Sections in this category

Google Cloud

  • Updated

Google Cloud + JupiterOne Integration Benefits

  • Visualize Google Cloud resources in the JupiterOne graph.
  • Map Google users to employees in your JupiterOne account.
  • Monitor visibility and governance of your Google Cloud environment by leveraging hundreds of out of the box queries.
  • Monitor compliance against the Google Cloud CIS Framework and other security benchmarks using the JupiterOne compliance app.
  • Monitor changes to your Google Cloud resources using multiple JupiterOne alert rule packs specific to Google Cloud.

How it Works

  • JupiterOne periodically fetches users and cloud resources from Google Cloud to update the graph.
  • Write JupiterOne queries to review and monitor updates to the graph, or leverage existing queries.
  • Configure alerts to take action when the JupiterOne graph changes, or leverage existing alerts.

Requirements

  • JupiterOne requires the contents of a Google Cloud service account key file with the correct API services enabled (see the Integration Walkthrough).
  • You must have permission in JupiterOne to install new integrations.

Support

If you need help with this integration, please contact JupiterOne Support.

Integration Walkthrough

Customers authorize access by creating a Google Cloud service account and providing the service account key to JupiterOne.

In Google Cloud

A Google Cloud service account and a Google Cloud service account key must be created in order to run the integration. The service account key is used to authenticate on behalf of the integration's Google Cloud project and ingest data into JupiterOne.

Google Cloud has most API services disabled by default. When a Google Cloud service API is disabled, the JupiterOne integration will not ingest the data from that API. The following Google Cloud service APIs must be enabled to ingest all of the supported data into JupiterOne:

Service Name Service API
Service Usage serviceusage.googleapis.com
Cloud Functions cloudfunctions.googleapis.com
Cloud Storage storage.googleapis.com
Identity and Access Management (IAM) iam.googleapis.com
Cloud Resource Manager cloudresourcemanager.googleapis.com
Cloud Engine compute.googleapis.com
Cloud Key Management Service (KMS) cloudkms.googleapis.com
Cloud SQL sqladmin.googleapis.com
BigQuery bigquery.googleapis.com
Cloud DNS dns.googleapis.com
Kubernetes Engine container.googleapis.com
Cloud Logging logging.googleapis.com
Stackdriver Monitoring monitoring.googleapis.com
Binary Authorization binaryauthorization.googleapis.com
Cloud Pub/Sub pubsub.googleapis.com
App Engine Admin appengine.googleapis.com
Cloud Run run.googleapis.com
Cloud Memorystore for Redis redis.googleapis.com
Cloud Memorystore for Memcached memcache.googleapis.com
API Gateway apigateway.googleapis.com
Cloud Spanner spanner.googleapis.com
Certificate Authority privateca.googleapis.com
Cloud Asset cloudasset.googleapis.com

Google Cloud service APIs can be enabled using one of the following methods:

Enabling Google Cloud Service API from Google Cloud Console

  1. Click on the service name link that you'd like to enable from the table above
  2. Select your Google Cloud project from the project dropdown menu
  3. Click the "Enable" button

Enabling Google Cloud Service API from gcloud CLI

Instructions on how to setup the gcloud CLI can be found in the JupiterOne Google Cloud integration developer documentation.

After setting up the gcloud CLI, you can run the following command to enable all services that the JupiterOne integration supports:

NOTE You can only enable 20 services at a time

gcloud services enable \
  serviceusage.googleapis.com \
  cloudfunctions.googleapis.com \
  storage.googleapis.com \
  iam.googleapis.com \
  cloudresourcemanager.googleapis.com \
  compute.googleapis.com \
  cloudkms.googleapis.com \
  sqladmin.googleapis.com \
  bigquery.googleapis.com \
  container.googleapis.com \
  dns.googleapis.com \
  logging.googleapis.com \
  monitoring.googleapis.com \
  binaryauthorization.googleapis.com \
  pubsub.googleapis.com \
  appengine.googleapis.com \
  run.googleapis.com \
  redis.googleapis.com \
  memcache.googleapis.com \
  apigateway.googleapis.com \
  spanner.googleapis.com \
  privateca.googleapis.com \
  cloudasset.googleapis.com

Creating Google Cloud project service account

We must assign the correct permissions to the newly created service account for the integration to be run. We recommend using the following roles managed by Google Cloud:

NOTE: You may also create a service account using the gcloud CLI. There is documentation on how to leverage the CLI in the JupiterOne Google Cloud integration developer documentation.

