To install Lacework for GCP Compliance, you must be a Lacework administrator and have access to a GCP service account and credentials. Lacework provides both a Docker container and a Python script to help configure a Lacework service account in GCP.
The focus of this article is Lacework-GCP integration using a Docker container.
Lacework will create a GCP service account with permission at the organization or project level to audit your GCP resources. To create the Lacework service account (Lacework SA Audit), you must have an existing service account with permissions as described below and a service account key. If you don’t have an existing service account, you must create one. For help with creating a service account with the correct permissions, see Creating a GCP Service Account
Requirements
Docker
- Docker Desktop (Mac or Windows)
Organization Integration
- A service account, which will be used to create the Lacework SA Audit service account, with the following roles at the organization level:
- roles/owner
- roles/resourcemanager.organizationAdmin
- A service account key (.json file) for the service account
- The following APIs enabled in each project to be integrated:
- Identity and Access Management (IAM) API
- Cloud Resource Manager API
After creation, the Lacework SA Audit service account will have the following permissions at the organization level:
- roles/viewer - permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data
- roles/iam.securityReviewer - provides permissions to list all resources and Cloud IAM policies on them
- roles/resourcemanager.organizationViewer - provides access to view an organization
Project Integration
- A service account, which will be used to create the Lacework SA Audit service account, with the following roles at the organization level:
- roles/owner
- A service account key (.json file) for the service account
- The following APIs enabled in the project to be integrated:
- Identity and Access Management (IAM) API
- Cloud Resource Manager API
After creation, the Lacework SA Audit service account will have the following permissions at the project level:
- roles/viewer - permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data
- roles/iam.securityReviewer - provides permissions to list all resources and Cloud IAM policies on them
For more information about GCP roles, please see Cloud Identity and Access Management - Understanding Roles.
Script Operation
After issuing the Docker run command, the script prompts you to choose between integrating an organization or an individual project:
What do you want to integrate (ORGANIZATION/PROJECT):
After typing 'ORGANIZATION' or 'PROJECT', the script prompts you to enter the appropriate ID.
Enter your PROJECT Id :
Enter your ORGANIZATION Id :
If integrating at the organization level, you are prompted to choose a project where the Lacework SA Audit service account will be created.
Projects
+-----+---------------------+------------------+
| No. | Project Id | Project Name |
+-----+---------------------+------------------+
| 1 | project-id | My First Project |
+-----+---------------------+------------------+
Enter the projectId where you want to create the Service Account: 1
After choosing a project or if integrating a single project, the script lists the APIs that will be enabled and used. Enter 'Yes' if you want the script to enable the APIs.
APIs to be enabled
+-----+-------------------------------------+
| No. | API |
+-----+-------------------------------------+
| 1 | iam.googleapis.com |
| 2 | cloudkms.googleapis.com |
| 3 | cloudresourcemanager.googleapis.com |
| 4 | compute.googleapis.com |
| 5 | dns.googleapis.com |
| 6 | monitoring.googleapis.com |
| 7 | logging.googleapis.com. |
| 8 | storage-component.googleapis.com |
+-----+-------------------------------------+ Projects
+-----+---------------------+------------------+
| No. | Project Id | Project Name |
+-----+---------------------+------------------+
| 1 | sharp-matter-228919 | My First Project |
+-----+---------------------+------------------+
Do You want to enable APIs in the projects(yes/no):
After confirming the APIs, the script lists the roles that will be assigned to the Lacework SA Audit service account and prompts for confirmation.
Organization Integration
Roles Required
+-----+------------------------------------------+
| No. | Role |
+-----+------------------------------------------+
| 1 | roles/resourcemanager.organizationViewer |
| 2 | roles/viewer |
+-----+------------------------------------------+
Do you want to modify ORGANIZATION IAM Policy(yes/no):
Project Integration
Roles Required
+-----+--------------+
| No. | Role |
+-----+--------------+
| 1 | roles/viewer |
+-----+--------------+
Do you want to modify PROJECT IAM Policy(yes/no):
The script displays your choice and prompts for additional confirmation
Modify ORGANIZATION IAM Policy
True
---------------------------------------- Do You Want to continue(yes/no):
The script finishes and outputs the data required to complete the integration in the Lacework UI.
Id Type
PROJECT
Id
project-id-938457
Client Email
lacework-cfg-sa@project-id-938457.iam.gserviceaccount.com
Client Id
034728346290337494836
Private Key Id
65ab34c6987dcc83d345ca03d4823aa7b42136c6
Private Key
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
Running the Script
To run the script, you must have the path to your credentials file. After you have the path, issue the docker run command :
docker run -it -v '/path/to/service_account_key.json:/home/gcp-cfg-cli/client/sa_credentials.json' lacework/gcp-cfg-cli:latest --mode interactive
- /path/to/service_account_key.json is the path to the service_account_key that you are using to create the Lacework SA Audit service account
After the script completes, the Docker container exits. The script outputs values that are required to complete the integration in the Lacework UI.
Completing the Integration
From the Lacework UI, select Integrations > GCP and click + ADD INTEGRATION. Copy the script output into the matching fields in the Lacework UI and click Save.