Onboard Google Cloud Projects to Cloud Network Security

This topic describes how to add Google Cloud projects to ACE Cloud Network Security.

Note: AlgoSec only needs   READ   permissions to provide support for your GCP security policy management. This requirement ensures you can receive complete security analysis and recommendations while granting the minimal level of access.

For details about required permissions, see Permissions required for Google Cloud

You can choose from the following four onboarding methods to add new Google Cloud Projects:

  • With script - Uses scripts to onboard Google Cloud resources. Changes to projects in Google Cloud after onboarding are automatically synced to ACE Cloud Network Security.

  • No script - Onboard Google Cloud resources without using scripts. Changes to projects in Google Cloud after onboarding are automatically synced to ACE Cloud Network Security.

  • API (single account) - Onboard a single project. Changes to the projects after onboarding are not synced.

  • Terraform - Leverage Terraform, the infrastructure-as-code solution, for onboarding your Google Cloud projects into ACE Cloud Network Security. Changes to projects in Google Cloud after onboarding are automatically synced to ACE Cloud Network Security.

Notes:

  • To add projects to ACE Cloud Network Security, you need Google Cloud service account credentials.

  • Onboarding means giving access to ACE to collect data from your Google Cloud projects. To stop data collection (delete your project), you must withdraw access to ACE by revoking the ACE permissions within your cloud vendor environment.

  • Project IDs must be unique across all organizations for the onboarding process to complete successfully.

  • Any changes to projects in an onboarded Google Cloud folder or organization will automatically sync with ACE Cloud Network Security once every hour.

Note: For more information about the GCP onboarding script, see Cloud Network Security Google Onboarding Script.

Before you start

To connect a Google Cloud project that is managed by an organization, make sure you are logged on to Google Cloud console.

Access the Onboarding wizard

Do the following:

  1. In the ACE Settings area, click ONBOARDING.

    On the Onboarding Managment page that opens, click +Onboard.

  2. If you are onboarding your first account, click the New Cloud Account button on the welcome page.

  3. Otherwise, click the Google Cloud button and click Next.

    The Google Cloud Onboarding wizard appears.

  4. Select your preferred method to onboard using the Select Onboarding Method dropdown.

    *Automatically syncs changes to projects from Google Cloud to ACE after onboarding.
    Onboarding Method Description Automatic sync*
    With script Uses scripts to onboard Google Cloud resources Yes
    No script Onboard Google Cloud resources without using scripts Yes
    API (single account) Onboard a single Google Cloud via API No
    Terraform Onboard Google Cloud resources using Terraform Yes

  5. Onboard Google Cloud resources using your preferred method:

    Do the following:

    1. In the Onboarding wizard for Google Cloud, from the Select Onboarding Method dropdown, select With script to select the onboarding method using scripts.

    2. The Google Cloud Projects Onboarding wizard is displayed.

    3. In the Access Project ID field, input an Access Project ID using one of the following methods:

      • From the dropdown: Select an existing Google Cloud Project ID to grant access to the Google Cloud resource. ACE will have access to the previous resources and the new resource.

      • Enter a new Access Project ID into the field: The project is used to establish access to the Google Cloud resources.

      Warning: Changing the Access Project ID for an already onboarded organization resets its onboarded data.

    4. (Optional) In the Onboarding resource ID field, enter the ID of the project, folder, or organization root to onboard.

      Note: When this field is left blank, ACE will onboard the project you entered in the Access project ID field.

    5. Complete the onboarding using one of the following methods:

      1. To open a Cloud Shell session directly from the ACE interface:

        1. Click Copy & Launch Shell.

          The Cloud Shell command is automatically copied into the system memory and the browser opens a new tab with the Google Cloud Shell displayed.

          Important: Before clicking Copy & Launch Shell, make sure no Google Cloud Shell terminals are already open to avoid "Billing not found" errors.

        2. Paste the Cloud Shell command from system memory (Ctrl-Shift-V) and press Enter.

          The Authorize Cloud Shell confirmation window appears.

        3. Click AUTHORIZE.

          An onboarding script runs in the Cloud Shell. This script creates an access project and automates all the steps necessary to onboard the resource(s) to ACE.

        4. When the script finishes, press Ctrl-D to close the terminal.

          The ACE Onboarding Management page displays the newly onboarded resources.

          Note: It may take up to an hour for Google Cloud to sync with ACE.

      2. (Alternative method) If you don't want to open a Cloud Shell session directly from the ACE interface, you can run bash locally using a proxy:

        1. Click Copy to copy the Cloud Shell command.

          Note: The command generates an unreadable script. Expand the example below to see the readable version of the script:

          Copy 
          #!/bin/bash
          #Algosec's onboarding URL
          CF_ONBOARDING_URL='https://cloudflow.algosec.com/cloudflow/api/admin/v1/onboarding/gcp'
          #Token
          TOKEN='Bearer XXXX'
          ENV='prod'
          #Define a working project where a service account would be created
          PROJECT_ID='gcp-pm-cf-demo-01'
          PROJECT_ID=($(echo $PROJECT_ID | tr -d '\n'))
          #Define a target project/folder/organization would be onboarded into CloudFlow
          TARGET_RESOURCE='0123456789012'
          TARGET_RESOURCE=($(echo $TARGET_RESOURCE | tr -d '\n'))

          SERVICE_ACCOUNT_NAME_PREFIX="cloudflow-sa"
          SERVICE_ACCOUNT_NAME="$SERVICE_ACCOUNT_NAME_PREFIX-$ENV"

        2. Paste and run the script in your alternative shell to complete onboarding the subscription(s).

          The ACE Onboarding Management page displays the newly onboarded resources.

          Note: It may take up to an hour for Google Cloud to sync with ACE.

    Requires ACE read-only access

    You can onboard Google Cloud Projects without using a script if your system does not support using scripts.

    Do the following:

    1. Log in to the https://console.cloud.google.com/ as a user with the following permissions:

      1. Organization Role Administrator or  IAM Role Administrator

      2. Organization Policy Administrator

    2. Enable the required APIs for your project:

      1. Click the project dropdown from the menu and choose your current project in the popup window that opens.

        In this example, the project is called RnD-GCP-Project.

      2. Click APIs & Services in the navigation menu.

        The APIs & Services page opens.

      3. Click +ENABLE APIS & SERVICES at the top of the screen.

        The Welcome to the API Library screen opens.

      4. Search for Compute Engine API and make sure it is enabled.

      5. Repeat the previous step for

        1. Identity and Access Management (IAM) API

        2. Cloud Storage API

        3. Cloud Resource Manager API

        4. Cloud Logging API

        Note: For a details about required permissions see Permissions required for Google Cloud

    3. Add a Service Account:

      1. Select APIs & Services > Credentials in the navigation menu.

        The Credentials screen opens.

      2. Click on +CREATE CREDENTIALS and select Service account from the dropdown list.

      3. In the Service account name field enter "ACE-account" and click CREATE AND CONTINUE.

      4. Click the Select a role dropdown and scroll to Project with the role Viewer.

        Note: For the list of the Viewer role permissions see the Roles ID column in Permissions required for Google Cloud .

      5. Click CONTINUE to save your changes. (Do not click DONE until you see a checkmark next to Grant this service account access to project).

      6. Click DONE.

      7. Copy the created Service Account email to use it later in Step 6b.

    4. Export the Service Account credentials as a JSON file:

      1. On the Credentials page, click on the Service Account email link for the ACE account.

        The ACE account page opens.

      2. Select the KEYS tab. Click ADD KEY, and choose Create new key.

        The Create Private Key for ACE-account dialog appears.

      3. Select JSON for Key type and then click CREATE.

        The JSON file is downloaded to your computer. You will use this file in Step 8.

        This is an example of the Service Account credentials in a JSON file:

        Note: Your browser may block downloading the file. See the URL box for notifications.

    5. Create custom role with required permissions for your organization

      1. Select Roles located under IAM & Admin in the navigation menu.

      2. Click the project dropdown from the menu and choose your organization in the popup window that opens.

      3. Click +CREATE ROLE. The Create Role screen opens.

      4. Enter the role Title and ID and then click +ADD PERMISSIONS.

        In the example below, Title is "Inherited Policy Viewer" and ID is "InheritedPolicyViewer".

        The Add permissions window opens.

      5. In the Enter property name or value field enter compute.firewallPolicies.list.

      6. Choose the matching string from the list, click the checkbox to activate it and press ADD.

      7. Repeat steps d through f for

        • resourcemanager.folders.get

        • resourcemanager.organizations.get

        • storage.buckets.list

        Note: For a details about required permissions see Permissions required for Google Cloud

      8. Click CREATE to complete the role creation process.

    6. Assign the required role to the Service Account:

      1. Select IAM located under IAM & Admin in the navigation menu and then click GRANT ACCESS or ADD.

        The Add principals screen opens.

      2. Paste the Service Account email you copied from Step 3g into the New principals field and then choose it from the dropdown.

