GCP
  • 7 Minutes to read
  • PDF

GCP

  • PDF

Article summary

About this document



This document provides a step-by-step guide to onboard the Google Cloud Platform into SAFE via UI.

Introduction



SAFE allows you to onboard and assess your Google Cloud Platform (GCP) assets. SAFE admins can configure the GCP integration in SAFE from the Google Cloud Platform card availabe on the SAFE Hooks page.

GCP configuration in SAFE in a 3-step process:

  • Generate connection details from the GCP console.

  • Enter and save connection details in SAFE.

  • Start assessment and view results in SAFE.

Info

Please refer to the GCP onboarding via SAFE REST APIs for advanced integration.

Prerequisites


To configure GCP in SAFE, you need the following privileges:

  • The user must have the SAFE Admin Role.

  • The user must have the Admin Role in the GCP console.

Notes

SAFE utilizes REST APIs to establish a connection with the GCP security command center and retrieve recommendations. To ensure successful configuration of authentication and assessment, SAFE necessitates the use of REST APIs connecting through a workload identity federation pool in GCP. SAFE will retrieve and display recommendations for the GCP assets in the Cloud-GCP technology group.

1. Generate connection details from the GCP console

1.1. Create a Project

  1. Log in to the Google Cloud Platform console at https://console.cloud.google.com.


  2. Click the dropdown menu at the top of the page. (To the right of where it says "Google Cloud")

  3. In the pop-up, click the NEW PROJECT button in the top right.

  4. Enter a Project name

    • For example: "SAFE Integration"

  5. Select the Organization and Location.

    Location

    When creating the project, you can put the project anywhere as per your company's convention. However, while setting up the permissions, the project must go in at the Organization level. 

  6. Click the CREATE button.

  7. After the project is created, there will be a pop-in with a link to open the project. Click that link or select the project in the drop-down at the top to move to the next step.

1.2. Enable API Services

  1. Click the navigation menu available at the top left corner of the screen.

  2. Navigate to APIs & Services > Library.

    Option may be hidden

    If the APIs & Services option is not pinned, click the "View all products" option and scroll down to find the APIs & Services option.

  3. Search for Security Command Center API and click on Security Command Center API from the search results.


  4. Click the ENABLE button to enable the API for this project. 

    1. Once the process completes, it can be verified by revisiting the page. 

    2. The page displays the label "API Enabled."

  5. This process needs to be repeated for all 4 or the required APIs.

    1. Security Command Center API (Completed above)

    2. Cloud Resource Manager API

    3. Security Token Service API

    4. IAM Service Account Credentials API

  6. To verify that all the required APIs have been enabled, go to the Enabled APIs & services page and check the table at the bottom of the page for the names of these 4 APIs.

1.3. Create a custom role

We need to create a custom IAM role at the organization level that can be assigned to the service account of the project used for SAFE to enable SAFE to read the organization’s Security Command Center findings.

  1. Click the navigation menu available at the top left corner of the screen.

  2. Navigate to IAM and admin > IAM.

  3. On the IAM and admin page, click the drop-down at the top and ensure the parent Organization is selected.

    Organization level

    If the role is created in the wrong location, then this integration will not work. It is mandatory that the role is configured at the Organization level. This is so that the permissions are inherited, and SAFE will be able to retrieve the information required. If the role is created inside the Project, then the assessments will not work.

  4. Click Roles from the left navigation bar.

  5. Click the CREATE ROLE button at the top to create a custom role. 

  6. On the Create role page:

    • Enter a Title for the role.

    • Change the ID if needed.

    • Click the ADD PERMISSIONS button.


  7. In the Add permissions pop-up, enter the following list in the filter box one by one. Select the checkbox in the search result for the matching result(s), then click the ADD button. Repeat the process for each permission:

    1. resourcemanager.organizations.get

    2. resourcemanager.projects.get

    3. securitycenter.assets.list

    4. securitycenter.findings.list

    5. securitycenter.securityhealthanalyticssettings.calculate

      Quick tip

      To save time opening a new pop-up for each item, you can use an OR operator to add all the options at once.

  8. Once all the permissions mentioned in the previous step are added, click the CREATE button.

  9. The new role will now be visible under the list of roles on the IAM Roles page at https://console.cloud.google.com/iam-admin/roles under the Organization view.

1.4. Create a Service Account

Please note:

Change the project created for SAFE (refer section 1.1) from the drop-down at the top. The goals of this step is to create a service account under SAFE’s project and link it back to the role created earlier in section 1.3 at the org level

  1. Click the navigation menu available at the top left corner of the screen.

  2. Navigate to IAM and admin > IAM.

  3. At the top, click the CREATE SERVICE ACCOUNT button.

  4. Enter a name for the service account and click CREATE AND CONTINUE.

  5. Under the Grant this service account access to the project sectionselect the custom role created previously from the drop-down and then click CONTINUE.

