GCP Auto-Badging

This page has moved

For up-to-date information about GCP Configuration options, go to GCP Additional Configuration.

Auto-Badging Overview

InsightCloudSec includes auto-badging capabilities that create a 1:1 mapping from GCP project, folder, and organization tags and labels to Badges in InsightCloudSec. This allows Clouds and Bots to be scoped to a badge that maps directly to a tag on the account.

📘 Deleting Auto-Badging

Once tags and labels have been harvested into InsightCloudSec as badges, they cannot be deleted in InsightCloudSec. Delete them in the GCP console instead; the change propagates to InsightCloudSec on the next harvest.

Auto-Badging in GCP Organizations

For GCP Organizations with auto-badging of projects enabled, every cloud corresponding to a project that has no parent folder receives a cloud_org_path badge with the value / to signify that the project sits at the root of the organization.
Selecting the "Auto Badge Projects" option also provides automatic badging for Organizations that use folders, through the gcp_folder badge. This badge is useful for scoping Insights, Bots, and Compliance Scorecard views to organizational units and lines of business within your cloud footprint.

Organization-level tags are harvested by InsightCloudSec as badges. For example, an organization-level tag in GCP of the form organization-name/tag-key/tag-value is returned in InsightCloudSec as the badge org/organization-name/tag-key:tag-value. Every project within the organization receives this badge.

Auto-Badging in GCP Projects

For GCP Projects that are not part of an Organization and have auto-badging of projects enabled, InsightCloudSec automatically creates badges from the GCP project-level labels. Note: if you later add a GCP Organization that contains a previously standalone GCP Project, the Organization configuration takes over that project.

Project-level tags are also harvested by InsightCloudSec as badges. A project-level tag in GCP looks like an organization-level tag, but it is returned in InsightCloudSec as organization-name/tag-key:tag-value, without the org/ prefix.

Folders

Folder tags are also harvested by InsightCloudSec as badges, with top-level folder tags and nested folder tags returned slightly differently. For example, a nested folder structure within GCP might look like this: organization-name/top-level-folder/nested-folder-1/project-name. A top-level or nested folder tag looks like an organization-level or project-level tag in GCP, but a top-level folder tag is returned in InsightCloudSec as organization-name/folders/top-level-folder-name/tag-key:tag-value, and a nested folder tag is returned as organization-name/folders/top-level-folder-name/nested-folder-1/tag-key:tag-value.

Folder tags, whether on a top-level or a nested folder, are inherited by every project held in that folder or in any of its sub-folders.
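The naming and inheritance rules from the Organizations, Projects and Folders sections above, applied to a small constructed hierarchy. This is an added example written for this page, not InsightCloudSec code: it models only the badge names the page documents (org/…, organization-name/…, organization-name/folders/…, and cloud_org_path = / for root projects). The Node class, the project_badges function and the example-org hierarchy are assumptions for illustration, and the nested form of cloud_org_path ("/folder/sub-folder") is an assumption, since the page only specifies the root value.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    """One GCP resource-hierarchy node: an organization, a folder or a project."""
    kind: str                                   # "organization", "folder" or "project"
    name: str
    tags: dict = field(default_factory=dict)    # tag-key -> tag-value set on this node
    children: list = field(default_factory=list)


def project_badges(org: Node) -> dict:
    """Return {project-name: {badge-key: badge-value}} for every project under org,
    applying the naming and inheritance rules described on this page."""
    result = {}

    def walk(node, folder_path, inherited):
        if node.kind == "project":
            badges = dict(inherited)
            # Project-level tag -> organization-name/tag-key:tag-value (no org/ prefix)
            for key, value in node.tags.items():
                badges[f"{org.name}/{key}"] = value
            # cloud_org_path is "/" for a project with no parent folder (documented);
            # "/folder/sub-folder" for nested projects is an assumption of this example.
            badges["cloud_org_path"] = "/" + "/".join(folder_path)
            result[node.name] = badges
            return
        inherited = dict(inherited)
        if node.kind == "organization":
            # Organization-level tag -> org/organization-name/tag-key:tag-value,
            # inherited by every project in the organization
            for key, value in node.tags.items():
                inherited[f"org/{node.name}/{key}"] = value
        else:
            # Folder tag -> organization-name/folders/<path-to-folder>/tag-key:tag-value,
            # inherited by projects in this folder and in every sub-folder below it
            folder_path = folder_path + [node.name]
            prefix = f"{org.name}/folders/" + "/".join(folder_path)
            for key, value in node.tags.items():
                inherited[f"{prefix}/{key}"] = value
        for child in node.children:
            walk(child, folder_path, inherited)

    walk(org, [], {})
    return result


def render(badges: dict) -> list:
    """Badge display form used on this page (key:value), sorted for stable output."""
    return sorted(f"{k}:{v}" for k, v in badges.items())


# Constructed sample hierarchy (hypothetical names, not a real organization).
EXAMPLE_ORG = Node("organization", "example-org", {"env": "prod"}, [
    Node("project", "root-project", {"team": "infra"}),
    Node("folder", "top-level-folder", {"bu": "retail"}, [
        Node("project", "top-level-project"),
        Node("folder", "nested-folder-1", {"cost-center": "cc-42"}, [
            Node("project", "project-name", {"owner": "alice"}),
        ]),
    ]),
])

if __name__ == "__main__":
    for project, badges in project_badges(EXAMPLE_ORG).items():
        print(project)
        for line in render(badges):
            print("  " + line)
```

Running it shows root-project with only the organization tag, its own label and cloud_org_path:/, while project-name additionally carries the top-level-folder and nested-folder-1 badges; that is the inheritance you rely on when you scope a Bot or Insight to a folder badge.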

Auto Badging Behavior

Auto-badging takes place in two stages.

  • Periodically, a process retrieves the tags/labels from each account/project and compares them with the ResourceTags associated with the corresponding cloud in the InsightCloudSec database.

    • If any change is detected, the ResourceTags in the database are overwritten with the values from the account/project. Cloud Account tags should therefore not be modified locally, since any local change is overwritten the next time the process runs. Local changes to Cloud Account tags are also never pushed back to the cloud provider.
  • Periodically, a process retrieves all ResourceTags from the local database that are associated with the accounts managed by an organization. For each cloud, the list of tags for that cloud is compared with the current list of Badges, and for each Key/Value pair of tags:

    • Existing Badges with a Key prefix of system. are skipped.
    • If the corresponding Badge with the Key/Value pair for that cloud does not already exist, it is created.
    • If a tag Value changes, the Badge with the corresponding Key will be updated to that value.
    • If a Badge no longer has a tag with a corresponding Key, the Badge will be deleted.
    • All Badges that have a corresponding tag have their autogenerated column set to 'true', even if the column was previously set to 'false'.
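The two stages above as runnable logic, with constructed sample state for one cloud. This is an added example written for this page, not InsightCloudSec code; the Badge class, the harvest_resource_tags and reconcile_badges functions, the action tuples and the sample data are assumptions for illustration. The reconciliation applies the five rules literally, including deleting any badge whose key has no matching tag; the page does not say whether hand-created badges are exempt from that rule, so verify before relying on manual badges for scope.

```python
from dataclasses import dataclass


@dataclass
class Badge:
    key: str
    value: str
    autogenerated: bool = True


def harvest_resource_tags(local_tags: dict, provider_tags: dict) -> tuple:
    """Stage 1: compare the provider's tags/labels with the local ResourceTags copy.
    On any difference the provider wins; local edits are lost and nothing flows
    back to the provider. Returns (tags_after, changed)."""
    if local_tags != provider_tags:
        return dict(provider_tags), True
    return dict(local_tags), False


def reconcile_badges(resource_tags: dict, badges: list) -> tuple:
    """Stage 2: bring one cloud's Badges in line with its ResourceTags.
    Returns (badges_after, actions); actions is a list of (verb, key) pairs."""
    actions = []
    after = []
    existing_keys = {b.key for b in badges}
    for badge in badges:
        if badge.key.startswith("system."):
            after.append(badge)                      # rule 1: system.* badges are skipped
            actions.append(("skip", badge.key))
            continue
        if badge.key not in resource_tags:
            actions.append(("delete", badge.key))    # rule 4: no tag with this key any more
            continue
        value = resource_tags[badge.key]
        if badge.value != value:
            actions.append(("update", badge.key))    # rule 3: tag value changed
        # rule 5: a badge with a matching tag is marked autogenerated, even if it was false
        after.append(Badge(badge.key, value, autogenerated=True))
    for key, value in resource_tags.items():
        if key not in existing_keys:
            actions.append(("create", key))          # rule 2: tag with no badge yet
            after.append(Badge(key, value, autogenerated=True))
    return after, actions


def run_cycle(local_tags: dict, provider_tags: dict, badges: list) -> tuple:
    """One pass of both stages for a single cloud."""
    tags, _changed = harvest_resource_tags(local_tags, provider_tags)
    return reconcile_badges(tags, badges)


# Constructed sample state for one cloud (hypothetical, not real data).
LOCAL_TAGS = {"env": "prod", "team": "infra", "owner": "bob"}   # "owner" was added locally only
PROVIDER_TAGS = {"env": "prod", "team": "platform"}             # label changed in GCP
BADGES = [
    Badge("env", "prod"),
    Badge("team", "infra"),
    Badge("owner", "bob", autogenerated=False),                  # created by hand in InsightCloudSec
    Badge("system.managed", "yes", autogenerated=False),
]

if __name__ == "__main__":
    after, actions = run_cycle(LOCAL_TAGS, PROVIDER_TAGS, BADGES)
    for verb, key in actions:
        print(f"{verb:7} {key}")
    for badge in after:
        print(badge)
```

In this run the local-only owner tag disappears in stage 1 and its badge is deleted in stage 2, team is updated to the provider's value, and system.managed is left untouched. Since Badges, and with them Bot and Insight scope, follow the tags and labels in GCP, whoever can edit those tags in GCP can change what a badge-scoped Bot acts on; treat that GCP permission as a scope-control permission.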