GCP - Onboarding

After InsightCloudSec is successfully installed, you're ready to start harvesting resources from your target Google Cloud Platform (GCP) accounts. This documentation provides details on configuring GCP to "talk" with InsightCloudSec securely for both admin and non-admin users and explains the different onboarding workflows you can expect for new and returning users.

This page walks through the steps required to add either single GCP account, also known as a project, into InsightCloudSec.

• Read more about Google Cloud Projects.

Getting Started with Onboarding for GCP

Before you can begin the GCP onboarding process, you'll need to login to InsightCloudSec and open the Cloud Account Onboarding Wizard, which is a different experience depending on the type of user you are:

• First-time User: InsightCloudSec is freshly deployed and this will be the first time a Cloud Service Provider (CSP) has been onboarded.
• Returning User: InsightCloudSec has one or more CSPs already onboarded and you would like to add a new GCP account.
• Non-Admin User: You can interact with InsightCloudSec and are onboarding GCP but do not have the appropriate access to grant InsightCloudSec access to your cloud account(s).
  • Jump to the instructions for Non-Admin Onboarding for GCP
• Admin User: You can login to the GCP console and have the appropriate access to grant InsightCloudSec access to your account(s).
  • Jump to the instructions for Admin Onboarding for GCP

In addition, we also provide instructions for:

• Existing Cloud Accounts: For details on modifying an existing cloud account, check out the Cloud Account Setup & Management page for details.

📘

Need Support?

We are here to help! If you have questions or concerns reach out to us through the Customer Support Portal.

Non-Admin Onboarding for GCP

If you've determined that you're not an Admin user or you're not sure, you will need to provide an Admin within your organization with the "Google Cloud Platform Admin Instructions". Once the Admin has completed the instructions, they should be able to provide you with an answer and/or content for the required fields:

• A Nickname
• Email Delegation (optional, but strongly recommended)
• Project ID
• API Credentials

Steps for Non-Admin Onboarding

The steps to complete this process for both First-time Users and Returning Users are provided below. Step 2a and 2b provide specifics for the two user types.

1. Log in to InsightCloudSec

2-a. For first-time users a successful log in should launch the Onboard a Cloud Account workflow. You will need to select "Google Cloud Platform" as your Cloud Service Provider, and then select "No - Help me identify the details needed. Click "Next" to start the onboarding process.

2-b. For returning users navigate to "Cloud --> Cloud Accounts" and select "Add Cloud". *You will need to select "Google Cloud Cloud" as your Cloud Service Provider, and then select the "Don't have admin access?" option at the bottom right of the window.

3. From the wizard, copy the details from the "Google Cloud Platform Admin Instructions" text box and share them with the appropriate Admin.

• Note: If you log out and log back in, the onboarding will return you to the step where you left off.

4. Once your administrator has completed the setup, they can provide you with the required items to complete the configuration.

5. Return to the onboarding workflow and provide the required information:

• Nickname
• Email Delegation (optional but strongly recommended)
• Project ID
• API Credentials

6. Click "Connect Account" to finalize your Google Cloud Platform onboarding setup.

Admin Onboarding for GCP

For administrative users this section includes step-by-step instructions for the configuration required in both the GCP console and the InsightCloudSec Onboarding Wizard to connect.

• If you are connecting to InsightCloudSec for the first time you will be greeted by a workflow that shares some details around InsightCloudSec capabilities and allows you to select your Cloud Service Provider to start the onboarding process.

• If you have connected to InsightCloudSec previously but are setting up GCP for the first time, you will need to navigate to "Cloud --> Cloud Accounts" and select the "Add Cloud" option to open the cloud onboarding.

Using either path select "Google Cloud Platform" to get started with the admin onboarding.

GCP Login (Step 1)

📘

Service Accounts & Project Details

Service accounts can only be created within a Project, so choose an appropriate Project or consider creating a new Project for the service account for InsightCloudSec to reside in. The following steps will take place within that Project.

In the GCP Console - Choosing a Project
1. Log in to your Google Platform account and select the Project you want to onboard.

In the InsightCloudSec Onboarding Wizard
2. Create a Nickname for your associated InsightCloudSec Account.

3. Click "Next" to go to 2. Service Account and Key.

Service Account and Key (Step 2)

In the GCP Console - Creating a Service Account

1. Navigate into "IAM & Admin > Service Account".

2. Click "Create Service Account" and complete the service account details.

• We recommend including "ICS" or "InsightCloudSec" here for tracking purposes.

🚧

Service Account ID

Copy your Service Account ID and save this information in a safe place. You will need this information late.

3. Click "Done" to create the Service Account.

In the GCP Console - Generating a Service Account Key

1. After creating the account you should be in the Service Accounts tab, otherwise navigate into the newly created Service Account by pasting the "Service Account ID" into the filter input. Click the email address link to view the details.

2. In the KEYS section, select "ADD KEY".

3. Select "Create New Key". With Key Type as JSON, click "Create" to download the key.

❗️

Save Your Service Account Key

Store this JSON file in a secure place; it contains the only copy of the key.

In the InsightCloudSec Onboarding Wizard

4. Paste the JSON file of the KEY you just created in the "API Credentials" field.

5. Locate the "Project ID" in the JSON file and paste that in the corresponding field.

6. Click "Next" to go to 3. Role and Permissions.

Role and Permissions (Step 3)

In the GCP Console - Role Creation

1. Navigate into "IAM & Admin > Roles".

2. Click "Create Role".

• Name your role and give it a description.
• We recommend including ICS or InsightCloudSec here for tracking purposes.

