Create a Google Cloud Platform (GCP) Connection for Cloud Configuration Assessment (CCA)
CCA End-of-Life Notice
As of February 15, 2024, Rapid7 will start the End-of-Life (EOL) process for Cloud Configuration Assessment. On February 15, 2025, support will officially end and the feature will be permanently removed from InsightVM for all customers.
While we will continue to support this feature in the interim with security patches, we will not be updating or enhancing CCA further. See our Cloud Risk Complete offering if you are still interested in the capabilities of CCA.
You can configure a Google Cloud Platform (GCP) connection that allows the Insight Platform to collect data from your GCP resources for Cloud Configuration Assessment (CCA).
Fields subject to change
Third-party UI elements may change over time. This document will be updated accordingly.
GCP connection requirements
For the Insight Platform to connect to your GCP resources, you need the following:
- A GCP account with permissions in the target project to enable APIs, create custom roles, and create service accounts and service account keys
Note
You must create a separate cloud infrastructure connection for each GCP project you want to assess; a connection covers one project only.
Configure GCP
Log in to your GCP console and access the project you want to add configuration assessment capabilities to.
Enable APIs
From the GCP navigation menu, go to APIs & Services > Library.
Search for and enable the following APIs:
Required APIs
- Compute Engine API
- Compute Engine Instance Groups API
- Compute Engine Instance Group Manager API
- Compute Engine Instance Group Updater API
- Cloud Deployment Manager V2 API
- Cloud SQL
- Cloud SQL Admin API
- Cloud Storage
- Google+ API
- Kubernetes Engine API
Create a custom role
- Go to IAM & Admin > Roles and click Create Role.
- Enter a title and ID for your custom role.
  - The role ID is a unique identifier for the role within your project. We recommend using an ID that indicates the purpose of this role, such as InsightVM_CCA.
  - The title does not have to be unique, but consider entering a description that allows users to easily identify the custom role.
- Click Add Permissions.
- Using the filter, select the following permissions:
storage.buckets.get
storage.buckets.getIAMPolicy
bigquery.tables.get
bigquery.tables.list
cloudasset.assets.listResource
Permission selection
You can use the OR operator after each selected permission to find and select all of the permissions at the same time.
- With all required permissions selected, click Add.
- Verify that the required permissions are assigned and click Create.
Create a service account
- Go to APIs & Services > Credentials.
- Click Create Credentials and select Service Account.
- Enter a service account name and ID, then click Create and Continue.
  - We recommend using a name and ID that indicate the purpose of this service account, such as InsightVM-CCA.
- In the Select a role field, select the custom role that you created in the Create a custom role procedure.
- Click Add Another Role and select the Viewer role.
- Click Done.
Create a service account key
- On the APIs & Services > Credentials page, select the service account that you created in the Create a service account procedure.
- Select Keys and click Add Key > Create new key.
- Select JSON as the key type and click Create to download your private key file.
Save the JSON key somewhere safe
Store this JSON file in a secure place: it contains the only copy of the private key, and GCP will not let you download it again. Anyone who obtains the file can authenticate as the service account and read everything its Viewer role and custom role allow, so restrict the file to the owner (for example, mode 600) and delete the key in GCP if it is ever exposed.
Sample JSON key file
```json
{
  "type": "service_account",
  "project_id": "project-id",
  "private_key_id": "key-id",
  "private_key": "-----BEGIN PRIVATE KEY-----\nprivate-key\n-----END PRIVATE KEY-----\n",
  "client_email": "service-account-email",
  "client_id": "client-id",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
}
```
- Click Close.
Configure InsightVM
Create a GCP connection
- On the Cloud Configuration page, click Add/Manage Connections.
- In the Cloud Infrastructure section, click Add.
- Enter an Account Nickname.
- This is the name of the connection within InsightVM. We recommend a nickname that identifies the GCP project being assessed, for example one that includes the GCP project name.
- Enter the following information from the Service account key (JSON file) that you downloaded during GCP setup:
- Project ID – The value for “project_id”.
- Private Key ID – The value for “private_key_id”.
- Private Key – The value for “private_key”.
- Client Email – The value for “client_email”.
- Client ID – The value for “client_id”.
- Client X509 Certificate URL – The value for “client_x509_cert_url”.
- Click Save.
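Before pasting the values into the form, it is worth confirming that the downloaded key file is intact, internally consistent, and stored with owner-only permissions. The Python script below is an added example, not Rapid7 or Google code; it uses only the standard library. It checks the same fields shown in the Sample JSON key file and returns the six values that Create a GCP connection asks for. The sample key, project name and service-account name in it are constructed, and the private-key body is dummy DER-shaped bytes rather than a real key.

```python
"""Sanity-check a GCP service-account JSON key before entering it in InsightVM.

Added example (not Rapid7 or Google code). Standard library only.
The SAMPLE_KEY at the bottom is constructed: fake project, fake account,
and a dummy private-key body that merely looks like DER.
"""
import base64
import json
import os
import re
import stat
import urllib.parse

# Fields Google writes into every service-account key file.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "client_id", "auth_uri", "token_uri",
                   "client_x509_cert_url")
# The six fields the InsightVM GCP connection form asks for.
INSIGHTVM_FIELDS = ("project_id", "private_key_id", "private_key",
                    "client_email", "client_id", "client_x509_cert_url")

PEM_RE = re.compile(
    r"^-----BEGIN PRIVATE KEY-----\n(.+?)-----END PRIVATE KEY-----\n?$", re.S)
# User-managed service accounts are NAME@PROJECT_ID.iam.gserviceaccount.com.
EMAIL_RE = re.compile(
    r"^([a-z][-a-z0-9]{5,29})@([a-z][-a-z0-9]{4,29})\.iam\.gserviceaccount\.com$")
CERT_URL_PREFIX = "https://www.googleapis.com/robot/v1/metadata/x509/"


def validate_key(key):
    """Return a list of problems with a parsed key file; empty means it looks usable."""
    problems = [f"missing or empty field: {f}" for f in REQUIRED_FIELDS if not key.get(f)]
    if problems:
        return problems  # the remaining checks need every field present
    if key["type"] != "service_account":
        problems.append(f"type is {key['type']!r}, expected 'service_account'")

    # private_key must be a PKCS#8 PEM block; its base64 body is DER, and DER
    # starts with a SEQUENCE tag (0x30). This catches truncated or mangled pastes.
    m = PEM_RE.match(key["private_key"])
    if not m:
        problems.append("private_key is not a PEM 'PRIVATE KEY' block")
    else:
        try:
            der = base64.b64decode(m.group(1).replace("\n", ""), validate=True)
            if not der or der[0] != 0x30:
                problems.append("private_key body does not decode to a DER SEQUENCE")
        except ValueError:
            problems.append("private_key body is not valid base64")

    # The email embeds the project, so it must agree with project_id.
    em = EMAIL_RE.match(key["client_email"])
    if not em:
        problems.append("client_email is not a user-managed service-account address")
    elif em.group(2) != key["project_id"]:
        problems.append(f"client_email project {em.group(2)!r} != project_id {key['project_id']!r}")

    if not key["client_id"].isdigit():
        problems.append("client_id should be numeric")

    # The x509 URL is derived from the email with '@' percent-encoded as %40.
    expected = CERT_URL_PREFIX + urllib.parse.quote(key["client_email"], safe="")
    if key["client_x509_cert_url"] != expected:
        problems.append("client_x509_cert_url does not match client_email")

    # A tampered file could redirect the OAuth token exchange; both URIs must be Google's.
    for f in ("auth_uri", "token_uri"):
        u = urllib.parse.urlparse(key[f])
        if u.scheme != "https" or not (u.hostname or "").endswith((".google.com", ".googleapis.com")):
            problems.append(f"{f} does not point at a Google OAuth endpoint: {key[f]}")
    return problems


def permission_problems(mode):
    """Problems with the key file's POSIX mode bits: only the owner should read it."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"key file is group/world accessible (mode {stat.S_IMODE(mode):04o}); chmod 600 it"]
    return []


def insightvm_fields(key):
    """The values to paste into the InsightVM form, keyed by JSON field name."""
    return {f: key[f] for f in INSIGHTVM_FIELDS}


def check_key_file(path):
    """Load a key file from disk and return content and permission problems together."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)
    return permission_problems(st.st_mode) + validate_key(key)


# Constructed sample key: same shape as the file GCP downloads, fake values throughout.
_FAKE_DER = b"\x30\x82\x01\x00" + bytes(60)           # DER SEQUENCE header plus padding, not a key
_FAKE_BODY = base64.encodebytes(_FAKE_DER).decode()   # 76-column base64 lines, like a real PEM
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "cca-demo-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\n" + _FAKE_BODY + "-----END PRIVATE KEY-----\n",
    "client_email": "insightvm-cca@cca-demo-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": CERT_URL_PREFIX + "insightvm-cca%40cca-demo-project.iam.gserviceaccount.com",
}

if __name__ == "__main__":
    print("sample key problems:", validate_key(SAMPLE_KEY))
    tampered = dict(SAMPLE_KEY, token_uri="https://attacker.example.net/token")
    print("tampered key problems:", validate_key(tampered))
    print("fields for InsightVM:", list(insightvm_fields(SAMPLE_KEY)))
```

Run it against a real download with `check_key_file("/path/to/key.json")`; an empty list means the file parsed, its fields agree with one another, the OAuth endpoints are Google's, and the mode bits keep the key owner-only. The script does not prove the private key is cryptographically valid; it only catches the common paste and tampering errors before the connection fails in InsightVM.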