GCP Additional Configuration
Depending on how your GCP environment is configured and/or the types of services you use, you may want to configure some additional things outside of the general InsightCloudSec onboarding process.
Additional configuration options
Review the sections below to determine what additional features or configurations may be applicable for your environment.
Configuration | Description |
---|---|
GCP Directory Support | InsightCloudSec has expanded our support for GCP Directory to harvest and display expanded IAM data via GCP's Domain-wide Delegation functionality. By enabling Domain-wide Delegation in the GCP Console and configuring the service account ID email within InsightCloudSec, you can gain access to additional data from GCP including MFA Status, Group associations, last login, etc. |
GCP Auto-Badging | InsightCloudSec includes auto-badging capabilities to create a 1:1 map of GCP project, folders, and organization tags and labels to Badges in InsightCloudSec. This capability allows any Clouds and Bots to be scoped to a badge that maps to the account tag. |
GCP Recommended Actions | If properly configured, InsightCloudSec can harvest GCP Recommendations as a resource (found under Identity & Management on the Resources page). Supported Recommendation subtypes can be acted upon from within InsightCloudSec, with the results/resolution being propagated to GCP for easier principal management. |
GCP Directory Support
InsightCloudSec has expanded our support for GCP Directory to harvest and display expanded IAM data via GCP's Domain-wide Delegation functionality. While this capability is optional, we strongly encourage customers with GCP accounts to take advantage of this feature.
By enabling Domain-wide Delegation in the GCP Console and configuring the service account ID email within InsightCloudSec, you can gain access to additional data from GCP including MFA status, group associations, last login, etc., for two existing InsightCloudSec resource types: Cloud Domain User and Cloud Domain Group.
The OAuth scopes the service account must be authorized for in order to harvest this data are:
- https://www.googleapis.com/auth/admin.directory.user
- https://www.googleapis.com/auth/admin.directory.group
- https://www.googleapis.com/auth/admin.directory.group.member
Configure Directory Support
Configure domain-wide delegation for existing GCP accounts in GCP
Within your GCP Console (e.g., https://console.cloud.google.com) locate the service account associated with your InsightCloudSec installation and enable the Domain-wide Delegation feature for it. Note that domain-wide delegation lets anyone holding that service account's key act as the delegated super admin for the granted scopes, so grant only the three scopes listed above and protect the key accordingly.
- Copy the Service Account Client ID.
  - Go to IAM & Admin > Service Accounts and select the service account used by InsightCloudSec.
  - Expand Advanced Settings; in the Domain-wide Delegation section, copy the Client ID for your service account.
  - Under Client ID, click View Google Workspace Admin Console.
- Validate and enable domain-wide delegation.
  - In the Google Workspace Admin Console, go to Security > Overview and expand API Controls.
  - Under Domain-wide Delegation, click Manage Domain Wide Delegation.
  - Next you will either:
    - Search for and confirm that the Client ID you copied from your service account already exists, and verify that it is authorized for the three scopes listed above; or
    - Click Add new, enter the Client ID of the service account you want to configure for Domain-wide Delegation, and add the three scopes listed above.
- Specify an email address for domain-wide delegation.
  - Go to Directory > Users.
  - Filter by Admin Role and select Super Admin to narrow the list of user accounts.
  - Identify the email of the account you want to use for Domain-wide Delegation.
  - The account must be a super admin in the Google Workspace (or Cloud Identity) account that owns your GCP Organization; otherwise the Directory data cannot be passed from Google to InsightCloudSec.
  - Save this email in a safe place; you will use this address in the setup steps within InsightCloudSec.
Configure delegation for GCP accounts in InsightCloudSec
You can configure delegation for existing or new GCP accounts in InsightCloudSec.
- In InsightCloudSec, go to Cloud > Clouds and open the Organizations tab.
- Select Edit for the GCP Organization you want to modify.
- Click the unlock button next to Credentials for harvesting Organization data to make the form editable.
- Scroll to the Email Delegation (Optional) field and enter the email address of your chosen account. The address must belong to a super admin in the Google Workspace (or Cloud Identity) account that owns your GCP Organization; otherwise the Directory data cannot be passed from Google to InsightCloudSec.
- Click Update to finalize the changes.
Viewing GCP Directory Data
Once configured and harvested, the additional GCP Directory data available through Domain-wide Delegation is visible under Inventory > Resources on the Identity Management tab for both Cloud Domain Group and Cloud Domain User.
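To see what the delegation above actually unlocks, and to check that it was configured correctly, the following added example (not InsightCloudSec or Google code) obtains a token for the chosen super admin through domain-wide delegation with exactly the three scopes listed earlier, pulls the user list from the Directory API, and flags the conditions the page mentions: accounts without 2-Step Verification (MFA), admins without it, stale logins and accounts that never signed in. The key file path and super admin address are command-line arguments and are assumptions; the user records in SAMPLE_USERS are constructed, not real accounts, so the summary runs offline.

```python
from datetime import datetime, timedelta, timezone

# The three OAuth scopes the page says the Client ID must be authorized for.
REQUIRED_SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/admin.directory.group.member",
]


def delegated_credentials(key_file, subject):
    """Impersonate `subject` (the super admin chosen above) via domain-wide delegation.

    Refreshing the token fails with `unauthorized_client` when the Client ID has not
    been authorized for exactly these scopes in the Workspace Admin Console, so this
    is the quickest check that the delegation steps were completed. Needs google-auth;
    imported lazily so the offline helpers below run without it.
    """
    from google.oauth2 import service_account
    from google.auth.transport.requests import Request

    creds = service_account.Credentials.from_service_account_file(
        key_file, scopes=REQUIRED_SCOPES, subject=subject)
    creds.refresh(Request())
    return creds


def list_users(creds):
    """Page through Directory API users().list for the whole customer (needs google-api-python-client)."""
    from googleapiclient.discovery import build

    svc = build("admin", "directory_v1", credentials=creds, cache_discovery=False)
    users, token = [], None
    while True:
        resp = svc.users().list(customer="my_customer", maxResults=500,
                                pageToken=token).execute()
        users.extend(resp.get("users", []))
        token = resp.get("nextPageToken")
        if not token:
            return users


def summarize_users(users, now=None, stale_days=90):
    """Flag what the delegated data exposes: missing 2-Step Verification (MFA),
    admins without it, stale logins and accounts that never logged in.
    `users` is a list of Directory API user resources (dicts)."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=stale_days)
    out = {"no_2sv": [], "admins_without_2sv": [], "stale_login": [], "never_logged_in": []}
    for u in users:
        if u.get("suspended"):
            continue
        email = u["primaryEmail"]
        if not u.get("isEnrolledIn2Sv", False):
            out["no_2sv"].append(email)
            if u.get("isAdmin") or u.get("isDelegatedAdmin"):
                out["admins_without_2sv"].append(email)
        # The Directory API reports 1970-01-01 for accounts that have never signed in.
        last = u.get("lastLoginTime", "1970-01-01T00:00:00.000Z")
        if last.startswith("1970-"):
            out["never_logged_in"].append(email)
        elif datetime.fromisoformat(last.replace("Z", "+00:00")) < cutoff:
            out["stale_login"].append(email)
    return out


# Constructed sample in the shape of Directory API user resources; not real accounts.
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "isAdmin": True, "isEnrolledIn2Sv": True,
     "lastLoginTime": "2024-05-01T09:00:00.000Z"},
    {"primaryEmail": "bob@example.com", "isAdmin": True, "isEnrolledIn2Sv": False,
     "lastLoginTime": "2024-05-02T09:00:00.000Z"},
    {"primaryEmail": "carol@example.com", "isEnrolledIn2Sv": False,
     "lastLoginTime": "2023-11-01T09:00:00.000Z"},
    {"primaryEmail": "svc-old@example.com", "isEnrolledIn2Sv": False,
     "lastLoginTime": "1970-01-01T00:00:00.000Z"},
    {"primaryEmail": "dave@example.com", "suspended": True, "isEnrolledIn2Sv": False,
     "lastLoginTime": "2022-01-01T00:00:00.000Z"},
]
DEMO_NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)


def demo():
    """Run the offline summary over the constructed sample."""
    return summarize_users(SAMPLE_USERS, now=DEMO_NOW)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python this.py key.json admin@example.com -> live run
        report = summarize_users(list_users(delegated_credentials(sys.argv[1], sys.argv[2])))
    else:
        report = demo()
    for finding, emails in report.items():
        print(f"{finding}: {emails}")
```

If the token refresh in delegated_credentials raises an `unauthorized_client` error, the Client ID is not authorized for these scopes in the Workspace Admin Console, or the subject is not a user of that Workspace account; both are the conditions the configuration steps above are meant to satisfy.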
GCP Auto-Badging
InsightCloudSec includes auto-badging capabilities to create a 1:1 map of GCP project, folders, and organization tags & labels to Badges in InsightCloudSec. This allows Clouds and Bots to be scoped to a badge that maps to the account tag.
Auto-Badging in GCP Organizations
For GCP Organizations that have auto-badging of projects enabled, all clouds corresponding with a project that does not have a parent folder will have a cloud_org_path badge with a value of / to signify they are at the root.
Selecting the "Auto Badge Projects" option also provides automatic badging for Organizations that use folders, through the gcp_folder badge. This badge can be extremely helpful for managing scope around Insights, Bots, and the Compliance Scorecard views for organizational units and lines of business within your cloud footprint.
Organization-level tags can be harvested by InsightCloudSec as badges. For example, an organization-level tag in GCP might look like this: organization-name/tag-key/tag-value. This tag will be returned in InsightCloudSec as org/organization-name/tag-key:tag-value. All projects within this organization should be returned with this badge.
Auto-Badging in GCP Projects
For GCP Projects that are not part of an Organization and have auto-badging of projects enabled, InsightCloudSec will automatically create badges from the GCP project-level labels. Note: If you later add a GCP Organization that includes a previously standalone GCP Project, the Organization will assimilate the project into the Organization configuration.
Project-level tags can be harvested by InsightCloudSec as badges. A project-level tag in GCP looks similar to an organization-level tag, but it will be returned in InsightCloudSec as organization-name/tag-key:tag-value.
Folders
Folder tags can also be harvested by InsightCloudSec as badges, with top-level folder tags and nested folder tags being returned slightly differently. For example, a nested folder structure within GCP might look like this: organization-name/top-level-folder/nested-folder-1/project-name. A top-level or nested folder tag looks similar to an organization-level or project-level tag in GCP, but a top-level folder tag will be returned in InsightCloudSec as organization-name/folders/top-level-folder-name/tag-key:tag-value, and a nested folder tag as organization-name/folders/top-level-folder-name/nested-folder-1/tag-key:tag-value.
Folder tags are inherited downwards: a folder's tags are returned as badges by every project held directly in that folder or in any of its sub-folders, whether the folder is top-level or nested.
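The badge formats described in the three sections above, as an added example (not InsightCloudSec code) that derives the badge set for a project from its organization, folder and project tags, including the downward inheritance of folder tags. The hierarchy in ORG, FOLDERS and PROJECTS is constructed to match the organization-name/top-level-folder/nested-folder-1/project-name structure used on the page. Two points are assumptions rather than documented behaviour: the gcp_folder badge is given the folder path as its value, and labels on a standalone project become plain key:value badges.

```python
# Constructed hierarchy: organization-name/top-level-folder/nested-folder-1/project-name
ORG = {"name": "organization-name", "tags": {"env": "prod"}}
FOLDERS = {  # folder path -> tags set directly on that folder
    "top-level-folder": {"bu": "retail"},
    "top-level-folder/nested-folder-1": {"team": "payments"},
}
PROJECTS = [
    {"id": "project-name", "folder": "top-level-folder/nested-folder-1",
     "tags": {"cost-center": "42"}},
    {"id": "root-project", "folder": None, "tags": {"owner": "alice"}},
    {"id": "standalone-project", "org": None, "tags": {"owner": "bob"}},  # no Organization
]


def ancestor_folders(folder_path):
    """'a/b/c' -> ['a', 'a/b', 'a/b/c']: every folder whose tags the project inherits."""
    parts = folder_path.split("/")
    return ["/".join(parts[:i + 1]) for i in range(len(parts))]


def badges_for_project(project, org=ORG, folders=FOLDERS):
    """Return {badge_key: badge_value} for one project, following the page's formats."""
    badges = {}
    if project.get("org", org) is None:
        # Standalone project: assumption that project labels map 1:1 to key:value badges.
        badges.update(project["tags"])
        return badges

    org_name = org["name"]
    for key, value in org["tags"].items():           # org tag -> org/<org>/<key>:<value>
        badges[f"org/{org_name}/{key}"] = value
    for key, value in project["tags"].items():       # project tag -> <org>/<key>:<value>
        badges[f"{org_name}/{key}"] = value

    if project["folder"] is None:
        badges["cloud_org_path"] = "/"               # project sits at the org root
    else:
        # Assumption: gcp_folder carries the folder path; the page does not state its value.
        badges["gcp_folder"] = project["folder"]
        # Folder tags are inherited by every project under the folder, so walk all ancestors.
        for path in ancestor_folders(project["folder"]):
            for key, value in folders.get(path, {}).items():
                badges[f"{org_name}/folders/{path}/{key}"] = value
    return badges


def render(badges):
    """Badges as the key:value strings shown in the InsightCloudSec UI, sorted."""
    return sorted(f"{k}:{v}" for k, v in badges.items())


if __name__ == "__main__":
    for project in PROJECTS:
        print(project["id"])
        for badge in render(badges_for_project(project)):
            print("  ", badge)
```

Because folder badges embed the full folder path, a Bot or Insight scoped to organization-name/folders/top-level-folder/bu:retail matches every project beneath that folder, while scoping to the nested folder's badge narrows it to that sub-tree; that is the scoping behaviour the section above recommends the gcp_folder badge for.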
Auto-badging
As an enhancement to its support for provider-based organizations, InsightCloudSec includes auto-badging capabilities. The purpose of auto-badging is to create a 1:1 map of cloud account-level tags (AWS account tags, or GCP organization, folder and project tags and labels) to Badges in InsightCloudSec. This allows Clouds to be scoped to a badge that maps to the account tag.
After the tags and labels are harvested into InsightCloudSec as badges, you cannot delete them in InsightCloudSec; they must be deleted in the cloud provider, and the change will propagate to InsightCloudSec on the next harvest.
Auto-badging takes place in two stages.
Stage | Description |
---|---|
1. Retrieve tags and labels from each account and project and compare them with the ResourceTags associated with the cloud account in the InsightCloudSec database. | If any changes are detected, the ResourceTags in the database are overwritten with the values from the account/project. Cloud Account tags should therefore not be modified locally, since local changes are overwritten the next time the process runs; local changes to Cloud Account tags are also never pushed back to the cloud provider. |
2. Retrieve all ResourceTags from the local database that are associated with the accounts managed by an organization. | For each cloud, the list of tags for that cloud is compared with the current list of Badges and, for each Key/Value pair of tags: |
GCP Recommended Actions
If properly configured, InsightCloudSec can harvest GCP Recommendations as a resource (found under Identity & Management on the Resources page). Supported Recommendation subtypes (see below) can be acted upon from within InsightCloudSec, with the results/resolution being propagated to GCP for easier principal management. InsightCloudSec supports applying recommendations for both Organizations and Projects.
Supported Recommender subtypes
Currently supported Recommender subtypes are:
- REMOVE_ROLE
- REMOVE_ROLE_STORAGE_BUCKET
- REPLACE_ROLE
- REPLACE_ROLE_STORAGE_BUCKET
- SERVICE_AGENT_WITH_DEFAULT_ROLE
- SERVICE_AGENT_WITHOUT_DEFAULT_ROLE
Using Recommended Actions
Prerequisites
Before you can apply recommendations in InsightCloudSec, you'll need the following:
- Permissions to view, apply, and dismiss IAM recommendations in GCP (the recommender.iamPolicyRecommendations.* permissions, which roles/recommender.iamAdmin includes). Add the required permissions to the InsightCloudSec role you created during GCP - Onboarding, and review GCP's Recommendations documentation for the exact list.
- Domain Admin permissions within InsightCloudSec
Using GCP Recommendation Actions
After the InsightCloudSec role associated with the GCP Project/Organization has appropriate permissions, you can apply recommendations from the Resources page.
- Log in to InsightCloudSec and go to Inventory > Resources.
- Click Identity & Management, then click Recommendation.
- Ensure the Subtype column contains one of the supported subtypes listed above.
- (Optional) To open the properties for the affected resource, click the hyperlink in the Affected Resource Name column.
- Click the Resource Properties icon for the Recommendation you want to address.
- Click Actions, then click Apply recommendation.
- Click Submit to confirm.
This will propagate the change to the relevant GCP account, and the recommendation will be accepted. The relevant changes will be made based on that recommendation for that Principal.
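To confirm outside the UI what a recommendation will change before applying it, and to separate the subtypes listed above from those that must be handled in GCP directly, the following added example (not InsightCloudSec or Google code) triages IAM Recommender output. SAMPLE_RECOMMENDATIONS is constructed in the shape returned by `gcloud recommender recommendations list --recommender=google.iam.policy.Recommender --location=global --format=json`; the project, principals and roles in it are placeholders, and the REPLACE_ROLE_CUSTOMIZABLE entry is included only as an instance of a subtype outside the page's supported list.

```python
import json
import sys

# Subtypes the page says can be applied from InsightCloudSec.
SUPPORTED_SUBTYPES = {
    "REMOVE_ROLE",
    "REMOVE_ROLE_STORAGE_BUCKET",
    "REPLACE_ROLE",
    "REPLACE_ROLE_STORAGE_BUCKET",
    "SERVICE_AGENT_WITH_DEFAULT_ROLE",
    "SERVICE_AGENT_WITHOUT_DEFAULT_ROLE",
}

# Path filters the IAM recommender uses to identify the binding an operation touches.
ROLE_FILTER = "/iamPolicy/bindings/*/role"
MEMBER_FILTER = "/iamPolicy/bindings/*/members/*"
PROJECT = "//cloudresourcemanager.googleapis.com/projects/example-project"
REC_PREFIX = "projects/123456789012/locations/global/recommenders/google.iam.policy.Recommender/recommendations/"


def _operation(action, role, member):
    """One IAM-policy operation in the recommender's operationGroups format."""
    op = {"action": action, "resource": PROJECT,
          "resourceType": "cloudresourcemanager.googleapis.com/Project",
          "pathFilters": {ROLE_FILTER: role}}
    if action == "remove":            # remove <member> from the binding for <role>
        op["path"] = MEMBER_FILTER
        op["pathFilters"][MEMBER_FILTER] = member
    else:                             # add <member> to the binding for <role>
        op["path"] = "/iamPolicy/bindings/*/members/-"
        op["value"] = member
    return op


def _recommendation(rec_id, subtype, state, operations):
    return {"name": REC_PREFIX + rec_id, "recommenderSubtype": subtype,
            "stateInfo": {"state": state},
            "content": {"operationGroups": [{"operations": operations}]}}


# Constructed sample, see the lead-in; not output from a real project.
SAMPLE_RECOMMENDATIONS = [
    _recommendation("rec-1", "REMOVE_ROLE", "ACTIVE",
                    [_operation("remove", "roles/owner", "user:bob@example.com")]),
    _recommendation("rec-2", "REPLACE_ROLE", "ACTIVE",
                    [_operation("remove", "roles/editor", "user:carol@example.com"),
                     _operation("add", "roles/viewer", "user:carol@example.com")]),
    # Already applied elsewhere: state is not ACTIVE, so it is skipped.
    _recommendation("rec-3", "REMOVE_ROLE", "SUCCEEDED",
                    [_operation("remove", "roles/owner", "user:dave@example.com")]),
    # Subtype outside the page's supported list: must be handled in GCP.
    _recommendation("rec-4", "REPLACE_ROLE_CUSTOMIZABLE", "ACTIVE",
                    [_operation("remove", "roles/editor", "user:erin@example.com")]),
]


def summarize(rec):
    """Reduce one recommendation to which principal loses or gains which role."""
    removed, added, principals = [], [], set()
    for group in rec.get("content", {}).get("operationGroups", []):
        for op in group.get("operations", []):
            role = op.get("pathFilters", {}).get(ROLE_FILTER)
            if op.get("action") == "remove":
                removed.append(role)
                principals.add(op["pathFilters"].get(MEMBER_FILTER))
            elif op.get("action") == "add":
                added.append(role)
                principals.add(op.get("value"))
    return {"name": rec["name"].rsplit("/", 1)[-1],
            "subtype": rec["recommenderSubtype"],
            "state": rec["stateInfo"]["state"],
            "principals": sorted(p for p in principals if p),
            "remove": removed, "add": added}


def actionable(recommendations):
    """ACTIVE recommendations whose subtype InsightCloudSec can apply."""
    return [summarize(r) for r in recommendations
            if r["stateInfo"]["state"] == "ACTIVE"
            and r["recommenderSubtype"] in SUPPORTED_SUBTYPES]


def needs_manual_review(recommendations):
    """ACTIVE recommendations InsightCloudSec cannot apply; handle these in GCP."""
    return [summarize(r) for r in recommendations
            if r["stateInfo"]["state"] == "ACTIVE"
            and r["recommenderSubtype"] not in SUPPORTED_SUBTYPES]


if __name__ == "__main__":
    # Pipe real gcloud JSON output in, or run without input to use the sample.
    recs = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_RECOMMENDATIONS
    for item in actionable(recs):
        print("APPLY  ", item)
    for item in needs_manual_review(recs):
        print("MANUAL ", item)
```

A REPLACE_ROLE recommendation carries both a remove and an add operation for the same principal, which is why summarize keeps the two role lists separate: the reviewer can see that the principal ends up with roles/viewer rather than nothing before clicking Apply recommendation.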