Manual GCP Compliance Integration
This topic describes how to manually configure a Lacework GCP compliance integration using the GCP Console and the Lacework Console.
GCP Project
When integrating at an Organization level, Lacework recommends that you create a project specifically for Lacework resources.
When integrating at a Project level, all required resources for Lacework may be provisioned within the project being integrated.
The project being used must have billing enabled.
Create a GCP Service Account and Grant Access
Follow the procedure provided in Create a GCP Service Account and Grant Access.
Enable the Required GCP APIs
When manually creating a GCP compliance integration, you must enable APIs for the GCP projects you want to integrate. Follow the procedure provided in Enable the Required GCP APIs.
Create the GCP Compliance Integration on the Lacework Console
Navigate to Manual Integration
- Log in to the Lacework Console.
- Navigate to Settings > Integrations > Cloud accounts.
- Click + Add New.
- Click Google Cloud Platform and select Configuration to assess GCP configuration compliance.
- Click Next.
- Click Manual Configuration.
- Follow the steps in Create a Configuration Integration.
When creating the GCP integration, you can either upload GCP credentials or enter all information manually. Finish creating the integration in the Lacework Console by following the steps described in one of the following sections.
Create a Configuration Integration
- Create a GCP service account and grant access.
- Enable the required GCP APIs.
- Specify a unique name for the Lacework Console in the Name field.
- Enter your GCP client (application) identifier or alias in the Client ID field.
- Enter the client private key identifier in the Private Key ID field.
- Enter the client email address in the Client Email field.
- Specify the secret key value for your client ID in the Private Key field.
- Select the GCP integration level as either Organization or Project in the Integration Level field. Lacework integrates with Google Cloud Platform to assess cloud resource configurations at an Organization level, or at a per Project level.
- Enter the organization or project identifier to associate with your integration in the Org/Project ID field.
- Click Save to finish the GCP integration and save your onboarding progress. The integration appears in the list of cloud accounts under Cloud accounts.
Optionally, you can configure and upload your GCP details from a file. For more information, see the procedure in the following section.
Upload GCP Credentials
To upload GCP credentials, follow these steps:
In the Lacework Console, click Choose File in the Upload GCP Credential field and navigate to the JSON key file downloaded when you created the GCP service account.
This populates the credential fields.
From the Integration Level drop-down, select Organization or Project. Select Organization if integrating at the organization level. Select Project if integrating at the project level.
Copy the appropriate ID value for your integration type:
- If integrating at the project level, copy the value of the project_id property from the JSON file into the Org/Project ID field of the Lacework Console.
- If integrating at the organization level, log in to the GCP console. Click the down arrow in the top menu bar. From the Select from drop-down, select an organization that contains the GCP project(s) that you want the integration to monitor. Select IAM & admin > Settings, copy the number from the Organization ID field, and paste the value into the Org/Project ID field of the Lacework Console.

Click Save. A new integration displays in Cloud Accounts.
When the integration is complete and successful, the status changes to Integration Successful.
For the “Integration Pending” status, hover over the status text and click the refresh icon to fetch the status result again. This does not retest the integration.
Enter Information Manually
Entering information manually requires a system with the jq utility installed. The jq utility is a flexible command-line JSON processor. For more information, see https://stedolan.github.io/jq/.
To manually enter GCP credentials, follow these steps:
Verify that the jq (command-line JSON processor) utility is available from your command-line shell. Leave this command-line window open.
jq
If the jq utility is found, skip to the next step. If the jq utility is not installed or not listed in your PATH, install it (https://stedolan.github.io/jq/) and verify that the path to the utility is listed in your PATH environment variable. The jq utility is required for some steps in the following procedure.
Locate the JSON key file downloaded when you created the GCP service account.
Open the file in an editor and leave it open.
Copy the value of the client_id property from the JSON file and paste the value into the Client ID field of the Lacework Console.
Copy the value of the private_key_id property from the JSON file and paste the value into the Private Key ID field of the Lacework Console.
Copy the value of the client_email property from the JSON file and paste the value into the Client Email field of the Lacework Console.
Exit the editor.
You cannot copy the private key directly from the editor because of an issue with copying the newline characters. You must copy a raw version of the key using the jq utility as described in the following steps.
To view the raw text of the private key, enter the following command, where YourFileName.json is the name of the file downloaded when you created the GCP Service Account.
cat YourFileName.json | jq -r '.private_key'
Copy all text displayed in the output including the Begin and End lines.
-----BEGIN PRIVATE KEY-----
YourKeyInfo
-----END PRIVATE KEY-----
Paste the text into the Private Key field of the Lacework Console.
From the Integration Level drop-down, select Organization or Project. Select Organization if integrating at the organization level. Select Project if integrating at the project level.
Copy the appropriate ID value for your integration type:
- If integrating at the project level, copy the value of the project_id property from the JSON file into the Org/Project ID field of the Lacework Console.
- If integrating at the organization level, log in to the GCP console. Click the down arrow in the top menu bar. From the Select from drop-down, select an organization that contains the GCP project(s) that you want the integration to monitor. Select IAM & admin > Settings, copy the number from the Organization ID field, and paste the value into the Org/Project ID field of the Lacework Console.

Click Save. A new integration displays in Cloud Accounts.
When the integration is complete and successful, the status changes to Integration Successful.
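The manual procedure above can be checked from the shell before anything is pasted into the Lacework Console. The following is an added example, not part of the Lacework documentation: it confirms that the key file is a service account key, that each property the Console asks for is present, and that the private key decodes to a PEM block only when jq is run with -r. The function names and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Lacework's code): pre-flight check of a GCP service
# account JSON key file before its values go into the Lacework Console.
# Requires jq. The file written by make_sample_key is constructed.

# Print one property of the key file as raw text (jq -r decodes "\n").
key_field() {   # key_field FILE PROPERTY
    jq -er --arg k "$2" '.[$k]' "$1"
}

# Count the output lines of the private key with and without -r.
# Without -r the key stays one JSON string with literal \n sequences.
key_line_count() {   # key_line_count FILE raw|json
    if [ "$2" = raw ]; then
        jq -r '.private_key' "$1" | wc -l | tr -d ' '
    else
        jq '.private_key' "$1" | wc -l | tr -d ' '
    fi
}

# Return 0 only if the file is a service account key, every property
# used by the Console fields exists, and the decoded private key still
# has its Begin and End lines.
check_key_file() {
    [ "$(key_field "$1" type)" = "service_account" ] || return 1
    for p in client_id private_key_id client_email project_id; do
        key_field "$1" "$p" >/dev/null || return 1
    done
    pem=$(key_field "$1" private_key) || return 1
    [ "$(printf '%s\n' "$pem" | head -n 1)" = "-----BEGIN PRIVATE KEY-----" ] || return 1
    [ "$(printf '%s\n' "$pem" | tail -n 1)" = "-----END PRIVATE KEY-----" ] || return 1
}

# Constructed sample with placeholder values, for trying the functions.
make_sample_key() {
    cat > "$1" <<'EOF'
{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "0000placeholder0000",
  "private_key": "-----BEGIN PRIVATE KEY-----\nYourKeyInfo\n-----END PRIVATE KEY-----\n",
  "client_email": "example-sa@example-project.iam.gserviceaccount.com",
  "client_id": "000000000000000000000"
}
EOF
}
```

Run check_key_file YourFileName.json against the downloaded key file, then use key_field YourFileName.json client_email (and the other property names) to print each value for its Console field.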