Generate a service account key

NOTE: You may also create a service account key using the gcloud CLI. There is documentation on how to leverage the CLI in the Google Cloud integration developer documentation.

JupiterOne + Google Cloud Organization

Given the correct permissions, JupiterOne has the ability to automatically discover each project under a Google Cloud organization and configure integration instances for each of the projects.

Setup
  1. Select one Google Cloud project to configure a service account for JupiterOne.
  2. Create the service account without a role. Copy the email address of the new service account (e.g. my-sa@my-j1-project.iam.gserviceaccount.com)
  3. Generate and copy a new service account key
  4. Enable all service APIs in the "main" project that you'd like JupiterOne to access across each of the projects we will generate later. Documentation for enabling service APIs is described in an earlier section of this document.
  5. Switch to the organization that you'd like to create individual integration instances for each project
  6. Create a new custom role with the following permissions:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list
resourcemanager.organizations.getIamPolicy
cloudasset.assets.searchAllIamPolicies
  1. Navigate to the Cloud Resource Manager for that organization and add a new member to the organization. The new member email address is the email address of the service account that was created earlier. Select the new organization role that was created above, as well as the Google Cloud managed role "Security Reviewer" (roles/iam.securityReviewer) or an alternative JupiterOne custom role that you've created.

  2. Navigate to the JupiterOne Google Cloud integration configuration page to begin configuring the "main" integration instance.

Use the generated service account key as the value for the "Service Account Key File" field.

NOTE: The "Polling Interval" that is selected for the "main" integration instances, will be the same polling interval that is used for each of the child integration instances.

  1. Check the "Configure Organization Projects" checkbox
  2. Place the numerical value of the Google Cloud organization into the "Organization ID" text field (e.g. "1234567890")
  3. Click the CREATE CONFIGURATION button

NOTE: Depending on how many projects exist under a Google Cloud organization, the auto-configuration process may take a few minutes to complete. When the process has been completed, you will see your new integration instances on the JupiterOne Google Cloud integration list page.

JupiterOne + Google Cloud Organization CLI

A CLI is exposed from the graph-google-cloud project on GitHub that can be leveraged to create individual integration instances for every project that is under a specific Google Cloud organization.

Install Dependencies

The following dependencies are needed in order to run the CLI:

Running

The following shows all of the options that are exposed by the CLI.

JupiterOne Google Cloud Organization Integration Setup

Usage:
  $ JupiterOne Google Cloud Organization Integration Setup []

Commands:
  []  Default command: Run the organization setup

For more info, run any command with the `--help` flag:
  $ JupiterOne Google Cloud Organization Integration Setup --help

Options:
    --jupiterone-account-id <jupiteroneAccountId>                         (Required) JupiterOne Account ID
    --jupiterone-api-key <jupiteroneApiKey>                               (Required) JupiterOne API Key
    --google-access-token <googleAccessToken>                             (Required) Google Cloud Access Token
    --organization-id [organizationId]                                    (Optional) Array of organization IDs to collect projects from
    --project-id [projectId]                                              (Optional) Array of project IDs to create integration instances with
    --skip-project-id [projectId]                                         (Optional) Array of project IDs to skip creating integration instances for
    --skip-system-projects [skipSystemProjects]                           (Optional) Skips creation of any projects that have an ID that start with "sys-" (default: true)
    --rotate-service-account-keys [rotateServiceAccountKeys]              (Optional) Creates a new service account key for the JupiterOne service account and PUTs the JupiterOne integration instance (default: false)
    --skip-project-id-regex [skipProjectIdRegex]                          (Optional) Project IDs discovered that match this regex will be skipped
    --integration-instance-name-pattern [integrationInstanceNamePattern]  (Optional) Naming pattern for how the integration instances that are created will be named. Example: 'gcp-{{projectId}}'
    --integration-polling-interval [integrationPollingInterval]           (Optional) Polling interval for the integration instances that are created (default: ONE_DAY)
    -h, --help                                                            Display this message

