Google Cloud
Overview
Google Cloud organizational onboarding enables customers to seamlessly connect their GCP organizations to Upwind, providing centralized visibility, control, and protection across all projects. By leveraging the hierarchical structure of GCP organizations and folders, this integration streamlines project management while safeguarding your cloud environment against misconfigurations and threats. The onboarding process simplifies integration by automating identity creation, permissions assignment, and infrastructure deployment using Terraform.
Architecture
Google Cloud organizational onboarding allows the integration of GCP organizations with Upwind by provisioning service accounts and enabling APIs necessary for discovery and security auditing, and designating an orchestrator project for deploying scanning infrastructure and configuring per-region scanners. This architecture supports centralized security visibility and management across all GCP projects under the organization.
Connecting a GCP organization involves four integration steps:
| Step | Description | Purpose |
|---|---|---|
| 1 | Designate the orchestrator project. This step involves selecting an orchestrator project within Google Cloud with elevated permission to scan all member accounts for misconfigurations, vulnerabilities, malware, and exposed secrets. This allows automatic provisioning and scanning without installing sensors. The orchestrator account provisions the Upwind Cloud Scanner infrastructure, including IAM roles and Auto Scaling Groups, ensuring comprehensive security coverage across your member accounts. | Project discovery |
| 2 | Generate Credentials for Upwind. Generate client credentials to allow the Upwind Orchestrator project to authenticate with the Upwind Authorization Service and interact with Upwind APIs. This enables the organization to connect to Upwind and report scan results to the Upwind backend. | Credentials |
| 3 | Create scoped service accounts in the orchestrator project. Terraform configures a service account with the necessary permissions across projects using IAM policy bindings. | IAM Creation |
| 4 | Generate a Workload Identity Federation configuration. Upwind authenticates via short-lived access tokens using GCP Workload Identity Federation. It is necessary to generate a configuration file after deploying resources through Terraform. | IAM Creation |
| 5 | Select Project Scopes. In this step, you’ll define the scope of your Google Cloud environment by selecting which projects will be connected to Upwind and scanned by the Cloud Scanners. This allows for granular control over visibility and ensures targeted, effective coverage. | Define Coverage |
Integration
The integration method for onboarding GCP to Upwind is via Terraform infrastructure-as-code. gcloud is also required to authenticate against the GCP organization.