Skip to main content

GCP Inventory

Overview

The Lacework Console provides visibility into Google Cloud Provider (GCP) resources that are integrated with Lacework. A resource can be any entity within the cloud deployment, such as GCE Virtual Machines, Pub/Sub topics, Cloud Storage buckets, security groups, etc. The GCP Resource Inventory page allows you to view and monitor in-use GCP resources’ risk, compliance, and configuration changes and provides visibility for team members with limited or no access to the Google Cloud Console. Because Lacework takes regular snapshots of your resources, you can track their changes (diffs) through the Lacework Console. To access the Resource Inventory page, go to Resources > GCP Inventory.

GCP resources are the components that enable services on GCP. GCP resources are grouped into specific projects, the first hierarchy level. Projects are grouped under a specific folder, the next level of hierarchy for GCP resources. In addition, a specific folder can belong to another folder, which in turn can belong to yet another folder. Folders are grouped under a specific organization or Org, the top level of hierarchy for resources.

For more information about GCP integration with Lacework, see GCP Compliance and Audit Log Integration - Terraform Using Google Cloud Shell and GCP Compliance and Audit Log Integration - Terraform From Any Supported Host.

Lacework takes a snapshot of resources on a periodic time frame. Depending on the time that Lacework takes the snapshot, changes may not be captured until up to 24 hours after the changes are made. See the following examples:

  • A resource change is made on Monday at 1:00 AM and Lacework takes a snapshot on Monday at 2:00 AM, the snapshot includes the change.
  • A resource change is made on Monday at 3:00 AM but Lacework took a snapshot on Monday at 2:00 AM, the snapshot does not include the change. The next snapshot on Tuesday at 2:00 AM will capture the change.

Supported Resource Types

Resource Management supports the following resource type APIs.

