First, you need to create a Google Cloud Platform service account. You can do that from the Google Cloud Platform console by selecting your project and going to the IAM & Admin section, Service accounts menu, Keys tab. You will then be able to create a new JSON key.
Next, you need to assign the Security Reviewer and Viewer roles to the service account you just created, so that it has sufficient permissions to list your assets.
Finally, to store the key in Cyberwatch, open the Stored credentials menu from the sidebar, then click Add. Select type Google Cloud Platform and fill in the form using your JSON key.
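Before storing the key, it is worth checking that the service account holds exactly the two roles above and nothing broader. The following is an added example, not part of Cyberwatch or of the original page: it compares a key file with a project IAM policy exported as JSON, using the role IDs `roles/iam.securityReviewer` and `roles/viewer`. The account name, project and policy below are constructed sample data, and only bindings set on the project itself are checked (roles inherited from a folder or organization do not appear in that export).

```python
import json

# Role IDs for the two roles the page names: Security Reviewer and Viewer.
REQUIRED_ROLES = {"roles/iam.securityReviewer", "roles/viewer"}


def audit_service_account(key_json: str, policy_json: str) -> dict:
    """Compare the project-level roles of the key's service account
    with the two roles the discovery needs."""
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key file")
    member = "serviceAccount:" + key["client_email"]

    granted, conditional = set(), set()
    for binding in json.loads(policy_json).get("bindings", []):
        if member not in binding.get("members", []):
            continue
        # A binding with a condition only applies when the condition holds,
        # so it is reported separately instead of counted as granted.
        (conditional if "condition" in binding else granted).add(binding["role"])

    return {
        "member": member,
        "missing": sorted(REQUIRED_ROLES - granted),
        "excess": sorted(granted - REQUIRED_ROLES),
        "conditional": sorted(conditional),
    }


# Constructed sample input: a key file with the private key left out and
# a policy in the layout printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SA = "cyberwatch-discovery@example-project.iam.gserviceaccount.com"
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "client_email": SA,
})
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/viewer", "members": ["serviceAccount:" + SA]},
    {"role": "roles/editor",
     "members": ["user:admin@example.com", "serviceAccount:" + SA]},
    {"role": "roles/iam.securityReviewer", "members": ["user:admin@example.com"]},
]})

if __name__ == "__main__":
    print(json.dumps(audit_service_account(SAMPLE_KEY, SAMPLE_POLICY), indent=2))
```

An empty `missing` list and an empty `excess` list mean the account matches the two roles required for discovery; any entry in `excess` is a role to remove before the key is stored.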
- From Discoveries, click Add. Click Google Cloud Platform in the Cloud infrastructure category.
- Enter the name of the scan.
- Optionally, select groups that will be assigned to the scan.
- Choose the source of the scan (the Cyberwatch machine that will run the operation).
- Using the Credentials selector, pick the Google Cloud Platform account registered in previous steps.
- Select the discovery mode in order to choose which information will be used to list the discovered assets.
- Choose a recurrence. The default value 0 days means the scan will be launched only once.
- Optional - Select an agentless mode connection credential.
- Click Confirm.
Once created, the discovery starts immediately as a background task. You can check the state of the task at any time from Discoveries.
Google Cloud Platform discoveries try to scan all the projects accessible by the service account. If it does not have the capability to list them, the discovery will scan only the default project.
To work correctly, the Cloud Resource Manager API must be enabled on all the projects accessible by the service account. This can be done from the Google Cloud Platform console, menu API & Services, submenu Library.
The execution log of the discovery, accessible from its details page, shows whether an error occurred while browsing the projects.