Create GCP Organization Connector
GCP Organizations is an account management service that allows you to consolidate multiple GCP accounts into an organization you create and centrally manage. As an administrator of an organization, you can create accounts in your organization and invite existing accounts to join the organization. Qualys lets you set up an Organization connector and attach it to project connectors in minutes.
- Basic Details
- Organization Details
- Project Details
- Connector Details
- Tags and Activation
- Assign Tags
Prerequisites
Enable the required APIs in the API Library for the project.
Create a service account in any project and download its configuration (JSON) file.
Upload the configuration (JSON) file in Qualys Cloud Platform to complete the GCP connector creation.
To reuse the same service account when setting up connectors for additional projects, assign the service account as a member in IAM at the organization level or at the project level.
The steps for both are below:
Assign Service Account in IAM at the project level
Assign Service Account in IAM at the organization level
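The prerequisite steps above end with a downloaded service-account key (the configuration JSON) that is uploaded to Qualys. The following script is an added example, not Qualys or Google code: it validates that key file before upload (correct type, required fields, PEM private key, owner-only file permissions) and builds the gcloud commands for enabling APIs, creating the service account, binding it in IAM at project or organization scope, and exporting the key. The API name, role name and organization ID used in the demo are placeholders, since the page does not list the ones Qualys requires, and the sample key content is constructed.

```python
"""Pre-flight checks for the service-account prerequisites above.

Added example; this is not Qualys or Google code. It validates the downloaded
service-account key (the configuration JSON) before it is uploaded, and builds
the gcloud commands that enable APIs, create the service account, and bind it
in IAM at project or organization scope. The API and role names passed in by
the caller are placeholders: the page does not list the ones Qualys requires.
"""
import json
import os
import stat
import tempfile

# Fields present in every service-account key JSON that GCP generates.
REQUIRED_KEY_FIELDS = {"type", "project_id", "private_key_id", "private_key",
                       "client_email", "client_id", "token_uri"}

# Constructed sample key file content; the private key is a placeholder, not real.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-NOT-A-REAL-KEY\n"
                   "-----END PRIVATE KEY-----\n",
    "client_email": "qualys-connector@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
}


def write_sample_key(directory=None, mode=0o600, **overrides):
    """Write SAMPLE_KEY (with optional field overrides) to disk and return its path."""
    data = {**SAMPLE_KEY, **overrides}
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "key.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(data, fh)
    os.chmod(path, mode)
    return path


def validate_key_file(path):
    """Return a list of problems found in a service-account key file; [] means OK."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # The key is a long-lived credential: nobody but the owner should read it.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"permissions {oct(mode)} allow group/other access")
    with open(path, encoding="utf-8") as fh:
        try:
            data = json.load(fh)
        except json.JSONDecodeError as exc:
            return problems + [f"not valid JSON: {exc}"]
    if data.get("type") != "service_account":
        problems.append(f"type is {data.get('type')!r}, expected 'service_account'")
    missing = sorted(REQUIRED_KEY_FIELDS - set(data))
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if not str(data.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key")
    if not str(data.get("client_email", "")).endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a service-account address")
    return problems


def prerequisite_commands(project_id, sa_name, apis, roles, org_id=None):
    """Build the gcloud commands for the prerequisite steps as argv lists.

    With org_id the IAM bindings are made at organization scope, so the one
    service account can back connectors for every project; otherwise they are
    made on the single project.
    """
    sa_email = f"{sa_name}@{project_id}.iam.gserviceaccount.com"
    member = f"serviceAccount:{sa_email}"
    cmds = [
        ["gcloud", "services", "enable", *apis, f"--project={project_id}"],
        ["gcloud", "iam", "service-accounts", "create", sa_name, f"--project={project_id}"],
    ]
    if org_id:
        target = ["gcloud", "organizations", "add-iam-policy-binding", org_id]
    else:
        target = ["gcloud", "projects", "add-iam-policy-binding", project_id]
    for role in roles:
        cmds.append(target + [f"--member={member}", f"--role={role}"])
    # The downloaded key.json is the configuration file uploaded to Qualys.
    cmds.append(["gcloud", "iam", "service-accounts", "keys", "create", "key.json",
                 f"--iam-account={sa_email}"])
    return cmds


if __name__ == "__main__":
    print("valid sample:", validate_key_file(write_sample_key()) or "OK")
    print("bad sample:", validate_key_file(write_sample_key(mode=0o644, type="user")))
    for argv in prerequisite_commands("example-project", "qualys-connector",
                                      ["cloudresourcemanager.googleapis.com"],
                                      ["roles/viewer"], org_id="ORG_ID_PLACEHOLDER"):
        print(" ".join(argv))
```

The commands are returned as argv lists rather than executed, so they can be reviewed (and the role list compared against the Qualys documentation) before anything is applied; the permission check matters because the key file grants whoever reads it the same access the connector has.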
Steps to Create an Organization Connector
Go to the Connectors tab, click Google Cloud Platform Connectors, click Organization, and then click Create Connector. The wizard walks you through the following steps.
Basic Details
Enter a name and description (optional) for your connector.
Under applications, you can find two checkboxes.
- AssetView: Asset Inventory - The connector fetches cloud resource data and populates your Asset Inventory on CSAM. This is active by default for all connectors and cannot be disabled.
- CSPM - The connector fetches cloud resource data and populates your Cloud Inventory on TotalCloud.
Select Enable Remediation to enable remediation on the connector. One-click remediation is a TotalCloud feature that patches misconfigurations in your account with a single click. You must configure additional permissions before enabling remediation for GCP connectors.
Ensure you have Write access to the Google Cloud Platform project for which you enable remediation. Refer to Configuring Remediation for GCP.
Organization Details
Authenticate your cloud organization account with Qualys.
Provide the name and ID of the Organization.
You can provide a distinct Org ID for each GCP connector. The same service account can be used for multiple projects, so you can create multiple GCP connectors with the same service account but distinct project IDs.
For detailed steps on using the same service account for multiple projects, see Assigning Service Account for Multiple Projects.
Polling Frequency
Authentication Details
Project Details
Authenticate your cloud project account with Qualys Cloud Platform.
Polling Frequency
Connector Name Pattern
Connector Details
Configure the organization connector. Here you select the Folders for which project connectors are created for the accounts under them: select all GCP Folders, select specific Folders, or exclude Folders.
All - Project connectors will be created for all the accounts under all the Folders.
Select OUs - Project connectors will be created for all the accounts under the selected Folders.
Exclude OUs - Project connectors will not be created for the accounts under the excluded Folders.
The connector details for GCP Organization connectors also allow you to:
1) Automatically create connectors for new projects by selecting the 'Automatically create connectors for new projects' checkbox.
2) Automatically disable connectors for the projects you delete by selecting the 'Disable connectors for deleted projects' checkbox.
The connector automatically checks for these changes at each polling frequency interval.
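The folder scope (All, Select, Exclude) together with the two checkboxes determines what one polling cycle does to the set of project connectors. The following is an added illustration, not Qualys code: it models that decision for a constructed set of folders and projects and returns which project connectors a poll would create and which it would disable. Projects that merely moved out of the selected Folders are left untouched, since the page describes automatic disabling only for deleted projects.

```python
"""Reconciliation of project connectors under an organization connector.

Added example, not Qualys code. It models the Connector Details options:
a folder scope of 'All', 'Select' or 'Exclude', plus the 'automatically create
connectors for new projects' and 'disable connectors for deleted projects'
flags, and computes what one polling cycle would do. Folder and project IDs
are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Project:
    project_id: str
    folder: str          # immediate parent folder of the project
    active: bool = True  # False once the project has been deleted in GCP


def in_scope(project, mode, folders):
    """Apply the folder selection: All / Select (allow-list) / Exclude (deny-list)."""
    if mode == "All":
        return True
    if mode == "Select":
        return project.folder in folders
    if mode == "Exclude":
        return project.folder not in folders
    raise ValueError(f"unknown folder mode {mode!r}")


def plan_poll(projects, existing_connectors, mode, folders, auto_create, auto_disable):
    """Return (to_create, to_disable) for one polling cycle.

    existing_connectors maps project_id -> enabled flag for the project
    connectors the organization connector already manages.
    """
    live = {p.project_id for p in projects if p.active and in_scope(p, mode, folders)}
    to_create = sorted(live - set(existing_connectors)) if auto_create else []
    to_disable = []
    if auto_disable:
        # Only deleted projects trigger disabling; a project moved out of the
        # selected Folders keeps its connector as-is.
        active_ids = {p.project_id for p in projects if p.active}
        to_disable = sorted(pid for pid, enabled in existing_connectors.items()
                            if enabled and pid not in active_ids)
    return to_create, to_disable


# Constructed sample: two folders, one project already deleted in GCP.
SAMPLE_PROJECTS = [
    Project("prod-web", "folders/prod"),
    Project("prod-db", "folders/prod"),
    Project("dev-sandbox", "folders/dev"),
    Project("old-analytics", "folders/prod", active=False),
]
SAMPLE_CONNECTORS = {"prod-web": True, "old-analytics": True}


if __name__ == "__main__":
    for mode, folders in (("All", set()), ("Select", {"folders/prod"}), ("Exclude", {"folders/prod"})):
        create, disable = plan_poll(SAMPLE_PROJECTS, SAMPLE_CONNECTORS, mode, folders, True, True)
        print(f"{mode:8} create={create} disable={disable}")
```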
Tags and Activation
We can activate assets for scanning automatically, so you don't have to take this extra step. Select the check box for each app in which you want discovered assets activated. We automatically activate the resources as they are discovered and, if you want, assign them tags. Enable Vulnerability Management (VM) Scanning to scan discovered assets for vulnerabilities.
You can also enable scanning of discovered assets in other Qualys applications for more thorough results: Policy Compliance (PC) and Software Composition Analysis (SCA).
Assets can be activated for PC scanning only after PC Agent and Compliance Manager are enabled; contact Support to enable them.
Select Asset Tags
We recommend you create at least one generic asset tag (for example, gcp) and have the connector automatically apply that tag to all imported assets. Based on discovered GCP metadata, you can add more tags to your assets.
Assign Tags
Assign tags to the connector that you are creating. You can also create a new tag. The tags assigned to the connector are applied to the member connectors and to the assets discovered in the Asset Inventory.
For details on creating new tags, see Configure Tags.
Confirmation
Review the connector settings you configured and then click Create Connector.
That’s it! The connector establishes a connection with GCP to discover resources from each region.
Changes made to the GCP account are reflected in the connectors only after you run the connector manually or wait for the scheduled auto-run to sync the changes.
The Google Cloud Platform page displays the list of GCP connectors. The Status column indicates the status of the connector created: Completed successfully, Completed with errors, Queued, Synchronizing, and Disabled.