Google Cloud Platform (GCP)
  • 12 Minutes to read
  • PDF

Google Cloud Platform (GCP)

  • PDF

About this document


This document provides the step-by-step procedure to onboard your Google Cloud Platform in SAFE.

SAFE GCP Compatibility
SAFE currently supports Configuration Assessment for GCP Security Command Center Premium. Using SAFE with GCP Standard Security Command Center will result in false positives being returned which may artificially inflate your SAFE score.

Introduction


SAFE allows you to onboard and access the Google Cloud Platform (GCP) assets. SAFE admins can configure the GCP in SAFE using SAFE REST APIs.

GCP onboarding in SAFE is a 3 step process. Upon successful configuration, SAFE automatically onboards the GCP assets under the "Cloud - GCP" vertical and assess them.

GCP Onboarding Flow

Prerequisite


To configure the GCP with SAFE you need the following privileges:

  • The user must have the SAFE Admin Role.
  • The user must have the Admin Role in the GCP console.

1. Set up a Workload Identity Federation (WIF) Pool

Follow the below step-by-step procedure to set up a Workload Identity Federation (WIF) Pool.

1.1. Create a Project

  1. Log in to the Google Cloud Platform console at https://console.cloud.google.com.
    GCP1(1)
  2. Click the dropdown menu available at the top left of the page located between the Google Cloud Platform label and the search bar.
  3. The system opens a pop-up that lists the hierarchical structure of the organization and all the existing folders and projects within it. 
  4. Click the New Project button.
    GCP2
  5. Enter the Project name. For easy identification, you can keep the name SAFE Security.
  6. Select the Organization and Location
  7.  Click the Create button.
    GCP3

1.2. Enable API Services on the Project

  1. On the Project’s dashboard, click the options menu available at the top left corner.
  2.  In the left options menu, scroll down and click the option APIs & Services.
    GCP4
    GCP5
  3. On the APIs and Services dashboard, click on Enable APIs and Services. The system opens the APIs library.
    GCP6
  4. Search the Security Command Center API and click the Security Command Center API from the search results.
    GCP7
  5. Click the Enable button to enable the API. Once the process completes, it can be verified by revisiting the page. The page displays the label "API Enabled".GCP8
  6. Follow the above steps to enable the following APIs.
    1. Resource Manager API
    2. Security Token Service API
    3. IAM Service Account Credentials API
  7. To verify that all the required APIs have been enabled, go to the APIs & Services dashboard and check the table at the bottom of the page for the names of these four APIs.
    GCP9

1.3. Create a custom role for the Service Account

We need to create a custom IAM role at the organization level that can be assigned to the SAFE Project’s service account to enable SAFE to access/fetch the organization’s Security Command Center findings.

  1. On the Project’s dashboard, click the left navigation and scroll down to IAM & Admin.
  2. On the IAM & Admin page, click the drop-down at the top-left and select the parent organization’s name. This will open the Organization level IAM view and the principal users on it.
    GCP10
  3. Click the Roles from the left navigation bar. All the roles currently assigned to users in the organization will be listed on this page.
    GCP11
  4. Click the Create Role button to create a custom role. On the Create Role page, assign a name to the new custom role and then scroll down to click on ADD PERMISSIONS.GCP12
  5. In the add permissions pop up, enter permission resourcemanager.projects.get in the filter box, select the checkbox in the search result for the same permission name and then click the ADD button. Repeat the process to add the below permissions:
    1. securitycenter.assets.list
    2. securitycenter.findings.list
    3. resourcemanager.organizations.getGCP13
  6. Once all four permissions mentioned in the previous step are added, click the Create button.GCP14
  7. The new role will now be visible under the list of roles on the IAM Roles page at https://console.cloud.google.com/iam-admin/roles for the Organization’s view.