Example usage to create integration instances for every project that is under a Google Cloud organization

yarn jupiterone-organization-setup \
    --google-access-token $(gcloud auth print-access-token) \
    --organization-id 1111111111 \
    --jupiterone-account-id MY_JUPITERONE_ACCOUNT_ID_HERE \
    --jupiterone-api-key MY_JUPITERONE_API_KEY_HERE

Example usage to create integration instances for each project in multiple Google Cloud organizations:

yarn jupiterone-organization-setup \
    --google-access-token $(gcloud auth print-access-token) \
    --organization-id 1111111111 \
    --organization-id 2222222222 \
    --jupiterone-account-id MY_JUPITERONE_ACCOUNT_ID_HERE \
    --jupiterone-api-key MY_JUPITERONE_API_KEY_HERE

Example usage to create integration instances for a selection of projects that the authenticated Google Cloud user has access to:

yarn jupiterone-organization-setup \
    --google-access-token $(gcloud auth print-access-token) \
    --jupiterone-account-id MY_JUPITERONE_ACCOUNT_ID_HERE \
    --jupiterone-api-key MY_JUPITERONE_API_KEY_HERE \
    --project-id MY_GOOGLE_CLOUD_PROJECT_ID_HERE \
    --project-id MY_GOOGLE_CLOUD_PROJECT_ID_HERE_2 \
    --project-id MY_GOOGLE_CLOUD_PROJECT_ID_HERE_3
How it works

The following is the overall flow of how the CLI creates an integration instance for each project:

  • For every project in a GCP org
    • Enable relevant Google Cloud API services that the JupiterOne integration will interact with
    • Create a service account to be used by JupiterOne
    • Create a service account key for the new service account
    • Update the project’s IAM policy with the new service account as a member of the recommended roles/iam.securityReviewer to allow JupiterOne read access to relevant Google Cloud resources
    • Create a JupiterOne integration instance using the newly generated service account key file

In JupiterOne

  1. From the configuration Gear Icon, select Integrations.
  2. Scroll to the Google Cloud integration tile and click it.
  3. Click the Add Configuration button and configure the following settings:
  • Enter the Account Name by which you'd like to identify this Google Cloud account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when Tag with Account Name is checked.
  • Enter a Description that will further assist your team when identifying the integration instance.
  • Select a Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.
  • Enter the Servce Account Key File contents of the Google Cloud service account.
  1. Click Create Configuration once all values are provided.

How to Uninstall

  1. From the configuration Gear Icon, select Integrations.
  2. Scroll to the Google Cloud integration tile and click it.
  3. Identify and click the integration to delete.
  4. Click the trash can icon.
  5. Click the Remove button to delete the integration.

Data Model

Entities

The following entities are created:

