Permissions Required for Google Cloud Projects
AlgoSec Cloud Enterprise (ACE) comprises two distinct components, each offering a unique set of functionalities:
- Cloud Network Security (CNS)
- Cloud App Analyzer (CAA)
This section outlines the required and optional permissions for Google Cloud Projects necessary to fully leverage the capabilities of ACE. The table below details the permissions requested by each specified role, along with justifications for their necessity.
You can find all these permissions in the CloudFormation template.
The permissions listed below are classified by type as either READ permissions or WRITE permissions.
Important: Missing permissions can cause ACE to malfunction and lead to data inconsistencies. AlgoSec is not responsible for any issues arising from missing permissions.
Note: If you decide to stop using Cloud App Analyzer, some resources must be deleted. See Remove GCP Resources.
GCP enabled APIs and justifications
Some of the Google APIs that Cloud App Analyzer uses to perform a security assessment scan are billed for usage, and they may be disabled by default.
However, Cloud App Analyzer needs them enabled in order to proceed with the scan. Otherwise, the scan will be incomplete.
When Cloud App Analyzer discovers a project under the selected target that needs to be scanned, it attempts to enable the following set of APIs for that project.
Notes:
- When using the "With script" onboarding method, the APIs are enabled automatically. You may remove the write permission serviceusage.serviceUsageAdmin, but then you will need to enable the following APIs manually for each Project.
- When using the "No script" onboarding method, the following APIs must be enabled for each Project before adding the Google Cloud permissions listed in the table below. For details, see Onboard Google Cloud Projects to Cloud Network Security.
| Required API service | Functionality |
|---|---|
| cloudasset.googleapis.com | For Network Firewall policy: Access to this API at Organization- and Project-level granularity to collect secure tags. See the permissions list below. Permissions that start with cloudasset. use this API. |
| cloudresourcemanager.googleapis.com | For Network Firewall policy, VPC Firewall rules, and Risks: Access to this API at Project-level granularity to retrieve project hierarchy information for Folder and Organization hierarchical policies. See the permissions list below. Permissions that start with resourcemanager. use this API. |
| compute.googleapis.com | For Overview of assets and security controls, Network Firewall policy, VPC Firewall rules, and Risks: Access to this API at Project-level granularity to retrieve networks, network topology (this API is also needed to identify Google Cloud VPCs in the traffic path on the ASMS map), firewalls, VM instances, subnets and more. See the permissions list below. Permissions that start with compute. use this API. |
| iam.googleapis.com | For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve service account information. See the permissions list below. Permissions that start with iam. use this API. |
| logging.googleapis.com | For Network Firewall policy and VPC Firewall rules: Access to this API at Project-level granularity so that unused rules can be flagged. See the permissions list below. Permissions that start with logging. use this API. |
| networksecurity.googleapis.com | For Network Firewall policy: Access to this API at Organization- and Project-level granularity to collect address groups. See the permissions list below. Permissions that start with networksecurity. use this API. |
| storage.googleapis.com | For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve Cloud Storage bucket information. See the permissions list below. Permissions that start with storage. use this API. |
| spanner.googleapis.com | For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve Cloud Spanner instance information. |
| container.googleapis.com | For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve Kubernetes cluster information. |
| bigquery.googleapis.com | For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve BigQuery dataset information. |
| cloudkms.googleapis.com | For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve key metadata. |
| pubsub.googleapis.com | For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve topic and subscription information. |
| dns.googleapis.com | For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve policy and managed zone information. |
| monitoring.googleapis.com | For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve alert policy information. |
| dataflow.googleapis.com | For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve Dataflow job information. |
| cloudresourcemanager.googleapis.com | For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve Organization and Project metadata. |
| sqladmin.googleapis.com | For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve SQL instance, user and backupRuns information. |
| deploymentmanager.googleapis.com | For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve deployment information. |
| cloudfunctions.googleapis.com | For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve deployment information. |
| artifactregistry.googleapis.com | For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve Artifact Registry repository information. |
| dataproc.googleapis.com | For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve Dataproc cluster and job information. |
| essentialcontacts.googleapis.com | For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve contact information. |
| apikeys.googleapis.com | For Overview of assets and security controls: Access to this API at Project-level granularity to retrieve API key details and metadata. |
Permissions required for Google Cloud
| Type | Permission | Permission grant level | Justification |
|---|---|---|---|
| READ | cloudasset.assets.searchAllResources | Organization or Project | For Network Firewall policy: Permission to access the cloudasset.googleapis.com API to collect secure tag values |
| READ | compute.externalVpnGateways.list | Project | For ASMS network topology map: Permission to access the compute.googleapis.com API so that it can display information about external VPN gateways |
| READ | compute.firewallPolicies.list | Project | For security controls, Hierarchical policy, and Risks: Permission to access the compute.googleapis.com API to retrieve Google Cloud Firewall information |
| READ | compute.firewalls.list | Project | For Overview of assets and security controls, VPC Firewall rules, and Risks: Permission to access the compute.googleapis.com API to retrieve Google Cloud VPC Firewall information |
| READ | compute.instances.list | Project | For Overview of assets and security controls, Network Firewall policy, VPC Firewall rules, and Risks: Permission to access the compute.googleapis.com API to retrieve VM instance information |
| READ | compute.interconnectAttachments.list | Project | For ASMS network topology map: Permission to access the compute.googleapis.com API so that it can display information about interconnect attachments |
| READ | compute.interconnects.list | Project | For ASMS network topology map: Permission to access the compute.googleapis.com API so that it can display information about interconnects |
| READ | compute.networks.list | Project | For Overview of assets and security controls, Network Firewall policy, VPC Firewall rules, and Risks: Permission to access the compute.googleapis.com API to retrieve VPC information |
| READ | compute.projects.get | Organization or Folder | For Overview of assets and security controls, Network Firewall policy, VPC Firewall rules, and Risks: Permission to access the compute.googleapis.com API to retrieve project information |
| READ | compute.regionFirewallPolicies.list | Project | For Cloud Network Security Overview of assets and security controls, Network Firewall policy, and Risks: Permission to access the compute.googleapis.com API to retrieve regional network firewall policy information |
| READ | compute.routers.list | Project | For ASMS network topology map: Permission to access the compute.googleapis.com API so that it can display information about routers |
| READ | compute.routes.list | Project | For ASMS network topology map: Permission to access the compute.googleapis.com API so that it can display information about routes |
| READ | compute.subnetworks.list | Project | For Overview of assets and security controls, Network Firewall policy, VPC Firewall rules, and Risks: Permission to access the compute.googleapis.com API to retrieve subnet information |
| READ | compute.vpnGateways.list | Project | For ASMS network topology map: Permission to access the compute.googleapis.com API so that it can display information about VPN gateways |
| READ | compute.vpnTunnels.list | Project | For ASMS network topology map: Permission to access the compute.googleapis.com API so that it can display information about VPN tunnels |
| READ | compute.targetVpnGateways.list | Project | For ASMS network topology map: Permission to access the compute.googleapis.com API so that it can display information about target VPN gateways |
| READ | iam.serviceAccounts.list | Project | For Overview of assets and security controls, Network Firewall policy, VPC Firewall rules, and Risks: Permission to access the iam.googleapis.com API to retrieve service account information |
| READ | logging.views.access | Project | For Network Firewall policy and VPC Firewall rules: Permission to access the logging.googleapis.com API to flag unused rules |
| READ | networksecurity.addressGroups.list | Organization or Project | For Network Firewall policy: Permission to access the networksecurity.googleapis.com API to collect address groups |
| READ | resourcemanager.folders.get | Organization or Folder | For Network Firewall policy, VPC Firewall rules, and Risks: Permission to access the cloudresourcemanager.googleapis.com API to retrieve hierarchical policy rules |
| READ | resourcemanager.organizations.get | Organization or Folder | For Network Firewall policy, VPC Firewall rules, and Risks: Permission to access the cloudresourcemanager.googleapis.com API to retrieve hierarchical policy rules |
| READ | resourcemanager.projects.get | Project | For Network Firewall policy, VPC Firewall rules, and Risks: Permission to access the cloudresourcemanager.googleapis.com API to retrieve project hierarchy information |
| READ | resourcemanager.tagKeys.list | Organization or Project | For Network Firewall policy: Permission to access the cloudresourcemanager.googleapis.com API to collect secure tag keys |
| READ | storage.buckets.list | Project | For Overview of assets and security controls: Permission to access the storage.googleapis.com API to retrieve Cloud Storage bucket information |
| READ | compute.forwardingRules.list | Project | For ASMS network topology map: Permission to access the compute.googleapis.com API so that it can display information about forwarding rules |
| WRITE | serviceusage.serviceUsageAdmin (optional; only required for auto-onboarding using the With Script method) | Project | This permission is only required for auto-onboarding using the With Script method, to grant AlgoSec permission to create a new service account. For onboarding without the script (via Terraform or manual API onboarding), the user uses their own service account and this permission is not needed. |
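A pre-flight check for the "No script" onboarding path, added here as an example and not part of AlgoSec's tooling: it diffs the required APIs and permissions from the two tables above against exported API responses and reports what is still missing, grouped by grant level. It assumes you export `gcloud services list --enabled --format=json` (entries carry `config.name`) and a Resource Manager `projects.testIamPermissions` response yourself; the optional serviceusage.serviceUsageAdmin write permission is deliberately left out of the required set.

```python
"""Pre-flight check (added example, not AlgoSec's code) for the Google Cloud
APIs and permissions listed on this page. Inputs are assumed to come from
`gcloud services list --enabled --format=json` and from a Resource Manager
`testIamPermissions` response, i.e. {"permissions": [...]}."""
import json

# Required API services from the "GCP enabled APIs" table above (CNS scope).
REQUIRED_APIS = (
    "cloudasset.googleapis.com", "cloudresourcemanager.googleapis.com",
    "compute.googleapis.com", "iam.googleapis.com", "logging.googleapis.com",
    "networksecurity.googleapis.com", "storage.googleapis.com",
)

# Required (read) permissions from the table above, keyed by grant level.
REQUIRED_PERMISSIONS = {
    "Project": (
        "compute.externalVpnGateways.list", "compute.firewallPolicies.list",
        "compute.firewalls.list", "compute.forwardingRules.list",
        "compute.instances.list", "compute.interconnectAttachments.list",
        "compute.interconnects.list", "compute.networks.list",
        "compute.regionFirewallPolicies.list", "compute.routers.list",
        "compute.routes.list", "compute.subnetworks.list",
        "compute.targetVpnGateways.list", "compute.vpnGateways.list",
        "compute.vpnTunnels.list", "iam.serviceAccounts.list",
        "logging.views.access", "resourcemanager.projects.get",
        "storage.buckets.list",
    ),
    "Organization or Project": (
        "cloudasset.assets.searchAllResources",
        "networksecurity.addressGroups.list", "resourcemanager.tagKeys.list",
    ),
    "Organization or Folder": (
        "compute.projects.get", "resourcemanager.folders.get",
        "resourcemanager.organizations.get",
    ),
}


def missing_apis(services_json):
    """Required APIs absent from a `gcloud services list --enabled` export."""
    enabled = {svc["config"]["name"] for svc in json.loads(services_json)}
    return sorted(api for api in REQUIRED_APIS if api not in enabled)


def missing_permissions(test_iam_json):
    """Map grant level -> required permissions the tested principal lacks."""
    granted = set(json.loads(test_iam_json).get("permissions", []))
    return {level: sorted(p for p in perms if p not in granted)
            for level, perms in REQUIRED_PERMISSIONS.items()
            if not granted.issuperset(perms)}
```

Run `missing_permissions` once per grant level against the matching resource (project, folder or organization), since `testIamPermissions` only answers for the resource it is called on.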
List of roles added to the selected target
In addition to the project, the Cloud App Analyzer web application also asks the user to specify an onboarding target. If the user onboards a single project, that project's ID is the target.
If the user onboards multiple projects, the selected target is an organization or a folder that is a parent of the other projects.
During onboarding, Cloud App Analyzer adds the following roles to the selected onboarding target:
| Role name | Role title | Justification |
|---|---|---|
| roles/browser | | Access to browse the hierarchy for a project, including the folder, organization, and allow policy |
| roles/viewer | | Access for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data |
| roles/essentialcontacts.viewer | | Access to list essential contacts for the organization |
| roles/iam.securityReviewer | | Access to list all resources and read their policies |
| compute.forwardingRules.list | Forwarding rule viewer | Access to list GCP forwarding rules |
| serviceusage.serviceUsageConsumer | Service User Consumer | Access to inspect service states and operations, and to consume quota and billing for a consumer project |
| roles/monitoring.editor | | Access to enable APIs in the projects (see Permissions Required for Google Cloud Projects) |
| roles/iam.serviceAccountTokenCreator | | Access to impersonate the Cloud App Analyzer service account, required by the Cloud App Analyzer cloud security assessment scanner |
CD mitigation roles
Note: These roles are part of the ACE Cloud App Analyzer GCP onboarding script. If the CD Mitigation feature is not required, these roles must be removed manually.
Once a new image is pushed to the repository and Binary Authorization is enabled, the image can only be deployed to GCP services if it carries valid signatures from authorized attestors. In this setup, ACE is configured as an attestor and signs the image after it passes the Cloud App Analyzer scanner's security checks.
| Role name | Role title | Justification |
|---|---|---|
| binaryauthorization.policyEditor | Policy Editor | Access to edit the Binary Authorization policy |
| containeranalysis.occurrences.editor | Occurrences Editor | Access to edit Container Analysis occurrences |
| containeranalysis.notes.attacher | Notes Attacher | Access to attach Container Analysis occurrences to notes |
| cloudkms.signer | Signer | Access to perform Sign operations |
Service Account
During onboarding, Cloud App Analyzer asks the user to specify a project in which the service account for Cloud App Analyzer can be created.
The details of the created service account are:
- Name: prevasio-<######>-cspm, where <#####> is a random five-digit hash
- Display name: Prevasio CSPM
- Email: prevasio-<######>-cspm@[PROJECT_ID].iam.gserviceaccount.com, where [PROJECT_ID] is the ID of the selected GCP project
In order to create the service account, Cloud App Analyzer checks that the selected project is billable.