Contents x
    GCP - Security Command Center
    • 7 Minutes to read
    • Print
    • PDF
    Contents

    GCP - Security Command Center

    • 7 Minutes to read
    • Print
    • PDF
    Article Summary

    About this document

    This document provides a step-by-step guide to onboard the GCP - Security Command Center into SAFE via UI.

    Introduction

    SAFE allows you to onboard and assess your GCP - Security Command Center assets. SAFE admins can configure the GCP integration in SAFE from the GCP - Security Command Center card availabe on the SAFE Hooks page.

    GCP configuration in SAFE in a 3-step process:

    • Generate connection details from the GCP console.

    • Enter and save connection details in SAFE.

    • Start assessment and view results in SAFE.

    Info

    Please refer to the GCP onboarding via SAFE REST APIs for advanced integration.

    Prerequisites

    To configure GCP - Security Command Center in SAFE, you need the following privileges:

    • The user must have the SAFE Admin Role.

    • The user must have the Admin Role in the GCP console.

    Notes

    SAFE utilizes REST APIs to establish a connection with the GCP security command center and retrieve recommendations. To ensure the successful configuration of authentication and assessment, SAFE necessitates the use of REST APIs connecting through a workload identity federation pool in GCP. SAFE will retrieve and display recommendations for the GCP assets in the Cloud-GCP technology group.

    1. Generate connection details from the GCP console

    1.1. Create a Project

    1. Log in to the Google Cloud Platform console at https://console.cloud.google.com.


    2. Click the dropdown menu at the top of the page. (To the right of where it says "Google Cloud")

    3. In the pop-up, click the NEW PROJECT button in the top right.

    4. Enter a Project name

      • For example: "SAFE Integration"

    5. Select the Organization and Location.

      Location

      When creating the project, you can put the project anywhere as per your company's convention. However, while setting up the permissions, the project must go in at the Organization level. 

    6. Click the CREATE button.

    7. After the project is created, there will be a pop-in with a link to open the project. Click that link or select the project in the drop-down at the top to move to the next step.

    1.2. Enable API Services

    1. Click the navigation menu available at the top left corner of the screen.

    2. Navigate to APIs & Services > Library.

      Option may be hidden

      If the APIs & Services option is not pinned, click the "View all products" option and scroll down to find the APIs & Services option.

    3. Search for Security Command Center API and click on Security Command Center API from the search results.


    4. Click the ENABLE button to enable the API for this project. 

      1. Once the process completes, it can be verified by revisiting the page. 

      2. The page displays the label "API Enabled."

    5. This process needs to be repeated for all 4 or the required APIs.

      1. Security Command Center API (Completed above)

      2. Cloud Resource Manager API

      3. Security Token Service API

      4. IAM Service Account Credentials API

    6. To verify that all the required APIs have been enabled, go to the Enabled APIs & services page and check the table at the bottom of the page for the names of these 4 APIs.

    1.3. Create a custom role

    We need to create a custom IAM role at the organization level that can be assigned to the service account of the project used for SAFE to enable SAFE to read the organization’s Security Command Center findings.

    1. Click the navigation menu available at the top left corner of the screen.

    2. Navigate to IAM and admin > IAM.

    3. On the IAM and admin page, click the drop-down at the top and ensure the parent Organization is selected.

      Organization level

      If the role is created in the wrong location, then this integration will not work. The role must be configured at the Organization level. This is so that the permissions are inherited, and SAFE will be able to retrieve the information required. If the role is created inside the Project, then the assessments will not work.

    4. Click Roles from the left navigation bar.

    5. Click the CREATE ROLE button at the top to create a custom role. 

    6. On the Create role page:

      • Enter a Title for the role.

      • Change the ID if needed.

      • Click the ADD PERMISSIONS button.


    7. In the Add permissions pop-up, enter the following list in the filter box one by one. Select the checkbox in the search result for the matching result(s), then click the ADD button. Repeat the process for each permission:

      1. resourcemanager.organizations.get

      2. resourcemanager.projects.get

      3. securitycenter.assets.list

      4. securitycenter.findings.list

      5. securitycenter.securityhealthanalyticssettings.calculate

        Quick tip

        To save time opening a new pop-up for each item, you can use an OR operator to add all the options at once.

    8. Once all the permissions mentioned in the previous step are added, click the CREATE button.

    9. The new role will now be visible under the list of roles on the IAM Roles page at https://console.cloud.google.com/iam-admin/roles under the Organization view.

    1.4. Create a Service Account

    Please note:

    Change the project created for SAFE (refer section 1.1) from the drop-down at the top. The goals of this step is to create a service account under SAFE’s project and link it back to the role created earlier in section 1.3 at the org level

    1. Click the navigation menu available at the top left corner of the screen.

    2. Navigate to IAM and admin > IAM.

    3. At the top, click the CREATE SERVICE ACCOUNT button.

    4. Enter a name for the service account and click CREATE AND CONTINUE.

    5. Under the Grant this service account access to the project sectionselect the custom role created previously from the drop-down, and then click CONTINUE.

