
GCP Inventory


The Lacework Console provides visibility into Google Cloud Provider (GCP) resources that are integrated with Lacework. A resource can be any entity within the cloud deployment, such as GCE Virtual Machines, Pub/Sub topics, Cloud Storage buckets, security groups, etc. The GCP Resource Inventory page allows you to view and monitor in-use GCP resources’ risk, compliance, and configuration changes and provides visibility for team members with limited or no access to the Google Cloud Console. Because Lacework takes regular snapshots of your resources, you can track their changes (diffs) through the Lacework Console. To access the Resource Inventory page, go to Resources > GCP Inventory.

GCP resources are the components that enable services on GCP. GCP resources are grouped into specific projects, the first hierarchy level. Projects are grouped under a specific folder, the next level of hierarchy for GCP resources. In addition, a specific folder can belong to another folder, which in turn can belong to yet another folder. Folders are grouped under a specific organization or Org, the top level of hierarchy for resources.

For more information about GCP integration with Lacework, see GCP Compliance and Audit Log Integration - Terraform Using Google Cloud Shell and GCP Compliance and Audit Log Integration - Terraform From Any Supported Host.

Lacework takes snapshots of resources periodically. Depending on when the snapshot is taken, a change may not be captured until up to 24 hours after it is made. See the following examples:

  • If a resource change is made on Monday at 1:00 AM and Lacework takes a snapshot on Monday at 2:00 AM, that snapshot includes the change.
  • If a resource change is made on Monday at 3:00 AM but Lacework took its snapshot on Monday at 2:00 AM, that snapshot does not include the change. The next snapshot, on Tuesday at 2:00 AM, captures the change.
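The snapshot timing above, and the configuration diff it feeds, as an added example (not Lacework's own code): it assumes one daily snapshot at 02:00 to match the examples, computes which snapshot first captures a change and the resulting lag, and diffs two constructed snapshots of a Cloud Storage bucket by dotted key path.

```python
from datetime import datetime, timedelta

SNAPSHOT_HOUR = 2  # assumed daily snapshot at 02:00, as in the examples above (not a Lacework setting)


def next_snapshot_after(change_iso: str, snapshot_hour: int = SNAPSHOT_HOUR) -> str:
    """ISO timestamp of the first daily snapshot taken at or after the change; that snapshot
    is the first one that shows the change in the Console."""
    change = datetime.fromisoformat(change_iso)
    candidate = change.replace(hour=snapshot_hour, minute=0, second=0, microsecond=0)
    if candidate < change:  # today's snapshot already happened; the change waits for tomorrow's
        candidate += timedelta(days=1)
    return candidate.isoformat(timespec="minutes")


def capture_lag_hours(change_iso: str, snapshot_hour: int = SNAPSHOT_HOUR) -> float:
    """Hours between a change and the snapshot that captures it; never more than 24 for a daily cadence."""
    change = datetime.fromisoformat(change_iso)
    captured = datetime.fromisoformat(next_snapshot_after(change_iso, snapshot_hour))
    return (captured - change).total_seconds() / 3600


def diff_configs(previous: dict, current: dict, prefix: str = "") -> dict:
    """Recursive diff of two snapshots: dotted path -> (previous value, current value).
    A key present on only one side shows None on the other side."""
    changes = {}
    for key in sorted(set(previous) | set(current)):
        path = prefix + key
        old, new = previous.get(key), current.get(key)
        if isinstance(old, dict) and isinstance(new, dict):
            changes.update(diff_configs(old, new, path + "."))
        elif old != new:
            changes[path] = (old, new)
    return changes


# Constructed snapshots of one Cloud Storage bucket (sample data, not real inventory output)
MONDAY_SNAPSHOT = {"name": "example-bucket", "labels": {"env": "dev"},
                   "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False}}}
TUESDAY_SNAPSHOT = {"name": "example-bucket", "labels": {"env": "dev", "owner": "platform"},
                    "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True}}}

if __name__ == "__main__":
    for change in ("2024-01-01T01:00", "2024-01-01T03:00"):  # 2024-01-01 is a Monday
        print(change, "->", next_snapshot_after(change), f"({capture_lag_hours(change):.0f}h lag)")
    for path, (old, new) in diff_configs(MONDAY_SNAPSHOT, TUESDAY_SNAPSHOT).items():
        print(f"{path}: {old!r} -> {new!r}")
```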

Supported Resource Types

Resource Management supports the following resource type APIs.

Certificate Authority
Cloud Data Loss
Identity and Access
Cloud Key Management
Cloud OS
Google Kubernetes
Cloud Data
Network Management
Managed Service for Microsoft Active
App Engine
Memorystore for
Serverless VPC

For the full list of possible resources, see Supported asset types.
To view the list of resources from the GCP console, select Asset Inventory > Resource.

Configure Permissions to Enable Access to GCP Resources

In order to access and manage GCP resources, you must enable certain permissions through the use of updated roles.

Configure GCP Permissions by Updating Terraform Integration

You can use Terraform to integrate Google Cloud environments with Lacework. To enable access to GCP resources if you have an existing Terraform template for GCP integration, you must update and rerun the Lacework GCP Terraform module. Perform the following tasks to access GCP resource types:

  1. Verify that your Terraform template specifies at least version 1.0 of the Lacework GCP Config module. To do this, open your Terraform file and look for the following:

      module "gcp-config" {
        source  = "lacework/config/gcp"
        version = "~> 1.0"
      }

    The terraform init -upgrade command in the next step pulls in the latest version that satisfies this constraint. Version 1.2.0 or later is required to enable permissions to GCP resource types.

  2. Update the Terraform integration to version 1.2.0 so that it uses the new permissions for GCP resources in the Lacework GCP Config module, by upgrading the module and applying the change:

    terraform init -upgrade
    terraform apply

Configure GCP Permissions Manually

In order to access and manage GCP resources, you must enable certain permissions through the use of updated roles. You can do this automatically through Terraform as discussed in the previous section. Additionally, you can configure the permissions manually.

1. Add the roles/cloudasset.viewer Role to your GCP Service Account

Add the new role roles/cloudasset.viewer to your service account to access your GCP resource types. You can add this new role either at the individual project level or at the organization level.

You can add the role through the GCP console or through the gcloud CLI, as described below.

Add Role through the GCP console
  1. Navigate to IAM and Admin in the GCP console.
  2. Locate the service account for the GCP integration and click the Edit Permissions icon (located right of the entry).
  3. Click + Add Another Role.
  4. Select the role Cloud Asset > Cloud Asset Viewer.
  5. Click Save as.
Add Role through the gcloud CLI

To add the new role to a service account at the individual project level:

gcloud projects add-iam-policy-binding TARGET_PROJECT_ID \
--member \
--role roles/cloudasset.viewer

To add the new role to a service account at the organization level:

gcloud organizations add-iam-policy-binding TARGET_ORGANIZATION_ID \
--member \
--role roles/cloudasset.viewer

2. Enable the API for your GCP Service Account

Enable the API that accesses your resource types on the GCP project to which the service account belongs.

You can enable the API through the GCP console or through the gcloud CLI, as described below:

Enable the API through GCP console for your Project

Using the GCP console, enable the API as follows:

  1. Log in to the specific project you want to integrate on the GCP Console.
  2. Click the navigation menu icon (the waffle icon).
  3. Select APIs & Services > Library. In the Search for APIs & Services field, enter
  4. Click on the result that matches the API name listed.
  5. Click ENABLE.
Enable the API through the gcloud CLI

Ensure that the gcloud config is set to use a Service Account with the permissions required to enable APIs.

gcloud --project <service_account_project_id> services enable
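A verification step for the manual procedure above, as an added example (not Lacework's or Google's code): it reads an IAM policy in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` (or the organizations equivalent), confirms that the integration's service account holds roles/cloudasset.viewer, and flags primitive roles broader than the integration needs. The project name, service-account names and policy contents are constructed placeholders.

```python
import json

REQUIRED_ROLE = "roles/cloudasset.viewer"
# Primitive roles that grant far more than the inventory integration needs (assumed list)
OVERLY_BROAD_ROLES = {"roles/owner", "roles/editor"}


def service_account_roles(policy: dict, service_account_email: str) -> set:
    """Roles bound to the service account in a policy of the shape printed by
    `gcloud projects get-iam-policy PROJECT_ID --format=json`."""
    member = f"serviceAccount:{service_account_email}"
    return {binding["role"] for binding in policy.get("bindings", [])
            if member in binding.get("members", [])}


def check_integration_permissions(policy: dict, service_account_email: str) -> dict:
    """Confirm the role from step 1 is present and flag bindings broader than the integration needs."""
    roles = service_account_roles(policy, service_account_email)
    return {
        "has_cloudasset_viewer": REQUIRED_ROLE in roles,
        "overly_broad_roles": sorted(roles & OVERLY_BROAD_ROLES),
        "roles": sorted(roles),
    }


# Constructed sample policy; project and account names are placeholders, not real values
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/cloudasset.viewer",
     "members": ["serviceAccount:lacework-sa@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["serviceAccount:lacework-sa@example-project.iam.gserviceaccount.com",
                 "user:analyst@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:legacy-sa@example-project.iam.gserviceaccount.com"]}
  ]
}
""")

if __name__ == "__main__":
    for account in ("lacework-sa@example-project.iam.gserviceaccount.com",
                    "legacy-sa@example-project.iam.gserviceaccount.com"):
        print(account, check_integration_permissions(SAMPLE_POLICY, account))
```

Running the same check against the organization-level policy confirms the binding when the role was added at that level instead.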

Resource Summary

Lacework populates this page after at least one GCP integration is configured. The date/time range filter and any optional filters at the top of the page apply to all data displayed on the page. If nothing is displayed, consider increasing the date range.

To access the Resource Summary information on the GCP Resource Inventory page, go to Resources > GCP Inventory.

Above the right side of the table, the following icons are available:

  • Download in CSV format: Click this icon to get a comma-separated file of the table contents.
  • Select display columns: Click this icon to hide or show the set of columns that are displayed in the table.
  • Refresh data: Click this icon to refresh the table data.
  • Full screen: Click this icon to view the table on the entire screen.

The columns in the Resources Summary table are described below. Each row in the table represents a resource.

  • Resource Name: Displays the name of the GCP resource type. Click the name to open the resource’s configuration.
  • Recently Updated (24hrs): Displays whether there was an update in the last 24 hours.
  • Organization: Displays the specific organization that the resource type belongs to. Organizations contain folders, which in turn contain projects of resource types.
  • Folder ID: Displays the specific folder identifier that the resource type belongs to. A resource can belong to a folder. That folder can belong to another folder, which in turn can belong to yet another folder. To view the hierarchy of this multiple folder structure, click the specific Folder ID.
  • Project ID: Displays the specific project that the resource type belongs to. Projects allow you to organize and group together resource types into specific projects.
  • Service: Displays the GCP service that the resource corresponds to.
  • Type: Displays the type of resource.
  • Region: Displays the region where the resource is located.
  • Status: Displays the status of data collection from the resource.
  • Tags: Click {...} to open the resource’s tags.
  • Last Discovered Time: Displays the last time the Lacework agent discovered the resource.

Configuration Diffs

To view a configuration diff, click a resource name under the Resource Name column. This opens a pane with configuration details. When a diff is present, it is always compared to the current configuration. If more than two configuration histories exist, click View more to display the Configuration History page.

To view a resource’s tag information, click {...} in the Tags column.

A change to a resource’s primary API configuration appears as a diff in the Lacework Console.

Configuration History

This page provides configuration histories for a resource. To open the Configuration History page, click View more. The link is available only if the resource has more than two configuration histories.

To compare two configurations, select their checkboxes and click the diff configurations icon.

The columns in the Configuration History table are described below.

  • Configuration: Click to view the configuration.
  • Start Time: Displays when data collection started.
  • End Time: Displays when data collection ended.