ServiceAPI
App Engineappengine.googleapis.com/Application
appengine.googleapis.com/Service
appengine.googleapis.com/Version
Artifact Registryartifactregistry.googleapis.com/DockerImage
artifactregistry.googleapis.com/Repository
BigQuerybigquery.googleapis.com/Dataset
bigquery.googleapis.com/Table
bigquery.googleapis.com/Model
Cloud Bigtablebigtableadmin.googleapis.com/AppProfile
bigtableadmin.googleapis.com/Backup
bigtableadmin.googleapis.com/Cluster
bigtableadmin.googleapis.com/Instance
bigtableadmin.googleapis.com/Table
Cloud Billingcloudbilling.googleapis.com/BillingAccount
Certificate Authority Serviceprivateca.googleapis.com/CaPool
privateca.googleapis.com/CertificateAuthority
privateca.googleapis.com/CertificateRevocationList
privateca.googleapis.com/CertificateTemplate
Cloud Functionscloudfunctions.googleapis.com/CloudFunction
Cloud Runrun.googleapis.com/DomainMapping
run.googleapis.com/Revision
run.googleapis.com/Service
Container Registrycontainerregistry.googleapis.com/Image
Dataprocdataproc.googleapis.com/Cluster
dataproc.googleapis.com/Job
Dialogflowdialogflow.googleapis.com/Agent
dialogflow.googleapis.com/LocationSettings
Cloud Data Loss Preventiondlp.googleapis.com/StoredInfoType
dlp.googleapis.com/DeidentifyTemplate
dlp.googleapis.com/DlpJob
dlp.googleapis.com/InspectTemplate
dlp.googleapis.com/JobTrigger
Cloud DNSdns.googleapis.com/ManagedZone
dns.googleapis.com/Policy
Eventarceventarc.googleapis.com/Trigger
Identity and Access Managementiam.googleapis.com/Role
iam.googleapis.com/ServiceAccount
iam.googleapis.com/ServiceAccountKey
Cloud Key Management Servicecloudkms.googleapis.com/KeyRing
cloudkms.googleapis.com/CryptoKey
cloudkms.googleapis.com/CryptoKeyVersion
cloudkms.googleapis.com/ImportJob
Pub/Subpubsub.googleapis.com/Topic
pubsub.googleapis.com/Subscription
pubsub.googleapis.com/Snapshot
Cloud Spannerspanner.googleapis.com/Instance
spanner.googleapis.com/Database
spanner.googleapis.com/Backup
Cloud SQLsqladmin.googleapis.com/Instance
sqladmin.googleapis.com/BackupRun
Cloud Storagestorage.googleapis.com/Bucket
Cloud OS Configosconfig.googleapis.com/PatchDeployment
osconfig.googleapis.com/VulnerabilityReport
Compute Enginecompute.googleapis.com/Autoscaler
compute.googleapis.com/Address
compute.googleapis.com/GlobalAddress
compute.googleapis.com/BackendBucket
compute.googleapis.com/BackendService
compute.googleapis.com/Commitment
compute.googleapis.com/Disk
compute.googleapis.com/ExternalVpnGateway
compute.googleapis.com/Firewall
compute.googleapis.com/ForwardingRule
compute.googleapis.com/GlobalForwardingRule
compute.googleapis.com/HealthCheck
compute.googleapis.com/HttpHealthCheck
compute.googleapis.com/HttpsHealthCheck
compute.googleapis.com/Image
compute.googleapis.com/Instance
compute.googleapis.com/InstanceGroup
compute.googleapis.com/InstanceGroupManager
compute.googleapis.com/InstanceTemplate
compute.googleapis.com/Interconnect
compute.googleapis.com/InterconnectAttachment
compute.googleapis.com/License
compute.googleapis.com/Network
compute.googleapis.com/NetworkEndpointGroup
compute.googleapis.com/NodeGroup
compute.googleapis.com/NodeTemplate
compute.googleapis.com/PacketMirroring
compute.googleapis.com/Project
compute.googleapis.com/RegionBackendService
compute.googleapis.com/RegionDisk
compute.googleapis.com/Reservation
compute.googleapis.com/ResourcePolicy
compute.googleapis.com/Route
compute.googleapis.com/Router
compute.googleapis.com/SecurityPolicy
compute.googleapis.com/Snapshot
compute.googleapis.com/SslCertificate
compute.googleapis.com/SslPolicy
compute.googleapis.com/Subnetwork
compute.googleapis.com/TargetHttpProxy
compute.googleapis.com/TargetHttpsProxy
compute.googleapis.com/TargetInstance
compute.googleapis.com/TargetPool
compute.googleapis.com/TargetTcpProxy
compute.googleapis.com/TargetSslProxy
compute.googleapis.com/TargetVpnGateway
compute.googleapis.com/UrlMap
compute.googleapis.com/VpnGateway
compute.googleapis.com/VpnTunnel
Google Kubernetes Enginecontainer.googleapis.com/Cluster
container.googleapis.com/NodePool
k8s.io/Node
k8s.io/Pod
k8s.io/Namespace
k8s.io/Service
rbac.authorization.k8s.io/Role
rbac.authorization.k8s.io/RoleBinding
rbac.authorization.k8s.io/ClusterRole
rbac.authorization.k8s.io/ClusterRoleBinding
networking.k8s.io/NetworkPolicy
Resource Managercloudresourcemanager.googleapis.com/Organization
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project
cloudresourcemanager.googleapis.com/TagKey
cloudresourcemanager.googleapis.com/TagValue
Service Usageserviceusage.googleapis.com/Service
Cloud Data Fusiondatafusion.googleapis.com/Instance
Cloud Logginglogging.googleapis.com/LogBucket
logging.googleapis.com/LogMetric
logging.googleapis.com/LogSink
Network Management APInetworkmanagement.googleapis.com/ConnectivityTest
Managed Service for Microsoft Active Directorymanagedidentities.googleapis.com/Domain
Game Serversgameservices.googleapis.com/GameServerCluster
gameservices.googleapis.com/Realm
gameservices.googleapis.com/GameServerConfig
gameservices.googleapis.com/GameServerDeployment
Dataflowdataflow.googleapis.com/Job
Hubgkehub.googleapis.com/Membership
Secret Managersecretmanager.googleapis.com/Secret
secretmanager.googleapis.com/SecretVersion
Cloud TPUtpu.googleapis.com/Node
Filestorefile.googleapis.com/Instance
Service Directoryservicedirectory.googleapis.com/Namespace
Assured Workloadsassuredworkloads.googleapis.com/Workload
API Gatewayapigateway.googleapis.com/Api
apigateway.googleapis.com/ApiConfig
apigateway.googleapis.com/Gateway
App Engine Memcachememcache.googleapis.com/Instance
Document AIdocumentai.googleapis.com/HumanReviewConfig
documentai.googleapis.com/LabelerPool
documentai.googleapis.com/Processor
documentai.googleapis.com/ProcessorVersion
Memorystore for Redisredis.googleapis.com/Instance
Vertex AIaiplatform.googleapis.com/BatchPredictionJob
aiplatform.googleapis.com/CustomJob
aiplatform.googleapis.com/DataLabelingJob
aiplatform.googleapis.com/Dataset
aiplatform.googleapis.com/Endpoint
aiplatform.googleapis.com/HyperparameterTuningJob
aiplatform.googleapis.com/MetadataStore
aiplatform.googleapis.com/Model
aiplatform.googleapis.com/ModelDeploymentMonitoringJob
aiplatform.googleapis.com/PipelineJob
aiplatform.googleapis.com/SpecialistPool
aiplatform.googleapis.com/TrainingPipeline
Cloud Monitoringmonitoring.googleapis.com/AlertPolicy
Serverless VPC Accessvpcaccess.googleapis.com/Connector
Service Managementservicemanagement.googleapis.com/ManagedService
Dataproc Metastoremetastore.googleapis.com/Service
metastore.googleapis.com/MetadataImport
metastore.googleapis.com/Backup
note

