Google Cloud
Overview
To enable Upwind to retrieve data on your Google Cloud resources and identify potential security risks and compliance issues, you must first connect your Google Cloud project(s). Upwind supports connecting one or more Google Cloud projects, or all projects under your Google Cloud organization. The onboarding workflow guides you through creating a service account and binding the required roles to it.
Prerequisites
To analyze and monitor your Google Cloud account, Upwind requires access to specific APIs and a service account, which is an authorized identity that enables authentication between Upwind and Google Cloud. A predefined or primitive role grants the service account the permissions it needs to act on the assets in your Google Cloud organization or project.
Before proceeding, ensure that you have the following prerequisites in place:
- Google Cloud Project. You should have a Google Cloud project with administrative privileges to create and manage resources, such as service accounts and IAM role bindings.
- Google Cloud APIs & Services. Verify that the following APIs are enabled. For more information on how to do this, refer to the guide Enable and Disable APIs.
Mandatory APIs for Operational Use

| Title | Name |
| --- | --- |
| Cloud Asset API | cloudasset.googleapis.com |
| Cloud Resource Manager API | cloudresourcemanager.googleapis.com |
| Compute Engine API | compute.googleapis.com |
| Identity and Access Management API | iam.googleapis.com |
| Kubernetes Engine API | container.googleapis.com |
Mandatory APIs for Posture

| Title | Name |
| --- | --- |
| Access Approval API | accessapproval.googleapis.com |
| Admin SDK Directory API | admin.googleapis.com |
| AlloyDB Admin API | alloydb.googleapis.com |
| API Keys API | apikeys.googleapis.com |
| BigQuery API | bigquery.googleapis.com |
| Cloud Dataproc API | dataproc.googleapis.com |
| Cloud DNS API | dns.googleapis.com |
| Cloud Functions API | cloudfunctions.googleapis.com |
| Cloud Key Management Service API | cloudkms.googleapis.com |
| Cloud Logging API | logging.googleapis.com |
| Cloud Monitoring API | monitoring.googleapis.com |
| Cloud Redis API | redis.googleapis.com |
| Cloud SQL Admin API | sqladmin.googleapis.com |
| Cloud Storage API | storage.googleapis.com |
| Essential Contacts API | essentialcontacts.googleapis.com |
| Service Usage API | serviceusage.googleapis.com |
- Google Cloud Quotas and Rate Limits. Google Cloud uses quotas to restrict how much of a particular shared Google Cloud resource you can use. Each quota represents a specific countable resource, for example API calls to a particular service. Rate quotas are typically used to limit the number of requests that you can make to an API or service. Rate quotas reset after a time interval that is specific to the service (for example, the number of API requests per day).
  Every request to a Google Cloud API is counted against a quota. Because quotas are enforced per project, every request needs a project to provide the quota. That project is called the quota project. It is also sometimes referred to as the billing project; the billing project and the quota project are the same. To learn more, see How to Set the Quota Project.
  The project associated with the service account API key is used as the quota project for all API calls from Upwind.
- Service Usage Permission. To ensure continuous insights into all your Google Cloud assets and to prevent rate quota exception errors for Upwind's authorized API calls to Google Cloud, grant either the permission serviceusage.services.use or the role Service Usage Consumer (roles/serviceusage.serviceUsageConsumer) to the service account that Upwind uses to access Google Cloud APIs. This enables Upwind to ingest asset metadata across multiple projects without exceeding the Google Cloud API rate quotas, because the quota is charged to the project where the resources reside.
  Note: Only required if you are using a single service account assigned at a folder or organization level to access multiple projects, or if you are accessing a project with a service account from another project.
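The checks above can be scripted. The following is an added example, not Upwind's own tooling: it compares a project's enabled services (in the shape of `gcloud services list --enabled --format='value(config.name)'` output) against the two API lists above and prints the `gcloud` commands that enable what is missing and grant the Service Usage Consumer binding. The project ID, service account e-mail and the sample enabled-services list are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Upwind tooling); project ID and SA e-mail are placeholders.

# Mandatory APIs for operational use and for posture, as listed above.
REQUIRED_APIS="cloudasset.googleapis.com cloudresourcemanager.googleapis.com
compute.googleapis.com iam.googleapis.com container.googleapis.com
accessapproval.googleapis.com admin.googleapis.com alloydb.googleapis.com
apikeys.googleapis.com bigquery.googleapis.com dataproc.googleapis.com
dns.googleapis.com cloudfunctions.googleapis.com cloudkms.googleapis.com
logging.googleapis.com monitoring.googleapis.com redis.googleapis.com
sqladmin.googleapis.com storage.googleapis.com essentialcontacts.googleapis.com
serviceusage.googleapis.com"

# missing_apis: reads enabled service names on stdin, one per line (the shape of
# `gcloud services list --enabled --format='value(config.name)'`), and prints
# every required API that is absent from that list.
missing_apis() {
    enabled=$(cat)
    for api in $REQUIRED_APIS; do
        printf '%s\n' "$enabled" | grep -qx "$api" || echo "$api"
    done
}

# print_remediation PROJECT SA_EMAIL: reads missing APIs on stdin and prints the
# `gcloud services enable` commands, then the Service Usage Consumer binding that
# lets Upwind's calls draw quota from the project holding the resources.
print_remediation() {
    project=$1; sa=$2
    while read -r api; do
        if [ -n "$api" ]; then
            echo "gcloud services enable $api --project=$project"
        fi
    done
    echo "gcloud projects add-iam-policy-binding $project" \
         "--member=serviceAccount:$sa" \
         "--role=roles/serviceusage.serviceUsageConsumer"
}

# Constructed sample: a project with only the operational APIs (plus Logging)
# enabled, standing in for real `gcloud services list` output.
SAMPLE_ENABLED="cloudasset.googleapis.com
cloudresourcemanager.googleapis.com
compute.googleapis.com
iam.googleapis.com
container.googleapis.com
logging.googleapis.com"

printf '%s\n' "$SAMPLE_ENABLED" | missing_apis \
    | print_remediation my-project upwind-sa@my-project.iam.gserviceaccount.com
```

Feed it real output by replacing the sample with `gcloud services list --enabled --format='value(config.name)' --project=PROJECT_ID`; the printed commands are a dry run and nothing is changed until you run them yourself.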
Setup
Use one of the following methods to integrate your Google Cloud projects with Upwind:
- Connect a single Google Cloud Project
- Connect Google Cloud Organization
Google Cloud IAM Permissions
The policy attached to the Upwind role is a viewer role. This setup is designed to enable comprehensive security assessments while ensuring the highest standards of security and compliance.