1.4. Create a Service Account

  1. From the Project’s dashboard, click on the left navigation bar and scroll down to IAM & Admin.
  2. Click the Service Accounts from the left navigation bar then click the Create Service Account button.
    GCP15
  3. Enter a name for the service account and click the Create and Continue button.
    GCP16
  4. Under the "Grant this service account access to project" sectionselect the custom role created from the drop-down and then click the Continue button.GCP17
  5. Click the Done button to complete the process. The new service account should be present under the list of service accounts for the project at https://console.cloud.google.com/iam-admin/serviceaccounts.
  6. Assign the custom role at the organization level, so that the service account can use the permissions of this role for all the projects in the organization through inheritance.
  7. Click the IAM in the left navigation bar to go to the IAM principals table and select the organization view from the drop-down menu.
  8. Click the Add button, enter the service account’s complete address in the New principals field, and then select it. Subsequently, select the custom role created earlier in the Role drop-down.
    GCP18
  9. Click the Save button. The system displays the new service account in the table of IAM principals for the organization at https://console.cloud.google.com/iam-admin/iam.

1.5. Create a WIF (Workload Identity Federation) Pool and Identity Provider

  1. On the project’s dashboard, navigate to the IAM & Admin > Workload Identity Federation from the left options menu.
  2. If no Identity Pools are configured, the system displays the instructions to create a Workload Identity Pool.
  3. Click the Get Started button.
    GCP19
  4. Enter Name and Description. 
  5. Make sure that Enable Pool button is enabled. Click the Continue button.GCP20
  6. Add a provider to the pool. Example: For AWS, select the provider as AWS from the drop-down, and enter the Provider name and AWS account ID.  
  7. Click the Continue button.
    GCP21(1)
  8. Under the Configure provider attributes section, change the value of google.subject field to "safe". 
  9. Click Save. GCP22
  10. The system creates a new identity pool with the identity provider configured. 
  11. On the next page, click Grant Access. 
  12. On the "Grant access to service account" pageselect the service account which was created earlier and click Save.GCP23
  13. Clicking the Save opens a pop-up. Here you can download the configuration file which can be used to configure the authentication in the external application.
    GCP24

2. Configuring GCP using SAFE REST APIs


2.1. Go to the SAFE REST APIs

  1. Login in SAFE.
  2. Click the help icon available at the top-right corner of the dashboard.
  3. Click the SAFE APIs option. The system opens the SAFE APIs in a new tab.
    Accessing SAFE REST APIs

2.2. Test if SAFE can connect with the GCP Console

Before configuring a GCP instance with SAFE, we need to make sure that we can connect to the GCP console instance from SAFE. To do that we need to use POST <SAFE_URL>/api/v3/integrations/test.

{
  "type": "cloud",
  "subtype": "gcp",
  "config": {
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/600979130618/locations/global/workloadIdentityPools/a-team/providers/a-team",
    "token_url": "https://sts.googleapis.com/v1/token",
    "organizationIds": [
      "5555555555"
    ],
    "credential_source": {
      "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
      "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
      "environment_id": "aws1",
      "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
    },
    "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken"
  }
}

Details of payload arguments

  1. type: The type of Integration configuration being saved. For GCP, this value defaults to “cloud”.
  2. subtype: The tool name for Integration configuration being saved. For GCP, this value defaults to “gcp”.
  3. config: The configuration properties allow SAFE to connect to GCP. 
    1. Inside the config, the entire WIF config needs to be passed.
    2. organizationIds - the GCP organization ID of the organization to be configured.

Response

On a successful test connection, a 200 OK status response would be returned with the following response body.

{
  "success": true,
  "message": "Test connection success"
}

2.3. Configure GCP to SAFE

Once the credentials are tested using the test connection API; to create a new instance of GCP integration within SAFE, we need to use the POST <SAFE_URL>/api/v3/integrations.

Details of payload arguments

  1. type: The type of Integration configuration being saved. For GCP, this value defaults to “cloud”.
  2. subtype: The tool-name for Integration configuration being saved. For GCP, this value defaults to “gcp”.
  3. config: The configuration properties allow SAFE to connect to GCP:
    1. Inside the config, the entire WIF config needs to be passed.
    2.  organizationIds - the GCP organization ID of the organization to be configured.
    3. autoSync - The period (in the number of days) after which SAFE automatically connects to GCP to fetch the updated GCP findings for assets. Any period between 1 day and 30 days can be specified.
    4. sensitiveFields: SAFE allows the flexibility for the user to select any fields which they want to store as encrypted in the SAFE DB. By providing the field names as an array of strings as input, the specified fields will be stored as encrypted (eg. ["audience", "organizationIds"]).

