Continuously Scan with a GCP Integration
The Mondoo Google Cloud Platform (GCP) integration lets you continuously scan your GCP resources, such as compute instances and GKE service clusters.
Requirements
- The Create Service Accounts role in GCP
- The GCP IAM API enabled
- The GCP CLI
- A Mondoo account with Editor or Owner permissions for the space in which you want to add the integration
Create a service account for your GCP integration
To access the data it needs, your GCP integration needs a GCP service account. To learn about service accounts, read Understanding service accounts in the Google documentation.
- Create a new GCP service account for the Mondoo integration to use. For instructions, read Creating and managing service accounts in the Google documentation. Note the email address created for the new service account.
- Assign the project viewer basic role, roles/viewer, to the service account. For instructions, read Grant a single role in the Google documentation.
- Create a JSON key for the service account. For instructions, read Create and manage service account keys in the Google documentation. Save the JSON file that downloads to your workstation when you create the key; you need it to configure the integration in the next section.
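As an added check that is not part of the Mondoo documentation: after the steps above, a short script can confirm that the downloaded file is really a service account key and that the account holds only roles/viewer on the project (no broader role slipped in). It assumes the key file contents and a project IAM policy exported with `gcloud projects get-iam-policy PROJECT_ID --format=json`; all values below are constructed placeholders.

```python
import json

# Constructed sample inputs (not from the Mondoo docs): the key file downloaded
# in the last step above, and the project IAM policy as exported with
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SA_EMAIL = "mondoo-scanner@example-project.iam.gserviceaccount.com"  # placeholder

KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": SA_EMAIL,
    "token_uri": "https://oauth2.googleapis.com/token",
})

IAM_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/viewer",
         "members": ["serviceAccount:" + SA_EMAIL, "user:alice@example.com"]},
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
    ],
    "etag": "PLACEHOLDER_ETAG",
    "version": 1,
})

ALLOWED_ROLES = {"roles/viewer"}  # the only role the integration needs

def key_problems(key_json: str) -> list:
    """Return problems found in the downloaded key file; an empty list means OK."""
    key = json.loads(key_json)
    problems = []
    if key.get("type") != "service_account":
        problems.append("not a service account key")
    for field in ("client_email", "private_key", "private_key_id", "project_id"):
        if not key.get(field):
            problems.append("missing field: " + field)
    return problems

def sa_roles(policy_json: str, sa_email: str) -> set:
    """Return the roles bound directly to the service account in the project policy."""
    member = "serviceAccount:" + sa_email
    return {b["role"] for b in json.loads(policy_json).get("bindings", [])
            if member in b.get("members", [])}

def least_privilege_ok(policy_json: str, sa_email: str) -> bool:
    """True when the account holds roles/viewer and nothing outside ALLOWED_ROLES."""
    roles = sa_roles(policy_json, sa_email)
    return "roles/viewer" in roles and roles <= ALLOWED_ROLES
```

Run it against your real key file and exported policy; a non-empty problem list or a False least-privilege result means the service account setup should be revisited before uploading the key.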
Add a new GCP integration
- Access the Integrations > Add > GCP page in one of two ways:
  - New space setup: After creating a new Mondoo account or creating a new space, the initial setup guide welcomes you. Select BROWSE INTEGRATIONS and then select GCP.
  - INTEGRATIONS page: In the side navigation bar, under INTEGRATIONS, select Add New Integration. Under Cloud Security, select GCP.
- Choose the scope of the integration:
  - To integrate your entire GCP organization with Mondoo, select Organization.
  - To limit the integration to a single project, select Project.
- In the Choose an integration name box, enter a name for the integration. Make it a name that lets you easily recognize the GCP project or organization.
- Identify the organization or project to integrate with Mondoo:
  - For an organization: In the Enter the organization resource ID box, enter your organization's resource ID. To learn how to retrieve this value, read Getting your organization resource ID in the Google documentation.
  - For a project: In the Enter the project ID box, enter your project's ID. To learn how to retrieve this value, read Identifying projects in the Google documentation.
- Under Provide your Google service account config, upload the GCP service account's JSON key that you downloaded in the previous section, in one of two ways:
  - Drag the file and drop it in the Drag and drop your .json file here box.
  - In the Drag and drop your .json file here box, select the cloud icon and choose the file to upload.
- To complete the integration, select the START SCANNING button.
- On the Recommended Policies page, enable the policies on which you want to base assessments of your Google Cloud environment. To learn more, read Manage Policies.