Resources Entity _type Entity _class
Access Context Manager Access Level google_access_context_manager_access_level Ruleset
Access Context Manager Access Policy google_access_context_manager_access_policy AccessPolicy
Access Context Manager Service Perimeter google_access_context_manager_service_perimeter Configuration
Access Context Manager Service Perimeter Api Operation google_access_context_manager_service_perimeter_api_operation Configuration
Access Context Manager Service Perimeter Egress Policy google_access_context_manager_service_perimeter_egress_policy ControlPolicy
Access Context Manager Service Perimeter Ingress Policy google_access_context_manager_service_perimeter_ingress_policy ControlPolicy
Access Context Manager Service Perimeter Method Selector google_access_context_manager_service_perimeter_method_selector Configuration
Api Gateway Api google_api_gateway_api Service
Api Gateway Api Config google_api_gateway_api_config Configuration
Api Gateway Gateway google_api_gateway_gateway Gateway
AppEngine Application google_app_engine_application Application
AppEngine Instance google_app_engine_instance Host
AppEngine Service google_app_engine_service Container
AppEngine Version google_app_engine_version Service
Big Query Dataset google_bigquery_dataset DataStore, Database
Big Query Model google_bigquery_model Model
Big Query Table google_bigquery_table DataCollection
Binary Authorization Policy google_binary_authorization_policy AccessPolicy
Cloud API Service google_cloud_api_service Service
Cloud Function google_cloud_function Function
Cloud Run Configuration google_cloud_run_configuration Configuration
Cloud Run Route google_cloud_run_route Configuration
Cloud Run Service google_cloud_run_service Service
Cloud Storage Bucket google_storage_bucket DataStore
Compute Backend Bucket google_compute_backend_bucket Gateway
Compute Backend Service google_compute_backend_service Service
Compute Disk google_compute_disk DataStore, Disk
Compute Firewalls google_compute_firewall Firewall
Compute Health Check google_compute_health_check Service
Compute Image google_compute_image Image
Compute Instance google_compute_instance Host
Compute Instance Group google_compute_instance_group Group
Compute Instance Group Named Port google_compute_instance_group_named_port Configuration
Compute Load Balancer google_compute_url_map Gateway
Compute Networks google_compute_network Network
Compute Project google_compute_project Project
Compute SSL Policy google_compute_ssl_policy Policy
Compute Snapshot google_compute_snapshot Image
Compute Subnetwork google_compute_subnetwork Network
Compute Target HTTP Proxy google_compute_target_http_proxy Gateway
Compute Target HTTPS Proxy google_compute_target_https_proxy Gateway
Compute Target SSL Proxy google_compute_target_ssl_proxy Gateway
Container Cluster google_container_cluster Cluster
Container Node Pool google_container_node_pool Group
DNS Managed Zone google_dns_managed_zone DomainZone
Folder google_cloud_folder Group
IAM Binding google_iam_binding AccessPolicy
IAM Managed Role google_iam_role AccessRole
IAM Service Account google_iam_service_account User
IAM Service Account Key google_iam_service_account_key AccessKey
IAM User google_user User
KMS Crypto Key google_kms_crypto_key Key, CryptoKey
KMS Key Ring google_kms_key_ring Vault
Logging Metric google_logging_metric Configuration
Logging Project Sink google_logging_project_sink Logs
Memcache Instance google_memcache_instance Database, DataStore, Cluster
Memcache Instance Node google_memcache_instance_node Database, DataStore, Host
Monitoring Alert Policy google_monitoring_alert_policy Policy
Organization google_cloud_organization Organization
Private CA Certificate google_privateca_certificate Certificate
Private CA Certificate Authority google_privateca_certificate_authority Service
Project google_cloud_project Account
PubSub Subscription google_pubsub_subscription Service
PubSub Topic google_pubsub_topic Channel
Redis Instance google_redis_instance Database, DataStore, Host
SQL Admin MySQL Instance google_sql_mysql_instance Database
SQL Admin Postgres Instance google_sql_postgres_instance Database
SQL Admin SQL Server Instance google_sql_sql_server_instance Database
Spanner Instance google_spanner_instance Database, Cluster
Spanner Instance Config google_spanner_instance_config Configuration
Spanner Instance Database google_spanner_database Database

Relationships

The following relationships are created/mapped:

