gcp-assessment-setup

Give ScaleSec limited access to your GCP organization for a security assessment.

scalesec-assessment@scalesec.com will be added with minimal privileges into your GCP organization.

Prerequisites

The following items are required for a successful setup.

• You must have the following IAM Roles on the Organization Level
  • Organization Role Admin
  • Organization Admin
• The gcloud SDK CLI
• The jq CLI utility for your chosen platform

Optional: Add the scalesec.com domain to the list of allowed domains:

If you have implemented the "Domain Restrited Sharing" Organization Policy, you will not be allowed to add a member from the scalesec.com domain without adding Scalesecs GCP customer ID to your Organization Policy.

To add ScaleSec to the allow list, following the instructions to set the domain restricted sharing organization policy

ScaleSecs GCP customer ID is C00lp9p1o

Setup instructions

1. Open your Google Cloud console.
2. Open Cloud Shell

3. Clone this repositry and switch to its directory:

git clone https://github.com/ScaleSec/gcp-assessment-setup.git
cd gcp-assessment-setup/

4. Edit the manage_security_assessment_role.sh and set the organization name:

ORG_NAME="example.com"

Note: other variables including the ROLE_ID, YAML_PATH, and GROUP should not be changed.

5. Run the script to set permissions:

bash manage_security_assessment_role.sh create

From the Admin Console (https://admin.google.com):

The Service Account is required to have permission to impersonate a Super Admin in order to use the Directory API to test if all users have MFA enabled (CIS 1.2). This Service Account will have minimal permission scopes as laid out in Step 9.

Google Documentation around this subject is located here. The Customer will also need to provide the email address of the Super Admin to impersonate.

7. Sign into the Admin Console with a Super User Account:

8. Select Security --> Advanced Settings --> Manage API Client Access

9. Input 101417956419715946363 into the Client Name Field. Add https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonlyto the API Scopes Field

Removing Access Instructions

1. Run the script to remove permissions:

bash manage_security_assessment_role.sh delete

2. Sign into the Admin Console with a Super User Account:

3. Select Security --> Advanced Settings --> Manage API Client Access

4. Select the "Remove" button for the appropriate Client Name