
lacework-global-256

2.13 Enable Cloud Asset Inventory (Automated)

Profile Applicability

• Level 1

Description

GCP Cloud Asset Inventory is a service that provides a historical view of GCP resources and Identity and Access Management (IAM) policies through a time-series database. The information recorded includes metadata on Google Cloud resources, metadata on policies set on Google Cloud projects or resources, and runtime information gathered within a Google Cloud resource.

Rationale

The GCP resources and IAM policies captured by GCP Cloud Asset Inventory enable security analysis, resource change tracking, and compliance auditing.

Impact

It is recommended GCP Cloud Asset Inventory be enabled for all GCP projects.

Audit

From Console: Ensure that the Cloud Asset API is enabled:

  1. Go to API & Services/Library by visiting https://console.cloud.google.com/apis/library
  2. Search for Cloud Asset API and select the result for Cloud Asset API
  3. Ensure that API Enabled is displayed.

From Command Line: Ensure that the Cloud Asset API is enabled:

  1. Query enabled services:
gcloud services list --enabled --filter=name:cloudasset.googleapis.com

If the API is listed, then it is enabled. If the response is "Listed 0 items", the API is not enabled.

Remediation

From Console: Enable the Cloud Asset API:

  1. Go to API & Services/Library by visiting https://console.cloud.google.com/apis/library.
  2. Search for Cloud Asset API and select the result for Cloud Asset API.
  3. Click the ENABLE button.

From Command Line: Enable the Cloud Asset API:

  1. Enable the Cloud Asset API through the services interface:
gcloud services enable cloudasset.googleapis.com
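Because the recommendation applies to every project, the command-line Audit and Remediation steps above are usually run in a loop rather than once. The POSIX shell script below is an added example (not part of this benchmark or of Lacework's tooling) that applies the same gcloud query to each project the active credentials can list and prints the matching remediation command for any project that fails; it assumes gcloud is installed and authenticated, and the `--format=value(...)` flags are assumed to behave as on current gcloud releases.

```shell
#!/bin/sh
# Added example: audit the Cloud Asset API across all visible projects.
# Assumes an authenticated gcloud; nothing here changes project state.

# Decide from the text that `gcloud services list --enabled
# --filter=name:cloudasset.googleapis.com` printed whether the API is
# enabled. An enabled API yields a line containing the service name;
# an empty result (gcloud reports "Listed 0 items." on stderr) means
# it is not enabled. Returns 0 when enabled, 1 otherwise.
cloudasset_enabled_from_output() {
  printf '%s\n' "$1" | grep -q 'cloudasset.googleapis.com'
}

# Run the benchmark's Audit check for one project and report the
# Remediation command when it fails. Returns 0 on PASS, 1 on FAIL.
audit_project() {
  project="$1"
  out=$(gcloud services list --enabled --project="$project" \
          --filter='name:cloudasset.googleapis.com' \
          --format='value(name)' 2>/dev/null)
  if cloudasset_enabled_from_output "$out"; then
    echo "PASS $project"
    return 0
  fi
  echo "FAIL $project  remediate with:" \
       "gcloud services enable cloudasset.googleapis.com --project=$project"
  return 1
}

# Audit every project the caller can list; exit non-zero if any fail.
audit_all_projects() {
  status=0
  for project in $(gcloud projects list --format='value(projectId)'); do
    audit_project "$project" || status=1
  done
  return $status
}

# Entry point when run directly (skipped by the test harness).
if [ "${AUDIT_RUN:-1}" = "1" ] && [ -z "$AUDIT_NO_MAIN" ]; then
  audit_all_projects
fi
```

Set `AUDIT_NO_MAIN=1` to source the script for its functions without running the full audit.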

References

https://cloud.google.com/asset-inventory/docs

Additional Information

  • Cloud Asset Inventory only keeps a five-week history of Google Cloud asset metadata. If you desire a longer history, evaluate automation to export the history to Cloud Storage or BigQuery.