Cloud Security Posture Management Manual (Google Cloud Platform)


Requirements

Set Up Cloud Account Access


Note: To set up CSPM for a GCP organization or project, you need admin privileges for the project in which the service account is created. Organization-level monitoring additionally requires permission to set the IAM policy on the organization itself (for example, the Organization Administrator role), because the role bindings in step 4 are made on the organization.

Manual Authentication for GCP

To authenticate manually and monitor a GCP organization or project, you must:

  1. Create a new GCP service account
  2. Assign it the necessary roles (at the organization or project level)
  3. Generate credentials for it
  4. Provide those credentials to the CSPM integration


Steps to Set Up CSPM on GCP

1. Open Cloud Shell

Go to the Google Cloud Console. In the top-right corner, click the Cloud Shell icon. A terminal opens at the bottom of the page; run all of the following commands there (or in any environment where the gcloud CLI is installed and authenticated as an account with the privileges described above).

2. Set Your Active Project

Run this command to select the GCP project where you want to create the service account:

    gcloud config set project <PROJECT_ID>


3. Create a New Service Account

Use the following commands after replacing <SA_NAME> with the name of your new service account, <ORG_ID> with your GCP organization's ID, and <PROJECT_ID> with the GCP project ID of the project where you want to provision the compute instance that will run CSPM.

Replace <SA_NAME> and <PROJECT_ID> in the command below:

    gcloud iam service-accounts create <SA_NAME> \
        --description="Elastic agent service account for CSPM" \
        --display-name="Elastic agent service account for CSPM" \
        --project=<PROJECT_ID>

 

4. Assign Required IAM Roles

  • To monitor a GCP organization, assign the roles to the service account at the organization level:

    gcloud organizations add-iam-policy-binding <ORG_ID> \
        --member=serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com \
        --role=roles/cloudasset.viewer

    gcloud organizations add-iam-policy-binding <ORG_ID> \
        --member=serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com \
        --role=roles/browser

  • To monitor a single GCP project instead, assign the same roles at the project level:

    gcloud projects add-iam-policy-binding <PROJECT_ID> \
        --member=serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com \
        --role=roles/cloudasset.viewer

    gcloud projects add-iam-policy-binding <PROJECT_ID> \
        --member=serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com \
        --role=roles/browser

Note: The Cloud Asset Viewer role (roles/cloudasset.viewer) grants read access to cloud asset metadata. The Browser role (roles/browser) grants read access to the project hierarchy (organization, folders and projects). Both are read-only; the service account needs no other roles, so do not add broader ones such as Viewer or Editor.

 

5. Download the Credentials JSON

First, replace <KEY_FILE> with the path where you want to save the key, then run:

    gcloud iam service-accounts keys create <KEY_FILE> \
        --iam-account=<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com

The file contains a long-lived private key for the service account: restrict its permissions (for example, chmod 600 <KEY_FILE>), do not commit it to source control, and delete it from Cloud Shell once it has been handed to the integration. If the command is refused because the organization policy constraint iam.disableServiceAccountKeyCreation is enforced, an organization policy administrator must grant an exception for this project before a key can be created.

 

 

6. Provide CyTech the Following Values

  • Organization ID (organization-level setup only)
  • Project ID (the project where you want to provision the compute instance that will run CSPM)
  • Credentials JSON values (the contents of <KEY_FILE>)
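The whole procedure above, as an added example that is not part of this manual or of CyTech's tooling: a small bash helper, meant to be run in Cloud Shell, that checks the placeholder values against GCP's naming rules, prints the exact gcloud command sequence for review before anything is executed, and verifies the downloaded key file before it is handed over. The function names (valid_gcp_id, valid_org_id, sa_email, cspm_commands, check_key_file) and the sample values in the comments are assumptions, not names from the manual.

```shell
#!/usr/bin/env bash
# Added example for this manual (not CyTech's or Google's code): validate the
# placeholder values, build the gcloud command sequence for review, and check
# the downloaded key file. Function names and sample values are assumptions.
set -eu

# Project IDs and service-account IDs must be 6-30 characters of lowercase
# letters, digits and hyphens, start with a letter and not end with a hyphen.
valid_gcp_id() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'
}

# Organization IDs are numeric.
valid_org_id() {
  printf '%s' "$1" | grep -Eq '^[0-9]+$'
}

# Email of the service account, as used in every IAM binding and key command.
# Usage: sa_email SA_NAME PROJECT_ID
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"
}

# Print the manual's command sequence with the placeholders filled in.
# Usage: cspm_commands org|project SA_NAME ORG_ID PROJECT_ID KEY_FILE
# (pass "-" as ORG_ID for project scope). Nothing is executed here: review
# the output, then paste it into Cloud Shell.
cspm_commands() {
  local scope="$1" sa="$2" org="$3" project="$4" key_file="$5"
  local bind email
  valid_gcp_id "$sa"      || { echo "invalid service account name: $sa" >&2; return 1; }
  valid_gcp_id "$project" || { echo "invalid project ID: $project" >&2; return 1; }
  case "$scope" in
    org)
      valid_org_id "$org" || { echo "invalid organization ID: $org" >&2; return 1; }
      bind="gcloud organizations add-iam-policy-binding $org" ;;
    project)
      bind="gcloud projects add-iam-policy-binding $project" ;;
    *)
      echo "scope must be org or project" >&2; return 1 ;;
  esac
  email=$(sa_email "$sa" "$project")
  cat <<EOF
gcloud config set project $project
gcloud iam service-accounts create $sa --description="Elastic agent service account for CSPM" --display-name="Elastic agent service account for CSPM" --project=$project
$bind --member=serviceAccount:$email --role=roles/cloudasset.viewer
$bind --member=serviceAccount:$email --role=roles/browser
gcloud iam service-accounts keys create $key_file --iam-account=$email
EOF
}

# After "keys create": lock the file down and confirm it is a service-account
# key for the identity you expect before handing it to the integration.
# Usage: check_key_file KEY_FILE EXPECTED_SA_EMAIL
check_key_file() {
  local key_file="$1" expected_email="$2"
  [ -f "$key_file" ] || { echo "missing key file: $key_file" >&2; return 1; }
  chmod 600 "$key_file"
  grep -Eq '"type": *"service_account"' "$key_file" \
    || { echo "not a service account key: $key_file" >&2; return 1; }
  grep -Eq "\"client_email\": *\"$expected_email\"" "$key_file" \
    || { echo "key is for a different identity than $expected_email" >&2; return 1; }
}
```

Run cspm_commands org <SA_NAME> <ORG_ID> <PROJECT_ID> <KEY_FILE> (or cspm_commands project <SA_NAME> - <PROJECT_ID> <KEY_FILE>), check the printed commands, then paste them into Cloud Shell. After the key download, run check_key_file <KEY_FILE> <SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com before giving the file to CyTech; a key for the wrong identity, or a file that is not a service-account key at all, is rejected.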


 

 