Sample

{
  "type": "cloud",
  "subtype": "gcp",
  "config": {
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/600979130618/locations/global/workloadIdentityPools/a-team/providers/a-team",
    "autoSync": 1,
    "token_url": "https://sts.googleapis.com/v1/token",
    "organizationIds": [
      "5555555555"
    ],
    "sensitiveFields": [],
    "credential_source": {
      "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
      "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
      "environment_id": "aws1",
      "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
    },
    "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken"
  }
}


Response

On a successful save of the new configuration, a 200 OK status response should be returned with the following response body.

{
  "success": true,
  "message": "Integration configuration saved successfully.",
  "data": {
    "id": 1
  }
}

The data.id  field signifies the Integration configuration’s instance_id which will be used for all operations over this saved configuration.

Viewing All supported operations for GCP Integration

To check what operations can be performed over a stored configuration in this case for type= cloud and subtype= gcp we can use GET <SAFE_URL>/api/v3/integrations/details?type=cloud&subtype=gcp. This will return a list of the fields that are needed to configure GCP integration and supported actions and their description for GCP.

[
  {
    "type": "cloud",
    "subtype": "gcp",
    "configSchema": {
      "type": {
        "type": "string",
        "required": true,
        "description": "This identifies the new type of credential object. This must be 'external_account'"
      },
      "audience": {
        "type": "string",
        "required": true,
        "description": "This is the STS audience which contains the resource name for the workload identity pool and the provider identifier in that pool"
      },
      "autoSync": {
        "type": "number",
        "required": false,
        "description": "auto sync frequency in days"
      },
      "token_url": {
        "type": "string",
        "required": true,
        "description": "This is the STS token exchange endpoint"
      },
      "organizationIds": {
        "type": "array",
        "items": "string",
        "required": true,
        "description": "This is the array of organizationIds to sync the data from"
      },
      "credential_source": {
        "url": {
          "type": "string",
          "required": false,
          "description": "This AWS metadata server URL should be used to retrieve the access key, secret key and security token needed to sign the GetCallerIdentity request"
        },
        "region_url": {
          "type": "string",
          "required": true,
          "description": "This URL should be used to determine the current AWS region needed for the signed request construction"
        },
        "environment_id": {
          "type": "string",
          "required": true,
          "description": "This is the environment identifier, of format aws${version}. A version should be specified to indicate to the auth library whether breaking changes were introduced to the underlying AWS implementation. So if aws1 is supported in the current version of the library but a credential file with aws2 is provided, an error should be thrown instructing the developer to upgrade to a newer version of the library"
        },
        "regional_cred_verification_url": {
          "type": "string",
          "required": true,
          "description": "This defines the regional AWS GetCallerIdentity action URL. This URL should be used to determine the AWS account ID and its roles. This should not actually be called by the Auth libraries. It should be called on the STS token server. The region should be substituted by SDK, e.g. sts.eu-west-1.amazonaws.com"
        }
      },
      "subject_token_type": {
        "type": "string",
        "required": true,
        "description": "This is the STS subject token type based on the OAuth 2.0 token exchange spec"
      },
      "service_account_impersonation_url": {
        "type": "string",
        "required": false,
        "description": "This is the URL for the service account impersonation request"
      }
    },
    "actions": [
      {
        "name": "sync",
        "description": "This action is used to sync data from the GCP to SAFE"
      },
      {
        "name": "test",
        "description": "This action is used to test the connection for the GCP"
      },
      {
        "name": "enable",
        "description": "This action is to enable integration instance"
      },
      {
        "name": "disable",
        "description": "This action is to disable integration instance"
      }
    ]
  }
]


2.4. Perform an action over a saved GCP configuration

Using the instance_id which was retrieved on saving a configuration to SAFE DB, we can now perform operations specific to the GCP Integration. To perform any action, we simply need to POST <SAFE_URL>/api/v3/integrations/:instance_id?action={action}. Replace :instance_id with the id of the GCP configuration and {action} you want to perform.

Perform manual sync of assessment results from GCP SCC

Using a saved configuration to sync the assessment results from GCP, we simply need to do a POST <SAFE_URL>/api/v3/integrations/:instance_id?action=sync. This will trigger a sync in the background and will start populating the assessment results and bring in all the new assets scanned by GCP SCC.