Source Entity _type Relationship _class Target Entity _type
google_access_context_manager_access_policy HAS google_access_context_manager_access_level
google_access_context_manager_access_policy HAS google_access_context_manager_service_perimeter
google_access_context_manager_service_perimeter_api_operation HAS google_access_context_manager_service_perimeter_method_selector
google_access_context_manager_service_perimeter_egress_policy HAS google_access_context_manager_service_perimeter_api_operation
google_access_context_manager_service_perimeter HAS google_access_context_manager_service_perimeter_egress_policy
google_access_context_manager_service_perimeter HAS google_access_context_manager_service_perimeter_ingress_policy
google_access_context_manager_service_perimeter_ingress_policy HAS google_access_context_manager_service_perimeter_api_operation
google_access_context_manager_service_perimeter LIMITS google_cloud_api_service
google_access_context_manager_service_perimeter PROTECTS google_cloud_project
google_api_gateway_api_config USES google_iam_service_account
google_api_gateway_api HAS google_api_gateway_gateway
google_api_gateway_api USES google_api_gateway_api_config
google_app_engine_application HAS google_app_engine_service
google_app_engine_application USES google_storage_bucket
google_app_engine_service HAS google_app_engine_version
google_app_engine_version HAS google_app_engine_instance
google_bigquery_dataset HAS google_bigquery_model
google_bigquery_dataset HAS google_bigquery_table
google_bigquery_dataset USES google_kms_crypto_key
google_cloud_api_service HAS google_iam_role
internet ALLOWS google_compute_firewall
google_cloud_folder HAS google_cloud_folder
google_cloud_function USES google_iam_service_account
google_cloud_organization HAS google_cloud_folder
google_cloud_project HAS google_cloud_api_service
google_cloud_project HAS google_binary_authorization_policy
google_cloud_run_service MANAGES google_cloud_run_configuration
google_cloud_run_service MANAGES google_cloud_run_route
google_compute_backend_bucket HAS google_storage_bucket
google_compute_backend_service HAS google_compute_health_check
google_compute_backend_service HAS google_compute_instance_group
google_compute_backend_service HAS google_compute_target_ssl_proxy
google_compute_disk CREATED google_compute_snapshot
google_compute_disk USES google_compute_image
google_compute_disk USES google_kms_crypto_key
google_compute_firewall PROTECTS google_compute_network
google_compute_image USES google_compute_image
google_compute_image USES google_kms_crypto_key
google_compute_instance_group HAS google_compute_instance
google_compute_url_map HAS google_compute_backend_service
google_compute_instance TRUSTS google_iam_service_account
google_compute_instance USES google_compute_disk
google_compute_network CONTAINS google_compute_subnetwork
google_compute_network HAS google_compute_firewall
google_compute_project HAS google_compute_instance
google_compute_snapshot CREATED google_compute_image
google_compute_subnetwork HAS google_compute_instance
google_compute_target_https_proxy HAS google_compute_ssl_policy
google_compute_target_ssl_proxy HAS google_compute_ssl_policy
google_compute_url_map HAS google_compute_backend_bucket
google_compute_url_map HAS google_compute_backend_service
google_compute_url_map HAS google_compute_target_http_proxy
google_compute_url_map HAS google_compute_target_https_proxy
google_container_cluster HAS google_container_node_pool
google_container_node_pool HAS google_compute_instance_group
google_cloud_folder HAS google_cloud_project
google_group ASSIGNED google_iam_role
google_iam_service_account ASSIGNED google_iam_role
google_iam_service_account CREATED google_app_engine_version
google_iam_service_account HAS google_iam_service_account_key
google_kms_key_ring HAS google_kms_crypto_key
google_logging_metric HAS google_monitoring_alert_policy
google_logging_project_sink USES google_storage_bucket
google_memcache_instance HAS google_memcache_instance_node
google_memcache_instance USES google_compute_network
google_cloud_organization HAS google_cloud_project
google_privateca_certificate_authority CREATED google_privateca_certificate
google_privateca_certificate_authority USES google_storage_bucket
google_pubsub_subscription USES google_pubsub_topic
google_pubsub_topic USES google_kms_crypto_key
google_redis_instance USES google_compute_network
google_spanner_database USES google_kms_crypto_key
google_spanner_instance HAS google_spanner_database
google_spanner_instance USES google_spanner_instance_config
google_sql_mysql_instance USES google_kms_crypto_key
google_sql_postgres_instance USES google_kms_crypto_key
google_sql_sql_server_instance USES google_kms_crypto_key
google_user ASSIGNED google_iam_role
google_user CREATED google_app_engine_version

🔝

Was this article helpful?

0 out of 0 found this helpful