Create GCP Organization Connector

In Google Cloud, the organization resource is the root node of the resource hierarchy: folders and projects sit beneath it, and an organization administrator can create projects and manage them centrally from that single root. Qualys lets you set up an Organization connector and attach it to project connectors in minutes.

Prerequisites

Enable the required APIs in the API library for the project:

For every project to be onboarded, navigate to APIs & Services > Library and enable the following APIs from the API library.

Create a service account in any project and download its configuration file (the JSON key file):

Attach the required roles to the service account created earlier, at the organization level:

  1. Navigate to the Organization.

  2. Navigate to IAM & admin > IAM.

  3. Click Add.

  4. Paste the service account email address in the New Member field.

  5. Add the following roles in the Role field and click SAVE.

    1. Resource Manager -> Organization Viewer
    2. Resource Manager -> Folder Viewer
    3. IAM -> Security Reviewer

Create GCP Organization Connector

Go to the Connectors tab, click Google Cloud Platform Connectors, click Organization and then click Create Connector and our wizard can walk you through the steps.

Step 1: Basic Details

Enter a name and description (optional) for your connector.

Select the applications that apply to the connector. A GCP connector can only be created in the CloudView application.

Select Enable Remediation to enable remediation on the connector. You need to configure additional permissions before you enable remediation for GCP connectors.

Ensure that you have write access to the Google Cloud Platform project for which you enable remediation. 

Step 2: Organization Details

Polling Frequency

Select a frequency at which the connector should poll the cloud provider and fetch data. The interval you set for the Org connector determines how often it scans the organization for new or deleted projects. Choose any period under 24 hours as the interval.

By default, the connector polling frequency is set to every 4 hours, so the connector connects to the cloud provider every 4 hours to fetch data.

Authentication Details

- Project ID: Enter your project ID.

You can provide a distinct project ID for each GCP connector. The same service account can be used for multiple projects, so you can create multiple GCP connectors with the same service account but distinct project IDs.

For detailed steps on using the same service account for multiple projects, see Assigning Service Account for Multiple Projects.

- Configuration File: Create a service account and download the configuration file from the GCP console and then upload it to Qualys Cloud Platform.


Note: Ensure that you have uploaded the configuration file with correct project details for the connector to successfully fetch resource details.

Test Connection

Click Test Connection to verify that the connector can authenticate to GCP using the provided service account credentials. If the test connection succeeds, proceed with the connector creation process. If it fails, check and update the authentication details (the uploaded configuration file and the project ID) before retrying.

Note: The next steps are enabled only after the test connection is successful.
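Before uploading the configuration file and clicking Test Connection, it is worth checking the two things that most often make the test fail: the key file belongs to a different project than the Project ID entered in the connector, or the service account was never granted the three organization-level roles from the prerequisites. The following script is an added example, not Qualys or Google code. It assumes the configuration file is the standard service-account JSON key (as produced by `gcloud iam service-accounts keys create KEY_FILE --iam-account=SA_EMAIL`), that the organization IAM policy is the JSON returned by `gcloud organizations get-iam-policy ORG_ID --format=json`, and that the console role names in the prerequisites map to the IAM role IDs `roles/resourcemanager.organizationViewer`, `roles/resourcemanager.folderViewer` and `roles/iam.securityReviewer`. The key file and policy below are constructed sample data so the script runs offline.

```python
"""Pre-flight checks for a Qualys GCP Organization connector.

Added example (not Qualys or Google code). Checks two things before the
connector's Test Connection step:
  1. the service-account key file ("configuration file") belongs to the
     project ID that will be entered in the connector;
  2. the organization IAM policy grants that service account the three
     roles required in the prerequisites, unconditionally.

Assumptions: the key file is the standard JSON key from
  gcloud iam service-accounts keys create key.json --iam-account=<sa-email>
and the policy is the JSON from
  gcloud organizations get-iam-policy <ORG_ID> --format=json
"""
from __future__ import annotations

import json

# Console role names from the prerequisites, as IAM role IDs (assumed mapping).
REQUIRED_ROLES = {
    "roles/resourcemanager.organizationViewer",  # Resource Manager -> Organization Viewer
    "roles/resourcemanager.folderViewer",        # Resource Manager -> Folder Viewer
    "roles/iam.securityReviewer",                # IAM -> Security Reviewer
}


def check_key_file(key_json: str, expected_project_id: str) -> list[str]:
    """Return the problems found in a service-account key file (empty list if OK)."""
    problems: list[str] = []
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    for field in ("project_id", "client_email", "private_key", "private_key_id"):
        if not key.get(field):
            problems.append(f"missing field {field!r}")
    # The connector's Project ID must match the project the key was issued in.
    if key.get("project_id") and key["project_id"] != expected_project_id:
        problems.append(
            f"key belongs to project {key['project_id']!r}, "
            f"connector Project ID is {expected_project_id!r}"
        )
    return problems


def missing_org_roles(policy_json: str, sa_email: str) -> set[str]:
    """Return the required roles the service account does NOT hold at org level.

    Conditional bindings (e.g. time-limited grants) are deliberately ignored:
    a connector that polls every few hours needs unconditional access.
    """
    policy = json.loads(policy_json)
    member = f"serviceAccount:{sa_email}"
    granted = {
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", []) and not binding.get("condition")
    }
    return REQUIRED_ROLES - granted


SA_EMAIL = "qualys-cloudview@qualys-connector-proj.iam.gserviceaccount.com"

# Constructed sample key file (fake values; a real key carries a PEM private key).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "qualys-connector-proj",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n",
    "client_email": SA_EMAIL,
})

# Constructed sample org policy: Folder Viewer is absent and Security Reviewer
# is only granted under an expired condition, so both should be reported.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/resourcemanager.organizationViewer",
         "members": [f"serviceAccount:{SA_EMAIL}"]},
        {"role": "roles/iam.securityReviewer",
         "members": [f"serviceAccount:{SA_EMAIL}"],
         "condition": {"title": "expired",
                       "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ]
})

if __name__ == "__main__":
    print("key file problems:", check_key_file(SAMPLE_KEY, "qualys-connector-proj"))
    print("wrong project:   ", check_key_file(SAMPLE_KEY, "other-proj"))
    print("missing org roles:", sorted(missing_org_roles(SAMPLE_POLICY, SA_EMAIL)))
```

Run it against your real `key.json` and the exported organization policy by replacing the two constructed samples; an empty problem list and an empty missing-role set are the state in which Test Connection should succeed. The check treats conditional bindings as not granted because an IAM condition that lapses later would turn a working connector into one that reports Completed with errors on a subsequent poll.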

Step 3: Project Details

- Polling Frequency

Select a frequency at which the project connectors created by the org connector should poll the cloud provider and fetch data. The interval you set here determines how often those project connectors run. Choose any period under 24 hours as the interval.

By default, the polling frequency is set to every 4 hours, so each project connector connects to the cloud provider every 4 hours to fetch data.

- Connector Name Pattern

Enter the prefix that is prepended to the name of each project connector. The prefix shows which organization connector a project connector belongs to.

Step 4: Connector Details

Configure the organization connector. Here you select the Folders under which project connectors are created for the projects they contain. You can select all GCP Folders, select specific Folders, or exclude Folders.

All- Project connectors are created for all projects under all Folders.

Select OUs- Project connectors are created only for projects under the selected Folders.

Exclude OUs- Project connectors are not created for projects under the excluded Folders.

The connector details for GCP Organization connectors also allow you to:

1) Automatically create connectors for new projects by selecting the 'Automatically create connectors for new projects' checkbox. 

2) Automatically disable connectors for projects you delete by selecting the 'Disable connectors for deleted projects' checkbox. 

The organization connector scans for these changes on every polling interval. 

Step 5: Assign Tags

Assign tags to the connector that you are creating. You can also create a new tag. For details on creating new tags, see Configure Tags in Qualys CyberSecurity Asset Management documentation. 

Step 6: Confirmation

Review the connector settings you configured and then click Create Connector.

That’s it! The connector establishes a connection with GCP to start discovering resources from each region.

Note: Changes made in the GCP organization are reflected on the connectors only after you run the connector manually or the next scheduled run syncs them.

The Google Cloud Platform page displays the list of GCP connectors. The Status column indicates the status of the connector created, that is, Completed successfully, Completed with errors, Queued, Synchronizing, and Disabled.  

Related Topics

Edit GCP Organization connector

Disable GCP Organization connector