Cloud Risk Configuration - Google Cloud Platform

---

 

How to configure in ADAudit Plus :

• Go to Azure AD tab, then Threat sub-tab, you will be navigated to Cloud Directory page. Click on Add Cloud Directory
• Select Google Cloud
• Enter the Display name,Client Email Id, Account ID and Private Key.For this data refer Service Account JSON File.
• Select the Audit Log checkbox if you want to fetch and monitor all activities happening within your GCP environment
• Click on Next
• Review your configuration and click on Finish

How to create Custom Role :

• Open the Google Cloud Console, Make sure you have selected the project for which you want to create a service account.
• In the GCP Console, navigate to the Terminal section in the top.
• Click Open Editor and create a yaml file.
• Copy the below yaml content and paste it in your yaml file.

            
              title: "ROLE_NAME"
              description: "ROLE_DESCRIPTION"
              stage: "ALPHA"
              includedPermissions:
                - alloydb.clusters.list
                - alloydb.instances.list
                - alloydb.locations.list
                - apikeys.keys.list
                - appengine.applications.get
                - batch.jobs.list
                - batch.locations.list
                - batch.tasks.list
                - bigquery.datasets.get
                - bigquery.tables.list
                - bigtable.instances.list
                - cloudbuild.builds.list
                - cloudfunctions.functions.getIamPolicy
                - cloudfunctions.functions.list
                - cloudkms.cryptoKeys.list
                - cloudkms.keyRings.list
                - cloudkms.locations.list
                - cloudsql.backupRuns.get
                - cloudsql.instances.list
                - cloudsql.users.list
                - composer.environments.list
                - compute.autoscalers.list
                - compute.backendServices.list
                - compute.disks.list
                - compute.firewalls.list
                - compute.images.list
                - compute.instanceGroupManagers.list
                - compute.instanceGroups.list
                - compute.instances.list
                - compute.networks.list
                - compute.projects.get
                - compute.regionUrlMaps.list
                - compute.regions.list
                - compute.resourcePolicies.list
                - compute.routers.list
                - compute.snapshots.list
                - compute.sslPolicies.list
                - compute.subnetworks.list
                - compute.targetHttpsProxies.list
                - compute.urlMaps.list
                - container.clusters.list
                - dataflow.jobs.get
                - dataflow.jobs.list
                - dataproc.clusters.list
                - deploymentmanager.deployments.list
                - dns.managedZones.list
                - dns.policies.list
                - file.instances.list
                - file.locations.list
                - iam.serviceAccountKeys.list
                - iam.serviceAccounts.list
                - logging.logMetrics.list
                - logging.sinks.list
                - monitoring.alertPolicies.list
                - pubsub.subscriptions.list
                - pubsub.topics.getIamPolicy
                - pubsub.topics.list
                - resourcemanager.projects.get
                - resourcemanager.projects.getIamPolicy
                - run.services.getIamPolicy
                - run.services.list
                - serviceusage.services.list
                - spanner.instances.list
                - storage.buckets.getIamPolicy
                - storage.buckets.list
                - resourcemanager.organizations.get
                - resourcemanager.organizations.getIamPolicy
                - logging.views.access
            
        

• Then Go back to Terminal mode by clicking Open Terminal
• Execute the following command to create the custom role.
• To create a custom role at the organization level, execute the following command :

            
                gcloud iam roles create ROLE_ID --organization=ORGANIZATION_ID --file=YAML_FILE_PATH
            
        

How to create Service Account :

• Open the Google Cloud Console, Make sure you have selected the project for which you want to create a service account.
• In the GCP Console, navigate to the IAM & Admin section.
• Click on Service accounts in the left-hand sidebar.
• Click on the Create Service Account button.
• Fill in the Details:
  • Service account name: Give your service account a name.
  • Service account ID: This will be automatically generated based on the name.
  • Role: Choose the Custom role we create above.
• After creating the service account, click on the service account you just created. Navigate to the Keys tab.
• Click on Add Key and choose JSON as the key type. This will create a JSON key file for your service account.
• After clicking Create, the JSON key file will be generated. Download the file to your local machine.
• In that file, project_id, client_email and private_key values are available which are used to configure the account.

Now you have successfully created a service account and downloaded its JSON key file from GCP.

Remember to keep this key file secure, as it contains sensitive information and grants access to your GCP resources. If it's ever compromised, you should regenerate the key and update any services using it.

Activity log: Fetches and shows all the Operations performed on the Cloud Account Services