PERMISSION REQUIRED FROM CLIENTS
Detection (Read-Only):
Permissions Granted to CloudDefense.AI:
roles/viewer
roles/pubsub.publisher
roles/cloudfunctions.admin
roles/run.invoker
Permissions Granted to Cloud Function:
roles/viewer
Detection and Enforcement In-network:
Permissions Granted to CloudDefense.AI:
roles/viewer
roles/pubsub.publisher
roles/cloudfunctions.admin
roles/run.invoker
Permissions Granted to Cloud Function (created in Customer Environment):
roles/editor
roles/iam.securityAdmin
Note: enforcement mode grants broad rights to the function that runs inside your own project. roles/editor is a basic role spanning most Google Cloud services, and roles/iam.securityAdmin allows the holder to change IAM policies. Review the bindings the setup script creates before enabling enforcement.
STEPS TO ONBOARD GCP ACCOUNT
STEP 1: LOG IN
Log in to the Cloud Security portal using your credentials: https://acs-us.clouddefenseai.com/
After logging in, click on the sidebar menu and open "Management" -> "Onboard Accounts" -> "Add New Account"
Click on "GCP"
STEP 2: CHOOSE THE NUMBER OF GCP PROJECTS YOU HAVE.
Choose your preferred account option (Single GCP or Multiple GCP Projects)
Click “Next”
Enter the GCP Project ID (or IDs) that you would like to onboard.
Click “Verify”
STEP 3: BASIC INFORMATION
Assign a Name for your Account
Add Labels to categorize each account if you have multiple accounts
Click “Next”
STEP 4: BUSINESS UNIT
Choose a Business Unit assigned to you by your admin.
Or, create a new Business Unit based on your preference.
Click “Next”
STEP 5: PERMISSIONS
This is where you decide on the permission level. Under "Detection Permissions", choose one of the radio button options:
Detection (Read-Only)
Detection and Enforcement In-network
STEP 6: VERIFY PROJECT
Verify the project ID you specified before.
Click “Next”
STEP 7: GET CREDENTIALS
Follow the steps below to upload and execute the setup script using Cloud Shell in your Google Cloud environment.
Download the Setup Script
Download the following file to your local machine:
GCP_example_cloudShield.sh
Open Google Cloud Console
Navigate to Google Cloud Console.
Click on the “Cloud Shell“ icon located in the top-right corner.
The Cloud Shell Editor will open at the bottom of the screen.
Upload the Script File
In the Cloud Shell Editor, ensure the Bash terminal is selected.
Click on the “Manage files“ (folder) icon.
Select the “Upload“ option and upload the downloaded GCP_example_cloudShield.sh file.
The file will open in the editor automatically after upload.
Press Ctrl + S to save the file.
Keep the default file location and click OK.
Alternatively, use the three-dot menu on the file tab to manage uploads.
Authenticate with Google Cloud
In the terminal, enter the following command:
Follow the instructions in the terminal to complete the login process.
A login URL will be provided—click the link and authenticate using your Google account.
Even if already logged in, it is recommended to complete this step to ensure proper access.
Set the Project ID
Set the active GCP project to connect to CloudDefense.AI:
Execute the Script
Run the uploaded setup script using the following command:
Copy the Service Account Email
At the end of the script execution, the service account email address for the client base project is printed.
Copy the email address displayed in the terminal.
STEP 8: CONNECT
Paste the Service Account Email
Return to the CloudDefense.AI setup interface.
Paste the service account email address into the provided input field.
Click “Connect Project“ to proceed.
RESOURCE SET CREATED ON CLIENT SIDE
Service Account:
cd-cnapp-account@cloudshield-testing.iam.gserviceaccount.com
cd-cloud-shield-remediation@cloudshield-testing.iam.gserviceaccount.com
CloudRun:
cdremediation
Log Router Sinks:
cd-cloud-shield-logging-event-sink
PubSub:
topic cd-cloud-shield-logging-event
subscription cd-cloud-shield-logging-event-subscription
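After connecting the project, a practitioner will want to confirm that the project's IAM policy grants the created service accounts only the roles listed under "Permission required from clients" for the chosen mode, and nothing more. The following is an added example, not CloudDefense.AI code and not part of the setup script. It assumes that the cd-cloud-shield-remediation service account from the resource set above is the account the permissions table calls the "Cloud Function" (an assumption; adjust the member name if your script output differs), and it runs on a constructed policy document in the shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`.

```python
"""Audit onboarded-project IAM bindings against the documented role sets.

Added example (not CloudDefense.AI code). The policy below is constructed
for the example; in practice load the JSON output of
`gcloud projects get-iam-policy PROJECT_ID --format=json`.
"""
import json

# Roles the onboarding page documents for the Cloud Function account, per mode.
EXPECTED_FUNCTION_ROLES = {
    "detection": {"roles/viewer"},
    "enforcement": {"roles/editor", "roles/iam.securityAdmin"},
}

# Assumed mapping (not stated on the page): the remediation account is the
# "Cloud Function (created in Customer Environment)" account.
REMEDIATION_SA = ("serviceAccount:cd-cloud-shield-remediation"
                  "@cloudshield-testing.iam.gserviceaccount.com")
CNAPP_SA = ("serviceAccount:cd-cnapp-account"
            "@cloudshield-testing.iam.gserviceaccount.com")

# Constructed sample policy: the remediation account has been given an extra
# roles/owner binding that the onboarding page does not document.
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "etag": "BwXexampleEtag=",
  "bindings": [
    {"role": "roles/viewer",
     "members": ["serviceAccount:cd-cnapp-account@cloudshield-testing.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:cd-cloud-shield-remediation@cloudshield-testing.iam.gserviceaccount.com"]},
    {"role": "roles/iam.securityAdmin",
     "members": ["serviceAccount:cd-cloud-shield-remediation@cloudshield-testing.iam.gserviceaccount.com"]},
    {"role": "roles/owner",
     "members": ["user:admin@example.com",
                 "serviceAccount:cd-cloud-shield-remediation@cloudshield-testing.iam.gserviceaccount.com"]}
  ]
}
""")


def roles_for_member(policy, member):
    """Return the set of roles bound to `member` in an IAM policy dict.

    Conditional bindings (those carrying a "condition" key) are counted as
    grants too: for an excess-privilege audit it is safer to over-report.
    """
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit_member(policy, member, expected_roles):
    """Compare actual roles for `member` with the documented set.

    Returns (missing, excess) as sorted lists; both empty means exact match.
    """
    actual = roles_for_member(policy, member)
    return sorted(expected_roles - actual), sorted(actual - expected_roles)


def audit_function_account(policy, mode, function_sa=REMEDIATION_SA):
    """Audit the Cloud Function account for 'detection' or 'enforcement'."""
    return audit_member(policy, function_sa, EXPECTED_FUNCTION_ROLES[mode])


if __name__ == "__main__":
    for mode in ("detection", "enforcement"):
        missing, excess = audit_function_account(SAMPLE_POLICY, mode)
        print(f"[{mode}] missing={missing} excess={excess}")
    # Running against the sample policy reports roles/owner as an excess
    # grant in enforcement mode, and editor/securityAdmin/owner in
    # detection mode, where only roles/viewer is documented.
```

To audit a real project, replace SAMPLE_POLICY with `json.load(open("policy.json"))` after saving the gcloud output to that file; any non-empty "excess" list is a binding the setup script should not have created and warrants a follow-up before enforcement is switched on.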