InsightCloudSec Docs

Welcome to the InsightCloudSec Docs!

InsightCloudSec by Rapid7 (formerly DivvyCloud) is a Cloud-Native Security Platform that provides real-time analysis and automated remediation for continuous security and compliance for your multi-cloud environment.

For questions reach out to us through [email protected].

Organizations (GCP)

Integrating a GCP Organization with InsightCloudSec

You can add multiple GCP projects, known as "organizations," into InsightCloudSec. Note, this page and the functionality detailed here refer to the provider-specific organizations capability for GCP, which is managed under "Clouds --> Organizations".

This functionality should not be confused with the InsightCloudSec-specific Organizations capability that allows for multi-tenant functionality available under "System Administration --> Organizations".

Details on adding Organizations for GCP are below. For questions or issues contact us at [email protected].


Important Things To Note (Authentication & Enable API)

To authenticate against the Google Cloud Platform (GCP) API, a Service Account must be provisioned. Service Accounts can only be defined at the Project level, which is an individual account within a company's Google footprint. The steps below illustrate how to create this Service Account inside a Project and then link it to the top-level Organization. It is vital to link the Service Account; otherwise InsightCloudSec won't have visibility into the entire project/folder structure.

Enable API
Before onboarding the organization, the "Cloud Resource Manager API" must be enabled on the project that will contain the Service Account. Be sure to search for the API in the GCP console and ensure that it shows as Enabled.

You will need to have Domain Admin permissions within InsightCloudSec to work with GCP Organizations.

Steps for Adding GCP Organizations

You can add a GCP organization to InsightCloudSec, enabling automatic addition of all associated cloud accounts (projects) and badging by organizations or folder.

Setup in GCP

1. To create a service account at the project level in your Google Cloud platform, go to IAM & admin (navigation menu). Go to "Roles --> Create Role --> Add Permissions".

  • Using the Filter field, select the following permissions:
    • storage.buckets.get
    • storage.buckets.getIamPolicy
    • bigquery.tables.get
  • Click "Add".
  • Update the role's Title, Description, ID, and Role launch stage, then click "Create". We recommend a name and ID that includes InsightCloudSec so it's easier to find later.

GCP - Add Permissions

2. Select the Service Accounts submenu and then select "Create Service Account."

GCP - Create Service Account

3. Complete your service account details.

  • Give the service account a (display) name.
  • Give the service account an ID.
  • Describe the service account.
  • Select "Create."

GCP - Service Account Details

4. Grant the service account project-level permissions by selecting "Editor" or "Viewer", and add the custom role you created in Step #1 above.

GCP - Service Account Permissions

5. Add the domain name as a user for the service account, e.g.,

GCP - Service Account Domain Name/User

6. Create the key.

  • Use JSON as the key type.
  • Save the JSON key generated on "Create."
  • Select DONE.

GCP - Service Account Key

7. Click back into the service account and copy the service account email address.

GCP - Service Account Email


Store this JSON in a secure place; the JSON contains the only copy of the keys.

8. Select your organization from the top drop-down menu, then select your domain in the listing.


Make sure you switch to your Organization level here. It will not work if you go to IAM at the Project level.

GCP - Select Domain

9. To promote the service account inside the domain and grant members permissions for your GCP organization, go to the IAM submenu under IAM & admin on the navigation bar.

  • Select the Members tab.
  • Select the Add tab.
  • Paste the service account email address in the New member field.
  • Select a role for these members, describing specific permissions you wish the member to have on the entirety of the domain. The roles needed for InsightCloudSec for Organization visibility are as follows:
    • Resource Manager -> Organization Viewer (Organization Administrator if you're setting up write permissions)
    • Resource Manager -> Folder Viewer
    • IAM -> Security Reviewer
    • Project -> Viewer

10. Select Continue.

GCP - Service Account

11. Confirm your selections on the IAM & admin/IAM/Members page. In the example below, the roles selected are IAM:Security Reviewer and Resource Manager:Organization Viewer (you'll need Folder Viewer also).

GCP - Roles
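
One way to check step 11 outside the console is to audit the organization's IAM policy for the four roles listed in step 9. This is an added example, not InsightCloudSec code; it assumes the policy JSON was exported with `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json`, and the function name, service account address and sample policy are constructed for illustration.

```python
import json

# Role IDs behind the console names listed in step 9.
READ_ROLES = {
    "roles/resourcemanager.organizationViewer",  # Organization Viewer
    "roles/resourcemanager.folderViewer",        # Folder Viewer
    "roles/iam.securityReviewer",                # Security Reviewer
    "roles/viewer",                              # Project -> Viewer
}
ORG_ADMIN = "roles/resourcemanager.organizationAdmin"


def audit_org_bindings(policy, sa_email, write_access=False):
    """Return (missing, unexpected) organization-level roles for sa_email."""
    required = set(READ_ROLES)
    if write_access:
        # Step 9: Organization Administrator stands in for Organization Viewer.
        required.discard("roles/resourcemanager.organizationViewer")
        required.add(ORG_ADMIN)
    allowed = READ_ROLES | ({ORG_ADMIN} if write_access else set())
    member = f"serviceAccount:{sa_email}"
    granted = {
        b["role"]
        for b in policy.get("bindings", [])
        # Conditional bindings apply only when their condition holds, so they
        # are not counted as grants here.
        if member in b.get("members", []) and "condition" not in b
    }
    return sorted(required - granted), sorted(granted - allowed)


# Constructed sample: the service account holds only the two roles named in
# step 11; the address and the extra user are placeholders.
SA = "insightcloudsec@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/iam.securityReviewer",
   "members": ["serviceAccount:insightcloudsec@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/resourcemanager.organizationViewer",
   "members": ["serviceAccount:insightcloudsec@example-project.iam.gserviceaccount.com",
               "user:admin@example.com"]},
  {"role": "roles/resourcemanager.organizationAdmin",
   "members": ["user:admin@example.com"]}
]}
""")

if __name__ == "__main__":
    print(audit_org_bindings(SAMPLE_POLICY, SA))
```

A non-empty second list means the service account holds organization-level roles beyond those this page asks for.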

Setup in InsightCloudSec

These steps allow you to add a GCP Organization to InsightCloudSec.

1. Sign into your InsightCloudSec account and navigate to the "Cloud --> Clouds" page.

2. Click the "Organizations" tab, then click "Add Organizations".

Adding an Organization

3. Select "GCP" from the "Cloud Type" drop-down menu.

4. Provide a nickname for the Organization. This creates a system Badge containing the nickname that can be searched or referenced throughout InsightCloudSec.

5. Paste in the JSON string credential you created on the GCP console above.

6. Select your desired Organization options as follows:

  • Select the "Limit import scope" checkbox and provide Parent Folder ID(s) to only include the given folder(s) and anything underneath it.

  • The "Auto-Sync Projects" checkbox is enabled by default and allows InsightCloudSec to auto-sync with Projects in your Organization. Note: if you deselect this option you will have to manually add your accounts.

  • The "Auto-Remove Deleted Accounts" checkbox is enabled by default. If you want to prevent InsightCloudSec from removing accounts that are deleted from GCP you will need to uncheck this box.

  • The "Auto Badge Projects" is enabled by default and allows InsightCloudSec to auto-badge your projects.

Organizations Form


Badging for Folders.

For GCP Organizations that have auto badging of projects enabled, all clouds corresponding with a project that do not have a parent folder will have a cloud_org_path badge with a value of '/' to signify they are at the root.

Selecting the "Auto Badge Projects" option will also provide automatic badging for Organizations that utilize folders through the new gcp_folder badge.

This badge can be extremely helpful for managing scope around Insights, Bots, and the Compliance Scorecard views for organizational units and lines of business within your cloud footprint.

7. Confirm the addition of the Organization by navigating to "Clouds --> Organizations".

  • Your organization should be listed. Initially, the listing will show '0' accounts. After an initial harvesting cycle, you should see the correct number of associated accounts for this organization displayed.


Import Scope

To change the import scope to a different folder, or to remove the scope entirely, navigate to "Clouds --> Organizations". Select the pencil next to the name of the Organization you want to modify. This should allow you to edit or remove the Folder ID associated with the "Limit import scope" function.

Edit Organization Details

Auto Badging

As an enhancement to support for provider-based organizations, InsightCloudSec includes auto badging capabilities. The purpose of auto badging is to create a 1:1 map of GCP project-level labels to Badges in InsightCloudSec. This allows Clouds to be scoped to a badge that maps to the account tag.

Auto badging takes place in two stages.

  • Periodically a process retrieves tags/labels from each account/project and compares them with ResourceTags associated with the corresponding cloud in the InsightCloudSec database.

    • If there are any changes detected, the ResourceTags in the database are overwritten with the values from the account/project. This means that Cloud Account tags should not be locally modified, since any local changes will be overwritten the next time the process runs. Additionally, any local changes that are made to Cloud Account tags are not pushed back up to the cloud provider.
  • Periodically a process retrieves all ResourceTags from the local database that are associated with the accounts managed by an organization. For each cloud, the list of tags for that cloud is compared with the current list of Badges, and for each Key/Value pair of tags:

    • Existing Badges with a Key prefix of system. are skipped.
    • If the corresponding Badge with the Key/Value pair for that cloud does not already exist, it is created.
    • If a tag Value changes the Badge with the corresponding Key will be updated to that value.
    • If a Badge no longer has a tag with a corresponding Key, it will be deleted.
    • All Badges that have a corresponding tag will have their autogenerated column set to ‘true’ even if they were previously set to ‘false’.
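
The two stages above, sketched as an added example for one cloud; this is not InsightCloudSec's own code. The function names, the dict layout, the "adopt" action label and the sample data are hypothetical, and limiting deletion to badges already marked autogenerated is an assumption, since the page does not say how badges that never had a tag are treated.

```python
def sync_tags(provider_labels, local_tags):
    """Stage one: on any difference the provider's labels replace the local copy."""
    return dict(provider_labels) if provider_labels != local_tags else local_tags


def reconcile_badges(tags, badges):
    """Stage two for one cloud: return (resulting badges, [(action, key), ...])."""
    result, actions = {}, []
    for key, badge in badges.items():
        if key.startswith("system."):
            result[key] = dict(badge)                 # system. badges are skipped
            actions.append(("skip", key))
        elif key in tags:
            if badge["value"] != tags[key]:
                actions.append(("update", key))       # tag value changed
            elif not badge["autogenerated"]:
                actions.append(("adopt", key))        # only the flag flips
            result[key] = {"value": tags[key], "autogenerated": True}
        elif badge["autogenerated"]:
            actions.append(("delete", key))           # its tag is gone
        else:
            # Assumption: a badge that never came from a tag is left alone.
            result[key] = dict(badge)
    for key, value in tags.items():
        if key not in badges:
            result[key] = {"value": value, "autogenerated": True}
            actions.append(("create", key))
    return result, actions


# Constructed sample data; none of these keys come from a real deployment.
SAMPLE_TAGS = {"env": "prod", "team": "payments", "owner": "secops"}
SAMPLE_BADGES = {
    "system.example": {"value": "x", "autogenerated": False},
    "env": {"value": "dev", "autogenerated": True},
    "team": {"value": "payments", "autogenerated": False},
    "cost_center": {"value": "1234", "autogenerated": True},
    "reviewed": {"value": "yes", "autogenerated": False},
}

if __name__ == "__main__":
    for step in reconcile_badges(SAMPLE_TAGS, SAMPLE_BADGES)[1]:
        print(step)
```

Because a removed label deletes its badge on the next run, anything scoped to that badge (Insights, Bots, Compliance Scorecard views) loses the cloud when the label is dropped in GCP.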

Updated 15 days ago
