Skip to content
/ gcp-assessment-setup Public
forked from rolyv/gcp-assessment-setup

Give ScaleSec limited access to your GCP organization for a security assessment.

License

Apache-2.0 license
0 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

redlinejoes/gcp-assessment-setup

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

77 Commits

IMG

IMG

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

enable_service_apis.sh

enable_service_apis.sh

 
 

manage_security_assessment_role.sh

manage_security_assessment_role.sh

 
 

security_assessment_role.yaml

security_assessment_role.yaml

 
 

Repository files navigation

gcp-assessment-setup

Give ScaleSec limited access to your GCP organization for a security assessment.

scalesec-assessment@scalesec.com will be added with minimal privileges into your GCP organization.

Prerequisites

The following items are required for a successful setup.

Optional: Add the scalesec.com domain to the list of allowed domains:

If you have implemented the "Domain Restrited Sharing" Organization Policy, you will not be allowed to add a member from the scalesec.com domain without adding Scalesecs GCP customer ID to your Organization Policy.

To add ScaleSec to the allow list, following the instructions to set the domain restricted sharing organization policy

ScaleSecs GCP customer ID is C00lp9p1o

Setup instructions

  1. Open your Google Cloud console.
  2. Open Cloud Shell

Alt Text

  1. Clone this repositry and switch to its directory:
git clone https://github.com/ScaleSec/gcp-assessment-setup.git
cd gcp-assessment-setup/
  1. Edit the manage_security_assessment_role.sh and set the organization name:
ORG_NAME="example.com"

Note: other variables including the ROLE_ID, YAML_PATH, and GROUP should not be changed.

  1. Run the script to set permissions:
bash manage_security_assessment_role.sh create

From the Admin Console (https://admin.google.com):

The Service Account is required to have permission to impersonate a Super Admin in order to use the Directory API to test if all users have MFA enabled (CIS 1.2). This Service Account will have minimal permission scopes as laid out in Step 9.

Google Documentation around this subject is located here. The Customer will also need to provide the email address of the Super Admin to impersonate.

  1. Sign into the Admin Console with a Super User Account:

drawing

  1. Select Security --> Advanced Settings --> Manage API Client Access

drawing

  1. Input 101417956419715946363 into the Client Name Field. Add https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonlyto the API Scopes Field

drawing

Removing Access Instructions

  1. Run the script to remove permissions:
bash manage_security_assessment_role.sh delete
  1. Sign into the Admin Console with a Super User Account:

drawing

  1. Select Security --> Advanced Settings --> Manage API Client Access

drawing

  1. Select the "Remove" button for the appropriate Client Name

About

Give ScaleSec limited access to your GCP organization for a security assessment.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Shell 100.0%