Required Roles for Google Cloud Configuration and Audit Log Integrations
Overview
When integrating Google Cloud with Lacework, you must create and configure the necessary roles and resources. To do this, the Google Cloud account you use to create the integration must have certain privileges within the project or organization being integrated.
This topic describes those privileges and why they are required.
Organization Level Integration Roles
The following table lists required Google Cloud account roles for organization level integrations.
Role Name | Role ID | Integration Type | Usage |
---|---|---|---|
Organization Administrator | roles/resourcemanager.organizationAdmin | Audit Log, Configuration | Grant IAM privileges: |
Organization Role Administrator | roles/iam.organizationRoleAdmin | Configuration | Create Lacework custom IAM role for organization |
Logs Configuration Writer | roles/logging.configWriter | Audit Log | Create aggregated log sink at organization level |
Billing Account User | roles/billing.user | Audit Log, Configuration | Required only if creating a new project to host the Lacework integration resources |
Additionally, the user performing the integration requires the project level integration roles on the project that will contain the Lacework integration resources.
Project Level Integration Roles
When configuring access for the project that will contain the Lacework integration resources, you can grant the account creating the integration either project owner access or the least-privilege set of roles listed below.
Project Owner Access
Role Name | Role ID | Integration Type | Usage |
---|---|---|---|
Project Owner | roles/owner | Audit Log, Configuration | |
Least Privilege Access
Role Name | Role ID | Integration Type | Usage |
---|---|---|---|
Logs Configuration Writer | roles/logging.configWriter | Audit Log | Create log sink |
Project IAM Admin | roles/resourcemanager.projectIamAdmin | Configuration | Grant IAM privileges: |
Pub/Sub Admin | roles/pubsub.admin | Audit Log | Create Pub/Sub topic and subscription; grant IAM privileges: |
Role Administrator | roles/iam.roleAdmin | Configuration | Create roles/lwComplianceRole, the Lacework custom IAM role, with the following permissions for the project: |
Service Account Admin | roles/iam.serviceAccountAdmin | Audit Log, Configuration | Create Lacework service account |
Service Account Key Admin | roles/iam.serviceAccountKeyAdmin | Audit Log, Configuration | Create service account key for Lacework service account |
Service Usage Admin | roles/serviceusage.serviceUsageAdmin | Audit Log, Configuration | Enable the required Google Cloud service APIs |
Storage Admin | roles/storage.admin | Audit Log (Storage-based audit log integration only) | Create Cloud Storage bucket; grant IAM privileges: |
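As an added pre-flight check (example code, not Lacework's own tooling), the script below compares the least-privilege role sets from these tables against a project IAM policy and reports which roles the integrating account still lacks, treating conditional bindings as not granted. The policy document, the member names and the `missing_roles` helper are constructed for this example; the permissions inside `roles/lwComplianceRole` are not checked because this page does not list them.

```python
import json

# Least-privilege role sets from the tables above, keyed by integration type.
LEAST_PRIVILEGE = {
    "Configuration": {"roles/resourcemanager.projectIamAdmin", "roles/iam.roleAdmin",
                      "roles/iam.serviceAccountAdmin", "roles/iam.serviceAccountKeyAdmin",
                      "roles/serviceusage.serviceUsageAdmin"},
    "Audit Log": {"roles/logging.configWriter", "roles/pubsub.admin",
                  "roles/iam.serviceAccountAdmin", "roles/iam.serviceAccountKeyAdmin",
                  "roles/serviceusage.serviceUsageAdmin"},
}
STORAGE_ONLY = "roles/storage.admin"  # Audit Log, Storage-based integration only
PROJECT_OWNER = "roles/owner"         # the project-owner alternative to the set above

def roles_for(member: str, policy: dict) -> set:
    """Roles bound to `member` in a project IAM policy document.
    Bindings with an IAM condition are skipped: they may not apply at integration
    time, so the check conservatively treats them as not granted."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", []) and "condition" not in b}

def missing_roles(member: str, policy: dict, integration: str,
                  storage_based: bool = False) -> set:
    """Roles `member` still lacks for `integration` ("Configuration" or "Audit Log")."""
    held = roles_for(member, policy)
    if PROJECT_OWNER in held:  # owner access covers either integration type
        return set()
    needed = set(LEAST_PRIVILEGE[integration])
    if integration == "Audit Log" and storage_based:
        needed.add(STORAGE_ONLY)
    return needed - held

# Constructed sample policy in the shape of `gcloud projects get-iam-policy --format=json`.
ME = "user:integrator@example.com"
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/owner", "members": ["user:admin@example.com"]},
  {"role": "roles/resourcemanager.projectIamAdmin", "members": ["%s"]},
  {"role": "roles/iam.roleAdmin", "members": ["%s"]},
  {"role": "roles/iam.serviceAccountAdmin", "members": ["%s"]},
  {"role": "roles/iam.serviceAccountKeyAdmin", "members": ["%s"]},
  {"role": "roles/serviceusage.serviceUsageAdmin", "members": ["%s"]},
  {"role": "roles/logging.configWriter", "members": ["%s"]},
  {"role": "roles/pubsub.admin", "members": ["%s"],
   "condition": {"title": "expired", "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}}
]}""" % ((ME,) * 7))

if __name__ == "__main__":
    for kind in LEAST_PRIVILEGE:
        print(kind, "missing:", sorted(missing_roles(ME, SAMPLE_POLICY, kind)))
```

Run it against the real policy by replacing `SAMPLE_POLICY` with the parsed output of `gcloud projects get-iam-policy PROJECT_ID --format=json`.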