GCP Security Configuration

Overview

ActiveEye audits your Google Cloud Platform (GCP) configurations and compares them to industry benchmark best practices, informing you of areas of possible improvement. This requires setting up roles in an account for use by ActiveEye, and that various APIs be enabled. This account will have read permissions on the GCP configurations, but not on sensitive data.

Prerequisites

Before you can configure security auditing, ensure that you have created the GCP service connector per the instructions in the Google Cloud Platform topic.

Adding Roles to the Service Account

Use the same service account previously created for GCP, or, if you decide to create a separate service account, be sure to also add the Private Logs Viewer role as described in the Google Cloud Platform topic.

The following roles will need to be added to the service account:

  • Viewer
  • Security Reviewer
  • Stackdriver Accounts Viewer

To add the roles, perform the following steps:

  1. Click this link to access the IAM page in GCP.
  2. Click the project containing the service account to which you will add the new roles.
  3. In the left pane, select Manage Resources.
    The Manage resources page appears.
  4. In the table, select the checkbox in the row for the organization containing the project with the new service connector.
  5. If an information pane is not visible on the right side of the page, select the SHOW INFO PANEL button in the upper-right corner of the page to display it.
  6. In the right pane, in the PERMISSIONS tab, expand the Private Logs Viewer node, and then, in the row for the service connector to which you will add permissions, click the pencil icon.
    The Edit access to window appears.
  7. Click ADD ANOTHER ROLE, and then click Select a role.
    A window appears.
  8. Hover over Basic on the left side of the window, and then click Viewer on the right side of the window.
    The window closes, and the role is added to the service account.
  9. Click ADD ANOTHER ROLE, and then click Select a role.
    A window appears.
  10. Enter security reviewer in the search bar at the top of the window, and then click Security Reviewer in the results.
    The window closes, and the role is added to the service account.
  11. Click ADD ANOTHER ROLE, and then click Select a role.
    A window appears.
  12. Enter stackdriver accounts viewer in the search bar at the top of the window, and then click Stackdriver Accounts Viewer in the results.
    The window closes, and the role is added to the service account.
  13. Click SAVE.
    The service account is saved with the newly added roles.

Enabling APIs

The following APIs need to be enabled:

  • Admin SDK
  • Compute Engine API
    Note: Enabling this API requires a project with a billing account.
  • Cloud Functions API
  • Cloud Resource Manager API
  • Cloud SQL Admin API
  • Identity and Access Management (IAM) API
  • Stackdriver API

To enable an API for your project using the console:

  1. Click this link to access the GCP API Library.
  2. In the projects list, select the project for which you will enable the APIs.
  3. In the search bar, search for the name of the API that you want to enable, and then, in the results that appear, select the appropriate API. On the page that appears, click ENABLE.
  4. Repeat step 3 until all of the following APIs are enabled:

    • Admin SDK
    • Compute Engine API
    • Cloud Functions API
    • Cloud Resource Manager API
    • Cloud SQL Admin API
    • Identity and Access Management (IAM) API
    • Stackdriver API
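The two procedures above (granting the roles on the organization, enabling the APIs on the project) can also be driven from the gcloud CLI, which makes it easy to verify afterwards that the service account holds exactly the roles this page requires and nothing broader. The script below is an added example, not ActiveEye's or Google's own code. It assumes the standard IAM role IDs for the four role names (roles/viewer, roles/iam.securityReviewer, roles/stackdriver.accounts.viewer, roles/logging.privateLogViewer) and the standard service names for the seven APIs; the organization ID, project ID, service account e-mail and the sample policy are constructed placeholders. By default it runs in dry-run mode: it audits a constructed policy and prints the gcloud commands it would run instead of executing them.

```shell
#!/bin/sh
# Added example (not ActiveEye's or Google's code): audit, and optionally grant,
# the roles this page lists for the ActiveEye service account, then enable the
# listed APIs. Every identifier below is a placeholder for your environment.
set -eu

ORG_ID="${ORG_ID:-123456789012}"                                      # placeholder
PROJECT_ID="${PROJECT_ID:-my-project}"                                # placeholder
SA_EMAIL="${SA_EMAIL:-activeeye@my-project.iam.gserviceaccount.com}"  # placeholder
DRY_RUN="${DRY_RUN:-1}"   # 1 = print gcloud commands and audit the sample policy

# Role names from the page mapped to IAM role IDs (assumed standard IDs).
REQUIRED_ROLES="roles/logging.privateLogViewer roles/viewer roles/iam.securityReviewer roles/stackdriver.accounts.viewer"
# APIs from the page as service names for `gcloud services enable` (assumed).
# Note: compute.googleapis.com can only be enabled on a project with billing.
REQUIRED_APIS="admin.googleapis.com compute.googleapis.com cloudfunctions.googleapis.com cloudresourcemanager.googleapis.com sqladmin.googleapis.com iam.googleapis.com stackdriver.googleapis.com"

# Constructed sample of `gcloud organizations get-iam-policy ORG_ID --format=yaml`:
# the account already has Viewer and Private Logs Viewer, lacks two required roles,
# and was mistakenly given Editor.
SAMPLE_POLICY='bindings:
- members:
  - serviceAccount:activeeye@my-project.iam.gserviceaccount.com
  - user:admin@example.com
  role: roles/viewer
- members:
  - serviceAccount:activeeye@my-project.iam.gserviceaccount.com
  role: roles/logging.privateLogViewer
- members:
  - serviceAccount:activeeye@my-project.iam.gserviceaccount.com
  role: roles/editor
etag: BwXYZ=
version: 1'

# Execute a command, or just print it when DRY_RUN=1.
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Print every role bound to member $1 in the policy YAML read from stdin.
# gcloud lists `members:` before `role:` inside each binding, so we remember
# whether the member appeared and emit the role when the binding closes.
roles_for_member() {
  awk -v m="$1" '
    /^- members:/ { hit = 0; next }
    /^  - /       { if ($2 == m) hit = 1; next }
    /^  role: /   { if (hit) print $2; hit = 0 }
  '
}

# Required roles that member $1 does not hold (policy YAML on stdin).
missing_roles() {
  have=$(roles_for_member "$1")
  for r in $REQUIRED_ROLES; do
    echo "$have" | grep -qx "$r" || echo "$r"
  done
}

# Roles member $1 holds beyond the required set, e.g. Owner or Editor; the
# integration is meant to be read-only, so these deserve review and removal.
extra_roles() {
  for r in $(roles_for_member "$1"); do
    case " $REQUIRED_ROLES " in *" $r "*) ;; *) echo "$r" ;; esac
  done
}

main() {
  member="serviceAccount:$SA_EMAIL"
  if [ "$DRY_RUN" = 1 ]; then
    policy="$SAMPLE_POLICY"
  else
    policy=$(gcloud organizations get-iam-policy "$ORG_ID" --format=yaml)
  fi
  echo "unexpected roles held by $member (review and remove):"
  printf '%s\n' "$policy" | extra_roles "$member"
  echo "granting missing required roles:"
  for r in $(printf '%s\n' "$policy" | missing_roles "$member"); do
    run gcloud organizations add-iam-policy-binding "$ORG_ID" \
      --member="$member" --role="$r"
  done
  # word splitting of REQUIRED_APIS is intentional: one service name per argument
  run gcloud services enable $REQUIRED_APIS --project="$PROJECT_ID"
}
main
```

Run it as-is to see the audit of the sample policy and the commands it would issue; set DRY_RUN=0 with real ORG_ID, PROJECT_ID and SA_EMAIL values (as an identity that can edit organization IAM and project services) to apply the changes to the live policy. The extra-roles check is the part worth keeping in a periodic job: the page states that the account should have read permissions only, and a stray Editor or Owner binding on the organization is exactly the kind of drift that silently widens what a compromised connector credential could do.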