To integrate GCP with MVISION Cloud, perform the following steps:
- In MVISION Cloud go to Settings > Service Management.
- Click Add Service Instance.
- Select Google Cloud Platform, enter an Instance Name, and click Done.
- Under Setup, for API, click Enable.
- Select the features you want to enable for your GCP account:
  - DLP. Use On-Demand Scans to examine cloud services for content that violates your policies and to support targeted investigations. Enable On-Demand Scan to run your scan immediately, or set the scan schedule to daily or weekly.
  - Activity Monitoring. Activity Monitoring allows forensic auditing and investigation of individual activities.
  - Security Configuration Audit. Security Configuration Audit allows your policy team to monitor and discover whether your cloud services have been configured per industry best practices.
- Review Pre-Requisites, copy the Service Account as shown in the following screenshot, and click Next.
- Add the Service Account to the GCP project in your GCP console. This is needed to allow MVISION Cloud to access your GCP resources. To do this, refer to Add a Service Account in GCP.
- Under Project Settings, add projects using one of two options:
  - Enter my projects info manually. Enter the Project ID of an existing project.
  - Discover projects under my organization. Select a project from the list of available projects under your organization, and click Authenticate Projects.
- Select an admin from the generated list, or enter an email to search for a specific person. Click Next.
- In the Summary page, verify your settings and click Save.
Once authenticated, the API is enabled and the Instance setup is complete.
Add a Service Account in GCP
You need a Service Account to allow MVISION Cloud to access your GCP resources. To do this, add the Service Account to your GCP project (or organization) as an IAM member, and grant the following roles:
- Project > Viewer
- IAM > Security Reviewer
- Service Usage > Service Usage Consumer. This role is required to fetch GCP activities using your organization's API quota. To avoid API rate limiting by GCP while using McAfee Enterprise's project, MVISION Cloud now uses your organization's API quota to fetch the activities.
- Custom role with 'container.nodes.proxy' permission. This role is required only for GKE policies. Alternatively, you may also use predefined roles like Kubernetes Engine Developer or Kubernetes Engine Admin.
- Custom role with 'Storage Legacy Bucket Writer' permission. This role is required if you want to Quarantine files as part of DLP or Malware On Demand Scans.
To add a service account, perform the following steps:
- In the GCP console, go to the IAM page.
- Click Add.
- Add the roles.
- Click Save.
Enable APIs & Services for Config audit scan
You need to enable the GCP APIs & Services for the active configuration audit policies before you run the config audit scan.
Refer to the supported resource types to identify the corresponding APIs & Services, which depend on the policies you enable. For example, when you enable a Configuration audit policy that includes checks for the Key Management service in Google Cloud Platform, make sure you enable the Cloud Key Management Service (KMS) API.
When you create custom Config audit policies, it might be required to enable additional APIs & Services in Google Cloud Platform to enable MVISION Cloud to use these APIs & Services to check the configuration of the relevant resources.
Some APIs & Services that are required for several policies from the policy template list for GCP are:
- Compute Engine API
- Cloud DNS API
- Cloud Key Management Service (KMS) API
- Cloud Logging API
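The following added example (not part of MVISION Cloud or this page) checks a project's exported IAM policy and enabled-services list against the roles listed under Add a Service Account in GCP and the APIs listed above, so you can confirm the service account is granted exactly what the integration needs before running the config audit scan. It assumes the JSON shapes of `gcloud projects get-iam-policy --format=json` and `gcloud services list --enabled --format=json`; the service account e-mail and sample documents are constructed.

```python
"""Audit a GCP project's IAM bindings and enabled APIs for the MVISION Cloud
service account (added example; role and service IDs are standard GCP ones)."""
import json

# Roles the page requires for the service account, keyed by GCP role ID.
REQUIRED_ROLES = {
    "roles/viewer": "Project > Viewer",
    "roles/iam.securityReviewer": "IAM > Security Reviewer",
    "roles/serviceusage.serviceUsageConsumer": "Service Usage > Service Usage Consumer",
}
# Either predefined GKE role named on the page satisfies the GKE requirement;
# a project-level custom role (projects/<id>/roles/<name>) is accepted too.
GKE_ROLES = {"roles/container.developer", "roles/container.admin"}
# APIs the page lists as needed by several config-audit policy templates.
REQUIRED_SERVICES = {
    "compute.googleapis.com", "dns.googleapis.com",
    "cloudkms.googleapis.com", "logging.googleapis.com",
}

def roles_for_member(policy: dict, member: str) -> set:
    """Collect every role bound to `member` in a get-iam-policy JSON document."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}

def audit(policy: dict, enabled_services: list, sa_email: str) -> dict:
    """Report what is still missing for the service account; empty lists mean ready."""
    roles = roles_for_member(policy, f"serviceAccount:{sa_email}")
    missing_roles = [name for rid, name in REQUIRED_ROLES.items() if rid not in roles]
    has_gke = bool(roles & GKE_ROLES) or any("/roles/" in r for r in roles)
    # Assumed shape: each `gcloud services list` entry carries config.name.
    enabled = {s["config"]["name"] for s in enabled_services}
    return {
        "missing_roles": missing_roles,
        "gke_role_present": has_gke,
        "missing_services": sorted(REQUIRED_SERVICES - enabled),
    }

# Constructed sample IAM policy: Viewer and Security Reviewer granted, nothing else.
SA = "mvision@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads(json.dumps({"bindings": [
    {"role": "roles/viewer", "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/iam.securityReviewer", "members": [f"serviceAccount:{SA}"]},
]}))
# Constructed sample of enabled services: only Compute Engine and Cloud Logging.
SAMPLE_SERVICES = [{"config": {"name": n}} for n in ("compute.googleapis.com", "logging.googleapis.com")]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICY, SAMPLE_SERVICES, SA), indent=2))
```

Run it against real exports by loading the two JSON files in place of the constructed samples; anything listed under missing_roles or missing_services is what still has to be granted or enabled.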
Granular Permissions for DLP scan
You need to create a custom role with the permissions mentioned in this section to run a GCP DLP scan.
Basic Permissions to run DLP scan
Provide the following permissions if you want to run a DLP scan without quarantine as the response action:
Additional Permissions to run DLP scan
Along with the basic permissions, provide the following additional permissions to support quarantine as the response action:
Note: The above permissions are also valid when the cloud storage buckets are encrypted using a Customer Managed Key (Generated).