Aptible Comply Documentation

Description

Google Cloud Platform (GCP) is a cloud computing platform that provides access to technology services, such as infrastructure as a service and emerging technology services, on an as-needed basis.

Aptible integrates with GCP to give you governance over, and visibility into, the security of the container images stored in your project's Google Container Registry (GCR).

Benefits

Up-to-date asset inventory
Once you integrate your GCP project with Comply, Comply displays that project's Google Container Registry (GCR) assets, such as repositories and images. Comply keeps this inventory current by automatically updating and tagging the repositories and images in the "Container Registry" asset groups on each sync.

Automatic evidence collection
Comply will scan your GCP project settings and container registry contents to ensure that a wide range of security measures are correctly implemented (see the Automations table below for the full scope of what evidence is automatically collected).

Automated issue detection
When a Comply scan finds a configuration that contradicts common security practice, the Automation creates an issue. Issues can be tracked automatically and carry reminders to help expedite remediation.

Security

Comply's GCP integration uses a Comply-generated service account that you grant a narrow, explicitly listed set of read-only permissions (see the IAM Policy and APIs/Services section below). Comply calls only read-only GCP APIs with this service account and never writes anything back into your GCP project. One caveat worth knowing before you grant the custom role: storage.objects.list bound at the project level lets the service account list object names and metadata in every Cloud Storage bucket in the project, not only the buckets that back GCR; it does not allow reading object contents, which would require storage.objects.get.

Automations

Automation: Container Vulnerability Scanning
Service: GCR
Description: Checks whether Container Scanning is enabled on the GCP project.
Returns: Comply creates an issue if Container Scanning is not enabled on the GCP project.
Framework Mappings:
  ISO 27001:2013: A.12.6.1
  SOC 2: CC7.1
  PCI DSS: 11.2.1, 11.2.2, 11.2.3, 6.1
  NIST Cybersecurity Framework v1.1: DE.CM-8, PR.IP-12
  FedRAMP: RA-5, RA-5 (3), RA-5 (5)

Automation: Container Image Vulnerability Scan
Service: GCR
Description: Checks whether the latest container image in each container repository has been discovered by a container scanner.
Returns: Comply creates an issue if the latest container image in a repository was not discovered by a container scanner.
Framework Mappings:
  ISO 27001:2013: A.12.6.1
  SOC 2: CC7.1
  PCI DSS: 11.2.1, 11.2.2, 11.2.3, 6.1
  NIST Cybersecurity Framework v1.1: DE.CM-8, PR.IP-12
  FedRAMP: RA-5, RA-5 (3), RA-5 (5)

Events

  • Container Vuln Scan Enabled - Vulnerability scanning is enabled on the GCP project (the Container Scanning API is enabled).
  • Container Vuln Scan Disabled - Vulnerability scanning is disabled on the GCP project (the Container Scanning API is disabled).
  • Container Vuln Scan Discovered - The latest container image in a container repository was discovered by the container scanner.
  • Container Vuln Scan Not Discovered - The latest container image in a container repository was not discovered by the container scanner.

Setup

  1. Navigate to the Integrations Configuration section: Automations > Integration Configuration
  2. Click Add Integration, and select GCP. Enter a unique name for the integration and the GCP project ID.
  3. Follow the instructions in the Comply app to create a new custom IAM role in the GCP console for the project you specified. This role grants the Comply-generated service account read-only access to that project.
    a. Log into the GCP IAM console and select the project ID.
    b. APIs & Services > verify that the following APIs are enabled on the project, enabling them as needed:
       Container Registry API
       Container Analysis API
       Resource Manager API
    c. Roles > Create a new custom IAM role. Title it something like "Comply GCP Viewer", set "Role launch stage" to "General Availability", and add the following permissions:
       containeranalysis.occurrences.list
       resourcemanager.projects.get
       storage.objects.list
    d. IAM > Add member. Use the Comply-generated service account email from the Comply integration page as the member. Grant it the custom "Comply GCP Viewer" role and the Google predefined "Service Usage Viewer" role.
  4. In the Comply app, continue through the remaining integration setup steps to test and sync the GCP integration.

IAM Policy and APIs/Services

Summary of permissions required for the Comply-generated service account:

Custom Role ("Comply GCP Viewer")
  containeranalysis.occurrences.list - Read container image vulnerability data
  resourcemanager.projects.get - Read metadata for the GCP project
  storage.objects.list - List container repositories and images (GCR stores image layers in Cloud Storage buckets)

Service Usage Viewer (predefined by Google)
  serviceusage.services.list - Determine whether specific GCP services are enabled
  Note: The underlying permission Comply requires is serviceusage.services.list. Google still marks that permission as "testing", so it is more stable to attach the predefined "Service Usage Viewer" role to the Aptible service account than to add the permission to the custom role.

Summary of APIs/Services that must be enabled:

  Container Analysis API - Read container image vulnerability scan results
  Container Registry API - Read metadata for your Google Container Registry
  Resource Manager API - Read metadata describing your GCP project

Troubleshooting

Common integration set-up issues include:

  1. Not granting all of the required permissions, or not enabling all of the required APIs. [Fix: Verify that the service account was granted access in the correct project, that both the custom role (with all three permissions) and the Service Usage Viewer role are bound to the integration-specific service account, and that the three APIs listed above are enabled in your GCP project.]

If you receive an error message when trying to sync your integration, check the items above and contact [email protected] if the problem persists.
