
Cloud Security Scans on GCP (Google Cloud Platform)

Connect Intruder to Google Cloud Platform to synchronize your targets


Before you start

The setup involves:

  • Creating a project to contain a service account key

  • Creating a service account inside the project, and an associated key

  • Giving the service account Viewer and Security Auditor access to the client's organization

  • Enabling APIs required for scanning

    • These must be enabled on the project that contains the service account

  • Adding the integration in Portal using the service account key

For existing clients who have already configured the GCP Integration using the old service account instructions, the differences are:

  • OAuth is no longer available

  • We recommend creating a new project to host the service account

    • This isn't strictly necessary, but it's recommended because APIs must be enabled on the project. Additionally, it will result in a cleaner setup.

  • The permissions are set up on the organisation level, not the project level

    • You can restrict access to specific projects by setting up the required permissions on the project or folder level. To ensure full coverage, though, we recommend configuring these permissions at the organisation level instead.

  • We ask for Viewer and Security Auditor roles instead of Compute Network Viewer and DNS Reader

  • Several APIs must be enabled.

Step 1 - Setting up GCP

There are two different options available for setting up the Service Account - please find links to each of these below:

Option A - Using gcloud CLI

1. Ensure you're authenticated:

gcloud auth login

2. Create a project to contain the service account:

👉 It's recommended to use a standalone project that contains the permissions we need for cloud security scans instead of reusing an existing project.

  • First, get the ID of your organisation:

gcloud organizations list
ORGANIZATION_ID=<copy your organization ID here>

  • Then create a project:

PROJECT_ID="intruder-connector-$(date +%s)"
gcloud projects create $PROJECT_ID --organization=$ORGANIZATION_ID

3. Create a service account:

SA_NAME="intruder-connector-$(date +%s)"
gcloud iam service-accounts create $SA_NAME --project=$PROJECT_ID --display-name="Intruder Connector"

4. Create a key file for the service account:

gcloud iam service-accounts keys create "./${SA_NAME}-key.json" --iam-account="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" --project=$PROJECT_ID

👉 You will need to upload the key file to Intruder when connecting your account.

The service account key is confidential. Please store it securely following the best practices outlined here: https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys#credential-leakage

5. Add the Viewer and Security Auditor roles across your organisation for the service account:

gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
--member="serviceAccount:${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role="roles/viewer"

gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
--member="serviceAccount:${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role="roles/iam.securityAuditor"

6. Finally, enable the APIs that we use to scan your projects for vulnerabilities:

👉 Setting a billing account is required by Google for enabling some of the APIs we use to scan your projects. We use read-only access to those APIs and will never incur any charges to your account.

  • First, select a billing account to link to the project containing your service account:

gcloud billing accounts list
BILLING_ACCOUNT_ID=<insert the billing account's ACCOUNT_ID here>

  • Link your project to the billing account:

gcloud billing projects link $PROJECT_ID --billing-account=$BILLING_ACCOUNT_ID

  • Enable the APIs:

gcloud services enable \
--project=$PROJECT_ID \
serviceusage.googleapis.com \
cloudresourcemanager.googleapis.com \
sqladmin.googleapis.com \
iam.googleapis.com \
apikeys.googleapis.com \
accessapproval.googleapis.com \
essentialcontacts.googleapis.com \
cloudkms.googleapis.com \
bigquery.googleapis.com \
logging.googleapis.com \
compute.googleapis.com \
container.googleapis.com \
dns.googleapis.com \
storage.googleapis.com \
cloudasset.googleapis.com
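
The whole of Option A as a single script, added here as an example; it is not Intruder's own tooling. It assumes gcloud is installed and authenticated and that the caller has exported ORGANIZATION_ID and BILLING_ACCOUNT_ID as described in steps 2 and 6; the function names (iam_member, required_roles, required_apis, bindings_complete, setup) and the RUN_SETUP switch are this example's own. Beyond the steps above it creates the key file under a umask that denies group and other access, and it reads the organisation IAM policy back to confirm both role bindings exist for the new service account before the APIs are enabled.

```shell
#!/bin/sh
# Added example (not Intruder's tooling): Option A end to end.
# Assumes gcloud is installed and authenticated, and that the caller has
# exported ORGANIZATION_ID and BILLING_ACCOUNT_ID (see steps 2 and 6).
set -eu

# IAM member string for a service account name ($1) in a project ($2).
iam_member() {
  printf 'serviceAccount:%s@%s.iam.gserviceaccount.com' "$1" "$2"
}

# Roles bound at the organisation level in step 5, one per line.
required_roles() {
  printf '%s\n' roles/viewer roles/iam.securityAuditor
}

# APIs enabled in step 6, one per line.
required_apis() {
  cat <<'EOF'
serviceusage.googleapis.com
cloudresourcemanager.googleapis.com
sqladmin.googleapis.com
iam.googleapis.com
apikeys.googleapis.com
accessapproval.googleapis.com
essentialcontacts.googleapis.com
cloudkms.googleapis.com
bigquery.googleapis.com
logging.googleapis.com
compute.googleapis.com
container.googleapis.com
dns.googleapis.com
storage.googleapis.com
cloudasset.googleapis.com
EOF
}

# $1 is the list of roles gcloud reports for the member, one per line.
# Succeeds only if every required role is present; used to verify step 5.
bindings_complete() {
  required_roles | while IFS= read -r role; do
    printf '%s\n' "$1" | grep -qx -- "$role" || exit 1
  done
}

setup() {
  : "${ORGANIZATION_ID:?run 'gcloud organizations list' and export the ID}"
  : "${BILLING_ACCOUNT_ID:?run 'gcloud billing accounts list' and export the ACCOUNT_ID}"
  stamp=$(date +%s)
  project="intruder-connector-${stamp}"
  sa="intruder-connector-${stamp}"
  member=$(iam_member "$sa" "$project")
  key_file="./${sa}-key.json"

  gcloud projects create "$project" --organization="$ORGANIZATION_ID"
  gcloud billing projects link "$project" --billing-account="$BILLING_ACCOUNT_ID"
  gcloud iam service-accounts create "$sa" --project="$project" \
    --display-name="Intruder Connector"

  # The key is confidential: create it under a umask that denies group/other.
  ( umask 077 && gcloud iam service-accounts keys create "$key_file" \
      --iam-account="${member#serviceAccount:}" --project="$project" )

  required_roles | while IFS= read -r role; do
    gcloud organizations add-iam-policy-binding "$ORGANIZATION_ID" \
      --member="$member" --role="$role" >/dev/null
  done

  # Read the policy back, restricted to this member, roles only.
  granted=$(gcloud organizations get-iam-policy "$ORGANIZATION_ID" \
    --flatten='bindings[].members' --filter="bindings.members:${member}" \
    --format='value(bindings.role)')
  bindings_complete "$granted" || {
    echo "role binding missing for ${member}" >&2
    return 1
  }

  # Word splitting of the API list is intended here.
  gcloud services enable --project="$project" $(required_apis)
  echo "Upload ${key_file} to the Intruder Portal in Step 2."
}

# Run against GCP only when asked, so the helpers can be sourced or checked.
if [ "${RUN_SETUP:-0}" = 1 ]; then
  setup
fi
```

Run it with `RUN_SETUP=1 ORGANIZATION_ID=... BILLING_ACCOUNT_ID=... sh setup.sh`; without RUN_SETUP it only defines the functions. The read-back check matters because add-iam-policy-binding can succeed on a policy that an organisation policy constraint later rewrites, and a missing Security Auditor binding shows up as incomplete scan coverage rather than as an error.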


Option B - Using the GCP web console

1. Log in to console.cloud.google.com

2. Open the project picker in the top left navigation menu

3. Create a new project to contain the service account by clicking New project.

👉 It's recommended to use a standalone project that contains the permissions we need for cloud security scans instead of reusing an existing project.

  • Give the project a name, select a billing account, and click Create:

👉 Setting a billing account is required by Google for enabling some of the APIs we use to scan your projects. We use read-only access to those APIs and will never incur any charges to your account.

  • Open the project picker again

4. Select the newly created project

5. In the top navigation, search for Service accounts and navigate as shown

6. Click Create service account

7. Give the service account a name (here Intruder connector), note down the Service account ID and click Done

8. In the service account list, click on the newly created service account:

9. Note down the value in the Email field in the Details tab:

10. Open the Keys tab, and click on Add Key → Create new key

11. Select the JSON type and click on Create

12. The service account key is automatically downloaded to your computer. You will need to upload the file to Intruder when connecting your account.

Note: the service account key is confidential. Store it securely following the best practices outlined here: https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys#credential-leakage

13. Open the project picker again, and select your organization:

14. In the left navbar, select the IAM link:

15. In the View by principals tab, click on Grant access

16. In the Add principals field, enter the service account's Email from step 9, and in Assign roles, add the Basic → Viewer role, and then click Save

17. Open the project picker again, and select the project containing your service account. This is important, as the APIs must be enabled on this project in order to enable us to scan all your projects.

18. Finally, enable APIs that we use to scan your projects for vulnerabilities:

Service Usage API
Cloud Resource Manager API
Cloud SQL Admin API
Identity and Access Management (IAM) API
API Keys API
Access Approval API
Essential Contacts API
Cloud Key Management Service (KMS) API
BigQuery API
Cloud Logging API
Cloud Asset API
Compute Engine API
Kubernetes Engine API
Cloud DNS API
Cloud Storage API

The APIs can be enabled one by one by searching for them via the search bar at the top, clicking the search result and clicking Enable. For example, the Cloud Resource Manager API can be enabled as follows:

  • First, search for the API, then click on the result.

  • Then click on Enable.

  • Depending on your organization's settings, some APIs may be enabled by default, and you don't need to enable them separately. If that's the case, the console shows that the API is already enabled instead of offering an Enable button.


Step 2 - Adding the integration in the Intruder Portal

With the service account credentials created, do the following:

  1. Log in to portal.intruder.io

  2. Navigate to the Discovery tab

  3. Click Add asset source, then select Google Cloud

  4. Click on Choose file and select the service account key file


  5. Click Add asset

  6. Done! Your integration will now get imported, and will be ready for asset sync and cloud security scans.
