Google Cloud
Overview
To enable Upwind to retrieve data on your Google Cloud resources and identify potential security risks and compliance issues, you must first connect your Google Cloud project(s). Upwind supports connecting one or more Google Cloud projects, or all projects under your Google Cloud organization. The onboarding workflow guides you through creating a service account and granting it the roles Upwind needs.
Prerequisites
To analyze and monitor your Google Cloud account, Upwind requires access to specific APIs and a service account: an authorized identity that Upwind uses to authenticate to Google Cloud. A predefined or basic role grants the service account the permissions it needs to read the assets in your Google Cloud organization or project.
Google Cloud Quotas and Rate Limits
Google Cloud uses quotas to restrict how much of a particular shared Google Cloud resource you can use. Each quota represents a specific countable resource, for example API calls to a particular service. Rate quotas limit the number of requests that you can make to an API or service and reset after a time interval that is specific to the service, for example a limit on the number of API requests per day.
Every request to a Google Cloud API is counted against a quota. Because quotas are enforced per project, every request must be attributed to a project that provides the quota. That project is called the quota project; it is also sometimes referred to as the billing project, and the two are the same project. To learn more, see How to Set the Quota Project.
The project that owns the service account key used by Upwind is the quota project for all API calls that Upwind makes.
Permission required to set and use the quota project
This is only required if you use a single service account, assigned at the folder or organization level, to access multiple projects, or if you access a project with a service account that belongs to another project.
To ensure continuous insights into all your Google Cloud assets and to prevent rate quota exception errors from occurring for Upwind's authorized API calls to Google Cloud, make sure to:
- Grant either the permission serviceusage.services.use or the predefined role Service Usage Consumer (roles/serviceusage.serviceUsageConsumer) to the service account that Upwind uses to access Google Cloud APIs.
This enables Upwind to ingest asset metadata across multiple projects without exceeding the Google Cloud API rate quotas, because each call is charged to the quota of the project where the resources reside instead of to the single project that owns the service account.
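The following model, added here as an illustration rather than Upwind's own code, shows why a single quota project becomes a bottleneck and what the Service Usage Consumer grant changes. A caller that holds serviceusage.services.use on a target project can name that project as the quota project with the x-goog-user-project request header (a real header honoured by Google Cloud APIs); without that permission the API rejects the request. The per-project rate limit, project names and token are constructed sample values, and the ledger is a stand-in for Google's real quota enforcement.

```python
"""Model of Google Cloud quota-project accounting for a multi-project scanner.

Added illustration, not Upwind's code. Every Google Cloud API call is charged
to a quota project. By default that is the project owning the caller's
credentials, so one service account scanning many projects spends every call
against a single project's rate quota. With serviceusage.services.use on a
target project, the caller may name that project as the quota project via the
x-goog-user-project header, so each project's own quota absorbs its calls.
The rate limit, project names and token below are constructed sample values.
"""
from collections import Counter

QUOTA_HEADER = "x-goog-user-project"               # real header honoured by Google APIs
CONSUMER_PERMISSION = "serviceusage.services.use"  # granted by roles/serviceusage.serviceUsageConsumer
RATE_LIMIT_PER_PROJECT = 100                       # constructed per-interval limit


class QuotaExceeded(Exception):
    """Raised when a quota project's per-interval request budget is spent."""


def build_headers(token, resource_project, distribute):
    """Build request headers; with distribute=True the target project is named as quota project."""
    headers = {"Authorization": f"Bearer {token}"}
    if distribute:
        headers[QUOTA_HEADER] = resource_project
    return headers


def quota_project_for(headers, credential_project):
    """Resolve the quota project the way the API front end does: header wins, else credential owner."""
    return headers.get(QUOTA_HEADER, credential_project)


class QuotaLedger:
    """Per-project request counters standing in for Google's rate quotas (constructed model)."""

    def __init__(self, limit=RATE_LIMIT_PER_PROJECT):
        self.limit = limit
        self.used = Counter()

    def charge(self, project):
        if self.used[project] >= self.limit:
            raise QuotaExceeded(f"rate quota exhausted for quota project {project}")
        self.used[project] += 1


def scan_projects(credential_project, targets, calls_per_project, distribute,
                  consumer_grants, limit=RATE_LIMIT_PER_PROJECT):
    """Simulate an inventory sweep over `targets` and return quota project -> requests charged.

    consumer_grants is the set of projects on which the service account holds
    serviceusage.services.use. Naming a project as quota project without that
    permission is rejected, mirroring the PERMISSION_DENIED the real API returns.
    """
    ledger = QuotaLedger(limit)
    for project in targets:
        headers = build_headers("sample-token", project, distribute)
        quota_project = quota_project_for(headers, credential_project)
        if QUOTA_HEADER in headers and quota_project not in consumer_grants:
            raise PermissionError(f"{CONSUMER_PERMISSION} missing on quota project {quota_project}")
        for _ in range(calls_per_project):
            ledger.charge(quota_project)
    return dict(ledger.used)


def sweep_outcome(**kwargs):
    """Classify a simulated sweep as 'ok', 'quota_exceeded' or 'permission_denied'."""
    try:
        scan_projects(**kwargs)
        return "ok"
    except QuotaExceeded:
        return "quota_exceeded"
    except PermissionError:
        return "permission_denied"


if __name__ == "__main__":
    sample_targets = [f"sample-project-{i}" for i in range(5)]  # constructed project ids
    for distribute in (False, True):
        outcome = sweep_outcome(credential_project="sa-home-project", targets=sample_targets,
                                calls_per_project=50, distribute=distribute,
                                consumer_grants=set(sample_targets))
        print(f"distribute={distribute}: {outcome}")
```

With five projects and 50 calls each, the undistributed sweep charges all 250 calls to the service account's home project and fails once its 100-call budget is spent, while the distributed sweep charges 50 calls to each target project and completes. Removing a project from consumer_grants reproduces the permission failure you would see if the role were granted on some projects but not others.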
Setup
Use one of the following methods to integrate your Google Cloud projects with Upwind.
Connect a single Google Cloud Project
Connect Google Cloud Organization
Google Cloud IAM Permissions
The role granted to the Upwind service account is a read-only viewer role. This setup is designed to enable comprehensive security assessments while ensuring that Upwind cannot modify resources in your Google Cloud environment.