3. Click add permissions, and using the filter field provided, select the following permissions:

• bigquery.tables.get
• bigquery.tables.list
• cloudasset.assets.listResource
• cloudasset.assets.searchAllIamPolicies
• serviceusage.services.enable
• storage.buckets.get
• storage.buckets.getIamPolicy

📘

Kubernetes Security Guardrails & Kubernetes Remote Scanner

If you are interested in using our Kubernetes Security Guardrails and Kubernetes Remote Scanner features, we recommend including the required permission(s) (container.secrets.list) for those features at this step.

Additional details on GCP GKE Support are available here.

4. Click "Add" to finalize the permissions.

5. Click "Create" to save the role.

In the GCP Console - Attach Role to Service Account

1. Navigate to "IAM & Admin--> IAM" and click "Grant Permissions".

2. Then Navigate to "IAM & Admin--> IAM" and click "Grant Access".

3. Paste in the Service Account Email (taken from the Service Account details page) into the "New principals" field.

4. Now you will need to add Roles to the Service Account.

• Basic -> Viewer (Editor to allow InsightCloudSec to have write permissions into GCP)
• Custom -> Custom InsightCloudSec Role created in previous steps

5. Click "Save".

In the InsightCloudSec Onboarding Wizard

6. Click to check the box stating "I confirm a role assignment has been created."

GCP Directory Support (Optional but recommended)

📘

GCP Directory Support (Recommended)

We strongly encourage you to enable GCP Directory Support. This configuration allows InsightCloudSec to harvest additional data at the domain level; specifically harvesting and visibility into Domain Users and Domain Groups.

• Read more about what the configuration includes on our GCP Directory Support page.

In the GCP Console - Setting Up Directory Support/Email Delegation

Enabling Directory Support/Delegation - Part 1
1. Navigate to "IAM & Admin--> Service Accounts”.

2. Open to view the details of your InsightCloudSec configured service account. Scroll to advanced settings and locate "Domain-wide Delegation".

3. Click to copy the "Client ID" for your Service account.

4. Under Client ID, click on the "View Google Workspace Admin Console" and move to the next section of steps.

Enabling Directory Support/Delegation - Part 2

1. Navigate to "Security → Overview ”.

2. Scroll to "API Controls" and click to expand.

3. Under API Controls scroll to locate "Domain-wide Delegation" and click "Manage Domain Wide Delegation".

4.Next you will either need to:

• Search for and confirm that the Client ID you copied from your service account already exists, or:
• Click "Add new" and add the Client ID to specify the service account you want to configure for Domain-wide delegation.
• Note: For an existing client ID (a.) verify the following scopes. For a new Client ID (b.) these scopes will have to be added:
  • https://www.googleapis.com/auth/admin.directory.user
  • https://www.googleapis.com/auth/admin.directory.group
  • https://www.googleapis.com/auth/admin.directory.group.member

Enabling Directory Support/Delegation - Part 3

1. Navigate to "Directory → Users”.

2. Filter for Admin Role and select "Super Admin" to narrow the list of user accounts.

3. Identify the email for the account you want to use to specify for Domain-wide Delegation.

In the InsightCloudSec Onboarding Wizard

1. Add the email address associated with the Directory Support you just configured.

2. Click "Connect Account" to complete your GCP Onboarding.

👍

Success!

Congratulations on successfully onboarding a GCP account! InsightCloudSec will now detect the following:

• If there are any missing permissions, which could cause impaired visibility into your account
• If the account is a GCP Organization; if it is an Organization, you can enable Account Discovery. If Account Discovery is enabled, Rapid7 can onboard and collect information on related GCP projects via the onboarded Organization. Click "Enable Auto Discovery" at the bottom of the window to start this process.

---

Organization Post-Onboarding Information

If you followed the instructions above and onboarded a GCP Organization, you should have at least your Organization account with full visibility in InsightCloudSec. Review the following sections for more information on augmenting your Organization onboarding experience or managing the Organization within InsightCloudSec.

Enabling Account Discovery

Once an Organization is onboarded to InsightCloudSec, we automatically detect the Organization and prompt you to enable Account Discovery. If you clicked the "Enable Auto Discovery" button within the onboarding wizard, you'll be taken to the Edit Organization Config window for the new Organization.

1. From the Edit Organization Config window, select the "Auto-Sync Projects" checkbox.

2. Click "UPDATE".

Once enabled, Accounts are discovered via the API dynamically and configured with defaults you provide.

Modifying an Organization

After onboarding an AWS Organization, you can edit configuration information at any time.

1. From InsightCloudSec, click expand "CLOUD", then click "Cloud Accounts -> Organizations".

2. Next to the desired Organization, click the options button (hamburger icon), then click "Edit Organization".

3. Adjust the nickname or credentials values as necessary.

4. Adjust the scope/badging options as necessary:

• "Projects to Skip" -- Enter details for projects (ID’s or Names) to be skipped (e.g., you have a group of development accounts you are not interested in tracking)
• "Auto-Sync Projects" (checkbox) -- Select this box to add all projects associated with the organization. Note: If not checked, each account must be added manually
• "Auto-remove deleted accounts" (checkbox) -- Select this box to automatically remove deleted GCP accounts from InsightCloudSec. As soon as this checkbox is enabled, a background process will begin running and remove the accounts automatically as they are found
• "Auto-Badge Projects" (checkbox) -- Select this box to allow InsightCloudSec to automatically badge your incoming projects
• "Enable API Auto-Enablement" (checkbox) -- Select this box to automatically enable required APIs for each project. Review the Cloud Account Detail Page for additional details on this feature.
• “Limit import scope” (checkbox) -- Select this box and provide Parent Folder ID(s) to only include the given folder(s) and anything underneath it

📘

Import Scope Changes

To change the import scope to a different folder, or to remove the scope entirely, navigate to "Clouds --> Organizations". Select the pencil next to the name of the Organization you want to modify. You will need to input the JSON credentials again in order to make this change.

5. Click "UPDATE".