Google Cloud

Overview

To enable Upwind to retrieve data on your Google Cloud resources and identify potential security risks and compliance issues, you must first connect your Google Cloud project(s). Upwind supports connecting one or more Google Cloud projects, or all projects under your Google Cloud organization. The onboarding workflow guides you through creating a service account and binding the required roles to it.

Prerequisites

To analyze and monitor your Google Cloud account, Upwind requires access to specific APIs and a service account, an authorized identity that authenticates Upwind to Google Cloud. A predefined or primitive role grants the service account the permissions it needs to act on the assets in your Google Cloud organization or project.

Before proceeding, ensure that you have the following prerequisites in place:

  1. Google Cloud Project. You need a Google Cloud project in which you have administrative privileges to create and manage resources such as service accounts and IAM role bindings.

  2. Google Cloud APIs & Services. Verify that the following APIs are enabled. For instructions, refer to the guide Enable and Disable APIs.


    Mandatory APIs for Operational Use

    Title                                 Name
    Cloud Asset API                       cloudasset.googleapis.com
    Cloud Resource Manager API            cloudresourcemanager.googleapis.com
    Compute Engine API                    compute.googleapis.com
    Identity and Access Management API    iam.googleapis.com
    Kubernetes Engine API                 container.googleapis.com

    Mandatory APIs for Posture

    Title                                 Name
    Access Approval API                   accessapproval.googleapis.com
    Admin SDK Directory API               admin.googleapis.com
    AlloyDB Admin API                     alloydb.googleapis.com
    API Keys API                          apikeys.googleapis.com
    BigQuery API                          bigquery.googleapis.com
    Cloud Dataproc API                    dataproc.googleapis.com
    Cloud DNS API                         dns.googleapis.com
    Cloud Functions API                   cloudfunctions.googleapis.com
    Cloud Key Management Service API      cloudkms.googleapis.com
    Cloud Logging API                     logging.googleapis.com
    Cloud Monitoring API                  monitoring.googleapis.com
    Cloud Redis API                       redis.googleapis.com
    Cloud SQL Admin API                   sqladmin.googleapis.com
    Cloud Storage API                     storage.googleapis.com
    Essential Contacts API                essentialcontacts.googleapis.com
    Service Usage API                     serviceusage.googleapis.com

  3. Google Cloud Quotas and Rate Limits. Google Cloud uses quotas to restrict how much of a particular shared Google Cloud resource you can use. Each quota represents a specific countable resource, for example API calls to a particular service. Rate quotas are typically used to limit the number of requests that you can make to an API or service; they reset after a time interval that is specific to the service, for example the number of API requests per day.


    Every request to a Google Cloud API is counted against a quota. Because quotas are enforced per project, every request needs a project to provide the quota. That project is called the quota project; it is also sometimes referred to as the billing project, and the two are the same. To learn more, see How to Set the Quota Project.


    The project associated with the service account API key is used as the quota project for all API calls from Upwind.

  4. Service Usage Permission. To ensure continuous insights into all your Google Cloud assets and to prevent rate quota exceeded errors for Upwind's authorized API calls to Google Cloud, grant either the permission serviceusage.services.use or the role Service Usage Consumer (roles/serviceusage.serviceUsageConsumer) to the service account that Upwind uses to access Google Cloud APIs. This lets Upwind ingest asset metadata across multiple projects without exceeding the Google Cloud API rate quotas, because quota consumption is distributed to the project where the resources reside.


    Note: Only required if you use a single service account assigned at the folder or organization level to access multiple projects, or access a project with a service account from another project.

Setup

Use one of the following methods to integrate your Google Cloud projects with Upwind.

Connect a single Google Cloud Project

Connect Google Cloud Organization

Google Cloud IAM Permissions

The policy attached to the Upwind role is a viewer role. This setup is designed to enable comprehensive security assessments while ensuring the highest standards of security and compliance.
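A pre-flight check for the prerequisites above (the mandatory API tables, the Service Usage Consumer role in prerequisite 4, and the viewer role described in this section), added here as example code rather than anything shipped by Upwind. It compares captured gcloud output against the page's lists and emits the remediation commands; the project id, service account e-mail and sample outputs are constructed placeholders, and the assumption that "viewer role" means roles/viewer is mine.

```shell
# Added pre-flight check for the onboarding above (example code, not Upwind's own
# tooling). API names come from the page's tables; the project id, service
# account and sample outputs below are constructed placeholders.
UPWIND_REQUIRED_APIS="cloudasset.googleapis.com cloudresourcemanager.googleapis.com
compute.googleapis.com iam.googleapis.com container.googleapis.com
accessapproval.googleapis.com admin.googleapis.com alloydb.googleapis.com
apikeys.googleapis.com bigquery.googleapis.com dataproc.googleapis.com
dns.googleapis.com cloudfunctions.googleapis.com cloudkms.googleapis.com
logging.googleapis.com monitoring.googleapis.com redis.googleapis.com
sqladmin.googleapis.com storage.googleapis.com essentialcontacts.googleapis.com
serviceusage.googleapis.com"

# Print the mandatory APIs absent from $1, a newline-separated list as printed by:
#   gcloud services list --enabled --format='value(config.name)' --project "$PROJECT"
missing_apis() {
  for api in $UPWIND_REQUIRED_APIS; do
    printf '%s\n' "$1" | grep -Fxq "$api" || printf '%s\n' "$api"
  done
}

# Print the roles service account $2 still lacks: viewer (IAM Permissions section)
# and Service Usage Consumer (prerequisite 4). $1 holds "<role><TAB><member>" lines:
#   gcloud projects get-iam-policy "$PROJECT" --flatten='bindings[].members' \
#     --format='value(bindings.role,bindings.members)'
missing_roles() {
  for role in roles/viewer roles/serviceusage.serviceUsageConsumer; do
    printf '%s\n' "$1" | grep -Fxq "$(printf '%s\tserviceAccount:%s' "$role" "$2")" \
      || printf '%s\n' "$role"
  done
}

# Emit (rather than run) the gcloud commands that close the gaps found.
# $1: enabled list  $2: policy lines  $3: project id  $4: service account e-mail
remediation() {
  apis=$(missing_apis "$1" | tr '\n' ' ')
  [ -n "$apis" ] && printf 'gcloud services enable %s--project %s\n' "$apis" "$3"
  missing_roles "$2" "$4" | while read -r role; do
    printf 'gcloud projects add-iam-policy-binding %s --member=serviceAccount:%s --role=%s\n' \
      "$3" "$4" "$role"
  done
}

# Constructed sample outputs (not captured from a real project).
SAMPLE_SA="upwind-sa@example-project.iam.gserviceaccount.com"
SAMPLE_ENABLED="compute.googleapis.com
iam.googleapis.com
cloudasset.googleapis.com"
SAMPLE_POLICY=$(printf 'roles/viewer\tserviceAccount:%s\nroles/owner\tuser:admin@example.com' "$SAMPLE_SA")
remediation "$SAMPLE_ENABLED" "$SAMPLE_POLICY" example-project "$SAMPLE_SA"
```

With the sample data the script reports 18 APIs still to enable and one missing role binding, and prints one `gcloud services enable` and one `gcloud projects add-iam-policy-binding` command to review before running.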