GCP setup overview

Secberus is completely agentless and uses a read-only API permission to securely access your GCP metadata. In order to create a GCP data source in Secberus you will need administrator access to the Google Cloud console.

❗️

SETUP ORGANIZATIONS FIRST

Secberus uses "Organizations" to allow users to segment visibility, posture, teams, and actions within the platform.

It is important to setup your organizational structure first before onboarding cloud environments, as the data collected from a cloud environment is only visible in the Organization in which the data source was created.

Click here to Setup Organizations.

Connecting a GCP account

📘

What to Expect

Connecting a GCP account takes about 10 minutes and requires administrative access to the cloud environment you wish to connect.

Create a Service Account specifically for Secberus

Choose a project to house the Secberus service account, or create a new one.

❗️

Important

The GCP project, in which the service account is created, must have the Cloud Resource Manager API enabled. You can ensure it is by visiting:

https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview

1. From the GCP console, in the search bar, type IAM, and click on IAM & Admin..

2. From the left-hand navigation menu, click on Roles, then + CREATE ROLE.

3. Give the role a meaningful name, click on + ADD PERMISSIONS.
4. Search for and select storage.buckets.getIamPolicy. Click ADD.

5. Click on CREATE.
6. From the left-hand navigation menu, click on Service Accounts.

7. Select + CREATE SERVICE ACCOUNT.

8. Populate the Service account name and Service account description fields, then click CREATE AND CONTINUE.

9. Using the Role selector to select the Basic > Viewer role.
10. Click + ADD ANOTHER ROLE and add the custom role you created in step 5.
11. Click on DONE

12. Click on the newly created service account from the Service accounts screen.

13. With the service account open, select the KEYS tab and use the ADD KEY menu to Create new key.

14. In the Create private key window leave the Key type as JSON and click CREATE.

15. The private key will be saved to your computer. Keep this file in a safe location. Secberus will need the credentials to connect to your project.

📘

Multi-project setup

If you want Secberus to monitor multiple GCP projects, the service account you created must have a role/permission in each project that should be monitored. The service account can be added to each project individually, or the roles/permissions can be conferred via folder or organization settings.

Learn more about GCP service accounts here.

Secberus - Connect GCP Data Source

1. Log into Secberus and select the org you want to create the data source connection in.
2. Click on Settings and then click on Data sources.
3. Choose the GCP data source type in the Add new data source section.

4. Populate the Name field for the new data source.
5. The Projects field is meant as a filter to limit the data that Secberus will collect. You can add a comma separated list of project names, as well as strings with asterisks as wildcard characters to match on a group of similarly named projects. For example, my-project-1,production-*. Leave this field empty (the default) to allow Secberus to collect the data for all projects which the service account has access.
6. Finally, drag and drop or select the credentials json file from step 15 and click Connect.

👍

CONGRATULATIONS 🎉

You have successfully onboarded a data source for your Google Cloud Platform account. You can now add more GCP accounts, onboard other cloud provider accounts, or apply a policy to this GCP account. Additionally, you can view the connection status of each data source monitored once Secberus begins collection resource data for evaluation.