of the console; run all of the commands below in that terminal.
Set Your Active Project
Run this command to select the GCP project where you want to create the service account:
gcloud config set project <PROJECT_ID>
Set up cloud account access
Note: To set up CSPM for a GCP project, you need admin privileges on the project (at minimum, permission to create service accounts and to set the project's IAM policy). To monitor a whole organization, you also need permission to set the IAM policy on the organization itself (for example, the Organization Administrator role), because the role bindings for that case are made at organization level.
For Manual authentication (GCP organization)
To authenticate manually to monitor a GCP organization, you’ll need to create a new GCP service account, assign it the necessary roles, generate credentials, then provide those credentials to the CSPM integration.
Use the following commands, after replacing <SA_NAME> with the name of your new service account, <ORG_ID> with your GCP organization’s ID, and <PROJECT_ID> with the GCP project ID of the project where you want to provision the compute instance that will run CSPM.
Create a new service account:
gcloud iam service-accounts create <SA_NAME> \
--description="Elastic agent service account for CSPM" \
--display-name="Elastic agent service account for CSPM" \
--project=<PROJECT_ID>
Assign the necessary roles to the service account:
gcloud organizations add-iam-policy-binding <ORG_ID> \
--member=serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com \
--role=roles/cloudasset.viewer
gcloud organizations add-iam-policy-binding <ORG_ID> \
--member=serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com \
--role=roles/browser
Note: The Cloud Asset Viewer role (roles/cloudasset.viewer) grants read-only access to Cloud Asset Inventory metadata. The Browser role (roles/browser) grants read-only access to browse the resource hierarchy (organization, folders, projects). Both are read-only; the integration does not need Editor, Owner, or any other write role, so do not add one.
Download the credentials JSON (first, replace <KEY_FILE> with the location where you want to save it):
gcloud iam service-accounts keys create <KEY_FILE> \
--iam-account=<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com
Note: This file is a long-lived credential; anyone who obtains it can read asset metadata across your organization. Keep it readable only by you (chmod 600 <KEY_FILE>), never commit it to source control, and delete the key in the console or with gcloud iam service-accounts keys delete when the integration no longer needs it. If the organization policy constraint iam.disableServiceAccountKeyCreation is enforced, the command fails with a permission error and you must obtain an exception for this project before continuing.
Provide CyTech with the following values:
- Organization ID
- Project ID (the project where you want to provision the compute instance that will run CSPM)
- Credentials JSON values
For Manual authentication (GCP project)
To authenticate manually to monitor an individual GCP project, you’ll need to create a new GCP service account, assign it the necessary roles, generate credentials, then provide those credentials to the CSPM integration.
Use the following commands, after replacing <SA_NAME> with the name of your new service account, and <PROJECT_ID> with your GCP project ID.
Create a new service account:
gcloud iam service-accounts create <SA_NAME> \
--description="Elastic agent service account for CSPM" \
--display-name="Elastic agent service account for CSPM" \
--project=<PROJECT_ID>
Assign the necessary roles to the service account:
gcloud projects add-iam-policy-binding <PROJECT_ID> \
--member=serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com \
--role=roles/cloudasset.viewer
gcloud projects add-iam-policy-binding <PROJECT_ID> \
--member=serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com \
--role=roles/browser
Note: The Cloud Asset Viewer role (roles/cloudasset.viewer) grants read-only access to Cloud Asset Inventory metadata. The Browser role (roles/browser) grants read-only access to browse the resource hierarchy. Both are read-only; the integration does not need Editor, Owner, or any other write role, so do not add one.
Download the credentials JSON with the same gcloud iam service-accounts keys create command shown in the organization section, passing --iam-account=<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com, and keep the resulting file readable only by you.
Provide CyTech with the following values:
- Project ID (the project where you want to provision the compute instance that will run CSPM)
- Credentials JSON values
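As an added check after either procedure above (organization or project), the following audit script verifies that the service account ended up with exactly the two roles this manual assigns and nothing broader, and sanity-checks the downloaded key file before you hand it over. It is an example written for this page, not CyTech's or Elastic's own tooling. It assumes you have exported the IAM policy to a file with gcloud organizations get-iam-policy <ORG_ID> --format=json (or gcloud projects get-iam-policy <PROJECT_ID> --format=json for the project case); the file names policy.json and cspm_audit.py, and the sample policy embedded in the script, are constructed for illustration.

```python
"""Post-setup audit for the CSPM service account (added example, not part of
the CyTech manual or Elastic's tooling).

Assumed workflow (file names are assumptions):
    gcloud organizations get-iam-policy <ORG_ID> --format=json > policy.json
    # or: gcloud projects get-iam-policy <PROJECT_ID> --format=json > policy.json
    python cspm_audit.py policy.json <SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com <KEY_FILE>
Run with no arguments to audit the constructed SAMPLE_POLICY below instead.
"""
import json
import os
import re
import stat
import sys

# The two roles the manual assigns; any other binding is over-privilege.
EXPECTED_ROLES = {"roles/cloudasset.viewer", "roles/browser"}

# GCP service-account IDs: 6-30 chars of lowercase letters, digits and hyphens,
# starting with a letter and ending with a letter or digit.
SA_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")


def is_valid_sa_id(sa_name):
    """True if sa_name is acceptable to `gcloud iam service-accounts create`."""
    return bool(SA_ID_RE.match(sa_name))


def service_account_email(sa_name, project_id):
    """Build the e-mail used in the --member and --iam-account flags."""
    if not is_valid_sa_id(sa_name):
        raise ValueError(f"invalid service account ID: {sa_name!r}")
    return f"{sa_name}@{project_id}.iam.gserviceaccount.com"


def roles_for_member(policy, member):
    """Roles bound to `member` in a policy as printed by get-iam-policy --format=json."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit_roles(policy, sa_email):
    """Compare the service account's bindings with EXPECTED_ROLES."""
    have = roles_for_member(policy, "serviceAccount:" + sa_email)
    return {"missing": sorted(EXPECTED_ROLES - have), "extra": sorted(have - EXPECTED_ROLES)}


def check_key(key, sa_email):
    """Sanity-check a parsed credentials JSON; returns a list of problems."""
    problems = []
    if key.get("type") != "service_account":
        problems.append("not a service_account key (type=%r)" % key.get("type"))
    if key.get("client_email") != sa_email:
        problems.append("client_email %r does not match %s" % (key.get("client_email"), sa_email))
    if not (key.get("private_key") or "").startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key field missing or malformed")
    return problems


def check_key_file(path, sa_email):
    """check_key plus a permission check: the key file should be mode 600."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & 0o077:
        problems.append(f"{path} has mode {mode:04o}; run chmod 600 so only you can read the key")
    with open(path) as fh:
        problems += check_key(json.load(fh), sa_email)
    return problems


# Constructed sample (not real gcloud output): the CSPM account holds the two
# expected roles plus an Editor binding that someone added by mistake.
SAMPLE_SA = "cspm-agent@my-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXample==",
    "bindings": [
        {"role": "roles/cloudasset.viewer", "members": ["serviceAccount:" + SAMPLE_SA]},
        {"role": "roles/browser", "members": ["serviceAccount:" + SAMPLE_SA, "user:alice@example.com"]},
        {"role": "roles/editor", "members": ["user:alice@example.com", "serviceAccount:" + SAMPLE_SA]},
    ],
}


def main(argv):
    if len(argv) != 4:
        result = audit_roles(SAMPLE_POLICY, SAMPLE_SA)
        print("sample audit:", result)
        return 1 if result["extra"] or result["missing"] else 0
    policy_path, sa_email, key_path = argv[1:]
    with open(policy_path) as fh:
        result = audit_roles(json.load(fh), sa_email)
    problems = check_key_file(key_path, sa_email)
    problems += [f"missing binding: {r}" for r in result["missing"]]
    problems += [f"over-privileged binding, remove it: {r}" for r in result["extra"]]
    for p in problems:
        print("PROBLEM:", p)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script exits non-zero when the account is missing a required role, carries any extra role, or the key file is world- or group-readable, so it can gate the hand-over step in a runbook. On the constructed sample it reports roles/editor as an extra binding, which is exactly the kind of drift you want to catch before the credentials leave your control.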