Google Cloud organization

This topic describes how to connect a Google Cloud organization or project to CEM, the discovery process that runs after you connect, and the roles and permissions that the CEM service account is granted.

Before you begin

Make sure you have the following:

  • A Google Cloud project

  • An admin user that has been granted the following role: roles/resourcemanager.organizationAdmin. This is a predefined role, not a single permission; it is required to create the organization-level custom role and IAM bindings described under Enable APIs.

Add Google Cloud to CEM

There are two ways to add Google Cloud to CEM: add an entire organization, or add a single project. Both are described in the sections below.

Add a new Google Cloud organization

To add a new organization, CEM has to discover the related resources and their hierarchies. This process involves the steps described below.

Step 1: Provide the organization details to CEM

In CEM, provide the following information about your Google Cloud organization:

  • Organization ID: The ID assigned to the organization.

  • Dataset name: The name of an existing BigQuery dataset used for log collection, if you already have one. Leave it empty to have CEM create a dataset (see Enable APIs, Step 4).

  • Project ID: The ID of the project that contains your existing log collection dataset, or in which CEM should create a new one.

Step 2: Create a service account in your Google Cloud organization

Next, run the CEM deploy script against your organization from Cloud Shell. The script creates a service account called cem-service-account together with the resources that CEM needs to connect to your organization and scan its resources (a custom role, IAM bindings, a log sink, and a dataset; see Enable APIs below).

After the deploy script finishes, copy the finalValue it outputs in Google Cloud and paste it into the CyberArk interface so that CEM can use the service account's permissions.

Step 3: Start discovery

When you click Start discovery, CEM scans your organization to discover the resources and their hierarchies.

Step 4: Start scanning your Google Cloud organization for insights

After the discovery process is finished, you can begin to scan your workspace and get insights from CEM on how to reduce your risk exposure.

To start scanning for insights

  1. In CEM, go to the Setup > Platform management > GCP page.

  2. For each resource you want to scan, open the options menu and click Connect.

For details, see View and manage workspace connections.

For detailed information about each operation in the deploy script that creates the CEM service account, see Enable APIs below.

Add a new Google Cloud project

Do the following steps to add a Google Cloud project to CEM.

Step 1: Provide the Google Cloud project details to CEM

CEM needs the following information about your Google Cloud project:

  • Project ID: The assigned project ID.

  • Project name: An optional name that describes the project.

  • Project description: An optional project description.

Step 2: Create a CyberArk service account in your Google Cloud project

Configure Google Cloud to give CyberArk access to your resources.

In this step, you run the CEM deploy script against your project from Cloud Shell. The script creates a service account called cem-service-account together with the resources that CEM needs to connect to your project and scan its resources.

After the deploy script finishes, copy the finalValue it outputs in Google Cloud and paste it back into CEM so that CEM can use the service account's permissions.

CEM automatically connects and begins to scan your Google Cloud project.

For detailed information about each operation in the deploy script that creates the CEM service account, see Enable APIs below.

Enable APIs

This section describes what the deploy script does: the Cloud APIs it enables, and the custom role, service account, IAM bindings, sink, and dataset it creates so that CEM can reach the resources it needs.

The script enables the following APIs:

  • deploymentmanager.googleapis.com

  • cloudresourcemanager.googleapis.com

  • iam.googleapis.com

  • bigquery.googleapis.com

  • recommender.googleapis.com

Step 1: Create a custom role

The deploy script creates a custom role with the minimum permissions required for the CEM service account to work. Every permission in the role is a get, list, or query operation, with one exception: bigquery.jobs.create, which CEM needs to run queries against the log dataset.

The following permissions are granted to the CEM service account through the custom role:

  • iam.roles.list: Lists the custom roles defined in the project or organization.

  • iam.roles.get: Enables CEM to get role data, including the permissions a role contains.

  • iam.serviceAccounts.getIamPolicy: Enables CEM to get the IAM policy that is attached to a service account.

  • iam.serviceAccounts.list: Lists all of the user-managed service accounts.

  • iam.serviceAccountKeys.list: Lists every key of a service account.

  • logging.logEntries.list: Lists the log entries that originated from a project, folder, organization, or billing account.

  • managedidentities.domains.getIamPolicy: Enables CEM to get the access control policy of a Managed Microsoft AD domain.

  • bigquery.datasets.get: Enables CEM to get metadata about a dataset.

  • bigquery.tables.list: Lists the dataset's tables and their metadata.

  • bigquery.tables.get: Enables CEM to get table metadata.

  • bigquery.tables.getData: Enables CEM to read the data in a table (the collected logs).

  • bigquery.jobs.create: Enables CEM to run jobs (including queries) within the project.

  • recommender.iamPolicyInsights.list: Lists the IAM policy insights.

  • recommender.iamPolicyInsights.get: Enables CEM to get an IAM policy insight, which includes data about which of a principal's granted permissions were actually used.

  • resourcemanager.projects.getIamPolicy: Enables CEM to get the IAM access control policy for the specified project.

  • resourcemanager.projects.list: Lists the projects that are accessible to the active account.

  • resourcemanager.folders.get: Enables CEM to get the folder identified by the specified folder ID.

  • resourcemanager.folders.getIamPolicy: Enables CEM to get the IAM access control policy for the specified folder.

  • resourcemanager.folders.list: Lists the folders that are accessible to the active account.

  • resourcemanager.organizations.get: Enables CEM to get the organization identified by the specified organization ID.

  • resourcemanager.organizations.getIamPolicy: Enables CEM to get the IAM access control policy for the specified organization.

  • policyanalyzer.serviceAccountKeyLastAuthenticationActivities.query: Enables CEM to get the last authentication activity that was performed with a service account key.

  • policyanalyzer.serviceAccountLastAuthenticationActivities.query: Enables CEM to get the last authentication activity that was performed by a service account.

Step 2: Create a service account

The deploy script declares all the resources that CEM's application needs, including the service account that CEM authenticates with.

When the service account is created, the script binds the custom role described in Step 1 to it.

Step 3: Add the service account to the organization IAM

Service accounts can be created only inside a project. To give CEM access to the entire organization, the script therefore binds the custom role to the service account in the organization's IAM policy, where the binding is inherited by every folder and project beneath the organization. After that binding is in place, the script also grants the service account the roles/bigquery.jobUser role so that it can run the queries that read the collected logs.
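One check a practitioner will want after the deploy script has run is that cem-service-account holds nothing beyond the custom role and bigquery.jobUser, at the organization and in the log project. The script below is an added example, not part of this page or of CyberArk's tooling. It reads the flattened binding list that gcloud emits with `gcloud organizations get-iam-policy ORG_ID --flatten='bindings[].members' --format='csv[no-heading](bindings.role,bindings.members)'` (and the equivalent `gcloud projects get-iam-policy` for the log project) and reports any other role. The custom role name cem_custom_role, the organization ID, the project ID and the sample policy lines are all constructed assumptions; the page names none of them.

```shell
#!/usr/bin/env bash
# Added example: verify that the CEM service account holds only the expected roles.
# Feed it the "role,member" CSV that gcloud's get-iam-policy --flatten/--format emits.
set -eu

# Assumed identifiers (constructed; substitute your own).
CEM_SA="serviceAccount:cem-service-account@cem-logs-project.iam.gserviceaccount.com"
ALLOWED_ROLES="organizations/123456789012/roles/cem_custom_role roles/bigquery.jobUser"

# Reads "role,member" lines on stdin. Prints every role bound to the CEM account that
# is not in ALLOWED_ROLES and returns 1 if there was one; returns 0 when it is clean.
check_sa_bindings() {
  local bad=0 role member
  while IFS=, read -r role member; do
    [ "$member" = "$CEM_SA" ] || continue          # bindings for other principals are not our concern
    case " $ALLOWED_ROLES " in
      *" $role "*) ;;                                # one of the two bindings the deploy script creates
      *) echo "unexpected role for CEM account: $role"; bad=1 ;;
    esac
  done
  return "$bad"
}

# Constructed sample policies (not captured from a real organization).
SAMPLE_CLEAN='roles/resourcemanager.organizationAdmin,user:admin@example.com
organizations/123456789012/roles/cem_custom_role,serviceAccount:cem-service-account@cem-logs-project.iam.gserviceaccount.com
roles/bigquery.jobUser,serviceAccount:cem-service-account@cem-logs-project.iam.gserviceaccount.com'

# The same policy after someone "fixed" a permission problem by handing the scanner Owner.
SAMPLE_DRIFT="$SAMPLE_CLEAN
roles/owner,serviceAccount:cem-service-account@cem-logs-project.iam.gserviceaccount.com"

check_clean() { printf '%s\n' "$SAMPLE_CLEAN" | check_sa_bindings; }   # expected: exit 0, no output
check_drift() { printf '%s\n' "$SAMPLE_DRIFT" | check_sa_bindings; }   # expected: exit 1, reports roles/owner

# Stand-alone run: report the drifted sample. Pipe real gcloud output into check_sa_bindings instead.
check_drift || echo "drift detected (exit $?)"
```

Run it against live data with `gcloud organizations get-iam-policy "$ORG_ID" --flatten='bindings[].members' --format='csv[no-heading](bindings.role,bindings.members)' | check_sa_bindings` after sourcing the script; a non-zero exit is the signal to investigate, since the deploy script never grants anything but the two roles listed.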

Step 4: Define the log collection

CEM collects logs through an aggregated (organization-level) Cloud Logging sink that exports them to a BigQuery dataset.

If you did not supply the details of an existing BigQuery dataset, CEM creates an aggregated sink called cem-aggregated-sink and grants the sink's writer identity the following roles:

  • roles/logging.logWriter

  • roles/bigquery.dataEditor

In addition, CEM creates a BigQuery dataset called cem_aggregated_logs_dataset in the project you specified.
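The following script is an added example, not CyberArk's deploy script, that reconstructs the operations described in Steps 1 to 4 above (and used by the organization and project flows earlier on this page) with gcloud and bq, so that a practitioner can see exactly which IAM objects appear in their organization and where the write-capable pieces are. The organization ID, project ID, the custom role name cem_custom_role, the sink's log filter and the scope at which bigquery.jobUser is granted are all assumptions; the page names only cem-service-account, cem-aggregated-sink, cem_aggregated_logs_dataset and the permission list. By default it runs in dry-run mode and only prints the commands.

```shell
#!/usr/bin/env bash
# Added example, not CyberArk's deploy script: the operations the page describes,
# reconstructed with gcloud and bq. DRY_RUN=1 (default) prints each command with its
# arguments unquoted; DRY_RUN=0 executes them. All IDs below are constructed placeholders.
set -eu

CEM_ORG_ID="${CEM_ORG_ID:-123456789012}"
CEM_PROJECT_ID="${CEM_PROJECT_ID:-cem-logs-project}"        # project holding the log dataset
CEM_DATASET="${CEM_DATASET:-cem_aggregated_logs_dataset}"   # dataset name from the page
CEM_SINK="${CEM_SINK:-cem-aggregated-sink}"                  # sink name from the page
CEM_SA_NAME="cem-service-account"                            # service account name from the page
CEM_ROLE_ID="${CEM_ROLE_ID:-cem_custom_role}"                # assumed; the page does not name the role
CEM_SA_EMAIL="${CEM_SA_NAME}@${CEM_PROJECT_ID}.iam.gserviceaccount.com"
DRY_RUN="${DRY_RUN:-1}"

# The permission list from the page, verbatim.
CEM_PERMISSIONS="iam.roles.list,iam.roles.get,iam.serviceAccounts.getIamPolicy,\
iam.serviceAccounts.list,iam.serviceAccountKeys.list,logging.logEntries.list,\
managedidentities.domains.getIamPolicy,bigquery.datasets.get,bigquery.tables.list,\
bigquery.tables.get,bigquery.tables.getData,bigquery.jobs.create,\
recommender.iamPolicyInsights.list,recommender.iamPolicyInsights.get,\
resourcemanager.projects.getIamPolicy,resourcemanager.projects.list,\
resourcemanager.folders.get,resourcemanager.folders.getIamPolicy,\
resourcemanager.folders.list,resourcemanager.organizations.get,\
resourcemanager.organizations.getIamPolicy,\
policyanalyzer.serviceAccountKeyLastAuthenticationActivities.query,\
policyanalyzer.serviceAccountLastAuthenticationActivities.query"

run() {  # print the command in dry-run mode, execute it otherwise
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

permission_count() { printf '%s' "$CEM_PERMISSIONS" | tr ',' '\n' | grep -c .; }

# Least-privilege guard: fails if the role contains any write-style permission other
# than bigquery.jobs.create, which the page documents as needed to run queries.
role_is_read_only() {
  ! printf '%s' "$CEM_PERMISSIONS" | tr ',' '\n' | grep -v '^bigquery.jobs.create$' \
    | grep -Eq '\.(create|delete|update|set[A-Za-z]*|use|actAs)$'
}

enable_apis() {  # the five APIs the page lists
  run gcloud services enable deploymentmanager.googleapis.com \
    cloudresourcemanager.googleapis.com iam.googleapis.com \
    bigquery.googleapis.com recommender.googleapis.com --project="$CEM_PROJECT_ID"
}

create_custom_role() {  # step 1: organization-level custom role holding only the listed permissions
  run gcloud iam roles create "$CEM_ROLE_ID" --organization="$CEM_ORG_ID" \
    --title="CEM scanner" --stage=GA --permissions="$CEM_PERMISSIONS"
}

create_service_account() {  # step 2: service accounts can only live in a project
  run gcloud iam service-accounts create "$CEM_SA_NAME" \
    --project="$CEM_PROJECT_ID" --display-name="CEM service account"
}

bind_org_iam() {  # step 3: bind the role at the organization so every folder and project inherits it
  run gcloud organizations add-iam-policy-binding "$CEM_ORG_ID" \
    --member="serviceAccount:${CEM_SA_EMAIL}" \
    --role="organizations/${CEM_ORG_ID}/roles/${CEM_ROLE_ID}"
  # bigquery.jobUser: assumed to be granted on the log project, where CEM runs its queries
  run gcloud projects add-iam-policy-binding "$CEM_PROJECT_ID" \
    --member="serviceAccount:${CEM_SA_EMAIL}" --role=roles/bigquery.jobUser
}

sink_writer_identity() {  # the service account Cloud Logging creates for the sink
  if [ "$DRY_RUN" = "1" ]; then
    echo "serviceAccount:o${CEM_ORG_ID}-placeholder@gcp-sa-logging.iam.gserviceaccount.com"  # constructed
  else
    gcloud logging sinks describe "$CEM_SINK" --organization="$CEM_ORG_ID" \
      --format='value(writerIdentity)'
  fi
}

define_log_collection() {  # step 4: dataset plus aggregated organization sink
  local writer role
  if [ -n "${CEM_EXISTING_DATASET:-}" ]; then  # the page skips this when a dataset was supplied
    echo "# existing dataset ${CEM_EXISTING_DATASET} supplied: nothing to create"
    return 0
  fi
  run bq --location=US mk --dataset "${CEM_PROJECT_ID}:${CEM_DATASET}"
  # --include-children is what makes the sink aggregated: it routes logs from every folder
  # and project under the organization. The filter is an assumption; the page does not say
  # which logs CEM collects.
  run gcloud logging sinks create "$CEM_SINK" \
    "bigquery.googleapis.com/projects/${CEM_PROJECT_ID}/datasets/${CEM_DATASET}" \
    --organization="$CEM_ORG_ID" --include-children \
    --log-filter='protoPayload.@type="type.googleapis.com/google.cloud.audit.AuditLog"'
  writer="$(sink_writer_identity)"
  # The page grants the sink these two roles. gcloud has no one-line dataset-scoped grant,
  # so this binds at the project; narrowing it to the dataset afterwards is tighter.
  for role in roles/logging.logWriter roles/bigquery.dataEditor; do
    run gcloud projects add-iam-policy-binding "$CEM_PROJECT_ID" --member="$writer" --role="$role"
  done
}

cem_deploy() {
  enable_apis; create_custom_role; create_service_account; bind_org_iam; define_log_collection
  echo "# service account to register in CEM: ${CEM_SA_EMAIL} (the script's finalValue is not reproduced here)"
}

cem_deploy
```

Two design points worth noting. The custom role is created at the organization, not in the project: resourcemanager.organizations.get and the folder permissions are only usable in an organization-level role, and binding that role once at the organization is what lets discovery walk every folder and project. And the only principals that gain write access anywhere are the sink's writer identity (dataEditor on the log dataset) and the CEM account's bigquery.jobs.create; if a review of your organization policy shows the CEM account with anything broader, it did not come from these steps.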