      3. Click Select a role

      4. In the Quick Access area on the left side of the dialog window choose Custom. Click on the inherited role name you created in Step 5d.

      5. From the left side of the filter dialog window choose Compute Engine. From the right side select Compute Viewer.

      6. Click SAVE. The policy is updated.

    1. From the ACE GPS Onboarding wizard, from the Select Onboarding Method, select No script.

    2. Input the Organization ID and Service Account Key into the appropriate fields. (The Service Account Key is stored in the JSON file that was downloaded in Step 4c.)

    3. Click Onboard to complete the onboarding process.

    You can use API calls to add a single Google Cloud project to ACE.

    Note: Any changes to a project after onboarding are not synced with ACE. To delete one or more manually added accounts, see Offboard Google Cloud projects from ACE

    Do the following:

    1. Go to the page Add a subscription/project.

    2. Click on the tab For Google Cloud Project.

      The instructions for onboarding a Google Cloud Project using API appears.

    3. Follow the instructions on the page.

    You can leverage Terraform, the infrastructure-as-code solution, as another option for onboarding your Google Cloud projects into ACE.

    Do the following:

    Integrate the code below into your Terraform toolkit. Make the following parameter value replacements in the Locals section:

    Parameter Description Notes 
    cf_auth_url

    URL to authorize ACE

    • For US use: 

      https://us.app.algosec.com/api/algosaas/auth/v1/access-keys/login

    • For EMEA use: 

      https://eu.app.algosec.com/api/algosaas/auth/v1/access-keys/login

    • For ANZ use: 

      https://anz.app.algosec.com/api/algosaas/auth/v1/access-keys/login

    • For ME use: 

      https://me.app.algosec.com/api/algosaas/auth/v1/access-keys/login

    • For UAE use: 

      https://uae.app.algosec.com/api/algosaas/auth/v1/access-keys/login

    • For IND use: 

      https://ind.app.algosec.com/api/algosaas/auth/v1/access-keys/login

    • For SGP use: 

    • https://sgp.app.algosec.com/api/algosaas/auth/v1/access-keys/login
    		 
    cf_url

    URL to onboard Google Cloud Project

    • For US use: 

      https://api.cloudflow.us.app.algosec.com/cloudflow/api/admin/v1/onboarding/gcp

    • For EMEA use: 

      https://api.cloudflow.eu.app.algosec.com/cloudflow/api/admin/v1/onboarding/gcp

    • For ANZ use: 

      https://api.cloudflow.anz.app.algosec.com/cloudflow/api/admin/v1/onboarding/gcp

    • For ME use: 

      https://api.cloudflow.me.app.algosec.com/cloudflow/api/admin/v1/onboarding/aws/api

    • For UAE use: 

      https://api.cloudflow.uae.app.algosec.com/cloudflow/api/admin/v1/onboarding/aws/api

    • For IND use: 

      https://api.cloudflow.ind.app.algosec.com/cloudflow/api/admin/v1/onboarding/aws/api

    • For SGP use: 

      https://api.cloudflow.sgp.app.algosec.com/cloudflow/api/admin/v1/onboarding/aws/api
    		 
    tenantId

    Your ACE Tenant ID

    		   
    clientId

    Client ID

    		 This is part of Access Key details. In ACE, go to Access Management > API ACCESS tab. Create a new API Access Key or use an existing one. See here. 
    clientSecret

    Client Secret of the API Access Key

    		 This is part of Access Key details. In ACE, go to Access Management > API ACCESS tab. Create a new API Access Key or use an existing one. See here. 
    organizationId

    Organization ID

    		   
    projectId

    Project ID

    		   
    saId

    Service Account ID

    		  
    Copy 
    locals {
      cfAuthUrl       = "https://stage.app.algosec.com/api/algosaas/auth/v1/access-keys/login"
      cfUrl            = "https://api.cloudflow.stage.app.algosec.com/cloudflow/api/admin/v1/onboarding/gcp"
      tenantId        = "xxxxxxxxxxxxxxxxxxxxxxxx"
      clientId           = "xxxxxxxxxxxxxxxxxxxxxxxx"
      clientSecret    = "xxxxxxxxxxxxxxxxxxxxxxxx"
      organizationId  = "xxxxxxxxxxxxxxxxxxxxxxxx"
      projectId       = "xxxxxxxxxxxxxxxxxxxxxxxx"
      saId            = "xxxxxxxxxxxxxxxxxxxxxxxx"
    }

    resource "google_service_account_key" "cf-key" {
      service_account_id = "projects/${local.projectId}/serviceAccounts/${local.saId}"
    }

