Permissions Required for Google Cloud Projects

AlgoSec Cloud Enterprise (ACE) comprises two distinct components, each offering a unique set of functionalities:

  • Cloud Network Security (CNS)

  • Cloud App Analyzer (CAA)

This section outlines the required and optional permissions for Google Cloud Projects necessary to fully leverage the capabilities of ACE. The table below details the permissions requested by each specified role, along with justifications for their necessity.

You can find all these permissions in the CloudFormation template.

The permissions listed below are classified according to the following key:

    READ permissions
    WRITE permissions

Important: Missing permissions can cause ACE to malfunction and lead to data inconsistencies. AlgoSec is not responsible for any issues arising from missing permissions.

Note: If you decide to stop using Cloud App Analyzer, some resources must be deleted. See Remove GCP Resources.

GCP enabled APIs and justifications

Some of the Google APIs that Cloud App Analyzer uses to perform a security assessment scan are billed for usage, and they may be disabled by default.

However, Cloud App Analyzer needs to have them enabled in order to proceed with the scan. Otherwise, the scan will be incomplete.

When Cloud App Analyzer discovers a project under the selected target that needs to be scanned, it attempts to enable the following set of APIs for that project.

Notes:

  • When using the "With script" onboarding method: APIs are automatically enabled. If you want to remove the write permission serviceusage.serviceUsageAdmin, you can do so, but you will need to manually enable the following APIs for each Project.

  • When using the "No script" onboarding method, the following APIs must be enabled for each Project before adding the Google Cloud permissions listed in the table below. For details, see Onboard Google Cloud Projects to Cloud Network Security.

Required API service   Functionality
cloudasset.googleapis.com   For Network Firewall policy: Access to this API at Organization and Project-level granularity to collect secure tags. Permissions in the list below that start with cloudasset. use this API.
cloudresourcemanager.googleapis.com   For Network Firewall policy, VPC Firewall rules, and Risks: Access to this API at Project-level granularity to retrieve project hierarchy information for Folder and Organization hierarchical policies. Permissions in the list below that start with resourcemanager. use this API.
compute.googleapis.com   For Overview of assets and security controls, Network Firewall policy, VPC Firewall rules, and Risks: Access to this API at Project-level granularity to retrieve networks, network topology (this API is also needed to identify Google Cloud VPCs in the traffic path in the ASMS map), firewalls, VM instances, subnets and more. Permissions in the list below that start with compute. use this API.
iam.googleapis.com   For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve service account information. Permissions in the list below that start with iam. use this API.
logging.googleapis.com   For Network Firewall policy and VPC Firewall rules: Access to this API at Project-level granularity so that unused rules can be flagged. Permissions in the list below that start with logging. use this API.
networksecurity.googleapis.com   For Network Firewall policy: Access to this API at Organization and Project-level granularity to collect address groups. Permissions in the list below that start with networksecurity. use this API.
storage.googleapis.com   For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve Cloud Storage bucket information. Permissions in the list below that start with storage. use this API.
spanner.googleapis.com   For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve Cloud Spanner instance information.
container.googleapis.com   For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve Kubernetes cluster information.
bigquery.googleapis.com   For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve BigQuery dataset information.
cloudkms.googleapis.com   For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve key metadata.
pubsub.googleapis.com   For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve Topics and Subscriptions information.
dns.googleapis.com   For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve Policies and Managed Zones information.
monitoring.googleapis.com   For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve alert policy information.
dataflow.googleapis.com   For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve Dataflow job information.
cloudresourcemanager.googleapis.com   For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve Organization and Project metadata.
sqladmin.googleapis.com   For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve SQL instances, users and backupRuns information.
deploymentmanager.googleapis.com   For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve deployment information.
cloudfunctions.googleapis.com   For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve deployment information.
artifactregistry.googleapis.com   For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve Artifact Registry repository information.
dataproc.googleapis.com   For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve Dataproc cluster and job information.
essentialcontacts.googleapis.com   For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve contact information.
apikeys.googleapis.com   For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve API key details and metadata.

Permissions required for Google Cloud

Permission   Permission grant level   Justification
cloudasset.assets.searchAllResources   Organization or Project   For Network Firewall policy: Permission to access the cloudasset.googleapis.com API to collect secure tag values
compute.externalVpnGateways.list   Project   For ASMS network topology map: Permission to access the compute.googleapis.com API so that it can display information about external VPN gateways
compute.firewallPolicies.list   Project   For security controls, Hierarchical policy, and Risks: Permission to access the compute.googleapis.com API to retrieve Google Cloud Firewall information
compute.firewalls.list   Project   For Overview of assets and security controls, VPC Firewall rules, and Risks: Permission to access the compute.googleapis.com API to retrieve Google Cloud VPC Firewall information
compute.instances.list   Project   For Overview of assets and security controls, Network Firewall policy, VPC Firewall rules, and Risks: Permission to access the compute.googleapis.com API to retrieve VM instance information
compute.interconnectAttachments.list   Project   For ASMS network topology map: Permission to access the compute.googleapis.com API so that it can display information about interconnect attachments
compute.interconnects.list   Project   For ASMS network topology map: Permission to access the compute.googleapis.com API so that it can display information about interconnects
compute.networks.list   Project   For Overview of assets and security controls, Network Firewall policy, VPC Firewall rules, and Risks: Permission to access the compute.googleapis.com API to retrieve VPC information
compute.projects.get   Organization or Folder   For Overview of assets and security controls, Network Firewall policy, VPC Firewall rules, and Risks: Permission to access the compute.googleapis.com API to retrieve project information
compute.regionFirewallPolicies.list   Project   For Cloud Network Security Overview of assets and security controls, Network Firewall policy, and Risks: Permission to access the compute.googleapis.com API to retrieve regional network firewall policy information
compute.routers.list   Project   For ASMS network topology map: Permission to access the compute.googleapis.com API so that it can display information about routers
compute.routes.list   Project   For ASMS network topology map: Permission to access the compute.googleapis.com API so that it can display information about routes
compute.subnetworks.list   Project   For Overview of assets and security controls, Network Firewall policy, VPC Firewall rules, and Risks: Permission to access the compute.googleapis.com API to retrieve subnet information
compute.vpnGateways.list   Project   For ASMS network topology map: Permission to access the compute.googleapis.com API so that it can display information about VPN gateways
compute.vpnTunnels.list   Project   For ASMS network topology map: Permission to access the compute.googleapis.com API so that it can display information about VPN tunnels
compute.targetVpnGateways.list   Project   For ASMS network topology map: Permission to access the compute.googleapis.com API so that it can display information about target VPN gateways
iam.serviceAccounts.list   Project   For Overview of assets and security controls, Network Firewall policy, VPC Firewall rules, and Risks: Permission to access the iam.googleapis.com API to retrieve service account information
logging.views.access   Project   For Network Firewall policy and VPC Firewall rules: Permission to access the logging.googleapis.com API to flag unused rules
networksecurity.addressGroups.list   Organization or Project   For Network Firewall policy: Permission to access the networksecurity.googleapis.com API to collect address groups
resourcemanager.folders.get   Organization or Folder   For Network Firewall policy, VPC Firewall rules, and Risks: Permission to access the cloudresourcemanager.googleapis.com API to retrieve hierarchical policy rules
resourcemanager.organizations.get   Organization or Folder   For Network Firewall policy, VPC Firewall rules, and Risks: Permission to access the cloudresourcemanager.googleapis.com API to retrieve hierarchical policy rules
resourcemanager.projects.get   Project   For Network Firewall policy, VPC Firewall rules, and Risks: Permission to access the cloudresourcemanager.googleapis.com API to retrieve project hierarchy information
resourcemanager.tagKeys.list   Organization or Project   For Network Firewall policy: Permission to access the cloudresourcemanager.googleapis.com API to collect secure tag keys
storage.buckets.list   Project   For Overview of assets and security controls: Permission to access the storage.googleapis.com API to retrieve Cloud Storage bucket information
compute.forwardingRules.list   Project   For ASMS network topology map: Permission to access the compute.googleapis.com API so that it can display information about forwarding rules
serviceusage.serviceUsageAdmin (optional)   Project   Only required for auto-onboarding using the With Script method, where it lets AlgoSec create a new service account. For onboarding without the script (Terraform or manual API onboarding), the user uses their own service account and this permission is not needed.
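Before onboarding, it is worth confirming that a project already satisfies the two tables above (required API services and required permissions) and that the role bound to the scanner's service account grants nothing beyond them. The following Python script is an added example written for this page, not AlgoSec's onboarding script or any tooling the product ships. It assumes the JSON field layout of `gcloud services list --enabled --format=json` (service identifier under `config.name`) and of `gcloud iam roles describe ROLE --project PROJECT --format=json` (permissions under `includedPermissions`); the custom role name, project number and both snapshots are constructed sample data.

```python
"""Offline pre-flight check for an ACE / Cloud App Analyzer Google Cloud onboarding.
Diffs the API services and IAM permissions listed on this page against snapshots of
`gcloud services list --enabled --format=json` and
`gcloud iam roles describe ROLE --project PROJECT --format=json` (constructed samples below)."""
import json

# Required API services (first part of the API table on this page).
REQUIRED_APIS = {
    "cloudasset.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "compute.googleapis.com",
    "iam.googleapis.com",
    "logging.googleapis.com",
    "networksecurity.googleapis.com",
    "storage.googleapis.com",
}

# Required permissions and the level at which the page says each is granted.
REQUIRED_PERMISSIONS = {
    "cloudasset.assets.searchAllResources": "Organization or Project",
    "compute.externalVpnGateways.list": "Project",
    "compute.firewallPolicies.list": "Project",
    "compute.firewalls.list": "Project",
    "compute.forwardingRules.list": "Project",
    "compute.instances.list": "Project",
    "compute.interconnectAttachments.list": "Project",
    "compute.interconnects.list": "Project",
    "compute.networks.list": "Project",
    "compute.projects.get": "Organization or Folder",
    "compute.regionFirewallPolicies.list": "Project",
    "compute.routers.list": "Project",
    "compute.routes.list": "Project",
    "compute.subnetworks.list": "Project",
    "compute.targetVpnGateways.list": "Project",
    "compute.vpnGateways.list": "Project",
    "compute.vpnTunnels.list": "Project",
    "iam.serviceAccounts.list": "Project",
    "logging.views.access": "Project",
    "networksecurity.addressGroups.list": "Organization or Project",
    "resourcemanager.folders.get": "Organization or Folder",
    "resourcemanager.organizations.get": "Organization or Folder",
    "resourcemanager.projects.get": "Project",
    "resourcemanager.tagKeys.list": "Organization or Project",
    "storage.buckets.list": "Project",
}

# Write permission the page marks optional: only needed for "With script" onboarding.
OPTIONAL_WRITE_PERMISSIONS = {"serviceusage.serviceUsageAdmin"}


def missing_apis(enabled_services_json: str) -> set[str]:
    """Required API services that are not enabled; each item of the gcloud
    output carries the service identifier in config.name."""
    enabled = {svc["config"]["name"] for svc in json.loads(enabled_services_json)}
    return REQUIRED_APIS - enabled


def audit_role(role_json: str) -> dict:
    """Diff a custom role's includedPermissions against the page's list:
    missing -> the scan will be incomplete; unexpected -> least-privilege drift
    (anything not on the list, write permissions in particular);
    optional_write_present -> serviceUsageAdmin still granted after onboarding."""
    granted = set(json.loads(role_json).get("includedPermissions", []))
    required = set(REQUIRED_PERMISSIONS)
    return {
        "missing": {p: REQUIRED_PERMISSIONS[p] for p in sorted(required - granted)},
        "unexpected": sorted(granted - required - OPTIONAL_WRITE_PERMISSIONS),
        "optional_write_present": sorted(granted & OPTIONAL_WRITE_PERMISSIONS),
    }


# Constructed sample snapshots in the shape of the gcloud JSON output (fake project number).
SAMPLE_ENABLED_SERVICES = json.dumps([
    {"config": {"name": name, "title": name}, "state": "ENABLED",
     "name": f"projects/000000000000/services/{name}"}
    for name in sorted(REQUIRED_APIS - {"logging.googleapis.com"})  # logging left disabled
])

SAMPLE_ROLE = json.dumps({
    "name": "projects/example-project/roles/aceScanner",  # hypothetical custom role
    "title": "ACE scanner (sample)",
    "includedPermissions": sorted(
        (set(REQUIRED_PERMISSIONS) - {"compute.routes.list"})          # one read permission forgotten
        | {"compute.firewalls.create", "serviceusage.serviceUsageAdmin"}  # drift plus the optional write
    ),
})


if __name__ == "__main__":
    print("Missing APIs:", sorted(missing_apis(SAMPLE_ENABLED_SERVICES)))
    for finding, perms in audit_role(SAMPLE_ROLE).items():
        print(f"{finding}: {perms}")
```

Run against real snapshots by redirecting the two gcloud commands to files and passing their contents to `missing_apis` and `audit_role`; an empty "missing" dict and an empty "unexpected" list is the state to aim for, and "optional_write_present" should be empty once With-script onboarding has finished and serviceusage.serviceUsageAdmin has been removed.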

List of roles added to the selected target

In addition to the project, the Cloud App Analyzer web application also asks the user to specify an onboarding target. If the user onboards a single project, that project's ID is the target.

If the user onboards multiple projects, the selected target will be an organization or a folder that is a parent to other projects.

During onboarding, Cloud App Analyzer adds the following roles to the selected onboarding target:

Role name   Role title   Justification
roles/browser   Browser   Access to browse the hierarchy for a project, including the folder, organization, and allow policy
roles/viewer   Viewer   Access for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data
roles/essentialcontacts.viewer   Essential Contacts Viewer   Access to list essential contacts for the organization
roles/iam.securityReviewer   Security Reviewer   Access to list all resources and read their policies
compute.forwardingRules.list   Forwarding rule viewer   Access to list GCP forwarding rules
serviceusage.serviceUsageConsumer   Service Usage Consumer   Access to inspect service states and operations, and consume quota and billing for a consumer project
roles/monitoring.editor   Monitoring Editor   Access to enable APIs in the projects (see Permissions Required for Google Cloud Projects)
roles/iam.serviceAccountTokenCreator   Service Account Token Creator   Access to impersonate the Cloud App Analyzer service account, required by the Cloud App Analyzer cloud security assessment scanner

CD mitigation roles

Note: These roles are part of the ACE Cloud App Analyzer GCP onboarding script. If the CD Mitigation feature is not required, these roles need to be manually removed.

Once a new image is pushed to the repository and binary authorization is enabled, it can only be deployed to GCP services if it has valid signatures from authorized attestors. In this setup, ACE is configured as an attestor and will sign the image after it passes the Cloud App Analyzer scanner’s security checks.

Role name   Role title   Justification
binaryauthorization.policyEditor   Policy Editor   Access to edit Binary Authorization Policy
containeranalysis.occurrences.editor   Occurrences Editor   Access to edit Container Analysis Occurrences
containeranalysis.notes.attacher   Notes Attacher   Access to attach Container Analysis Occurrences to Notes
cloudkms.signer   Signer   Access to enable Sign operations

Service Account

During onboarding, Cloud App Analyzer asks the user to specify a project where the service account for Cloud App Analyzer can be created.

The details of the created service account are:

  • Name: prevasio-<######>-cspm

    <#####> is a random five-digit hash

  • Display name: Prevasio CSPM

  • Email: prevasio-<######>-cspm@[PROJECT_ID].iam.gserviceaccount.com

    where [PROJECT_ID] is an ID of the selected GCP project.

In order to create the service account, Cloud App Analyzer ensures that the selected project is billable.