Skip to main content

Google Cloud Platform

Cyscale enables you to keep track and secure your Google Cloud infrastructure natively. You connect your Google Cloud project(s) by creating an IAM service account that Cyscale impersonates to read your Google Cloud resources.

Connecting Your Google Cloud Project(s)

Once you are ready to connect your Google Cloud project and have the required permissions, press the Create button from the top-right corner, select Add Connector, and choose Google Cloud. You will be greeted with a simple multi-step process.

Step 1

In the first step, you provide a name for your Google Cloud project to be used throughout Cyscale. This is a plain-text identifier that helps you better manage your resources.

You also provide the project ID. You get this information from your Google Cloud Console (Cyscale will show you precisely how).

Step 2

In the second step, you create the service account that Cyscale will use to read your infrastructure. The output of this step is a JSON file with the service account's credentials.

Terraform (Default)

Based on the project ID you provided in the first step, Cyscale generates a ready-to-use Terraform configuration file. You download this file and, using the Terraform CLI either from your machine or using Cloud Shell, you create the service account, assign the required roles, and create the key.

Authentication and Authorization

Terraform uses the provider's APIs/SDKs to manage the resources. The Terraform Google Cloud provider can be configured in several ways which you can find here.

We recommend using user application default credentials that you can create with the command gcloud auth application-default login (in case you are running the command from WSL, you might want to add the argument --no-launch-browser)

Inspect the Terraform configuration file, run terraform init and terraform apply -auto-approve. Terraform creates the service account, assigns the required roles, creates the key, and outputs the credentials. Since the key is sensitive information, you have to output it in a file using the command terraform output -raw credentials_key > gcp-key.json (the name of the file is not important). Upload this file to Cyscale. You will see something like

Google Cloud Key Uploaded to Cyscale

Infrastructure as Code

Besides being simple to use, it provides a great way to manage the lifecycle of the created resources. For example, if you decide to remove the connection to your Google Cloud project, you simply run terraform destroy to delete all Cyscale-related resources from your project.

Manual

If you prefer setting up the resources manually from the Google Cloud Console, follow the steps described in the application. You can also find the steps for creating a service account in the Google Cloud documentation.

Access Security

While the permissions you grant to Cyscale are limited to reading the configuration of your cloud resources, you might still be concerned about the security of your Google Cloud project. Providing the service account key to Cyscale means that any entity with access to the key can read your Google Cloud resources.

Cyscale encrypts and stores the credentials in a database accessible only from within the Cyscale infrastructure. Then, a specialized microservice decrypts and uses the credentials to sync your Google Cloud assets. No member of the Cyscale team has access to your credentials.

Step 3

In the third step, the system makes sure the connection to your cloud account can be established and starts the first sync in the background. You can navigate to the cloud account overview page. The page will automatically refresh when the sync and assessment are completed.

Global Resources

Certain resources such as IAM resources (users, service accounts, etc.) do not belong to a certain region. These are classified by Cyscale as global assets.

Deep Dive on Permissions

Roles

The permissions Cyscale has with regards to your Google Cloud infrastructure are dictated by the roles you assign to the service account you create in step 2.

To benefit from everything Cyscale has to offer, the following roles are needed:

  • Viewer - This is a built-in basic role that allows read access to most resources in the project. You can read more about the Viewer role in the Google Cloud documentation, and you can see all permissions granted through this role with the command gcloud iam roles describe roles/viewer.
  • Security Reviewer - Another built-in role allowing read access to all resources. It is required because some key list permissions are not granted by the viewer role. You can read more about this role and see all the permissions that it grants in the Google Cloud documentation.
Data Access

It is important to make the distinction between infrastructure/configuration access and data access. Since Cyscale focuses currently on infrastructure, these roles do not grant permissions to your data. For example, Cyscale can read the configuration of your Cloud Storage buckets, but not their actual content (the objects) - i.e. there are no storage.objects.* permissions.

Service APIs

In order to use most services from Google Cloud, you have to enable the APIs of the respective services. For example, to create a VM, you will have to enable the Compute Engine API. Cyscale does not require you to enable APIs that you do not use. You can read more about service APIs in the Google Cloud documentation.

Managing Your Connected Google Cloud Project(s)

Once connected, your Google Cloud project(s) will show up in the Connectors list. From there, you can either use the inline actions or navigate to the overview page of the cloud account. The available options are:

Configure

You can update the following information for your Google Cloud cloud accounts:

  • Name - this helps you better identify the cloud account throughout the Cyscale platform
  • Project ID
  • Service account key - by default in Google Cloud, the service account key does not expire. However, you might want to rotate it or create another service account.

Disable/Enable

By default, all connectors are enabled. If you want to prevent Cyscale from syncing and assessing your assets for a certain connector, you can disable it. The state of the connector in Cyscale will be locked until you enable it again. The assets will not be updated based on your actual resources and assessments will not be performed for them.

Sync

You can always trigger a new sync and assessment manually for a given connector (unless the sync is already in progress). This will make Cyscale read all your resources for that particular connector, evaluate the applicable controls, and generate any alerts if necessary.

Service Coverage

The list of Google Cloud resources that Cyscale can handle are listed in the tables below, along with the number of controls that check their configuration

Compute

Compute# of Controls
Disk1
FirewallRule9
Project1
PublicIP0
SSLPolicy0
TargetHTTPSProxy1
TargetSSLProxy1
VM6
VPC4

Databases

BigQuery# of Controls
BigQueryTable1
BigTable# of Controls
BigTable0
Cloud SQL# of Controls
CloudSQLInstance13
SQLUser1
Cloud Spanner# of Controls
CloudSpanner0

Identity & Access Management

IAM# of Controls
IAMUser5
Role1
ServiceAccount4
ServiceAccountKey1

Logging

Monitoring# of Controls
AlertPolicy0
Logging# of Controls
LogMetric0
LogSink0

Security & Network

Cloud KMS# of Controls
KMSKey2
DNS# of Controls
ManagedZone3
Network# of Controls
NetworkInterface1

Serverless

Cloud Functions# of Controls
CloudFunction0

Services

Container# of Controls
Cluster18

Storage

Storage# of Controls
Bucket6

Cloud-Wide

In addition, Cyscale offers 20 more Google Cloud controls that are not specific to a service or asset type. These are called cloud-wide controls.