The Lacework integration script is run as a Docker container. To complete the integration, you will need access to a Docker environment and the Docker CLI.
To activate Lacework for GCP from the Lacework UI, select Integrations >> GCP Config and click the [+ ADD INTEGRATION] button.
Lacework will create a service account with permission at the organization or project level to audit your GCP resources. To create the Lacework service account, you will need an existing service account with a service account key. If you don’t have one, you will have to create one.
Requirements
Organization Integration
- A service account with the following roles at the organization level, which will be used to create the Lacework service account:
  - roles/owner
  - roles/resourcemanager.organizationAdmin
- A service account key (.json file) for the above service account
- The following APIs enabled in each project in the organization to be integrated:
  - Identity and Access Management (IAM) API
  - Cloud Resource Manager API
When created, the Lacework service account will have the following permissions at the organization level:
- roles/viewer - permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data
- roles/iam.securityReviewer - provides permissions to list all resources and Cloud IAM policies on them
- roles/resourcemanager.organizationViewer - provides access to view an organization
Project Integration
- A service account with the following roles at the project level, which will be used to create the Lacework service account:
  - roles/owner
- A service account key (.json file) for the above service account
- The following APIs enabled in the project to be integrated:
  - Identity and Access Management (IAM) API
  - Cloud Resource Manager API
When created, the Lacework service account will have the following permissions at the project level:
- roles/viewer - permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data
- roles/iam.securityReviewer - provides permissions to list all resources and Cloud IAM policies on them
For more information about GCP roles, please see Cloud Identity and Access Management - Understanding Roles.
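One way to verify after the integration that the Lacework service account holds exactly the read-only roles listed above and nothing broader. This is an added example, not part of the Lacework script or its documentation; it assumes the policy is the JSON printed by gcloud projects get-iam-policy or gcloud organizations get-iam-policy, and the sample policy and member emails are constructed for illustration.

```python
import json
import sys

# Roles the Lacework service account is given at the organization level
# (from the Requirements section); at the project level only two apply.
EXPECTED_ORG_ROLES = {
    "roles/viewer",
    "roles/iam.securityReviewer",
    "roles/resourcemanager.organizationViewer",
}
EXPECTED_PROJECT_ROLES = {"roles/viewer", "roles/iam.securityReviewer"}


def audit_lacework_bindings(policy, sa_email, expected_roles):
    """Return (extra_roles, missing_roles) for the given service account.

    `policy` is a dict shaped like `gcloud projects get-iam-policy
    PROJECT_ID --format=json` (or the organizations equivalent).
    Extra roles mean the account is broader than the integration needs.
    """
    member = f"serviceAccount:{sa_email}"
    granted = {
        b["role"]
        for b in policy.get("bindings", [])
        if member in b.get("members", [])
    }
    return sorted(granted - expected_roles), sorted(expected_roles - granted)


# Constructed sample policy (not real gcloud output): the Lacework account
# holds the two expected read-only roles plus roles/editor, which the
# integration never grants and which would allow changes to resources.
LACEWORK_SA = "lacework-cfg-sa@project-id-938457.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/viewer", "members": [f"serviceAccount:{LACEWORK_SA}"]},
        {"role": "roles/iam.securityReviewer",
         "members": [f"serviceAccount:{LACEWORK_SA}", "user:auditor@example.com"]},
        {"role": "roles/editor", "members": [f"serviceAccount:{LACEWORK_SA}"]},
    ]
}

if __name__ == "__main__":
    # Pass a policy JSON file as argv[1] to audit a real project; otherwise
    # the constructed sample above is used.
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    extra, missing = audit_lacework_bindings(policy, LACEWORK_SA, EXPECTED_PROJECT_ROLES)
    print("unexpected roles:", extra)    # ['roles/editor'] for the sample
    print("missing roles:", missing)     # [] for the sample
```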
Script Operation
When launched, the script will ask you to choose whether you want to integrate an organization or an individual project:
What do you want to integrate (ORGANIZATION/PROJECT):
After typing 'ORGANIZATION' or 'PROJECT', you will be prompted to enter the associated ID.
Enter your PROJECT Id :
Enter your ORGANIZATION Id :
If integrating at the organization level, you will then be asked to choose a project in which to create the Lacework service account.
Projects
+-----+---------------------+------------------+
| No. | Project Id          | Project Name     |
+-----+---------------------+------------------+
| 1   | project-id          | My First Project |
+-----+---------------------+------------------+
Enter the projectId where you want to create the Service Account: 1
After you choose a project (or immediately, if integrating a single project), the script lists the APIs that will be used by Lacework and asks for confirmation.
APIs to be enabled
+-----+-------------------------------------+
| No. | API                                 |
+-----+-------------------------------------+
| 1   | iam.googleapis.com                  |
| 2   | cloudkms.googleapis.com             |
| 3   | cloudresourcemanager.googleapis.com |
| 4   | compute.googleapis.com              |
| 5   | dns.googleapis.com                  |
| 6   | monitoring.googleapis.com           |
| 7   | logging.googleapis.com              |
| 8   | storage-component.googleapis.com    |
+-----+-------------------------------------+
Projects
+-----+---------------------+------------------+
| No. | Project Id          | Project Name     |
+-----+---------------------+------------------+
| 1   | sharp-matter-228919 | My First Project |
+-----+---------------------+------------------+
Do You want to enable APIs in the projects(yes/no):
After confirming the APIs, the script lists the roles that will be used by Lacework and asks for confirmation.
Roles Required
+-----+------------------------------------------+
| No. | Role                                     |
+-----+------------------------------------------+
| 1   | roles/resourcemanager.organizationViewer |
| 2   | roles/viewer                             |
+-----+------------------------------------------+
Do you want to modify ORGANIZATION IAM Policy(yes/no):
Roles Required
+-----+--------------+
| No. | Role         |
+-----+--------------+
| 1   | roles/viewer |
+-----+--------------+
Do you want to modify PROJECT IAM Policy(yes/no):
The script will then display your choice and ask for additional confirmation.
Modify ORGANIZATION IAM Policy
True
----------------------------------------
Do You Want to continue(yes/no):
The script will then finish and output the integration data needed to complete the integration in the Lacework UI.
Id Type
PROJECT
Id
project-id-938457
Client Email
lacework-cfg-sa@project-id-938457.iam.gserviceaccount.com
Client Id
034728346290337494836
Private Key Id
65ab34c6987dcc83d345ca03d4823aa7b42136c6
Private Key
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
Running the Script
From the Docker CLI, enter:
docker run -it -v '/path/to/service_account_key.json:/home/gcp-cfg-cli/client/sa_credentials.json' lacework/gcp-cfg-cli:latest --mode interactive
Here /path/to/service_account_key.json is the path to the service account key (.json file) of the service account you are using to create the Lacework service account.
When the script completes, the Docker container will exit. To finish the integration copy the script output into the fields in the Lacework UI and click the [Save] button.