    6. Under Grant users access to this service account, click DONE to complete the process. 

    7. Copy the value for Email as you will need this later.

    8. Click IAM in the left navigation bar.

    9. At the top of the table, make sure View by: PRINCIPALS is selected and not ROLES.

    10. Click the drop-down at the top and ensure the parent Organization is selected.

    Please note:

    Change the organization to the parent organization for the next steps.

    1. At the top of the page, click the ADD button.

    2. Enter the email from step 7 in the New principals field (You can also type and search for it if you prefer).

    3. Under Role, select the role created earlier in section 1.3.

    4. Click the SAVE button. 

    1.5. Create a Workload Identity Federation Pool

    1. Click the drop-down at the top and select the project you created for SAFE

    2. Click the navigation menu available at the top left corner of the screen.

    3. Navigate to IAM and admin > Workload Identity Federation

    4. Click the GET STARTED button.

    5. Enter a Name and Description.

      • Make sure that the Enabled Pool switch is enabled. 

    6. Click the CONTINUE button.

    7. In the Select a provider drop-down, select AWS.

    8. Enter a Provider name and Provider ID.

    9. Enter the Safe AWS Account ID as the AWS account ID.

      • You can access this ID by going to the private knowledge base article here.

      • To access this link, you will require a login to the Safe Helpdesk.

        Do not use your own AWS ID

        This is the Safe AWS ID. This is required to grant access from the Safe AWS infrastructure into your GCP account. Using any other AWS account ID here will result in the integration failing.

    10. Click the CONTINUE button.

    11. Under Configure provider attributes, click on EDIT MAPPING to display the additional settings

    12. Change the value in the AWS box that maps with google.subject to "safe". Also, keep the default value in the AWS box that maps with attribute.aws_role, the value should be assertion.arn.contains('assumed-role') ? assertion.arn.extract('{account_arn}assumed-role/') + 'assumed-role/' + assertion.arn.extract('assumed-role/{role_name}/') : assertion.arn

      In this example, this is shown as Google 1 mapping to AWS 1 and Google 2 mapping to AWS 2.

    13. Click the SAVE button. 

    14. On the next page, at the top, click GRANT ACCESS. 

    15. In the "Grant access to service account" pop-up, select the service account that was created in 1.4, choose subject as Attribute name, enter safe as the Attribute Value and then click on SAVE.

    16. On the following pop-up, select the Provider you configured in step 8 and click on the DOWNLOAD CONFIG button to save the WIF file to your local disk.

    17. Once downloaded, click the DISMISS button to close the pop-up.

    1.6. Find the connection Details

    1. Take the content of the WIF file that was downloaded in the previous step and replace everything in the "config" section. 

    2. This is the value for the connection details for your GCP Organization. It is not in the WIF file you downloaded, so you will need to find this value separately and add it in.

    Example

    {
    "type": "cloud",
    "subtype": "gcp",
    "config": {
        "organizationIds": [
            "your GCP Org ID goes here"
        ],
        "type": "external_account",
        "audience": "//iam.googleapis.com/projects/684949267137/locations/global/workloadIdentityPools/safe-integration-pool/providers/safe-provider",
        "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
        "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/safe-service-account@safe-integration-358814.iam.gserviceaccount.com:generateAccessToken",
        "token_url": "https://sts.googleapis.com/v1/token",
        "credential_source": {
            "environment_id": "aws1",
            "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
            "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
            "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
        }
    }
}

    2. Enter and save connection details in SAFE

    1. Navigate to SAFE Hooks.

    2. Click the GCP card.

    3. On the configuration page, enter the connection details we generated in Step 1 and the auto-sync frequency.

    4. Click the Test Connection button.

    5. Once the connection is verified, Click the Save button. 

    6. Click the Sync Now button to start the assessment.

    GCP Configuration

    3. View results in SAFE

    After a successful sync, the GCP - Security Command Center assets are automatically imported into SAFE.

    To view the assets pulled from GCP - Security Command Center:

    1. Click the See Updated Assets button available at the top-right of the History table.

    2. The system displays a filtered list of assets pulled from GCP - Security Command Center.

    GCP Configuration


    To view the findings:

    Note

    To view findings related to assets, they should be assigned to at least one group and its associated risk scenarios. The Findings view on the Risk Scenario page will present the findings list along with their respective details.

    1. Navigate to the Risk Scenario created for the GCP - Security Command Center assets.

    2. Scroll down to the Findings section. Here you can see the finding details of the GCP - Security Command Center assets.


    Import Labels from Google Cloud Platform (GCP) into SAFE

    Refer to the Import Azure Tags and GCP Labels in SAFE.


    Was this article helpful?
    What's Next