For the full list of possible resources, see Supported asset types.
To view the list of resources from the GCP console, select Asset Inventory > Resource.

Configure Permissions to Enable Access to GCP Resources

In order to access and manage GCP resources, you must enable certain permissions through the use of updated roles.

Configure GCP Permissions by Updating Terraform Integration

You can use Terraform to integrate Google Cloud environments with Lacework. To enable access to GCP resources if you have an existing Terraform template for GCP integration, you must update and rerun the Lacework GCP Terraform module. Perform the following tasks to access GCP resource types:

  1. Verify that your Terraform template is specifying the minimum Lacework GCP Config module version 1.0. To do this, open and examine your Terraform file for the following:

      1 module "gcp-config" {
    2 source = "lacework/config/gcp"
    3 version = "~> 1.0"
    4 }
    note

    The terraform init -upgrade command in the next step will pull in the latest version. The minimum version 1.2.0 is required to enable permissions to GCP resource types.

  2. Update the Terraform integration to version 1.2.0 to utilize the new permissions for GCP resources in the Lacework GCP Config module by running an update and applying this update:

    terraform init -upgrade
    terraform apply

Configure GCP Permissions Manually

In order to access and manage GCP resources, you must enable certain permissions through the use of updated roles. You can do this automatically through Terraform as discussed in the previous section. Additionally, you can configure the permissions manually.

1. Add the roles/cloudasset.viewer Role to your GCP Service Account

Add the new role roles/cloudasset.viewer to your service account to access your GCP resource types. You can add this new role either at the individual project level or at the organization level.

You can add the role through the GCP console or through the gcloud CLI, as described below.

