GCP Recommendation Actions

Managing GCP Recommendations within InsightCloudSec

If properly configured, InsightCloudSec can harvest GCP Recommendations as a resource (found under Identity & Management on the Resources page). Supported Recommendation subtypes (see below) can be acted upon from within InsightCloudSec, with the results/resolution being propagated to GCP for easier principal management. InsightCloudSec supports applying recommendations for both Organizations and Projects.

Currently supported Recommender subtypes are:

REMOVE_ROLE
REMOVE_ROLE_STORAGE_BUCKET
REPLACE_ROLE
REPLACE_ROLE_STORAGE_BUCKET
SERVICE_AGENT_WITH_DEFAULT_ROLE
SERVICE_AGENT_WITHOUT_DEFAULT_ROLE

Prerequisites

Before you can apply recommendations in InsightCloudSec, you'll need the following:

Using GCP Recommendation Actions

Once the InsightCloudSec role associated with the GCP Project/Organization has appropriate permissions, you can apply recommendations from the Resources page.

1. Log in to InsightCloudSec and navigate to the Resources page.

2. Click "Identity & Management", then click "Recommendation". Note: Click the hyperlink in the "Affected Resource Name" column to open the properties for that resource.

Recommendations Resource List

3. Click the Resource Properties icon (next to the checkbox) for the Recommendation you wish to address. Note: Ensure the Subtype column contains a supported subtype.

4. Click "Actions", then click "Apply recommendation".

Apply Recommendation

5. Click "Submit" to confirm the application. InsightCloudSec propagates the change to the relevant GCP account and the recommendation is accepted. The changes specified by that recommendation are then made for that Principal.
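The following is an added example, not InsightCloudSec or Google code: a pre-check over recommendation records in the Recommender API JSON shape that keeps only the subtypes listed on this page and summarizes the IAM binding change each one would make, so the change can be reviewed before clicking "Apply recommendation". The sample records, their short names, and the `EXAMPLE_UNSUPPORTED_SUBTYPE` value are constructed placeholders; treating only `ACTIVE` recommendations as open to apply is an assumption.

```python
# Subtypes this page lists as supported for "Apply recommendation".
SUPPORTED = {
    "REMOVE_ROLE", "REMOVE_ROLE_STORAGE_BUCKET",
    "REPLACE_ROLE", "REPLACE_ROLE_STORAGE_BUCKET",
    "SERVICE_AGENT_WITH_DEFAULT_ROLE", "SERVICE_AGENT_WITHOUT_DEFAULT_ROLE",
}
ROLE = "/iamPolicy/bindings/*/role"         # pathFilters key: role of the binding
MEMBER = "/iamPolicy/bindings/*/members/*"  # pathFilters key: principal removed

def _rec(name, subtype, state, ops):  # helper that builds one constructed record
    return {"name": name, "recommenderSubtype": subtype,
            "stateInfo": {"state": state},
            "content": {"operationGroups": [{"operations": ops}]}}

# Constructed sample data (placeholder names and principals, not real output).
SAMPLE = [
    _rec("rec-1", "REMOVE_ROLE", "ACTIVE", [
        {"action": "remove",
         "pathFilters": {ROLE: "roles/editor", MEMBER: "user:a@example.com"}}]),
    _rec("rec-2", "REPLACE_ROLE", "ACTIVE", [
        {"action": "add", "value": "user:b@example.com",
         "pathFilters": {ROLE: "roles/viewer"}},
        {"action": "remove",
         "pathFilters": {ROLE: "roles/owner", MEMBER: "user:b@example.com"}}]),
    _rec("rec-3", "EXAMPLE_UNSUPPORTED_SUBTYPE", "ACTIVE", []),
    _rec("rec-4", "REMOVE_ROLE", "SUCCEEDED", []),
]

def binding_changes(rec):
    """Return (action, principal, role) for each IAM operation in a record."""
    changes = []
    for group in rec.get("content", {}).get("operationGroups", []):
        for op in group.get("operations", []):
            f = op.get("pathFilters", {})
            changes.append((op.get("action"), f.get(MEMBER) or op.get("value"), f.get(ROLE)))
    return changes

def triage(recs):
    """Split open recommendations into (appliable, skipped) by subtype."""
    appliable, skipped = [], []
    for rec in recs:
        if rec.get("stateInfo", {}).get("state") != "ACTIVE":  # assumption: ACTIVE = still open
            continue
        subtype = rec.get("recommenderSubtype")
        (appliable if subtype in SUPPORTED else skipped).append((rec["name"], subtype, binding_changes(rec)))
    return appliable, skipped

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `REPLACE_ROLE` record shows up as an add/remove pair, which makes it easy to confirm that the replacement role is narrower than the one being removed.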