Required Roles for GCP Integration

Overview

When integrating Lacework into your Google Cloud Platform, you must create and configure the necessary roles and resources. To do this, the account used to create the integration must have certain privileges within the Project and Organization being integrated.

This article defines those privileges and why they are required.

GCP Account Roles

Organization Level Integration Roles

Role Name: Organization Administrator
Role ID: roles/resourcemanager.organizationAdmin
Integration Type: Audit Log, Compliance
Usage:
  • Grant IAM Privileges:
    • roles/browser on Organization to LW Service Account
    • roles/iam.securityReviewer on Organization to LW Service Account
    • roles/cloudasset.viewer on Organization to LW Service Account
    • LW Custom IAM Role on Organization to LW Service Account

Role Name: Organization Role Administrator
Role ID: roles/iam.organizationRoleAdmin
Integration Type: Compliance
Usage:
  • Create LW Custom IAM Role for Organization

Role Name: Logs Configuration Writer
Role ID: roles/logging.configWriter
Integration Type: Audit Log
Usage:
  • Create Aggregated Log Sink at Organization level

Role Name: Billing Account User
Role ID: roles/billing.user
Integration Type: Audit Log, Compliance
Usage:
  • Required only if creating a new Project to host the LW Integration resources

Additionally, the user performing the integration requires the Project Level Integration Roles on the Project that will contain the Lacework Integration resources.

Project Level Integration Roles

When configuring access for the Project that the Lacework Integration resources will reside within, you can grant the roles required to create the integration using either Project Owner access or Least Privilege access.

Project Owner Access

Role Name: Project Owner
Role ID: roles/owner
Integration Type: Audit Log, Compliance
Usage:
  • Create LW Service Account
  • Create Service Account Key for LW Service Account
  • Create Log Sink
  • Create Cloud Storage Bucket
  • Create Pub/Sub Topic
  • Create Pub/Sub Subscription
  • Create LW Custom IAM role
  • Grant IAM Privileges:
    • roles/browser on Project to LW Service Account
    • roles/cloudasset.viewer on Project to LW Service Account
    • roles/iam.securityReviewer on Project to LW Service Account
    • roles/pubsub.publisher on Pub/Sub Topic to Project Storage Account
    • roles/pubsub.subscriber on Pub/Sub Subscription to LW Service Account
    • roles/storage.objectCreator on Bucket to Project Logging Account
    • roles/storage.objectViewer on Bucket to LW Service Account
    • LW Custom IAM role on Project to LW Service Account

Least Privilege Access

Role Name: Logs Configuration Writer
Role ID: roles/logging.configWriter
Integration Type: Audit Log
Usage:
  • Create Log Sink

Role Name: Project IAM Admin
Role ID: roles/resourcemanager.projectIamAdmin
Integration Type: Compliance
Usage:
  • Grant IAM Privileges:
    • roles/browser on Project to LW Service Account
    • roles/cloudasset.viewer on Project to LW Service Account
    • roles/iam.securityReviewer on Project to LW Service Account

Role Name: Pub/Sub Admin
Role ID: roles/pubsub.admin
Integration Type: Audit Log
Usage:
  • Create Pub/Sub Topic and Subscription
  • Grant IAM Privileges:
    • roles/pubsub.publisher on Pub/Sub Topic to Project Storage Account
    • roles/pubsub.subscriber on Pub/Sub Subscription to LW Service Account

Role Name: Role Administrator
Role ID: roles/iam.roleAdmin
Integration Type: Compliance
Usage:
  • Create LW Custom IAM role for Project

Role Name: Service Account Admin
Role ID: roles/iam.serviceAccountAdmin
Integration Type: Audit Log, Compliance
Usage:
  • Create LW Service Account

Role Name: Service Account Key Admin
Role ID: roles/iam.serviceAccountKeyAdmin
Integration Type: Audit Log, Compliance
Usage:
  • Create Service Account Key for LW Service Account

Role Name: Service Usage Admin
Role ID: roles/serviceusage.serviceUsageAdmin
Integration Type: Audit Log, Compliance
Usage:
  • Enable the required GCP Service APIs

Role Name: Storage Admin
Role ID: roles/storage.admin
Integration Type: Audit Log
Usage:
  • Create Cloud Storage Bucket
  • Grant IAM Privileges:
    • roles/storage.objectCreator on Bucket to Project Logging Account
    • roles/storage.objectViewer on Bucket to LW Service Account
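Before running the integration, it is worth confirming that the integrating user holds exactly the Least Privilege roles above and nothing broader. The following is an added example, not Lacework's code: it compares a project IAM policy (constructed here in the shape of `gcloud projects get-iam-policy --format=json`) against the role sets on this page; the member name and policy contents are assumptions.

```python
import json

# Least Privilege project-level roles from this page, keyed by integration type.
LEAST_PRIVILEGE_ROLES = {
    "Audit Log": {
        "roles/logging.configWriter",
        "roles/pubsub.admin",
        "roles/iam.serviceAccountAdmin",
        "roles/iam.serviceAccountKeyAdmin",
        "roles/serviceusage.serviceUsageAdmin",
        "roles/storage.admin",
    },
    "Compliance": {
        "roles/resourcemanager.projectIamAdmin",
        "roles/iam.roleAdmin",
        "roles/iam.serviceAccountAdmin",
        "roles/iam.serviceAccountKeyAdmin",
        "roles/serviceusage.serviceUsageAdmin",
    },
}

# Broad roles that exceed the least-privilege set and should be called out.
BROAD_ROLES = {"roles/owner", "roles/editor"}

def roles_for_member(policy, member):
    """Return every role bound to `member` in a get-iam-policy JSON document."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}

def check_integration_user(policy, member, integration_types):
    """Report roles still missing, broad roles held, and other roles outside the required set."""
    required = set().union(*(LEAST_PRIVILEGE_ROLES[t] for t in integration_types))
    held = roles_for_member(policy, member)
    return {
        "missing": sorted(required - held),
        "broad": sorted(held & BROAD_ROLES),
        "extra": sorted(held - required - BROAD_ROLES),
    }

# Constructed sample policy (assumed member; not real gcloud output).
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:integrator@example.com"]},
    {"role": "roles/logging.configWriter", "members": ["user:integrator@example.com"]},
    {"role": "roles/viewer", "members": ["user:integrator@example.com", "group:auditors@example.com"]},
]}

if __name__ == "__main__":
    report = check_integration_user(SAMPLE_POLICY, "user:integrator@example.com", ["Audit Log"])
    print(json.dumps(report, indent=2))
```

Replace SAMPLE_POLICY with the parsed output of `gcloud projects get-iam-policy PROJECT_ID --format=json` to check a real project; a non-empty "broad" list means the account is running with Project Owner access rather than the Least Privilege set.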