2.5. Checking the Sync status for GCP Integration

To view the information related to any saved configuration, use GET /integrations/:instance_id. It will return all config fields except the fields which are encrypted using the sensitiveFields array. It will also return the information regarding the config state and the current sync status.

{
  "id": 31,
  "type": "cloud",
  "subtype": "gcp",
  "config": {
        "type": "external_account",
        "audience": "//iam.googleapis.com/projects/600979130618/locations/global/workloadIdentityPools/a-team/providers/a-team",
        "autoSync": 1,
        "token_url": "https://sts.googleapis.com/v1/token",
        "organizationIds": [
          "5555555555"
        ],
        "sensitiveFields": [],
        "credential_source": {
          "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
          "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
          "environment_id": "aws1",
          "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
        },
        "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
        "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken"
      ,
   "state": {
     "status": 0,
     "newAssets": 0,
     "lastScanTime": "2022-04-02T04:31:47.380Z",
     "lastCronTriggerTs": "2022-04-14T04:30:05.449Z",
     "lastScanTriggerTs": "2022-04-14T04:30:05.449Z",
     "lastScanCompletionTs": "2022-04-14T04:31:37.503Z"
   },
   "isEnabled": true
  }
}

These are all the possible statuses and what each one of them means:

StatusMeaning
0Success
1In Progress
2Error
3Partial success

2.6. Get all configured Integrations

To view the information related to all saved configurations GET /integrations can be used. It will return all config fields except the fields which are encrypted using the sensitiveFields array. It will also return the information regarding the current state of each configured integration instance.

The GET /integrations API takes in a few query parameters to help filter the information:

  1. page: Pagination parameter for the page number.
  2. pagelen: Number of items to be displayed per page. (Default is 100)
  3. id: Filter the results using integration instance id. Using this filter will return only one item as the id is unique for each integration instance.
  4. type: Filter the results using the integration type eg., cloud. This will return integration configuration instances for any integration which can be qualified as a cloud.
  5. subtype: Filter the results using the integration subtype eg., gcp. This will return all integration configuration instances which have a subtype value gcp.

Response

{
  "page": 1, // the page number for which the results are displayed
  "pagelen": 100, // max items per page
  "previous": null, // previous page url, if not the first page
  "next": null, // next page url, if not the last page
  "size": 1, // total number of items across all pages qualifying the filter criteria
  "values": [ // an array of items corresponding to the page
    {
      "id": 1,
      "type": "cloud",
      "subtype": "gcp",
      "config": {
        "url": "https://www.example.url/",
        "username": "username",
        "sensitiveFields": [
          "password"
        ],
        "autoSyncFrequency": 1,
        "shouldImportAssets": true,
        "assetMatchingCriteria": [
          "asset_name",
          "ip_address",
          "mac_address"
        ]
      },
      "state": null,
      "isEnabled": true
    }
  ]
}

2.7. Delete a stored integration

To delete a stored integration instance from SAFE, you need to send a request to DELETE /integration/:instance_id. This will delete the integration instance and all stored credentials corresponding to that instance from SAFE. 

3. View assessment result


Once the GCP configuration is successfully established, SAFE automatically adds the GCP assets under the Cloud- GCP vertical under Technology >  Inside-out.

To view the assessment result of GCP assets:

  1. Log in to SAFE 
  2. Navigate to the Technology >  Inside-out.
  3. Click the Cloud - GCP vertical on the Inside out dashboard.
  4. The system displays the GCP assets and their assessment result on this page. 
    GCP1

FAQs


1. Where do I get the organization ID and the WIF config to configure SAFE with?

Ans: 

2. What assessment do we perform on GCP assets?

Ans: SAFE does not perform any native assessment of GCP assets. It pulls in the vulnerabilities from Security Command Center and maps those findings to Configuration Assessment controls in SAFE.

3. How does SAFE map GCP Security Command Centre responses to SAFE control status?

Ans: The status mapping is as follows:

  • ACTIVE in GCP translates to Failed in SAFE
  • INACTIVE in GCP translates to Qualified in SAFE
  • If a finding is marked as MUTED in Security Command Center, the corresponding control is marked as Accepted Failed in SAFE.



Was this article helpful?