Create GCP Organization Connector

1. Navigate to the Google Cloud Platform (GCP) console.
2. Select the organization.
3. Select a project or create a new project. Ensure that you select the correct project.
4. In the left sidebar, navigate to APIs and Services > Library.
5. In the API library, click the following APIs and enable them. If you need help finding the API, use the search field.
   • Compute Engine API
   • Cloud Resource Manager API
   • Kubernetes Engine API
   • Cloud SQL Admin API
   • BigQuery API
   • Cloud Functions API
   • Cloud DNS API
   • Cloud Key Management Service (KMS) API
   • Cloud Logging API
   • Stackdriver Monitoring API

1. Login to the GCP console and select an Organization.
2. Select a project or create a new project. Ensure you have selected the correct project.
3. From the left sidebar, navigate to IAM & admin > Service accounts and click CREATE SERVICE ACCOUNT.
4. Provide a service account id, name (optional), and description (optional) for the service account, and click CREATE.
5. Next, navigate to IAM & Services > IAM and click ADD.
6. Enter your service account in New Principal.
7. Add the following roles in the Role field and click SAVE.
   • Resource Manager -> Organization Viewer
   • Resource Manager -> Folder Viewer
   • IAM -> Security Reviewer
8. Select the newly created service account.
9. Click Actions > Manage Keys > Add Key > Create a new Key.  Select JSON as the key type and click Create (A message saying "Private key saved to your computer" is displayed, and the JSON file is downloaded to your computer).

(1) Login to Google Cloud Platform (GCP) console.

(2) From the left navigation bar, select IAM & admin. 

(3) Select the project from the drop-down menu in the top-left corner.

(4) In the IAM menu bar, click +ADD.

(5) In the New Members box, type the name of the service account and click the suggested value.

(6) In the Select a role drop-down box, select the appropriate role. Choose Viewer role and Security Reviewer role to assign at least reader permissions to the service account.

(7) Click Save.

(8) To add additional projects, repeat steps 3 through 7.

(1) Login to Google Cloud Platform (GCP) console.

(2) In the left navigation bar, select IAM & admin. 

(3) Select your organization from the drop-down menu in the top-left corner.

(4) In the IAM menu bar, click +ADD.

(5) In the New Members box, type the name of the service account and click the suggested value.

(6) In the Select a role drop-down box, select the appropriate role. Choose Viewer role and Security Reviewer role to assign at least reader permissions to the service account.

(7) Click Save.

Enter a name and description (optional) for your connector.

Select applications that are applicable for the connector.  GCP connector can only be created in TotalCloud application.

Select Enable Remediation to enable remediation on the connector. You need to configure additional permissions before you enable remediation for GCP connectors.

Ensure that you have write access to the Google Cloud Platform project for which you enable remediation. Refer to Configuring Remediation for GCP .

Polling Frequency

Select a frequency at which the connector should poll the cloud provider and fetch data. The designated interval for the Org connector determines when it scans for new or deleted accounts. Choose any period under 24 hours as the interval to run the scan.

By default, the connector polling frequency is configured for every 4 hours. As a result, the connector connects with the cloud provider every 4 hours to fetch the data.

Authentication Details

- Project ID: Enter your project ID.

You can provide a distinct project ID for a GCP connector. You can use same service account for multiple projects. As a result, you can create multiple GCP connectors with same service account but distinct project IDs. 

For detailed steps on using the same service account for multiple projects, see Assigning Service Account for Multiple Projects.

- Configuration File: Create a service account and download the configuration file from the GCP console and then upload it to Qualys Cloud Platform.

Ensure that you have uploaded the configuration file with correct project details for the connector to successfully fetch resource details.

Test Connection

Click Test Connection to verify if the connector can successfully authenticate using the provided service account credentials in GCP cloud environment. If the test connection is successful, proceed with the connector creation process. If the test connection fails, you may need to check and update the authentication details (configuration file) you uploaded for the connection to work.

Polling Frequency

Select a frequency at which the org connector should poll the cloud provider and fetch data. The designated interval for the project connector determine when the connectors will be run. Choose any period under 24 hours as the interval to run the scan.

By default, the connector polling frequency is configured for every 4 hours. As a result, the connector connects with the cloud provider every 4 hours to fetch the data.

Connector Name Pattern

Enter the prefix that is added to the project account connector. This prefix shows which organization the member account connector is connected to.

Configure the organization connector. Here, you can select the Folders where project connectors are created for the accounts present under it. Select all GCP Folders, select specific Folders or exclude Folders.

All- Project connectors will be created for all the accounts under all the Folders.

Select OUs- Project connectors will be created for all the accounts under the selected Folders.

Exclude OUs- Project connectors will not be created for the accounts present under the excluded Folders.

The connector details for GCP Organization connectors also allows you to:

1) Automatically create connectors for new projects by selecting the 'Automatically create connectors for new projects' checkbox. 

2) Automatically disable connectors for the projects you delete by selecting 'Disable connectors for deleted projects' checkbox. 

The connector will automatically scan for these changes during the polling frequency interval. 

Assign tags to the connector that you are creating. You can also create a new tag. For details on creating new tags, see Configure Tags in Qualys CyberSecurity Asset Management documentation. 

Review the connector settings you configured and then click Create Connector.