GCP Inventory

Overview

The Lacework Console provides visibility into Google Cloud Provider (GCP) resources that are integrated with Lacework. A resource can be any entity within the cloud deployment, such as GCE Virtual Machines, Pub/Sub topics, Cloud Storage buckets, security groups, etc. The GCP Resource Inventory page allows you to view and monitor in-use GCP resources’ risk, compliance, and configuration changes and provides visibility for team members with limited or no access to the Google Cloud Console. Because Lacework takes regular snapshots of your resources, you can track their changes (diffs) through the Lacework Console. To access the Resource Inventory page, go to Resources > GCP Inventory.

GCP resources are the components that enable services on GCP. GCP resources are grouped into specific projects, the first hierarchy level. Projects are grouped under a specific folder, the next level of hierarchy for GCP resources. In addition, a specific folder can belong to another folder, which in turn can belong to yet another folder. Folders are grouped under a specific organization or Org, the top level of hierarchy for resources.

For more information about GCP integration with Lacework, see GCP Compliance and Audit Log Integration - Terraform Using Google Cloud Shell and GCP Compliance and Audit Log Integration - Terraform From Any Supported Host.

Lacework takes snapshots of resources periodically. Depending on when Lacework takes the snapshot, a change may not be captured until up to 24 hours after it is made. See the following examples:

  • If a resource change is made on Monday at 1:00 AM and Lacework takes a snapshot on Monday at 2:00 AM, the snapshot includes the change.
  • If a resource change is made on Monday at 3:00 AM but Lacework took its snapshot on Monday at 2:00 AM, that snapshot does not include the change. The next snapshot, on Tuesday at 2:00 AM, will capture the change.

Supported Resource Types

Resource inventory supports the following resource type APIs.

App Engine
  • appengine.googleapis.com/Application
  • appengine.googleapis.com/Service
  • appengine.googleapis.com/Version
Artifact Registry
  • artifactregistry.googleapis.com/DockerImage
  • artifactregistry.googleapis.com/Repository
BigQuery
  • bigquery.googleapis.com/Dataset
  • bigquery.googleapis.com/Table
  • bigquery.googleapis.com/Model
Cloud Bigtable
  • bigtableadmin.googleapis.com/AppProfile
  • bigtableadmin.googleapis.com/Backup
  • bigtableadmin.googleapis.com/Cluster
  • bigtableadmin.googleapis.com/Instance
  • bigtableadmin.googleapis.com/Table
Cloud Billing
  • cloudbilling.googleapis.com/BillingAccount
Certificate Authority Service
  • privateca.googleapis.com/CaPool
  • privateca.googleapis.com/CertificateAuthority
  • privateca.googleapis.com/CertificateRevocationList
  • privateca.googleapis.com/CertificateTemplate
Cloud Functions
  • cloudfunctions.googleapis.com/CloudFunction
Cloud Run
  • run.googleapis.com/DomainMapping
  • run.googleapis.com/Revision
  • run.googleapis.com/Service
Container Registry
  • containerregistry.googleapis.com/Image
Dataproc
  • dataproc.googleapis.com/Cluster
  • dataproc.googleapis.com/Job
Dialogflow
  • dialogflow.googleapis.com/Agent
  • dialogflow.googleapis.com/LocationSettings
Cloud Data Loss Prevention
  • dlp.googleapis.com/StoredInfoType
  • dlp.googleapis.com/DeidentifyTemplate
  • dlp.googleapis.com/DlpJob
  • dlp.googleapis.com/InspectTemplate
  • dlp.googleapis.com/JobTrigger
Cloud DNS
  • dns.googleapis.com/ManagedZone
  • dns.googleapis.com/Policy
Eventarc
  • eventarc.googleapis.com/Trigger
Identity and Access Management
  • iam.googleapis.com/Role
  • iam.googleapis.com/ServiceAccount
  • iam.googleapis.com/ServiceAccountKey
Cloud Key Management Service
  • cloudkms.googleapis.com/KeyRing
  • cloudkms.googleapis.com/CryptoKey
  • cloudkms.googleapis.com/CryptoKeyVersion
  • cloudkms.googleapis.com/ImportJob
Pub/Sub
  • pubsub.googleapis.com/Topic
  • pubsub.googleapis.com/Subscription
  • pubsub.googleapis.com/Snapshot
Cloud Spanner
  • spanner.googleapis.com/Instance
  • spanner.googleapis.com/Database
  • spanner.googleapis.com/Backup
Cloud SQL
  • sqladmin.googleapis.com/Instance
  • sqladmin.googleapis.com/BackupRun
Cloud Storage
  • storage.googleapis.com/Bucket
Cloud OS Config
  • osconfig.googleapis.com/PatchDeployment
  • osconfig.googleapis.com/VulnerabilityReport
Compute Engine
  • compute.googleapis.com/Autoscaler
  • compute.googleapis.com/Address
  • compute.googleapis.com/GlobalAddress
  • compute.googleapis.com/BackendBucket
  • compute.googleapis.com/BackendService
  • compute.googleapis.com/Commitment
  • compute.googleapis.com/Disk
  • compute.googleapis.com/ExternalVpnGateway
  • compute.googleapis.com/Firewall
  • compute.googleapis.com/ForwardingRule
  • compute.googleapis.com/GlobalForwardingRule
  • compute.googleapis.com/HealthCheck
  • compute.googleapis.com/HttpHealthCheck
  • compute.googleapis.com/HttpsHealthCheck
  • compute.googleapis.com/Image
  • compute.googleapis.com/Instance
  • compute.googleapis.com/InstanceGroup
  • compute.googleapis.com/InstanceGroupManager
  • compute.googleapis.com/InstanceTemplate
  • compute.googleapis.com/Interconnect
  • compute.googleapis.com/InterconnectAttachment
  • compute.googleapis.com/License
  • compute.googleapis.com/Network
  • compute.googleapis.com/NetworkEndpointGroup
  • compute.googleapis.com/NodeGroup
  • compute.googleapis.com/NodeTemplate
  • compute.googleapis.com/PacketMirroring
  • compute.googleapis.com/Project
  • compute.googleapis.com/RegionBackendService
  • compute.googleapis.com/RegionDisk
  • compute.googleapis.com/Reservation
  • compute.googleapis.com/ResourcePolicy
  • compute.googleapis.com/Route
  • compute.googleapis.com/Router
  • compute.googleapis.com/SecurityPolicy
  • compute.googleapis.com/Snapshot
  • compute.googleapis.com/SslCertificate
  • compute.googleapis.com/SslPolicy
  • compute.googleapis.com/Subnetwork
  • compute.googleapis.com/TargetHttpProxy
  • compute.googleapis.com/TargetHttpsProxy
  • compute.googleapis.com/TargetInstance
  • compute.googleapis.com/TargetPool
  • compute.googleapis.com/TargetTcpProxy
  • compute.googleapis.com/TargetSslProxy
  • compute.googleapis.com/TargetVpnGateway
  • compute.googleapis.com/UrlMap
  • compute.googleapis.com/VpnGateway
  • compute.googleapis.com/VpnTunnel
Google Kubernetes Engine
  • container.googleapis.com/Cluster
  • container.googleapis.com/NodePool
  • k8s.io/Node
  • k8s.io/Pod
  • k8s.io/Namespace
  • k8s.io/Service
  • rbac.authorization.k8s.io/Role
  • rbac.authorization.k8s.io/RoleBinding
  • rbac.authorization.k8s.io/ClusterRole
  • rbac.authorization.k8s.io/ClusterRoleBinding
  • networking.k8s.io/NetworkPolicy
Resource Manager
  • cloudresourcemanager.googleapis.com/Organization
  • cloudresourcemanager.googleapis.com/Folder
  • cloudresourcemanager.googleapis.com/Project
  • cloudresourcemanager.googleapis.com/TagKey
  • cloudresourcemanager.googleapis.com/TagValue
Service Usage
  • serviceusage.googleapis.com/Service
Cloud Data Fusion
  • datafusion.googleapis.com/Instance
Cloud Logging
  • logging.googleapis.com/LogBucket
  • logging.googleapis.com/LogMetric
  • logging.googleapis.com/LogSink
Network Management API
  • networkmanagement.googleapis.com/ConnectivityTest
Managed Service for Microsoft Active Directory
  • managedidentities.googleapis.com/Domain
Game Servers
  • gameservices.googleapis.com/GameServerCluster
  • gameservices.googleapis.com/Realm
  • gameservices.googleapis.com/GameServerConfig
  • gameservices.googleapis.com/GameServerDeployment
Dataflow
  • dataflow.googleapis.com/Job
Hub
  • gkehub.googleapis.com/Membership
Secret Manager
  • secretmanager.googleapis.com/Secret
  • secretmanager.googleapis.com/SecretVersion
Cloud TPU
  • tpu.googleapis.com/Node
Filestore
  • file.googleapis.com/Instance
Service Directory
  • servicedirectory.googleapis.com/Namespace
Assured Workloads
  • assuredworkloads.googleapis.com/Workload
API Gateway
  • apigateway.googleapis.com/Api
  • apigateway.googleapis.com/ApiConfig
  • apigateway.googleapis.com/Gateway
App Engine Memcache
  • memcache.googleapis.com/Instance
Document AI
  • documentai.googleapis.com/HumanReviewConfig
  • documentai.googleapis.com/LabelerPool
  • documentai.googleapis.com/Processor
  • documentai.googleapis.com/ProcessorVersion
Memorystore for Redis
  • redis.googleapis.com/Instance
Vertex AI
  • aiplatform.googleapis.com/BatchPredictionJob
  • aiplatform.googleapis.com/CustomJob
  • aiplatform.googleapis.com/DataLabelingJob
  • aiplatform.googleapis.com/Dataset
  • aiplatform.googleapis.com/Endpoint
  • aiplatform.googleapis.com/HyperparameterTuningJob
  • aiplatform.googleapis.com/MetadataStore
  • aiplatform.googleapis.com/Model
  • aiplatform.googleapis.com/ModelDeploymentMonitoringJob
  • aiplatform.googleapis.com/PipelineJob
  • aiplatform.googleapis.com/SpecialistPool
  • aiplatform.googleapis.com/TrainingPipeline
Cloud Monitoring
  • monitoring.googleapis.com/AlertPolicy
Serverless VPC Access
  • vpcaccess.googleapis.com/Connector
Service Management
  • servicemanagement.googleapis.com/ManagedService
Dataproc Metastore
  • metastore.googleapis.com/Service
  • metastore.googleapis.com/MetadataImport
  • metastore.googleapis.com/Backup
Note: For the full list of possible resources, see Supported asset types. To view the list of resources from the GCP console, select Asset Inventory > Resource.

Configure Permissions to Enable Access to GCP Resources

In order to access and manage GCP resources, you must enable certain permissions through the use of updated roles.

Configure GCP Permissions by Updating Terraform Integration

You can use Terraform to integrate Google Cloud environments with Lacework. To enable access to GCP resources if you have an existing Terraform template for GCP integration, you must update and rerun the Lacework GCP Terraform module. Perform the following tasks to access GCP resource types:

  1. Verify that your Terraform template specifies at least version 1.0 of the Lacework GCP Config module. To do this, open your Terraform file and look for the following:

    module "gcp-config" {
      source  = "lacework/config/gcp"
      version = "~> 1.0"
    }

    Note: The terraform init -upgrade command in the next step will pull in the latest version. The minimum version 1.2.0 is required to enable permissions to GCP resource types.

  2. Update the Terraform integration to version 1.2.0 to utilize the new permissions for GCP resources in the Lacework GCP Config module by running an update and applying this update:

    terraform init -upgrade
    terraform apply

Configure GCP Permissions Manually

In order to access and manage GCP resources, you must enable certain permissions through the use of updated roles. You can do this automatically through Terraform, as discussed in the previous section, or you can configure the permissions manually, as described below.

1. Add the roles/cloudasset.viewer Role to your GCP Service Account

Add the new role roles/cloudasset.viewer to your service account to access your GCP resource types. You can add this new role either at the individual project level or at the organization level.

You can add the role through the GCP console or through the gcloud CLI, as described below.

Add Role through the GCP console

  1. Navigate to IAM and Admin in the GCP console.
  2. Locate the service account for the GCP integration and click the Edit Permissions icon (located right of the entry).
  3. Click + Add Another Role.
  4. Select the role Cloud Asset > Cloud Asset Viewer.
  5. Click Save as.

Add Role through the gcloud CLI

To add the new role to a service account at the individual project level:

gcloud projects add-iam-policy-binding TARGET_PROJECT_ID \
--member serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \
--role roles/cloudasset.viewer

To add the new role to a service account at the organization level:

gcloud organizations add-iam-policy-binding TARGET_ORGANIZATION_ID \
--member serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \
--role roles/cloudasset.viewer

2. Enable the API for your GCP Service Account

Enable the API that accesses your resource types on the GCP project to which the service account belongs.

You can enable the API through the GCP console or through the gcloud CLI, as described below:

Enable the API through GCP console for your Project

Using the GCP console, add cloudasset.googleapis.com to enable access to the GCP API:

  1. Log in to the specific project you want to integrate on the GCP Console.
  2. Click the navigation menu (waffle) icon.
  3. Select APIs & Services > Library. In the Search for APIs & Services field, enter cloudasset.googleapis.com.
  4. Click on the result that matches the API name listed.
  5. Click ENABLE.

Enable the API through the gcloud CLI

Ensure that the gcloud config is set to use a Service Account with the permissions required to enable APIs.

gcloud --project <service_account_project_id> services enable cloudasset.googleapis.com
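A check that the two manual steps above actually took effect, written as an added example (not Lacework's or Google's code): it parses the JSON that `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud services list --enabled --format=json` produce, confirms the integration service account holds roles/cloudasset.viewer and that cloudasset.googleapis.com is enabled, and flags basic roles (owner/editor) that exceed what a read-only inventory integration needs. The policy and service documents, and the service account name lacework-sa@my-project.iam.gserviceaccount.com, are constructed samples.

```python
import json

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`
# output, trimmed to the bindings that matter here (not real policy data).
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/cloudasset.viewer",
   "members": ["serviceAccount:lacework-sa@my-project.iam.gserviceaccount.com"]},
  {"role": "roles/viewer",
   "members": ["serviceAccount:lacework-sa@my-project.iam.gserviceaccount.com",
               "user:alice@example.com"]},
  {"role": "roles/owner", "members": ["user:bob@example.com"]}
]}
""")

# Constructed sample in the shape of `gcloud services list --enabled --format=json`.
SAMPLE_SERVICES = json.loads("""
[{"config": {"name": "cloudasset.googleapis.com"}, "state": "ENABLED"},
 {"config": {"name": "compute.googleapis.com"}, "state": "ENABLED"}]
""")

REQUIRED_ROLE = "roles/cloudasset.viewer"
REQUIRED_API = "cloudasset.googleapis.com"
# Basic roles that grant far more than an inventory integration needs.
BROAD_ROLES = {"roles/owner", "roles/editor"}


def roles_for(policy, member):
    """Return the set of roles bound to `member` in an IAM policy document."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def enabled_apis(services):
    """Return the names of services whose state is ENABLED."""
    return {s["config"]["name"] for s in services if s.get("state") == "ENABLED"}


def check_integration(policy, services, sa_email):
    """Return a list of findings; an empty list means the integration is correctly set up."""
    member = f"serviceAccount:{sa_email}"
    roles = roles_for(policy, member)
    findings = []
    if REQUIRED_ROLE not in roles:
        findings.append(f"missing {REQUIRED_ROLE} on {member}")
    if REQUIRED_API not in enabled_apis(services):
        findings.append(f"{REQUIRED_API} is not enabled in the service account's project")
    for role in sorted(roles & BROAD_ROLES):
        findings.append(f"{member} holds broad role {role}; prefer minimal read-only roles")
    return findings


if __name__ == "__main__":
    sa = "lacework-sa@my-project.iam.gserviceaccount.com"
    for line in check_integration(SAMPLE_POLICY, SAMPLE_SERVICES, sa) or ["OK"]:
        print(line)
```

To run it against a real project, pipe the two gcloud commands' JSON output into the two loaders in place of the constructed samples.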

Resource Summary

Lacework populates this page after at least one GCP integration is configured. The date/time range filter and any optional filters at the top of the page apply to all data displayed on the page. If nothing is displayed, consider increasing the date range.

To access the Resource Summary information on the GCP Resource Inventory page, go to Resources > GCP Inventory.

Above the right side of the table, the following icons are available:

  • Download in CSV format: Click the Download in CSV format icon to get a comma-separated file of the table contents.
  • Select display columns: Click the Select display columns icon to hide or show the set of columns that are displayed in the table.
  • Refresh data: Click the Refresh data icon to refresh the table data.
  • Full screen: Click the Full screen icon to view the table on the entire screen.

The columns in the Resources Summary table are described below. Each row in the table represents a resource.

  • Resource Name: Displays the name of the GCP resource type. Click the name to open the resource’s configuration.
  • Recently Updated (24hrs): Displays whether there was an update in the last 24 hours.
  • Organization: Displays the specific organization that the resource type belongs to. Organizations contain folders, which in turn contain projects of resource types.
  • Folder ID: Displays the specific folder identifier that the resource type belongs to. A resource can belong to a folder. That folder can belong to another folder, which in turn can belong to yet another folder. To view the hierarchy of this multiple folder structure, click the specific Folder ID.
  • Project ID: Displays the specific project that the resource type belongs to. Projects allow you to organize and group together resource types into specific projects.
  • Service: Displays the GCP service that the resource corresponds to.
  • Type: Displays the type of resource.
  • Region: Displays the region where the resource is located.
  • Status: Displays the status of data collection from the resource.
  • Tags: Click {...} to open the resource’s tags.
  • Last Discovered Time: Displays the last time the Lacework agent discovered the resource.

Configuration Diffs

To view a configuration diff, click a resource name under the Resource Name column. This opens a pane with configuration details. When a diff is present, it is always compared to the current configuration. If more than two configuration histories exist, click View more to display the Configuration History page.

To view a resource’s tag information, click {...} in the Tags column.

If you change a resource's (primary API) configuration, the change appears as a diff on the Lacework Console.
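To make concrete what such a diff between two snapshots contains, here is an added example (not Lacework's diff implementation): it compares an earlier and a current snapshot of one compute.googleapis.com/Firewall resource, lists every changed field, and flags the changes a reviewer would care about first, such as a source range widened to 0.0.0.0/0 or newly opened ports. Both snapshots are constructed samples in the shape of a Cloud Asset Inventory resource "data" field; the field names used are those of the Compute Engine firewall resource.

```python
import json

# Constructed sample snapshots of one firewall rule (earlier vs. current); not real data.
PREVIOUS = json.loads("""
{"name": "allow-ssh", "direction": "INGRESS", "disabled": false,
 "sourceRanges": ["10.0.0.0/8"],
 "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
 "targetTags": ["bastion"]}
""")
CURRENT = json.loads("""
{"name": "allow-ssh", "direction": "INGRESS", "disabled": false,
 "sourceRanges": ["0.0.0.0/0"],
 "allowed": [{"IPProtocol": "tcp", "ports": ["22", "3389"]}],
 "targetTags": ["bastion"], "logConfig": {"enable": true}}
""")


def diff_config(previous, current, path=""):
    """Return {dotted.path: (old, new)} for every leaf that differs.

    Nested dicts are walked recursively; lists are compared as whole values.
    old or new is None when the key was added or removed between snapshots.
    """
    changes = {}
    for key in sorted(set(previous) | set(current)):
        here = f"{path}.{key}" if path else key
        old, new = previous.get(key), current.get(key)
        if isinstance(old, dict) and isinstance(new, dict):
            changes.update(diff_config(old, new, here))
        elif old != new:
            changes[here] = (old, new)
    return changes


def risky_changes(changes):
    """Flag diffs that widen exposure of an ingress firewall rule."""
    flagged = []
    for path, (old, new) in changes.items():
        if path == "sourceRanges" and "0.0.0.0/0" in (new or []) and "0.0.0.0/0" not in (old or []):
            flagged.append(f"{path}: rule now accepts traffic from any IPv4 address")
        if path == "allowed" and new is not None:
            old_ports = {p for a in (old or []) for p in a.get("ports", [])}
            new_ports = {p for a in new for p in a.get("ports", [])}
            if new_ports - old_ports:
                flagged.append(f"{path}: newly opened ports {sorted(new_ports - old_ports)}")
    return flagged


if __name__ == "__main__":
    changes = diff_config(PREVIOUS, CURRENT)
    for field, (old, new) in changes.items():
        print(f"{field}: {old!r} -> {new!r}")
    print(*risky_changes(changes), sep="\n")
```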

Configuration History

This page provides configuration histories for a resource. To open the Configuration History page, click View more. The link is available only if the resource has more than two configuration histories.

To compare two configurations, select their checkboxes and click the diff configurations icon.

The columns in the Configuration History table are described below.

  • Configuration: Click to view the configuration.
  • Start Time: Displays when data collection started.
  • End Time: Displays when data collection ended.