You can add a GCP organization, and with it multiple GCP projects, into InsightCloudSec. Note that this page and the functionality detailed here refer to the provider-specific organizations capability for GCP, which is managed under "Clouds --> Organizations".
This functionality should not be confused with the InsightCloudSec-specific Organizations capability, which provides multi-tenant functionality and is available under "System Administration --> Organizations".
Details on adding Organizations for GCP are below. For questions or issues contact us at [email protected].
Important Things To Note (Authentication & Enable API)
To authenticate against the Google Cloud Platform (GCP) API, a Service Account must be provisioned. Service Accounts can only be defined at the Project level, which is an individual account within a company's Google footprint. The steps below illustrate how to create this Service Account inside of a Project and then link it to the top-level Organization. It is vital to link the Service Account or else InsightCloudSec won't have visibility to the entire project/folder structure.
Before onboarding the organization, the "Cloud Resource Manager API" must be enabled on the project that will contain the Service Account. Be sure to search for the API in the GCP console and ensure that it shows as Enabled.
You will need Domain Admin permissions within InsightCloudSec to work with GCP Organizations.
You can add a GCP organization to InsightCloudSec, enabling automatic addition of all associated cloud accounts (projects) and badging by organizations or folder.
1. To create the custom role that the project-level service account will use, open IAM & admin from the navigation menu in your Google Cloud platform console and go to "Roles --> Create Role --> Add Permissions".
- Using the Filter field, select the following permissions:
- Click "Add".
- Update the role's Title, Description, ID, and Role launch stage, then click "Create". We recommend a name and ID that include "InsightCloudSec" so the role is easier to find later.
2. Select the Service Accounts submenu and then select "Create Service Account."
3. Complete your service account details.
- Give the service account a (display) name.
- Give the service account an ID.
- Describe the service account.
- Select "Create."
4. Grant the service account project-level permissions by selecting "Editor" or "Viewer", and add the custom role you created in Step #1 above.
5. Add the domain name as a user for the service account, e.g., insightcloudsec.com.
6. Create the key.
- Use JSON as the key type.
- Save the JSON key generated on "Create."
- Select DONE.
7. Click back into the service account and copy the service account email address.
Store this JSON in a secure place; the JSON contains the only copy of the private key, which cannot be downloaded again after creation.
8. Select your organization from the top drop-down menu, then select your domain in the listing.
Make sure you switch to your Organization level here. It will not work if you go to IAM at the Project level.
9. To promote the service account inside the domain and grant it permissions for your GCP organization, go to the IAM submenu under IAM & admin on the navigation bar.
- Select the Members tab.
- Select the Add tab.
- Paste the service account email address in the New member field.
- Select a role for these members, describing specific permissions you wish the member to have on the entirety of the domain. The roles needed for InsightCloudSec for Organization visibility are as follows:
- Resource Manager -> Organization Viewer (Organization Administrator if you're setting up write permissions)
- Resource Manager -> Folder Viewer
- IAM -> Security Reviewer
- Project -> Viewer
10. Select Continue.
11. Confirm your selections on the IAM & admin/IAM/Members page. In the example below, the roles selected are IAM:Security Reviewer and Resource Manager:Organization Viewer (you'll need Folder Viewer also).
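Step 11 confirms the bindings by eye in the console. The following script, an added example that is not part of the InsightCloudSec documentation or product, does the same check against a JSON policy document in the shape returned by `gcloud organizations get-iam-policy ORG_ID --format=json`: it reports which of the four roles from step 9 are still missing for the service account and which roles it holds beyond that set (candidates for removal, since the service account only needs the listed roles). The policy, the service account email and the etag are constructed placeholders.

```python
"""Verify the organization-level IAM roles granted to the InsightCloudSec service account.

Added example (not Rapid7 or Google code). It parses a policy document in the shape
returned by `gcloud organizations get-iam-policy ORG_ID --format=json` and compares the
roles bound to the service account with the set the onboarding steps call for.
"""
import json

# gcloud role IDs for the roles listed in step 9 (read-only Organization visibility).
REQUIRED_READ_ROLES = {
    "roles/resourcemanager.organizationViewer",  # Resource Manager -> Organization Viewer
    "roles/resourcemanager.folderViewer",        # Resource Manager -> Folder Viewer
    "roles/iam.securityReviewer",                # IAM -> Security Reviewer
    "roles/viewer",                              # Project -> Viewer
}
# Replaces Organization Viewer when write permissions are being set up.
ORG_ADMIN_ROLE = "roles/resourcemanager.organizationAdmin"

# Constructed sample policy; the service account email and etag are placeholders.
SA_EMAIL = "insightcloudsec@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/resourcemanager.organizationViewer",
         "members": [f"serviceAccount:{SA_EMAIL}"]},
        {"role": "roles/iam.securityReviewer",
         "members": [f"serviceAccount:{SA_EMAIL}", "user:alice@example.com"]},
        {"role": "roles/viewer",
         "members": [f"serviceAccount:{SA_EMAIL}"]},
        # Folder Viewer was forgotten, and Owner was granted by mistake.
        {"role": "roles/owner",
         "members": [f"serviceAccount:{SA_EMAIL}"]},
    ],
    "etag": "PLACEHOLDER_ETAG=",
    "version": 1,
})


def roles_for_member(policy_json, member):
    """Return the set of roles in which `member` appears in a JSON IAM policy."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def check_service_account(policy_json, sa_email, write_mode=False):
    """Compare the service account's roles with the required set.

    Returns a dict with the roles still missing, any roles granted beyond the required
    set (candidates to remove for least privilege), and an overall ok flag.
    """
    required = set(REQUIRED_READ_ROLES)
    if write_mode:
        required.discard("roles/resourcemanager.organizationViewer")
        required.add(ORG_ADMIN_ROLE)
    granted = roles_for_member(policy_json, f"serviceAccount:{sa_email}")
    missing = sorted(required - granted)
    extra = sorted(granted - required)
    return {"missing": missing, "extra": extra, "ok": not missing and not extra}


if __name__ == "__main__":
    # With the sample policy this reports folderViewer missing and roles/owner extra.
    result = check_service_account(SAMPLE_POLICY, SA_EMAIL)
    print(json.dumps(result, indent=2))
```

To run it against a real organization, replace `SAMPLE_POLICY` with the output of the `gcloud organizations get-iam-policy` command and `SA_EMAIL` with the address copied in step 7; pass `write_mode=True` if you granted Organization Administrator instead of Organization Viewer.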
These steps allow you to add a GCP Organization to InsightCloudSec.
1. Sign into your InsightCloudSec account and navigate to the "Cloud --> Clouds" page.
2. Click the "Organizations" tab, then click "Add Organizations".
3. Select "GCP" from the "Cloud Type" drop-down menu.
4. Provide a nickname for the Organization. This creates a system Badge containing the nickname that can be searched or referenced throughout InsightCloudSec.
5. Paste in the JSON string credential you created on the GCP console above.
6. Select your desired Organization options as follows:
- Select the "Limit import scope" checkbox and provide Parent Folder ID(s) to only include the given folder(s) and anything underneath them.
- The "Auto-Sync Projects" checkbox is enabled by default and allows InsightCloudSec to auto-sync with Projects in your Organization. Note: if you deselect this option you will have to manually add your accounts.
- The "Auto-Remove Deleted Accounts" checkbox is enabled by default. If you want to prevent InsightCloudSec from removing accounts that are deleted from GCP, you will need to uncheck this box.
- The "Auto Badge Projects" checkbox is enabled by default and allows InsightCloudSec to auto-badge your projects.
Badging for Folders.
For GCP Organizations that have auto badging of projects enabled, all clouds corresponding with a project that does not have a parent folder will have a cloud_org_path badge with a value of '/' to signify they are at the root.
Selecting the "Auto Badge Projects" option will also provide automatic badging for Organizations that utilize folders through the new
This badge can be extremely helpful for managing scope around Insights, Bots, and the Compliance Scorecard views for organizational units and lines of business within your cloud footprint.
7. Confirm the addition of the Organization by navigating to Clouds --> Organizations.
- Your organization should be listed. Initially, the listing will show '0' accounts. After an initial harvesting cycle, you should see the correct number of associated accounts for this organization displayed.
To change the import scope to a different folder, or to remove the scope entirely, navigate to "Clouds --> Organizations". Select the pencil next to the name of the Organization you want to modify. This allows you to edit or remove the Folder ID associated with the "Limit import scope" function.
As an enhancement to its support for provider-based organizations, InsightCloudSec includes auto badging capabilities. The purpose of auto badging is to create a 1:1 map of GCP project-level labels to Badges in InsightCloudSec. This allows Clouds to be scoped to a badge that maps to the account tag.
Auto badging takes place in two stages.
1. Periodically a process retrieves tags/labels from each account/project and compares them with the ResourceTags associated with the corresponding cloud in the InsightCloudSec database.
- If any changes are detected, the ResourceTags in the database are overwritten with the values from the account/project. This means that Cloud Account tags should not be modified locally, since any local changes will be overwritten the next time the process runs. Additionally, any local changes made to Cloud Account tags are not pushed back up to the cloud provider.
2. Periodically a process retrieves all ResourceTags from the local database that are associated with the accounts managed by an organization. For each cloud, the list of tags for that cloud is compared with the current list of Badges, and for each Key/Value pair of tags:
- Existing Badges with a Key prefix of
- If the corresponding Badge with the Key/Value pair for that cloud does not already exist, it is created.
- If a tag Value changes the Badge with the corresponding Key will be updated to that value.
- If a Badge no longer has a tag with a corresponding Key, it will be deleted.
- All Badges that have a corresponding tag will have their autogenerated column set to 'true' even if they were previously set to 'false'.
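The two stages above, written out as an added example that is not InsightCloudSec's own code: stage 1 replaces the stored ResourceTags with the project's labels whenever they differ (local edits are discarded, never pushed back), and stage 2 walks the tags key by key to create, update, delete and flag Badges exactly as the list describes. The product keeps these records in its database; here they are plain dicts and a small `Badge` class, and the labels, tags and badges are constructed sample data.

```python
"""Auto badging reconciliation for one cloud account.

Added example (not Rapid7 code): stage 1 refreshes the stored ResourceTags from the
provider's project labels, stage 2 reconciles Badges against those tags. Data is kept in
plain dicts and a small Badge class; the real product stores these in its database.
"""
from dataclasses import dataclass


@dataclass
class Badge:
    key: str
    value: str
    autogenerated: bool = True


def refresh_resource_tags(stored_tags, project_labels):
    """Stage 1: overwrite the stored ResourceTags if the project's labels differ.

    Returns (tags_to_store, changed). Local edits to stored_tags are discarded, matching
    the described behaviour that local changes are overwritten and never pushed back.
    """
    if stored_tags == project_labels:
        return dict(stored_tags), False
    return dict(project_labels), True


def sync_badges(tags, badges):
    """Stage 2: reconcile the cloud's Badges with its ResourceTags key by key.

    Works on copies of the input badges; returns the new badge list and a record of
    which keys were created, updated, deleted or flagged as autogenerated.
    """
    by_key = {b.key: Badge(b.key, b.value, b.autogenerated) for b in badges}
    actions = {"created": [], "updated": [], "deleted": [], "flagged": []}
    for key, value in tags.items():
        badge = by_key.get(key)
        if badge is None:
            # No Badge for this Key/Value pair yet: create it.
            by_key[key] = Badge(key, value, autogenerated=True)
            actions["created"].append(key)
            continue
        if badge.value != value:
            # Tag value changed: update the Badge with the same Key.
            badge.value = value
            actions["updated"].append(key)
        if not badge.autogenerated:
            # A Badge with a matching tag is marked autogenerated even if it was manual.
            badge.autogenerated = True
            actions["flagged"].append(key)
    for key in [k for k in by_key if k not in tags]:
        # Badge whose Key no longer has a tag: delete it.
        del by_key[key]
        actions["deleted"].append(key)
    return list(by_key.values()), actions


def run_auto_badging(stored_tags, project_labels, badges):
    """Run both stages for one cloud account and return (tags, badges, actions)."""
    tags, _changed = refresh_resource_tags(stored_tags, project_labels)
    new_badges, actions = sync_badges(tags, badges)
    return tags, new_badges, actions


# Constructed sample: "env" was edited locally to "staging" while the project says "prod",
# "team" is a new label, and the "owner" badge has no matching label any more.
SAMPLE_PROJECT_LABELS = {"env": "prod", "team": "payments"}
SAMPLE_STORED_TAGS = {"env": "staging", "owner": "bob"}
SAMPLE_BADGES = [Badge("env", "staging", autogenerated=False), Badge("owner", "bob")]

if __name__ == "__main__":
    tags, badges, actions = run_auto_badging(SAMPLE_STORED_TAGS, SAMPLE_PROJECT_LABELS, SAMPLE_BADGES)
    print(tags)
    print(badges)
    print(actions)
```

Running it on the sample shows the consequences the text warns about: the local "staging" edit is lost, the manually created `env` badge becomes autogenerated, and the `owner` badge is deleted because its key no longer exists as a project label.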