GCP Compliance Audits
ThreatDefence's GCP integration provides best practice assessments, audits, incident response, continuous monitoring, hardening and forensics readiness, and also offers remediations.
Prerequisites
ThreatDefence requires the following permissions to scan Google Cloud:
IAM Roles
- Reader (roles/reader) – Must be granted at the project, folder, or organization level to allow scanning of target projects.
Project-Level Settings
At least one project must have the following configurations:
- Identity and Access Management (IAM) API (iam.googleapis.com) – Must be enabled via:
  - The Google Cloud API UI, or
  - The gcloud CLI:
    gcloud services enable iam.googleapis.com --project <your-project-id>
- Service Usage Consumer (roles/serviceusage.serviceUsageConsumer) IAM Role – Required for resource scanning.
- Quota Project Setting – Define a quota project using:
  - The gcloud CLI:
    gcloud auth application-default set-quota-project <project-id>
Step 1: Configure the Service Account
ThreatDefence uses a service account to perform scans. ThreatDefence will scan all projects available to the service account. Follow these steps to create and configure the service account:
- Create a Service Account:
  - Navigate to the Google Cloud Console.
  - Go to IAM & Admin > Service Accounts.
  - Click Create Service Account.
  - Provide a name and description for the service account.
  - Click Create and Continue.
- Assign Roles to the Service Account:
  - Assign the following roles:
    - Viewer (roles/viewer)
    - Security Reviewer (roles/iam.securityReviewer)
    - Service Usage Consumer (roles/serviceusage.serviceUsageConsumer)
  - Click Continue and then Done.
- Create and Download a Service Account Key:
  - In the Service Accounts list, click on the newly created service account.
  - Go to the Keys tab.
  - Click Add Key > Create New Key.
  - Select JSON and click Create.
  - Save the downloaded JSON key file securely, as it will be used for authentication in ThreatDefence.
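The Step 1 procedure carried out with the gcloud CLI instead of the console, as an added example that is not ThreatDefence's own tooling. The project id, account name and key path are placeholders you supply, and setting DRY_RUN=1 prints the planned commands for review instead of running them.

```shell
#!/bin/sh
# Added example: provision the ThreatDefence scanning service account with
# gcloud instead of the console. Project id, account name and key path are
# placeholders supplied by the caller; nothing here is ThreatDefence's code.
set -eu

# Roles Step 1 assigns to the scanning service account.
SCANNER_ROLES="roles/viewer roles/iam.securityReviewer roles/serviceusage.serviceUsageConsumer"

# Run a command, or only print it when DRY_RUN=1 so the plan can be
# reviewed (and compared with an existing setup) before the project changes.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s ' "$@"
    printf '\n'
  else
    "$@"
  fi
}

# Email address Google Cloud derives from a service account name and project.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# Enable the IAM API (prerequisite), create the account, bind the three
# roles at project level, and issue a JSON key for upload to ThreatDefence.
setup_scanner_sa() {
  project="$1"; name="$2"; key_path="$3"
  email="$(sa_email "$name" "$project")"
  run gcloud services enable iam.googleapis.com --project="$project"
  run gcloud iam service-accounts create "$name" --project="$project" \
      --display-name="ThreatDefence GCP Auditor"
  for role in $SCANNER_ROLES; do
    run gcloud projects add-iam-policy-binding "$project" \
        --member="serviceAccount:$email" --role="$role"
  done
  run gcloud iam service-accounts keys create "$key_path" \
      --iam-account="$email" --project="$project"
  # The key can read every project the account sees: keep it owner-only.
  [ "${DRY_RUN:-0}" = 1 ] || chmod 600 "$key_path"
}

# Usage: DRY_RUN=1 ./setup_scanner_sa.sh <project-id> <account-name> <key.json>
if [ $# -eq 3 ]; then
  setup_scanner_sa "$1" "$2" "$3"
fi
```

The same roles can be bound at folder or organization level with gcloud resource-manager folders add-iam-policy-binding or gcloud organizations add-iam-policy-binding when the scan should cover more than one project.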
Step 2: Onboard the Integration
- Log in to your ThreatDefence SIEM Portal.
- Navigate to Deployments > Integrations.
- Click Add and select GCP Auditor.
- Upload the JSON key file you downloaded earlier.