  6. Under Grant users access to this service account, click DONE to complete the process. 

  7. Copy the value for Email as you will need this later.

  8. Click IAM in the left navigation bar.

  9. At the top of the table, make sure View by: PRINCIPALS is selected and not ROLES.

  10. Click the drop-down at the top and ensure the parent Organization is selected.

    Please note:

    Change the organization to the parent organization for the next steps.

  11. At the top of the page, click the ADD button.

  12. Enter the email from step 7 in the New principals field (You can also type and search for it if you prefer).

  13. Under Role, select the role created earlier in section 1.3.

  14. Click the SAVE button. 

1.5. Create a Workload Identity Federation Pool

  1. Click the drop-down at the top and select the project you created for SAFE

  2. Click the navigation menu available at the top left corner of the screen.

  3. Navigate to IAM and admin > Workload Identity Federation

  4. Click the GET STARTED button.

  5. Enter a Name and Description.

    • Make sure that the Enabled Pool switch is enabled. 

  6. Click the CONTINUE button.

  7. In the Select a provider drop-down, select AWS.

  8. Enter a Provider name and Provider ID.

  9. Enter the Safe AWS Account ID as the AWS account ID.

    • You can access this ID by going to the private knowledge base article here.

    • To access this link, you will require a login to the Safe Helpdesk.

      Do not use your own AWS ID

      This is the Safe AWS ID. This is required to grant access from the Safe AWS infrastructure into your GCP account. Using any other AWS account ID here will result in the integration failing.

  10. Click the CONTINUE button.

  11. Under Configure provider attributes, click on EDIT MAPPING to display the additional settings

    1. Change the value in the AWS box that maps with google.subject to "safe". Also, keep the default value in the AWS box that maps with attribute.aws_role, the value should be assertion.arn.contains('assumed-role') ? assertion.arn.extract('{account_arn}assumed-role/') + 'assumed-role/' + assertion.arn.extract('assumed-role/{role_name}/') : assertion.arn

      In this example, this is shown as Google 1 mapping to AWS 1 and Google 2 mapping to AWS 2.

  12. Click the SAVE button. 

  13. On the next page, at the top, click GRANT ACCESS. 

  14. In the "Grant access to service account" pop-up, select the service account that was created in 1.4, choose the subject as the Attribute name, enter safe as the Attribute Value and then click on SAVE.

  15. On the following pop-up, select the Provider you configured in step 8 and click on the DOWNLOAD CONFIG button to save the WIF file to your local disk.

  16. Once downloaded, click the DISMISS button to close the pop-up.

1.6. Find the connection Details

  1. Take the content of the WIF file that was downloaded in the previous step and replace everything in the "config" section. 

  2. This is the value for the connection details for your GCP Organization. It is not in the WIF file you downloaded, so you will need to find this value separately and add it in.

Example

{
    "type": "cloud",
    "subtype": "gcp",
    "config": {
        "organizationIds": [
            "your GCP Org ID goes here"
        ],
        "type": "external_account",
        "audience": "//iam.googleapis.com/projects/684949267137/locations/global/workloadIdentityPools/safe-integration-pool/providers/safe-provider",
        "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
        "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/safe-service-account@safe-integration-358814.iam.gserviceaccount.com:generateAccessToken",
        "token_url": "https://sts.googleapis.com/v1/token",
        "credential_source": {
            "environment_id": "aws1",
            "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
            "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
            "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
        }
    }
}

2. Enter and save connection details in SAFE

  1. Navigate to SAFE Hooks.

  2. Click the GCP card.

  3. On the configuration page, enter the connection details we generated in Step 1 and the auto-sync frequency.

  4. Click the Test Connection button.

  5. Once the connection is verified, Click the Save button. 

  6. Click the Sync Now button to start the assessment.

GCP Integration Made easy(1)

3. View results in SAFE


After the integration is completed and the first sync and assessment have taken place, SAFE automatically adds the assets from GCP into SAFE. 

To view the result

  1. Go to the Risk Scenario page and click the GroupRisk Tab.

  2. Click the Cloud GCP Risk scenario from the list.

  3. The Cloud GCP Risk scenario page displays the breach likelihood trend, actionable insights, ATT&CK mapping, control view, and attack surface view.

    GCP Risk


Import Labels from Google Cloud Platform (GCP) into SAFE


Refer to Import Labels from Google Cloud Platform (GCP) into SAFE.


Was this article helpful?