Add Role through the GCP console
  1. Navigate to IAM and Admin in the GCP console.
  2. Locate the service account for the GCP integration and click the Edit Permissions icon (located right of the entry).
  3. Click + Add Another Role.
  4. Select the role Cloud Asset > Cloud Asset Viewer.
  5. Click Save as.
Add Role through the gcloud CLI

To add the new role to a service account at the individual project level:

gcloud projects add-iam-policy-binding TARGET_PROJECT_ID \
--member serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \
--role roles/cloudasset.viewer

To add the new role to a service account at the organization level:

gcloud organizations add-iam-policy-binding TARGET_ORGANIZATION_ID \
--member serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \
--role roles/cloudasset.viewer

2. Enable the API for your GCP Service Account

Enable the API that accesses your resource types on the GCP project to which the service account belongs.

You can enable the API through the GCP console or through the gcloud CLI, as described below:

Enable the API through GCP console for your Project

Using the GCP console, add cloudasset.googleapis.com to enable access to the GCP API:

  1. Log in to the specific project you want to integrate on the GCP Console.
  2. Click gcp_waffle.png.
  3. Select APIs & Services > Library. In the Search for APIs & Services field, enter cloudasset.googleapis.com.
  4. Click on the result that matches the API name listed.
  5. Click ENABLE.
Enable the API through the gcloud CLI

Ensure that the gcloud config is set to use a Service Account with the permissions required to enable APIs.

gcloud --project <service_account_project_id> services enable cloudasset.googleapis.com

Resource Summary

Lacework populates this page after at least one GCP integration is configured. The date/time range filter and any optional filters at top of the page apply to all data displayed on the page. If nothing is displayed, consider increasing the date range.

To access the Resource Summary information on the GCP Resource Inventory page, go to Resources > GCP Inventory.

Above the right side of the table, the following icons are available:

IconLabelDescription
download_csv.pngDownload in CSV formatClick the Download in CSV format icon to get a comma-separated file of the table contents.
select_columns.pngSelect display columnsClick the Select display columns icon to hide or show the set of columns that are displayed in the table.
Refresh.pngRefresh dataClick the Refresh data icon to refresh the table data.
full_screen.pngFull screenClick the Full screen icon to view the table on the entire screen.

The columns in the Resources Summary table are described below. Each row in the table represents a resource.

ColumnDescription
Resource NameDisplays the name of the GCP resource type. Click the name to open the resource’s configuration.
Recently Updated (24hrs)Displays whether there was an update in the last 24 hours.
OrganizationDisplays the specific organization that the resource type belongs to. Organizations contain folders, which in turn contain projects of resource types.
Folder IDDisplays the specific folder identifier that the resource type belongs to. A resource can belong to a folder. That folder can belong to another folder, which in turn can belong to yet another folder. To view the hierarchy of this multiple folder structure, click the specific Folder ID.
Project IDDisplays the specific project that the resource type belongs to. Projects allow you to organize and group together resource types into specific projects.
ServiceDisplays the GCP service that the resource corresponds to.
TypeDisplays the type of resource.
RegionDisplays the region where the resource is located.
StatusDisplays the status of data collection from the resource.
TagsClick {...} to open the resource’s tags.
Last Discovered TimeDisplays the last time the Lacework agent discovered the resource.

Configuration Diffs

To view a configuration diff, click a resource name under the Resource Name column. This opens a pane with configuration details. When a diff is present, it is always compared to the current configuration. If more than two configuration histories exist, click View more to display the Configuration History page.

To view a resource’s tag information, click {...} in the Tags column.

If you change an API (primary API) configuration, then it appears as a diff on the Lacework Console.

Configuration History

This page provides configuration histories for a resource. To open the Configuration History page, click View more. The link is available only if the resource has more than two configuration histories.

To compare two configurations, select their checkboxes and click the diff configurations icon.

The columns in the Configuration History table are described below.

ColumnDescription
ConfigurationClick to view the configuration.
Start TimeDisplays when data collection started.
End TimeDisplays when data collection ended.