Before you start
The setup involves:
Creating a project to contain a service account key
Creating a service account inside the project, and an associated key
Giving the service account Viewer and Security Auditor access to the client's organisation
Enabling APIs required for scanning
These must be enabled on the project that contains the service account
Adding the integration in Portal using the service account key
For existing clients who have already configured the Google Cloud Integration using the old service account instructions, the differences are:
OAuth is no longer available
We recommend creating a new project to host the service account
This isn't strictly necessary, but it's recommended because APIs must be enabled on the project. Additionally, it will result in a cleaner setup.
The permissions are set up on the organisation level, not the project level
You can restrict access to specific projects by setting up the required permissions on the project or folder level. To ensure full coverage, though, we recommend configuring these permissions at the organisation level instead.
We ask for Viewer and Security Auditor roles instead of Compute Network Viewer and DNS Reader.
Several APIs must be enabled.
Step 1 - Setting up Google Cloud
There are two different options available for setting up the Service Account - please find links to each of these below:
Option A - Using gcloud CLI
1. Ensure you're authenticated:
gcloud auth login
2. Create a project to contain the service account:
Note: it's recommended to use a standalone project that contains the permissions we need for cloud security scans instead of reusing an existing project.
First, get the ID of your organisation:
gcloud organizations list
ORGANIZATION_ID=<copy your organization ID here>
Then create a project:
PROJECT_ID="intruder-connector-$(date +%s)"
gcloud projects create $PROJECT_ID --organization=$ORGANIZATION_ID
3. Create a service account:
SA_NAME="intruder-connector-$(date +%s)"
gcloud iam service-accounts create $SA_NAME --project=$PROJECT_ID --display-name="Intruder Connector"
4. Create a key file for the service account:
gcloud iam service-accounts keys create "./${SA_NAME}-key.json" --iam-account="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" --project=$PROJECT_ID
Note: you will need to upload the key file to Intruder when connecting your account.
The service account key is confidential. Please store it securely following the best practices outlined here: https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys#credential-leakage
5. Add the Viewer and Security Auditor roles across your organisation for the service account:
gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
--member="serviceAccount:${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role="roles/viewer"
gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
--member="serviceAccount:${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role="roles/iam.securityAuditor"
6. Finally, enable APIs that we use to scan your projects for vulnerabilities:
Note: setting a billing account is required by Google for enabling some of the APIs we use to scan your projects. We use read-only access to those APIs and will never incur any charges to your account.
First, select a billing account to link to the project containing your service account:
gcloud billing accounts list
BILLING_ACCOUNT_ID=<insert the billing account's ACCOUNT_ID here>
Link your project to the billing account:
gcloud billing projects link $PROJECT_ID --billing-account=$BILLING_ACCOUNT_ID
Enable the APIs:
gcloud services enable \
--project=$PROJECT_ID \
serviceusage.googleapis.com \
cloudresourcemanager.googleapis.com \
sqladmin.googleapis.com \
iam.googleapis.com \
apikeys.googleapis.com \
accessapproval.googleapis.com \
essentialcontacts.googleapis.com \
cloudkms.googleapis.com \
bigquery.googleapis.com \
logging.googleapis.com \
compute.googleapis.com \
container.googleapis.com \
dns.googleapis.com \
storage.googleapis.com \
cloudasset.googleapis.com
Option B - Using the Google Cloud web console
1. Log in to console.cloud.google.com
2. Open the project picker in the top left navigation menu
3. Create a new project to contain the service account by clicking New project.
Note: it's recommended to use a standalone project that contains the permissions we need for cloud security scans instead of reusing an existing project.
Give the project a name, select a billing account, and click Create:
Note: setting a billing account is required by Google for enabling some of the APIs we use to scan your projects. We use read-only access to those APIs and will never incur any charges to your account.
Open the project picker again
4. Select the newly created project
5. In the top navigation, search for Service accounts and navigate as shown
6. Click Create service account
7. Give the service account a name (here Intruder connector), note down the Service account ID and click Done
8. In the service account list, click on the newly created service account:
9. Note down the value in the Email field in the Details tab:
10. Open the Keys tab, and click on Add Key → Create new key
11. Select the JSON type and click on Create
12. The service account key is automatically downloaded to your computer. You will need to upload the file to Intruder when connecting your account.
Note: the service account key is confidential. Store it securely following the best practices outlined here: https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys#credential-leakage
13. Open the project picker again, and select your organisation:
14. In the left navbar, select the IAM link:
15. In the View by principals tab, click on Grant access
16. In the Add principals field, enter the service account's Email from step 9, and in Assign roles, add the Basic → Viewer role. Then click Add another role, search for Security Auditor, add the Security Auditor role and click Save.
17. Open the project picker again, and select the project containing your service account. This is important, as the APIs must be enabled on this project in order to enable us to scan all your projects.
18. Finally, enable APIs that we use to scan your projects for vulnerabilities:
Service Usage API
Cloud Resource Manager API
Cloud SQL Admin API
Identity and Access Management (IAM) API
API Keys API
Access Approval API
Essential Contacts API
Cloud Key Management Service (KMS) API
BigQuery API
Cloud Logging API
Cloud Asset API
Compute Engine API
Kubernetes Engine API
Cloud DNS API
Cloud Storage API
The APIs can be enabled one by one by searching for them via the search bar at the top, clicking the search result and clicking Enable. For example, the Cloud Resource Manager API can be enabled as follows:
Depending on your organization's settings, some APIs may be enabled by default, and you don't need to enable them separately. If that's the case, you will see this instead of the Enable button:
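Whether you followed Option A or Option B, it is worth confirming, before uploading the key, that the service account holds only the two roles above at organisation level and that every required API is enabled on the project that contains it. The following script is an added example (not Intruder's code, not part of this guide's own steps) that does that check offline from the JSON printed by `gcloud organizations get-iam-policy $ORGANIZATION_ID --format=json` and `gcloud services list --enabled --project=$PROJECT_ID --format=json`. The embedded policy and service listings are constructed sample data, and the organisation ID, project ID and service account email in them are placeholders.

```python
"""Offline check of the Google Cloud setup described in Option A / Option B.

Added example, not Intruder's code. Feed it the output of:

  gcloud organizations get-iam-policy "$ORGANIZATION_ID" --format=json > org-policy.json
  gcloud services list --enabled --project="$PROJECT_ID" --format=json > enabled.json

It reports required APIs that are still disabled on the service-account
project, roles the service account is missing at organisation level, and
any extra roles beyond Viewer and Security Auditor (least privilege check).
"""
import json
import sys

# The APIs enabled in step 6 / step 18 of the guide.
REQUIRED_APIS = frozenset({
    "serviceusage.googleapis.com", "cloudresourcemanager.googleapis.com",
    "sqladmin.googleapis.com", "iam.googleapis.com", "apikeys.googleapis.com",
    "accessapproval.googleapis.com", "essentialcontacts.googleapis.com",
    "cloudkms.googleapis.com", "bigquery.googleapis.com", "logging.googleapis.com",
    "compute.googleapis.com", "container.googleapis.com", "dns.googleapis.com",
    "storage.googleapis.com", "cloudasset.googleapis.com",
})
# The two roles granted in step 5 / step 16.
EXPECTED_ROLES = frozenset({"roles/viewer", "roles/iam.securityAuditor"})

# Constructed sample data (placeholder IDs). The policy deliberately gives the
# service account an extra Editor role, and two required APIs are left disabled,
# so the check has something to flag.
SA_EMAIL = "intruder-connector-1700000000@intruder-connector-1700000000.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/viewer", "members": ["user:alice@example.com",
                                             f"serviceAccount:{SA_EMAIL}"]},
        {"role": "roles/iam.securityAuditor", "members": [f"serviceAccount:{SA_EMAIL}"]},
        {"role": "roles/editor", "members": [f"serviceAccount:{SA_EMAIL}"]},
    ],
    "etag": "BwXyz123abc=", "version": 1,
})
SAMPLE_SERVICES = json.dumps([
    {"config": {"name": api}, "name": f"projects/123456789012/services/{api}",
     "state": "ENABLED"}
    for api in sorted(REQUIRED_APIS - {"cloudasset.googleapis.com", "dns.googleapis.com"})
] + [{"config": {"name": "monitoring.googleapis.com"},
      "name": "projects/123456789012/services/monitoring.googleapis.com",
      "state": "ENABLED"}])


def enabled_apis(services_json: str) -> set:
    """API names from `gcloud services list --enabled --format=json` output."""
    return {svc["config"]["name"] for svc in json.loads(services_json)
            if svc.get("state") == "ENABLED"}


def missing_apis(services_json: str) -> list:
    """Required APIs that still need `gcloud services enable`."""
    return sorted(REQUIRED_APIS - enabled_apis(services_json))


def roles_for_member(policy_json: str, member: str) -> set:
    """Roles bound to one principal in a `get-iam-policy --format=json` document."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def check_setup(policy_json: str, services_json: str, sa_email: str) -> dict:
    """Combine both checks for the service account used by the integration."""
    roles = roles_for_member(policy_json, f"serviceAccount:{sa_email}")
    return {
        "missing_apis": missing_apis(services_json),
        "missing_roles": sorted(EXPECTED_ROLES - roles),
        "extra_roles": sorted(roles - EXPECTED_ROLES),
    }


if __name__ == "__main__":
    # Usage: python check_setup.py org-policy.json enabled.json SA_EMAIL
    # With no arguments the constructed sample data is used.
    if len(sys.argv) == 4:
        policy = open(sys.argv[1]).read()
        services = open(sys.argv[2]).read()
        email = sys.argv[3]
    else:
        policy, services, email = SAMPLE_POLICY, SAMPLE_SERVICES, SA_EMAIL
    result = check_setup(policy, services, email)
    for key, value in result.items():
        print(f"{key}: {', '.join(value) if value else 'none'}")
    sys.exit(1 if any(result.values()) else 0)
```

On the sample data the script reports two missing APIs (cloudasset and dns), no missing roles, and `roles/editor` as an extra role that should be removed; a clean setup prints "none" for all three and exits 0. The `state == "ENABLED"` filter matters when the listing is taken without `--enabled`, since disabled services then appear in the same JSON shape.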
Step 2 - Add the integration in the Intruder Portal
With the service account credentials created, do the following: