GCP Cloud connector - Documentation for BMC Helix Cloud Security

This topic describes how to onboard the GCP Cloud connector, which gathers data from GCP services and performs compliance and risk assessment on those assets.

Onboarding the GCP Cloud connector involves the following steps:

Understanding the GCP cloud connector

The GCP cloud connector enables you to gather data about the following GCP resources:

IAM
Networks
Virtual Machines
Service Accounts
DNS
KMS
Projects
GKE

License utilization

The following resources consume a product license:

Google Compute Engine
Google Cloud Kubernetes/Google Kubernetes Engine

Completing prerequisites

Go to to IAM
Click on service account page
Create a Service Account
Assign the role having minimum permissions for GCP cloud connector. This can be done only after creating a role as illustrated in Minimum Permissions for GCP Connector.
Refer to the following screenshot:
While creating the service account, create a key and download the JSON file.[This json file would be needed while onboarding the connector]
Also enable API services for below mentioned modules.
- Cloud Resource API
- IAM API
- Cloud SQL API

Onboarding the GCP cloud connector

Log in to Cloud Security with your registered credentials.
Select Configure icon > Connectors.
Click Add Connector.
Under Connector Type > Cloud Based Connectors (Hosted), click GCP Cloud Connector and then click Continue.
In the Name your connector field, specify a name for the connector.
This name must be unique and must not have already been created.
If the name entered is not already displayed on the Manage Connectors page, a green check mark and available label appear next to the field.
Specify the GCP client email and GCP private key for the project to be scanned from the JSON file which was downloaded while creating the service account.
GCP client email refers to the user email ID that corresponds to the user's Google Cloud Platform. The user can copy the GCP client email and GCP Private key from the downloaded JSON file and paste itin the Configure Connector page. While copying the client email and private key, it is important to avoid copying unnecessary punctuations accidentally. This means the client email ID will not be enclosed in quotation marks and the private key will start and end as follows:
-----BEGIN PRIVATE KEY ... \n
Select the method for triggering collection cycles from the Collection Mode menu:
1. On Demand. Enables on-demand scanning.
2. Scheduled. Specifies the hours or minutes for which GCP resources will be periodically collected and evaluated.Click Continue.

9. Click Continue.

10. The connector is available in Cloud Security and the policies can be evaluated on the schedule you have set.

This single policy will also cover : IAM, Networks, Virtual Machines, ServiceAccountKeys, DNS, KMS, Projects, GKE.

11. As soon as the connector begins sending data, it displays in the 'Running' state, as illustrated in the below screen.

It then collects the data and begins publishing it back to Cloud Security

CIS Benchmark Mapping

Following policies were developed based on CIS benchmark released on 9th May 2018.
CIS Google Cloud Platform Foundation Benchmark (This single policy will also cover : IAM, Networks, Virtual Machines, ServiceAccountKeys, DNS, KMS, Projects, GKE)
'This Policy is created based on the recommended settings defined by Google Cloud Platform Foundation v1.0.0, published on 9 may 2018.'

Please refer to the below screenshot.

Resource Types:

Below are the resource types that are supported for GCP Cloud Connector: