Give ScaleSec limited access to your GCP organization for a security assessment.
scalesec-assessment@scalesec.com
will be added with minimal privileges into your GCP organization.
The following items are required for a successful setup.
- You must have the following IAM Roles on the Organization Level
- The gcloud SDK CLI
- The
jq
CLI utility for your chosen platform
If you have implemented the "Domain Restrited Sharing" Organization Policy, you will not be allowed to add a member from the scalesec.com domain without adding Scalesecs GCP customer ID to your Organization Policy.
To add ScaleSec to the allow list, following the instructions to set the domain restricted sharing organization policy
ScaleSecs GCP customer ID is C00lp9p1o
- Open your Google Cloud console.
- Open Cloud Shell
- Clone this repositry and switch to its directory:
git clone https://github.com/ScaleSec/gcp-assessment-setup.git
cd gcp-assessment-setup/
- Edit the
manage_security_assessment_role.sh
and set the organization name:
ORG_NAME="example.com"
Note: other variables including the ROLE_ID
, YAML_PATH
, and GROUP
should not be changed.
- Run the script to set permissions:
bash manage_security_assessment_role.sh create
From the Admin Console (https://admin.google.com):
The Service Account is required to have permission to impersonate a Super Admin in order to use the Directory API to test if all users have MFA enabled (CIS 1.2). This Service Account will have minimal permission scopes as laid out in Step 9.
Google Documentation around this subject is located here. The Customer will also need to provide the email address of the Super Admin to impersonate.
- Sign into the Admin Console with a
Super User
Account:
- Select Security --> Advanced Settings --> Manage API Client Access
- Input
101417956419715946363
into theClient Name
Field. Addhttps://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly
to the API Scopes Field
- Run the script to remove permissions:
bash manage_security_assessment_role.sh delete
- Sign into the Admin Console with a
Super User
Account:
- Select Security --> Advanced Settings --> Manage API Client Access
- Select the "Remove" button for the appropriate
Client Name