GCP Compliance Integration - Manually using the GCP Console

This topic describes how to configure a Lacework GCP compliance integration manually using the GCP Console and the Lacework Console.

GCP Project

When integrating at an Organization level, it is recommended that a project is created specifically for Lacework resources.

When integrating at a Project level, all required resources for Lacework may be provisioned within the project being integrated.

The Project being used must have billing enabled.

Create a GCP Service Account and Grant Access

Follow the procedure provided in Create a GCP Service Account and Grant Access.

Enable the Required GCP APIs

When you manually create a GCP compliance integration, you must enable APIs for the GCP projects you want to integrate with. Follow the procedure provided in Enable the Required GCP APIs.

Create the GCP Compliance Integration on the Lacework Console

When creating the GCP integration, you can either upload GCP credentials or enter all information manually. Finish creating the integration in the Lacework Console by following the steps described in one of the following sections.

Upload GCP Credentials

1. Log in to the Lacework Console.
2. Navigate to Settings > Integrations > Cloud Accounts.
3. Click + Create New.
4. Select GCP and Config and click Next.
5. Enter a unique name for the integration and click Next.

6. In the Upload GCP Credential field, click Choose File and navigate to the JSON key file downloaded when you created the GCP Service Account.
   This populates the credential fields.

7. From the Integration Level drop-down, select Organization or Project. Select Organization if integrating at the organization level. Select Project if integrating at the project level.

8. Copy the appropriate ID value for your integration type:

   1. If integrating at the project level, copy the value of the project_id property from the JSON file into the Org/Project ID field of the Lacework Console.
   2. If integrating at the organization level, log in to the GCP console. Click the down arrow in the top menu bar. From the Select from the drop-down, select an organization that contains the GCP project(s) that you want the integration to monitor. Select IAM & admin > Settings and copy the number from the Organization ID field and paste the value into the Org/Project ID field of the Lacework Console.
      

9. Click Save. A new integration displays in Cloud Accounts.

10. When the integration is complete and successful, the status changes to Integration Successful.

For the “Integration Pending” status, hover over the status text and click the refresh icon to fetch the status result again. This does not retest the integration.

Enter Information Manually

Entering information manually requires a system with the jq utility installed. The jq utility is a flexible command-line JSON processor. For more information, see https://stedolan.github.io/jq/.

1. Verify that the jq (command-line JSON processor) utility is available from your command-line shell. Leave this command-line window open.

     $ jq      

2. If the jq utility is found, skip to the next step. If the jq utility is not installed or not listed in your PATH, install it (https://stedolan.github.io/jq/ and verify that the path to the utility is listed in your PATH environment variable. The jq utility is required for some steps in the following procedure.

3. Locate the JSON key file downloaded when you created the GCP Service Account.

4. Open the file in an editor and leave it open.
5. Log in to the Lacework Console.
6. Navigate to Settings > Integrations > Cloud Accounts.
7. Click + Create New.
8. Select GCP and Config and click Next.
9. Enter a unique name for the integration and click Next.
10. Copy the value of the client_id property from the JSON file and paste the value into the Client ID field of the Lacework Console.
11. Copy the value of the private_key_id property from the JSON file and paste the value into the Private Key ID field of the Lacework Console.
12. Copy the value of the client_email property from the JSON file and paste the value into the Client Email field of the Lacework Console.
13. Exit the editor.
14. You cannot just copy the private key from the editor because of an issue with copying the new line characters. You must copy a raw version of the key using the “jq” utility as described in the following steps.

15. To view the raw text of the private key, enter the following command, where YourFileName.json is the name of the file downloaded when you created the GCP Service Account.

      $ cat YourFileName.json  | jq -r '.private_key'      

16. Copy all text displayed in the output including the Begin and End lines.

      -----BEGIN PRIVATE KEY-----
      YourKeyInfo
      -----END PRIVATE KEY-----      

17. Paste the text into the Private Key field of the Lacework Console.

18. From the Integration Level drop-down, select Organization or Project. Select Organization if integrating at the organization level. Select Project if integrating at the project level.

19. Copy the appropriate ID value for your integration type:

    1. If integrating at the project level, copy the value of the project_id property from the JSON file into the Org/Project ID field of the Lacework Console.
    2. If integrating at the organization level, log in to the GCP console. Click the down arrow in the top menu bar. From the Select from the drop-down, select an organization that contains the GCP project(s) that you want the integration to monitor. Select IAM & admin > Settings and copy the number from the Organization ID field and paste the value into the Org/Project ID field of the Lacework Console.
       

20. Click Save. A new integration displays in Cloud Accounts.

21. When the integration is complete and successful, the status changes to Integration Successful.