GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Ensure Cloud Asset Inventory Is Enabled
More Info:
The GCP resources and IAM policies captured by GCP Cloud Asset Inventory enables security analysis, resource change tracking, and compliance auditing.
Risk Level
Medium
Address
Security
Compliance Standards
CISGCP, CBP
Triage and Remediation
Remediation
To remediate the misconfiguration “Ensure Cloud Asset Inventory Is Enabled” for GCP using GCP console, please follow the below steps:
-
Open the GCP console and go to the Navigation menu.
-
Select the “Security Command Center” option under the “Security” section.
-
Click on the “Organization” tab and select your organization from the dropdown list.
-
Click on the “Asset Inventory” tab and select the project for which you want to enable the Cloud Asset Inventory.
-
Click on the “Enable” button to enable the Cloud Asset Inventory for the selected project.
-
Review the configuration settings and click on the “Save” button to save the changes.
-
Once the Cloud Asset Inventory is enabled, you can view the assets and their metadata in the Security Command Center dashboard.
-
To ensure that the Cloud Asset Inventory is continuously enabled, you can set up a periodic review of the configuration settings.
By following these steps, you can remediate the misconfiguration “Ensure Cloud Asset Inventory Is Enabled” for GCP using GCP console.
To remediate the misconfiguration “Ensure Cloud Asset Inventory is enabled” for GCP using GCP CLI, you can follow the below steps:
Step 1: Open the GCP Cloud Shell or any other terminal where GCP CLI is installed.
Step 2: Run the following command to enable the Cloud Asset Inventory API:
gcloud services enable cloudasset.googleapis.com
Step 3: Next, run the following command to create a new asset inventory:
gcloud asset create-feed <FEED_NAME> --content-type=resource --asset-names=<ASSET_NAME> --project=<PROJECT_ID>
Note: Replace <FEED_NAME> with the desired name for the new feed, <ASSET_NAME> with the name of the asset you want to inventory, and <PROJECT_ID> with the ID of the project where the asset is located.
Step 4: Run the following command to list all the feeds that have been created:
gcloud asset feeds list --project=<PROJECT_ID>
Step 5: Finally, run the following command to view the details of the new feed:
gcloud asset feeds describe <FEED_NAME> --project=<PROJECT_ID>
Note: Replace <FEED_NAME> with the name of the feed you created in Step 3, and <PROJECT_ID> with the ID of the project where the asset is located.
By following these steps, you can ensure that the Cloud Asset Inventory is enabled for your GCP project.
To remediate the “Ensure Cloud Asset Inventory Is Enabled” misconfiguration for GCP using Python, follow these steps:
- Install the necessary libraries:
!pip install google-cloud-asset google-auth
- Set up authentication:
from google.oauth2 import service_account
credentials = service_account.Credentials.from_service_account_file(
'path/to/your/credentials.json')
- Import the necessary libraries:
from google.cloud import asset_v1
from google.cloud.asset_v1 import enums
- Create a client instance:
client = asset_v1.AssetServiceClient(credentials=credentials)
- Check if Cloud Asset Inventory is enabled:
response = client.search_all_resources(
scope='organizations/your_organization_id',
asset_types=['cloudasset.googleapis.com/Asset'],
query='resourceProperties.enableAssetDiscovery:true'
)
if len(response) > 0:
print("Cloud Asset Inventory is already enabled.")
else:
print("Cloud Asset Inventory is not enabled.")
- If Cloud Asset Inventory is not enabled, enable it:
operation = client.set_iam_policy(
resource='organizations/your_organization_id',
policy={
'policy': {
'bindings': [
{
'role': 'roles/cloudasset.viewer',
'members': [
'user:[email protected]'
]
}
]
}
}
)
print("Cloud Asset Inventory has been enabled.")
Note: Replace your_organization_id and [email protected] with the appropriate values for your GCP organization and email address. Also, make sure that the service account used for authentication has the necessary permissions to enable Cloud Asset Inventory.