Create GCP Organization Connector

GCP Organizations is an account management service that allows you to consolidate multiple GCP accounts into an organization you create and centrally manage. As an administrator of an organization, you can create accounts in your organization and invite existing accounts to join the organization. Qualys lets you set up an Organization connector and attach it to project connectors in minutes.

  1. Basic Details
  2. Organization Details
  3. Project Details
  4. Connector Details
  5. Tags and Activation
  6. Assign Tags

Prerequisites

Enable access to a few APIs in the API library for the project

  1. Navigate to the Google Cloud Platform (GCP) console.
  2. Select the organization.
  3. Select a project or create a new project. Ensure that you select the correct project.
  4. On the left sidebar, navigate to APIs and Services > Library.
  5. On the API library, click the following APIs and enable them. If you need help finding the API, use the search field.
    • Compute Engine API (Mandatory)
    • Cloud Resource Manager API (Mandatory)
    • Kubernetes Engine API
    • Cloud SQL Admin API
    • BigQuery API
    • Cloud Functions API
    • Cloud DNS API
    • Cloud Key Management Service (KMS) API
    • Cloud Logging API
    • Stackdriver Monitoring API
    • Identity and Access Management (IAM) API
    • Cloud Pub/Sub API
    • Service Usage API
    • Cloud Dataproc API
    • API Keys API

The mandatory APIs must be enabled for GCP Organization to onboard with Qualys.

Create a service account in any project and download a configuration file:

  1. Login to the GCP console and select an organization.
  2. Select a project or create a new project. Ensure you have selected the correct project.
  3. From the left sidebar, navigate to IAM & admin > Service accounts and click CREATE SERVICE ACCOUNT.
  4. Provide a service account ID, name (optional), and description (optional) for the service account, and click CREATE.
  5. Next, navigate to IAM & Services > IAM and click ADD.
  6. Enter your service account in New Principal.
  7. Add the following roles in the Role field and click SAVE.
    • Viewer

    • Security Reviewer

  8. Select the newly created service account.
  9. Click Actions > Manage Keys > Add Key > Create a new Key. Select JSON as the key type and click Create. A message saying "Private key saved to your computer" is displayed, and the JSON file is downloaded to your computer.

Upload the configuration (JSON) file to complete GCP connector creation in Qualys Cloud Platform.
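Before uploading the key file, it is worth confirming offline that it is a service-account key for the intended project and that the service account actually holds the Viewer and Security Reviewer roles. The following is an added example (not Qualys or Google code); it assumes a key JSON downloaded as in step 9 and an IAM policy exported with the real `gcloud projects get-iam-policy PROJECT_ID --format=json` command, and uses constructed placeholder values throughout.

```python
"""Offline sanity checks for a GCP service-account key and its IAM bindings.

Added example, not Qualys or Google code. Inputs are constructed samples.
"""
import json

# Fields present in every service-account key JSON exported by the console.
KEY_FIELDS = {"type", "project_id", "private_key_id", "private_key",
              "client_email", "client_id", "token_uri"}
# Role IDs behind the console names "Viewer" and "Security Reviewer".
REQUIRED_ROLES = {"roles/viewer", "roles/iam.securityReviewer"}


def check_key_file(key_json: str, expected_project: str) -> list:
    """Return a list of problems; an empty list means the key looks usable."""
    key = json.loads(key_json)
    problems = [f"missing field: {f}" for f in sorted(KEY_FIELDS - key.keys())]
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, not 'service_account'")
    if key.get("project_id") != expected_project:  # wrong project -> connector fetches nothing
        problems.append(f"project_id {key.get('project_id')!r} != {expected_project!r}")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key")
    return problems


def missing_roles(policy_json: str, member: str) -> set:
    """Roles from REQUIRED_ROLES that `member` does not hold in the exported policy."""
    policy = json.loads(policy_json)
    held = {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}
    return REQUIRED_ROLES - held


# Constructed sample inputs (placeholder values, not real credentials).
SA_MEMBER = "serviceAccount:qualys-connector@example-project.iam.gserviceaccount.com"
SAMPLE_KEY = json.dumps({
    "type": "service_account", "project_id": "example-project",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "qualys-connector@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})
# Policy that grants only Viewer, so Security Reviewer is reported as missing.
SAMPLE_POLICY = json.dumps({"bindings": [{"role": "roles/viewer", "members": [SA_MEMBER]}]})

if __name__ == "__main__":
    print(check_key_file(SAMPLE_KEY, "example-project"))  # []
    print(check_key_file(SAMPLE_KEY, "other-project"))    # project_id mismatch reported
    print(missing_roles(SAMPLE_POLICY, SA_MEMBER))        # {'roles/iam.securityReviewer'}
```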

Suppose you wish to use the same service account for setting up connectors for additional projects. In that case, you can assign a service account as a member in IAM at the organization level or the project level.

The steps for both options are given below.

Assign Service Account in IAM at the project level

1) Login to Google Cloud Platform (GCP) console.

2) From the left navigation bar, select IAM & admin

3) Select the project from the menu in the top-left corner.

4) On the IAM menu bar, click +ADD.

5) On the New Members box, type the name of the service account and click the suggested value.

6) On the Select a role menu, select the appropriate role. Choose the 'Viewer' role and 'Security Reviewer' role to assign at least reader permissions to the service account.

7) Click Save.

8) To add additional projects, repeat steps 3 through 7.

Assign Service Account in IAM at the organization level

1) Login to Google Cloud Platform (GCP) console.

2) On the left navigation bar, select IAM & admin

3) Select your organization from the drop-down menu in the top-left corner.

4) On the IAM menu bar, click +ADD.

5) On the New Members box, type the name of the service account and click the suggested value.

6) On the Select a role menu, select the appropriate role. Choose the 'Viewer' role and 'Security Reviewer' role to assign at least reader permissions to the service account.

7) Click Save.

Steps to Create an Organization Connector

Go to the Connectors tab, click Google Cloud Platform Connectors, click Organization, and then click Create Connector, and our wizard can walk you through the steps.

Basic Details

Enter a name and description (optional) for your connector.

Under applications, you can find two checkboxes.

  • AssetView: Asset Inventory - The connector fetches cloud resource data and populates your Asset Inventory on CSAM. This is active by default for all connectors. This cannot be disabled.
  • CSPM - The connector fetches cloud resource data and populates your Cloud Inventory on TotalCloud.

Select Enable Remediation to enable remediation on the connector. One-click remediation is a TotalCloud feature that patches misconfigurations in your account with a single click. However, you need to configure additional permissions before you enable remediation for GCP connectors.

Ensure you have Write access to the Google Cloud Platform project for which you enable remediation. Refer to Configuring Remediation for GCP.

Organization Details

Authenticate your cloud organization account with Qualys.

Provide the name and ID of the Organization.

You can provide a distinct Org ID for a GCP connector. You can use the same service account for multiple projects. As a result, you can create multiple GCP connectors with the same service account but distinct project IDs.

For detailed steps on using the same service account for multiple projects, see Assigning Service Account for Multiple Projects.

Polling Frequency

Select a frequency at which the connector should poll the cloud provider and fetch data. The designated interval for the Org connector determines when it scans for new or deleted accounts. Choose any period under 24 hours as the interval to run the scan.

By default, the connector polling frequency is configured for every 4 hours. As a result, the connector connects with the cloud provider every 4 hours to fetch the data.

Authentication Details

- Configuration File: Create a service account and download the configuration file from the GCP console and then upload it to Qualys Cloud Platform.

Ensure you have uploaded the configuration file with the correct project details for the connector to fetch resource details.

Test Connection

Click Test Connection to verify if the connector can successfully authenticate using the provided service account credentials in GCP cloud environment. If the test connection is successful, proceed with the connector creation process. If the test connection fails, you may need to check and update the authentication details (configuration file) you uploaded for the connection to work.

Project Details

Authenticate your cloud project account with Qualys Cloud Platform.

Polling Frequency

Select a frequency at which the org connector should poll the cloud provider and fetch data. The designated interval for the project connector determines when the connectors will be run. Choose any period under 24 hours as the interval to run the scan.

By default, the connector polling frequency is configured for every 4 hours. As a result, the connector connects with the cloud provider every 4 hours to fetch the data.

Connector Name Pattern

Enter the prefix that is added to the project account connector. This prefix shows which organization the member account connector is connected to.

Connector Details

Configure the organization connector. Here, you can select the Folders where project connectors are created for the accounts present under it. Select all GCP Folders, select specific Folders, or exclude Folders.

All - Project connectors will be created for all the accounts under all the Folders.

Select OUs - Project connectors will be created for all the accounts under the selected Folders.

Exclude OUs - Project connectors will not be created for the accounts under the excluded Folders.

The connector details for GCP Organization connectors also allow you to:

1) Automatically create connectors for new projects by selecting the 'Automatically create connectors for new projects' checkbox.

2) Automatically disable connectors for the projects you delete by selecting the 'Disable connectors for deleted projects' checkbox.

The connector automatically scans for these changes at each polling interval.

Tags and Activation

We can activate assets for scanning automatically, so you don't have to take this extra step. Select the required check box to enable activation for the required app. We automatically activate the resources as they are discovered and even assign them tags if you want. Enable Vulnerability Management (VM) Scanning to scan discovered assets for vulnerabilities.

You can enable scanning of discovered assets in other Qualys applications for a more thorough result. We offer activating scans from Policy Compliance (PC) and Software Composition Analysis (SCA).

Activating assets for PC Scanning can only be accomplished after enabling PC Agent and Compliance Manager. Contact support to enable them.

Select Asset Tags

We recommend you create at least one generic asset tag (for example, gcp) and have the connector automatically apply that tag to all imported assets. Based on discovered GCP metadata, you can add more tags to your assets.

Assign Tags

Assign tags to the connector that you are creating. You can also create a new tag. The tags assigned to the connector are applied to the member connectors and to the assets discovered in the Asset Inventory.

For details on creating new tags, see Configure Tags.

Confirmation

Review the connector settings you configured and then click Create Connector.

That’s it! The connector establishes a connection with GCP to discover resources from each region.

Any changes made to the GCP account will only reflect on the connectors after manually running it or waiting for the auto-run to sync the changes.

The Google Cloud Platform page displays the list of GCP connectors. The Status column indicates the status of the connector created: Completed successfully, Completed with errors, Queued, Synchronizing, and Disabled.

Related Topics

Edit GCP Organization connector

Disable GCP Organization connector