
Google Cloud Inventory

Overview

The Lacework Console provides visibility into Google Cloud resources that are integrated with Lacework. A resource can be any entity within the cloud deployment, such as GCE Virtual Machines, Pub/Sub topics, Cloud Storage buckets, security groups, etc. The GCP Resource Inventory page allows you to view and monitor in-use Google Cloud resources’ risk, compliance, and configuration changes and provides visibility for team members with limited or no access to the Google Cloud Console. Because Lacework takes regular snapshots of your resources, you can track their changes (diffs) through the Lacework Console. To access the Resource Inventory page, go to Resources > GCP Inventory.

Google Cloud resources are the components that enable services on Google Cloud. Google Cloud resources are grouped into specific projects, the first hierarchy level. Projects are grouped under a specific folder, the next level of hierarchy for Google Cloud resources. In addition, a specific folder can belong to another folder, which in turn can belong to yet another folder. Folders are grouped under a specific organization or Org, the top level of hierarchy for resources.

For more information about Google Cloud integration with Lacework, see Google Cloud Compliance and Audit Logs Integration - Terraform Using Google Cloud Shell and Google Cloud Compliance and Audit Logs Integration - Terraform From Any Supported Host.

Lacework takes a snapshot of resources on a periodic time frame. Depending on the time that Lacework takes the snapshot, changes may not be captured until up to 24 hours after the changes are made. See the following examples:

  • If a resource change is made on Monday at 1:00 AM and Lacework takes a snapshot on Monday at 2:00 AM, the snapshot includes the change.
  • If a resource change is made on Monday at 3:00 AM but Lacework took its snapshot on Monday at 2:00 AM, that snapshot does not include the change. The next snapshot, on Tuesday at 2:00 AM, captures the change.
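The capture rule above, worked as a small added example (not part of the Lacework documentation): given a change timestamp and the daily snapshot hour, it returns the first snapshot that includes the change and how long the change stays invisible. It generalizes the examples to any daily snapshot time; the 2:00 AM default is taken from the examples and the dates are constructed.

```python
from datetime import datetime, time, timedelta

# Assumption (from the examples above): snapshots run once a day at a fixed
# wall-clock hour; the examples use 2:00 AM.
SNAPSHOT_HOUR = 2


def capturing_snapshot(change_iso: str, snapshot_hour: int = SNAPSHOT_HOUR) -> str:
    """ISO timestamp of the first daily snapshot taken at or after the change.

    A change made exactly at the snapshot time counts as captured by it.
    """
    change_at = datetime.fromisoformat(change_iso)
    same_day = datetime.combine(change_at.date(), time(hour=snapshot_hour))
    snapshot = same_day if change_at <= same_day else same_day + timedelta(days=1)
    return snapshot.isoformat()


def capture_delay_hours(change_iso: str, snapshot_hour: int = SNAPSHOT_HOUR) -> float:
    """Hours until the change shows up in the inventory; always below 24."""
    change_at = datetime.fromisoformat(change_iso)
    snapshot = datetime.fromisoformat(capturing_snapshot(change_iso, snapshot_hour))
    return (snapshot - change_at).total_seconds() / 3600


if __name__ == "__main__":
    # 2024-01-01 is a Monday; these are the two cases from the text.
    for change in ("2024-01-01T01:00", "2024-01-01T03:00"):
        print(change, "->", capturing_snapshot(change),
              f"({capture_delay_hours(change):.0f}h later)")
```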
info

Lacework is currently expanding its service coverage in GCP. As we begin assessing these services for the first time, you may notice the New GCP service accessed in region alert on your Lacework Console. This alert will originate from Lacework Service IP Addresses and can be safely disregarded. If you have any questions regarding the alert, please contact Lacework Support for further assistance.

Supported Resource Types

Resource inventory supports the following resource type APIs.

App Engine
  • appengine.googleapis.com/Application
  • appengine.googleapis.com/Service
  • appengine.googleapis.com/Version
  • appengine.googleapis.com/Instance
Artifact Registry
  • artifactregistry.googleapis.com/DockerImage
  • artifactregistry.googleapis.com/Repository
BigQuery
  • bigquery.googleapis.com/Dataset
  • bigquery.googleapis.com/Table
  • bigquery.googleapis.com/Model
Cloud Bigtable
  • bigtableadmin.googleapis.com/AppProfile
  • bigtableadmin.googleapis.com/Backup
  • bigtableadmin.googleapis.com/Cluster
  • bigtableadmin.googleapis.com/Instance
  • bigtableadmin.googleapis.com/Table
Cloud Billing
  • cloudbilling.googleapis.com/BillingAccount
Certificate Authority Service
  • privateca.googleapis.com/CaPool
  • privateca.googleapis.com/CertificateAuthority
  • privateca.googleapis.com/CertificateRevocationList
  • privateca.googleapis.com/CertificateTemplate
Cloud Functions
  • cloudfunctions.googleapis.com/CloudFunction
Cloud Run
  • run.googleapis.com/DomainMapping
  • run.googleapis.com/Revision
  • run.googleapis.com/Service
Container Registry
  • containerregistry.googleapis.com/Image
Dataproc
  • dataproc.googleapis.com/Cluster
  • dataproc.googleapis.com/Job
Dialogflow
  • dialogflow.googleapis.com/Agent
  • dialogflow.googleapis.com/LocationSettings
Cloud Data Loss Prevention
  • dlp.googleapis.com/StoredInfoType
  • dlp.googleapis.com/DeidentifyTemplate
  • dlp.googleapis.com/DlpJob
  • dlp.googleapis.com/InspectTemplate
  • dlp.googleapis.com/JobTrigger
Cloud DNS
  • dns.googleapis.com/ManagedZone
  • dns.googleapis.com/Policy
Eventarc
  • eventarc.googleapis.com/Trigger
Identity and Access Management
  • iam.googleapis.com/Role
  • iam.googleapis.com/ServiceAccount
  • iam.googleapis.com/ServiceAccountKey
Cloud Key Management Service
  • cloudkms.googleapis.com/KeyRing
  • cloudkms.googleapis.com/CryptoKey
  • cloudkms.googleapis.com/CryptoKeyVersion
  • cloudkms.googleapis.com/ImportJob
Pub/Sub
  • pubsub.googleapis.com/Topic
  • pubsub.googleapis.com/Snapshot
Cloud Spanner
  • spanner.googleapis.com/Instance
  • spanner.googleapis.com/Database
  • spanner.googleapis.com/Backup
Cloud SQL
  • sqladmin.googleapis.com/Instance
  • sqladmin.googleapis.com/BackupRun
Cloud Storage
  • storage.googleapis.com/Bucket
Cloud OS Config
  • osconfig.googleapis.com/PatchDeployment
  • osconfig.googleapis.com/VulnerabilityReport
Compute Engine
  • compute.googleapis.com/Autoscaler
  • compute.googleapis.com/Address
  • compute.googleapis.com/GlobalAddress
  • compute.googleapis.com/BackendBucket
  • compute.googleapis.com/BackendService
  • compute.googleapis.com/Commitment
  • compute.googleapis.com/Disk
  • compute.googleapis.com/ExternalVpnGateway
  • compute.googleapis.com/Firewall
  • compute.googleapis.com/ForwardingRule
  • compute.googleapis.com/GlobalForwardingRule
  • compute.googleapis.com/HealthCheck
  • compute.googleapis.com/HttpHealthCheck
  • compute.googleapis.com/HttpsHealthCheck
  • compute.googleapis.com/Image
  • compute.googleapis.com/Instance
  • compute.googleapis.com/InstanceGroup
  • compute.googleapis.com/InstanceGroupManager
  • compute.googleapis.com/InstanceTemplate
  • compute.googleapis.com/Interconnect
  • compute.googleapis.com/InterconnectAttachment
  • compute.googleapis.com/License
  • compute.googleapis.com/Network
  • compute.googleapis.com/NetworkEndpointGroup
  • compute.googleapis.com/NodeGroup
  • compute.googleapis.com/NodeTemplate
  • compute.googleapis.com/PacketMirroring
  • compute.googleapis.com/Project
  • compute.googleapis.com/RegionBackendService
  • compute.googleapis.com/RegionDisk
  • compute.googleapis.com/Reservation
  • compute.googleapis.com/ResourcePolicy
  • compute.googleapis.com/Route
  • compute.googleapis.com/Router
  • compute.googleapis.com/SecurityPolicy
  • compute.googleapis.com/Snapshot
  • compute.googleapis.com/SslCertificate
  • compute.googleapis.com/SslPolicy
  • compute.googleapis.com/Subnetwork
  • compute.googleapis.com/TargetHttpProxy
  • compute.googleapis.com/TargetHttpsProxy
  • compute.googleapis.com/TargetInstance
  • compute.googleapis.com/TargetPool
  • compute.googleapis.com/TargetTcpProxy
  • compute.googleapis.com/TargetSslProxy
  • compute.googleapis.com/TargetVpnGateway
  • compute.googleapis.com/UrlMap
  • compute.googleapis.com/VpnGateway
  • compute.googleapis.com/VpnTunnel
Google Kubernetes Engine
  • container.googleapis.com/Cluster
  • container.googleapis.com/NodePool
  • k8s.io/Node
  • k8s.io/Pod
  • k8s.io/Namespace
  • k8s.io/Service
  • rbac.authorization.k8s.io/Role
  • rbac.authorization.k8s.io/RoleBinding
  • rbac.authorization.k8s.io/ClusterRole
  • rbac.authorization.k8s.io/ClusterRoleBinding
  • networking.k8s.io/NetworkPolicy
Resource Manager
  • cloudresourcemanager.googleapis.com/Organization
  • cloudresourcemanager.googleapis.com/Folder
  • cloudresourcemanager.googleapis.com/Project
  • cloudresourcemanager.googleapis.com/TagKey
  • cloudresourcemanager.googleapis.com/TagValue
Service Usage
  • serviceusage.googleapis.com/Service
Cloud Data Fusion
  • datafusion.googleapis.com/Instance
Cloud Logging
  • logging.googleapis.com/LogBucket
  • logging.googleapis.com/LogMetric
  • logging.googleapis.com/LogSink
Network Management API
  • networkmanagement.googleapis.com/ConnectivityTest
Managed Service for Microsoft Active Directory
  • managedidentities.googleapis.com/Domain
Game Servers
  • gameservices.googleapis.com/GameServerCluster
  • gameservices.googleapis.com/Realm
  • gameservices.googleapis.com/GameServerConfig
  • gameservices.googleapis.com/GameServerDeployment
Dataflow
  • dataflow.googleapis.com/Job
Hub
  • gkehub.googleapis.com/Membership
Secret Manager
  • secretmanager.googleapis.com/Secret
  • secretmanager.googleapis.com/SecretVersion
Cloud TPU
  • tpu.googleapis.com/Node
Filestore
  • file.googleapis.com/Instance
Service Directory
  • servicedirectory.googleapis.com/Namespace
Assured Workloads
  • assuredworkloads.googleapis.com/Workload
API Gateway
  • apigateway.googleapis.com/Api
  • apigateway.googleapis.com/ApiConfig
  • apigateway.googleapis.com/Gateway
App Engine Memcache
  • memcache.googleapis.com/Instance
Document AI
  • documentai.googleapis.com/HumanReviewConfig
  • documentai.googleapis.com/LabelerPool
  • documentai.googleapis.com/Processor
  • documentai.googleapis.com/ProcessorVersion
Memorystore for Redis
  • redis.googleapis.com/Instance
Vertex AI
  • aiplatform.googleapis.com/BatchPredictionJob
  • aiplatform.googleapis.com/CustomJob
  • aiplatform.googleapis.com/DataLabelingJob
  • aiplatform.googleapis.com/Dataset
  • aiplatform.googleapis.com/Endpoint
  • aiplatform.googleapis.com/HyperparameterTuningJob
  • aiplatform.googleapis.com/MetadataStore
  • aiplatform.googleapis.com/Model
  • aiplatform.googleapis.com/ModelDeploymentMonitoringJob
  • aiplatform.googleapis.com/PipelineJob
  • aiplatform.googleapis.com/SpecialistPool
  • aiplatform.googleapis.com/TrainingPipeline
Cloud Monitoring
  • monitoring.googleapis.com/AlertPolicy
Serverless VPC Access
  • vpcaccess.googleapis.com/Connector
Service Management
  • servicemanagement.googleapis.com/ManagedService
Dataproc Metastore
  • metastore.googleapis.com/Service
  • metastore.googleapis.com/MetadataImport
  • metastore.googleapis.com/Backup
note

For the full list of possible resources, see Supported asset types.
To view the list of resources from the Google Cloud console, select Asset Inventory > Resource.

Configure Permissions to Enable Access to Google Cloud Resources

In order to access and manage Google Cloud resources, you must enable certain permissions through the use of updated roles.

Configure Google Cloud Permissions by Updating Terraform Integration

You can use Terraform to integrate Google Cloud environments with Lacework. To enable access to Google Cloud resources if you have an existing Terraform template for Google Cloud integration, you must update and rerun the Lacework Google Cloud Terraform module. Perform the following tasks to access Google Cloud resource types:

  1. Verify that your Terraform template specifies the Lacework Google Cloud Config module at minimum version 1.0. To do this, open your Terraform file and look for the following module block:

    module "gcp-config" {
      source  = "lacework/config/gcp"
      version = "~> 1.0"
    }
    note

    The terraform init -upgrade command in the next step will pull in the latest version. The minimum version 1.2.0 is required to enable permissions to Google Cloud resource types.

  2. Update the Terraform integration to version 1.2.0 to utilize the new permissions for Google Cloud resources in the Lacework Google Cloud Config module by running an update and applying this update:

    terraform init -upgrade
    terraform apply

Configure Google Cloud Permissions Manually

In order to access and manage Google Cloud resources, you must enable certain permissions through the use of updated roles. You can do this automatically through Terraform, as discussed in the previous section. Alternatively, you can configure the permissions manually as described in the following steps.

1. Add the roles/cloudasset.viewer Role to your Google Cloud Service Account

Add the new role roles/cloudasset.viewer to your service account to access your Google Cloud resource types. You can add this new role either at the individual project level or at the organization level.

You can add the role through the Google Cloud console or through the gcloud CLI, as described below.

Add Role through the Google Cloud console
  1. Navigate to IAM and Admin in the Google Cloud console.
  2. Locate the service account for the Google Cloud integration and click the Edit Permissions icon (located right of the entry).
  3. Click + Add Another Role.
  4. Select the role Cloud Asset > Cloud Asset Viewer.
  5. Click Save as.
Add Role through the gcloud CLI

To add the new role to a service account at the individual project level:

gcloud projects add-iam-policy-binding TARGET_PROJECT_ID \
--member serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \
--role roles/cloudasset.viewer

To add the new role to a service account at the organization level:

gcloud organizations add-iam-policy-binding TARGET_ORGANIZATION_ID \
--member serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \
--role roles/cloudasset.viewer

2. Enable the API for your Google Cloud Service Account

Enable the API that accesses your resource types on the Google Cloud project to which the service account belongs.

You can enable the API through the Google Cloud console or through the gcloud CLI, as described below:

Enable the API through Google Cloud console for your Project

Using the Google Cloud console, add cloudasset.googleapis.com to enable access to the Google Cloud API:

  1. Log in to the specific project you want to integrate on the Google Cloud Console.
  2. Click the navigation menu icon.
  3. Select APIs & Services > Library. In the Search for APIs & Services field, enter cloudasset.googleapis.com.
  4. Click on the result that matches the API name listed.
  5. Click ENABLE.
Enable the API through the gcloud CLI

Ensure that the gcloud config is set to use a Service Account with the permissions required to enable APIs.

gcloud --project <service_account_project_id> services enable cloudasset.googleapis.com
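An added example (not Lacework's or Google's code) that checks both manual prerequisites from the JSON that `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud services list --enabled --format=json` print, and also flags any role bound to the integration service account beyond an operator-supplied allowed set, so the account stays at least privilege. The JSON shape is assumed from those commands' output; the policy, service account name, project number and allowed roles are constructed placeholders.

```python
import json

# Constructed sample of `gcloud projects get-iam-policy PROJECT --format=json`
# output (shape assumed from the IAM Policy resource; values are made up).
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/viewer",
   "members": ["serviceAccount:lacework-sa@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/editor",
   "members": ["serviceAccount:lacework-sa@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/cloudasset.viewer",
   "members": ["serviceAccount:lacework-sa@example-project.iam.gserviceaccount.com",
               "user:alice@example.com"]},
  {"role": "roles/owner", "members": ["user:alice@example.com"]}],
 "etag": "BwXYZ123=", "version": 1}
""")

# Constructed sample of `gcloud services list --enabled --format=json`
# (shape assumed from the Service Usage API; values are made up).
SAMPLE_SERVICES = json.loads("""
[{"config": {"name": "cloudasset.googleapis.com", "title": "Cloud Asset API"},
  "name": "projects/123456789012/services/cloudasset.googleapis.com", "state": "ENABLED"},
 {"config": {"name": "compute.googleapis.com", "title": "Compute Engine API"},
  "name": "projects/123456789012/services/compute.googleapis.com", "state": "ENABLED"}]
""")

REQUIRED_ROLE = "roles/cloudasset.viewer"   # role from step 1 above
REQUIRED_API = "cloudasset.googleapis.com"  # API from step 2 above


def roles_for_member(policy: dict, member: str) -> set:
    """All roles bound directly to `member` in an IAM policy document."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def enabled_apis(services: list) -> set:
    """Names of the APIs whose state is ENABLED."""
    return {s["config"]["name"] for s in services if s.get("state") == "ENABLED"}


def check_prerequisites(policy: dict, services: list, member: str, allowed_roles: set) -> dict:
    """Report whether the integration prerequisites hold and list any roles the
    service account holds beyond `allowed_roles` (the operator's expected set)."""
    roles = roles_for_member(policy, member)
    return {
        "has_cloudasset_viewer": REQUIRED_ROLE in roles,
        "api_enabled": REQUIRED_API in enabled_apis(services),
        "unexpected_roles": sorted(roles - allowed_roles),
    }


if __name__ == "__main__":
    sa = "serviceAccount:lacework-sa@example-project.iam.gserviceaccount.com"
    print(json.dumps(check_prerequisites(SAMPLE_POLICY, SAMPLE_SERVICES, sa,
                                         {REQUIRED_ROLE, "roles/viewer"}), indent=2))
```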

Resource Summary

Lacework populates this page after at least one Google Cloud integration is configured. The date/time range filter and any optional filters at the top of the page apply to all data displayed on the page. If nothing is displayed, consider increasing the date range.

To access the Resource Summary information on the GCP Resource Inventory page, go to Resources > GCP Inventory.

Above the right side of the table, the following icons are available:

  • Download in CSV format: Click this icon to get a comma-separated file of the table contents.
  • Select display columns: Click this icon to hide or show the set of columns that are displayed in the table.
  • Refresh data: Click this icon to refresh the table data.
  • Full screen: Click this icon to view the table on the entire screen.

The columns in the Resources Summary table are described below. Each row in the table represents a resource.

  • Resource Name: Displays the name of the Google Cloud resource. Click the name to open the resource’s configuration.
  • Recently Updated (24hrs): Displays whether the resource was updated in the last 24 hours.
  • Organization: Displays the organization that the resource belongs to. Organizations contain folders, which in turn contain projects of resources.
  • Folder ID: Displays the identifier of the folder that the resource belongs to. A resource can belong to a folder, that folder can belong to another folder, and so on. To view this folder hierarchy, click the specific Folder ID.
  • Project ID: Displays the project that the resource belongs to. Projects let you organize and group resources.
  • Service: Displays the Google Cloud service that the resource corresponds to.
  • Type: Displays the type of resource.
  • Region: Displays the region where the resource is located.
  • Status: Displays the status of data collection from the resource.
  • Tags: Click {...} to open the resource’s tags.
  • Last Discovered Time: Displays the last time Lacework discovered the resource.

Configuration Diffs

To view a configuration diff, click a resource name under the Resource Name column. This opens a pane with configuration details. When a diff is present, it is always compared to the current configuration. If more than two configuration histories exist, click View more to display the Configuration History page.

To view a resource’s tag information, click {...} in the Tags column.

If you change an API (primary API) configuration, then it appears as a diff on the Lacework Console.
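To make concrete what a configuration diff between two snapshots contains, here is an added example (not Lacework code) that flattens two snapshots of one resource's configuration into dotted paths and lists the fields that were added, removed or changed, which is also the check a detection pipeline would run over exported snapshots. The bucket configuration is constructed and its field names are assumed, loosely following the storage.googleapis.com/Bucket resource.

```python
from typing import Any

# Constructed sample: an earlier and the current inventory snapshot of one
# Cloud Storage bucket (field names assumed, values made up). Between the two,
# uniform bucket-level access was switched off and public access prevention
# was relaxed: exactly the kind of change worth surfacing as a diff.
PREVIOUS = {
    "name": "example-bucket",
    "location": "US",
    "iamConfiguration": {
        "uniformBucketLevelAccess": {"enabled": True},
        "publicAccessPrevention": "enforced",
    },
    "labels": {"env": "prod"},
}
CURRENT = {
    "name": "example-bucket",
    "location": "US",
    "iamConfiguration": {
        "uniformBucketLevelAccess": {"enabled": False},
        "publicAccessPrevention": "inherited",
    },
    "labels": {"env": "prod", "owner": "team-a"},
    "versioning": {"enabled": True},
}


def flatten(cfg: Any, prefix: str = "") -> dict:
    """Flatten nested dicts/lists into {'a.b[0].c': leaf} so paths compare directly."""
    if isinstance(cfg, (dict, list)):
        out = {}
        pairs = cfg.items() if isinstance(cfg, dict) else enumerate(cfg)
        for k, v in pairs:
            if isinstance(cfg, list):
                key = f"{prefix}[{k}]"
            else:
                key = f"{prefix}.{k}" if prefix else str(k)
            out.update(flatten(v, key))
        return out
    return {prefix: cfg}


def config_diff(previous: dict, current: dict) -> list:
    """Compare a historical configuration against the current one.

    Returns (kind, path, old, new) tuples with kind in {'added', 'removed',
    'changed'}, sorted by path so the output is stable."""
    old, new = flatten(previous), flatten(current)
    diff = []
    for path in sorted(old.keys() | new.keys()):
        if path not in new:
            diff.append(("removed", path, old[path], None))
        elif path not in old:
            diff.append(("added", path, None, new[path]))
        elif old[path] != new[path]:
            diff.append(("changed", path, old[path], new[path]))
    return diff
```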

Configuration History

This page provides configuration histories for a resource. To open the Configuration History page, click View more. The link is available only if the resource has more than two configuration histories.

To compare two configurations, select their checkboxes and click the diff configurations icon.

The columns in the Configuration History table are described below.

  • Configuration: Click to view the configuration.
  • Start Time: Displays when data collection started.
  • End Time: Displays when data collection ended.