User settings for GCP security audits

Part of the security audit of Google Cloud Platform (GCP) environments takes place automatically. For this we need an API user, a GCP service account, with the right permissions: read-only access to the settings we review, and nothing more. In this article, we explain how to create that custom role and service account.

GCP settings

Create audit role

Log in to the Google Cloud console and activate the Cloud Shell. Next, create a file called cyberant-audit-role.yaml.

Give the file the following content. Every entry is a list, get or getIamPolicy permission, so the role can read configuration but cannot change it:

name: roles/CyberAntCSPMSecurityAudit
title: CyberAnt CSPM Security Audit
includedPermissions:
  - cloudasset.assets.listResource
  - cloudkms.cryptoKeys.list
  - cloudkms.keyRings.list
  - cloudsql.instances.list
  - cloudsql.users.list
  - compute.autoscalers.list
  - compute.backendServices.list
  - compute.disks.list
  - compute.firewalls.list
  - compute.healthChecks.list
  - compute.instanceGroups.list
  - compute.instances.getIamPolicy
  - compute.instances.list
  - compute.networks.list
  - compute.projects.get
  - compute.securityPolicies.list
  - compute.subnetworks.list
  - compute.targetHttpProxies.list
  - container.clusters.list
  - dns.managedZones.list
  - iam.serviceAccountKeys.list
  - iam.serviceAccounts.list
  - logging.logMetrics.list
  - logging.sinks.list
  - monitoring.alertPolicies.list
  - resourcemanager.folders.get
  - resourcemanager.folders.getIamPolicy
  - resourcemanager.folders.list
  - resourcemanager.hierarchyNodes.listTagBindings
  - resourcemanager.organizations.get
  - resourcemanager.organizations.getIamPolicy
  - resourcemanager.projects.get
  - resourcemanager.projects.getIamPolicy
  - resourcemanager.projects.list
  - resourcemanager.resourceTagBindings.list
  - resourcemanager.tagKeys.get
  - resourcemanager.tagKeys.getIamPolicy
  - resourcemanager.tagKeys.list
  - resourcemanager.tagValues.get
  - resourcemanager.tagValues.getIamPolicy
  - resourcemanager.tagValues.list
  - storage.buckets.getIamPolicy
  - storage.buckets.list
stage: GA

Then run the following command. Creating the role at organization level (rather than in a single project) makes it available in every project under the organization; it requires the iam.roles.create permission on the organization, for example through the Organization Role Administrator role:

gcloud iam roles create CyberAntCSPMSecurityAudit --organization=YOUR_ORGANIZATION_ID --file=cyberant-audit-role.yaml

Create service account

Log in to the Google Cloud console and navigate to IAM & Admin > Service Accounts in the project that should hold the audit account.
Click on “Create Service Account.”
Enter “CloudSploit” in the “Service account name,” then enter “CloudSploit API Access” in the description.
Click on Continue.
Select the role: Custom > CyberAnt CSPM Security Audit. This grants the role on the current project only; to audit the whole organization, also grant the same role to the service account on the organization (IAM & Admin > IAM with the organization selected), so that every project under it is in scope.
Click on Continue, then on Done.
Open the service account you just created, select the Keys tab and click “Add Key” > “Create new key.”
Leave the default JSON selected.
Click on “Create.”
The key will be downloaded to your machine. It is a long-lived credential with read access to your entire environment: store it where only the audit tooling can read it, keep it out of source control, and delete it from the service account when it is no longer needed.
Open the JSON key file in a text editor and copy the project_id, client_email and private_key values into the index.js file, or move the JSON key file to a safe location and reference it in your config.js file later.
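The whole procedure above as gcloud commands, together with a least-privilege check on the role file, as an added example that is not part of the CyberAnt instructions. The organization ID, the project ID and the service account name cyberant-audit are placeholders. The script prints the gcloud commands rather than running them, so you can review them first, and it refuses a role file that contains any permission able to change state or impersonate a service account (such as actAs or getAccessToken, which look harmless but are not read-only in effect):

```shell
#!/usr/bin/env bash
# Added example, not part of the CyberAnt instructions: check that a custom-role YAML
# is really read-only, then emit the gcloud commands that create the role at
# organization level, create the service account, bind the role on the organization
# and create a JSON key. ORG_ID, PROJECT_ID and SA_NAME are placeholders.
set -eu

ROLE_ID="CyberAntCSPMSecurityAudit"
SA_NAME="cyberant-audit"                  # hypothetical service account name
SA_DISPLAY="CyberAnt CSPM Security Audit"

# Permission suffixes that change state or mint credentials. An audit role must not
# carry any of them; actAs/getAccessToken allow impersonation without "writing".
WRITE_VERBS='\.(create|delete|update|patch|set[A-Za-z]*|use|actAs|getAccessToken|signBlob|signJwt|start|stop|reset)$'

# write_role_yaml FILE PERMISSION... : write a role file in the article's format.
# Used here only to build constructed test input; the real file is the one above.
write_role_yaml() {
  local file="$1"; shift
  {
    printf 'title: %s\n' "$SA_DISPLAY"
    printf 'includedPermissions:\n'
    for perm in "$@"; do printf '  - %s\n' "$perm"; done
    printf 'stage: GA\n'
  } > "$file"
}

# list_permissions FILE : print the entries under includedPermissions, one per line.
list_permissions() {
  awk '/^includedPermissions:/ {p=1; next}
       p && /^[[:space:]]*- / {sub(/^[[:space:]]*- */, ""); print; next}
       p {p=0}' "$1"
}

# check_read_only FILE : return 0 if no permission matches WRITE_VERBS, otherwise
# print the offending permissions on stderr and return 1.
check_read_only() {
  local offenders
  offenders=$(list_permissions "$1" | grep -E "$WRITE_VERBS" || true)
  if [ -n "$offenders" ]; then
    printf 'refusing %s, non-read-only permissions:\n%s\n' "$1" "$offenders" >&2
    return 1
  fi
}

# render_setup_commands ORG_ID PROJECT_ID ROLE_FILE : print (do not run) the gcloud
# commands for the whole procedure. Binding on the organization, not the project,
# is what lets one service account audit every project under it.
render_setup_commands() {
  local org_id="$1" project_id="$2" role_file="$3"
  local sa_email="${SA_NAME}@${project_id}.iam.gserviceaccount.com"
  cat <<EOF
gcloud iam roles create ${ROLE_ID} --organization=${org_id} --file=${role_file}
gcloud iam service-accounts create ${SA_NAME} --project=${project_id} --display-name="${SA_DISPLAY}"
gcloud organizations add-iam-policy-binding ${org_id} --member="serviceAccount:${sa_email}" --role="organizations/${org_id}/roles/${ROLE_ID}"
gcloud iam service-accounts keys create ${SA_NAME}-key.json --iam-account="${sa_email}"
EOF
}

# Demo on constructed files: one clean role, one that smuggles in actAs and setIamPolicy.
demo() {
  local good bad
  good=$(mktemp) && bad=$(mktemp)
  write_role_yaml "$good" compute.instances.list storage.buckets.getIamPolicy iam.serviceAccountKeys.list
  write_role_yaml "$bad"  compute.instances.list iam.serviceAccounts.actAs storage.buckets.setIamPolicy
  check_read_only "$good" && echo "clean role: ok"
  check_read_only "$bad" || echo "tainted role: rejected"
  render_setup_commands 123456789012 my-audit-project cyberant-audit-role.yaml
  rm -f "$good" "$bad"
}
demo
```

Run the check against cyberant-audit-role.yaml before the gcloud iam roles create step; if someone later adds a permission to the file, the same check in a pipeline catches a role that silently stopped being read-only.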