    data "http" "cf_auth" {
      url             = local.cfAuthUrl
      method          = "POST"
      # Optional request headers
      request_headers = {
        Accept = "application/json"
      }
      
      request_body = jsonencode({
        tenantId : local.tenantId, clientId : local.clientId, clientSecret : local.clientSecret
      })

      lifecycle {
        postcondition {
          condition     = contains([200, 201, 204], self.status_code)
          error_message = "Authorization failed"
        }
      }
    }

    locals {
      auth_response = jsondecode(data.http.cf_auth.response_body)
      auth_token    = local.auth_response.access_token
    }

    data "http" "cf_onboard_account" {
      url             = local.cfUrl
      method          = "POST"
      # Optional request headers

      request_headers = {
        Accept        = "application/json"
        Authorization = "Bearer ${local.auth_token}"
      }

      request_body = jsonencode({
        data : google_service_account_key.cf-key.private_key,
        organization_id : local.organizationId,
        event : {
            RequestType : "Create"
          }
        })

      lifecycle {
        postcondition {
          condition     = contains([200, 201, 204], self.status_code)
          error_message = "Onboarding process failed"
        }
      }
    }

Permissions required for Google Cloud

Notes:

  • When using the "With script" onboarding method: APIs are automatically enabled. If you want to remove the write permission serviceusage.serviceUsageAdmin, you can do so, but you will need to manually enable the following APIs for each Project.

  • When using the "No script" onboarding method, the following APIs must be enabled for each Project before adding the Google Cloud permissions listed in the table below. For details, see Step 2 in To Onboard Google Cloud resources | No script.

Important: Missing permissions can cause ACE to malfunction and lead to data inconsistencies. AlgoSec is not responsible for any issues arising from missing permissions.

See Permissions Required for Google Cloud Projects.

Enable Google Cloud logs

By enabling Google Cloud logs, ACE can retrieve and analyze logs. This provides data, shown on the Risks page and Network Policy page, such as the date each rule was last used.

Do the following:

  1. In the Google Cloud console, select VPC network > Firewall.

  2. Click the firewall selector at the top of the page.

    The Select From dialog appears.

  3. Select the firewall whose rules you want to log.

  4. Select the rules.

    1. Use the checkbox to the left of the rule name to select individual rules. To select all rules in the project, click the checkbox in the header. Then click CONFIGURE LOGS.

    2. In the popup that appears, select On. Then click SAVE CONFIGURATION.

    Note: Traffic logs for rules in hierarchical policies are only collected for projects that have been onboarded to ACE.

    Note: Each rule in a hierarchical policy must be edited separately.

    1. Click the Priority number of the rule

    2. Click EDIT.

    3. Under Logs, select On. Scroll to the bottom and click SAVE.

Offboard Google Cloud projects from ACE

You can offboard Google Cloud projects from ACE with the following methods:

Do the following:

  1. Navigate to the Google Cloud Console and select IAM from the navigation menu.

  2. Select the project / folder / organization you want to offboard.

    • To remove all projects, select Organization

    • To remove all projects from within a folder, select Folder

    • To remove a specific project, select the Project.

  3. Use the Filter to search for the access project.

  4. Select the access project you want to remove and then click Remove Access.

    A confirmation window appears.

  5. Click CONFIRM.

    The access project and associated project(s) is removed.

Note: Removed projects will automatically sync with ACE once every hour.

Do the following:

From the GCP Shell run the following command:

For EMEA:

gcloud iam service-accounts delete cloudflow-sa-prod-eu@PROJECT_ID.iam.gserviceaccount.com

For US:

gcloud iam service-accounts delete cloudflow-sa-prod-us@PROJECT_ID.iam.gserviceaccount.com

For ANZ:

gcloud iam service-accounts delete cloudflow-sa-prod-anz@PROJECT_ID.iam.gserviceaccount.com

Note:

  • You need proper permissions to run "gcloud iam service-accounts delete".

  • Replace PROJECT_ID with the Access Project ID specified while onboarding.

For more details on using the GCP Shell to offboard a project, see Delete and undelete service accounts.

Note: Removed projects will automatically sync with ACE once every hour.

Do the following:

  1. In ACE, hover over the SETTINGS icon at the bottom left of the screen. After the panel expands, click ONBOARDING. The ONBOARDING MANAGEMENT page is displayed, with a table showing details for each account defined in ACE.

  2. Select the checkbox to the left of the projects(s) you want to delete. You can click on the checkbox in the column header to select all vendors.

  3. Click Delete.

    A confirmation window appears.

  4. Click Delete again to delete the selected project(s).