Google Cloud Provider (GCP)
The RegScale CLI integrates with Google Cloud Platform to synchronize assets, security findings, and compliance data from GCP Security Command Center (SCC) into RegScale for continuous monitoring and compliance automation.
Overview
This integration enables:
- Asset Synchronization: Import GCP resources as RegScale assets
- Findings Synchronization: Import SCC security findings as RegScale issues
- Compliance Automation: Map SCC findings to compliance controls (NIST 800-53, FedRAMP, CIS, PCI-DSS, SOC2)
- Evidence Collection: Automated evidence gathering for audit trails
- Inventory Export: Export GCP resource inventory for analysis
Prerequisites
- Active GCP account with appropriate permissions
- GCP project with Security Command Center enabled
- Service account with required IAM roles
- RegScale CLI installed and configured (
regscale init)
Setup
Step 1: Create a GCP Project (if needed)
- Navigate to the GCP Console
- Click the project dropdown and select New Project
- Enter a project name and click Create
Step 2: Enable Required APIs
Core APIs (Required)
# Security Command Center API - Required for findings and compliance
gcloud services enable securitycenter.googleapis.com
# Cloud Asset API - Required for asset inventory
gcloud services enable cloudasset.googleapis.com
# Resource Manager API - Required for project/org metadata
gcloud services enable cloudresourcemanager.googleapis.com
Optional APIs (based on inventory scope)
Enable these APIs to collect inventory for specific resource types:
# Compute resources
gcloud services enable compute.googleapis.com
gcloud services enable container.googleapis.com
gcloud services enable run.googleapis.com
gcloud services enable cloudfunctions.googleapis.com
gcloud services enable appengine.googleapis.com
# Storage & Database
gcloud services enable storage.googleapis.com
gcloud services enable sqladmin.googleapis.com
gcloud services enable spanner.googleapis.com
gcloud services enable bigtable.googleapis.com
gcloud services enable firestore.googleapis.com
gcloud services enable redis.googleapis.com
# Security & Compliance
gcloud services enable iam.googleapis.com
gcloud services enable cloudkms.googleapis.com
gcloud services enable logging.googleapis.com
# Networking
gcloud services enable dns.googleapis.com
Step 3: Create a Service Account
- Navigate to IAM & Admin > Service Accounts in the GCP Console
- Click Create Service Account
- Enter a name (e.g.,
regscale-integration) and description - Click Create and Continue
- Assign the required roles (see Required IAM Permissions)
- Click Done
Step 4: Generate Service Account Key
- Click on the newly created service account
- Navigate to the Keys tab
- Click Add Key > Create new key
- Select JSON format
- Click Create to download the key file
- Store the key file securely (do not commit to version control)
Required IAM Permissions
Minimum Required Roles
These roles are required for basic functionality:
| Role | Purpose | Required For |
|---|---|---|
roles/securitycenter.findingsViewer | View Security Command Center findings | sync_findings, sync_compliance |
roles/securitycenter.sourcesViewer | View SCC sources and compliance posture | sync_compliance, collect_evidence |
roles/cloudasset.viewer | View Cloud Asset Inventory | sync_assets, inventory |
Optional Roles (for comprehensive inventory)
These roles provide access to additional resource details:
| Role | Purpose |
|---|---|
roles/iam.securityReviewer | IAM policies, service accounts, and roles |
roles/logging.viewer | Log sinks, metrics, and audit logs |
roles/cloudkms.viewer | KMS key rings and crypto keys |
roles/compute.viewer | Compute Engine instances, disks, networks |
roles/storage.objectViewer | Cloud Storage bucket metadata |
roles/container.viewer | GKE clusters and node pools |
Granting Permissions
Organization-Level (Recommended for full visibility)
Organization-level permissions provide visibility across all projects:
# Set variables
SERVICE_ACCOUNT="regscale-integration@YOUR_PROJECT.iam.gserviceaccount.com"
ORG_ID="123456789012" # Your numeric organization ID
# Grant required roles
gcloud organizations add-iam-policy-binding $ORG_ID \
--member="serviceAccount:$SERVICE_ACCOUNT" \
--role="roles/securitycenter.findingsViewer"
gcloud organizations add-iam-policy-binding $ORG_ID \
--member="serviceAccount:$SERVICE_ACCOUNT" \
--role="roles/securitycenter.sourcesViewer"
gcloud organizations add-iam-policy-binding $ORG_ID \
--member="serviceAccount:$SERVICE_ACCOUNT" \
--role="roles/cloudasset.viewer"
# Optional: Additional roles for comprehensive inventory
gcloud organizations add-iam-policy-binding $ORG_ID \
--member="serviceAccount:$SERVICE_ACCOUNT" \
--role="roles/iam.securityReviewer"
gcloud organizations add-iam-policy-binding $ORG_ID \
--member="serviceAccount:$SERVICE_ACCOUNT" \
--role="roles/logging.viewer"
Project-Level
For single-project scanning:
# Set variables
SERVICE_ACCOUNT="regscale-integration@YOUR_PROJECT.iam.gserviceaccount.com"
PROJECT_ID="my-gcp-project"
# Grant required roles
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member="serviceAccount:$SERVICE_ACCOUNT" \
--role="roles/securitycenter.findingsViewer"
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member="serviceAccount:$SERVICE_ACCOUNT" \
--role="roles/cloudasset.viewer"
Folder-Level
For folder-scoped scanning:
# Set variables
SERVICE_ACCOUNT="regscale-integration@YOUR_PROJECT.iam.gserviceaccount.com"
FOLDER_ID="987654321098" # Your numeric folder ID
# Grant required roles
gcloud resource-manager folders add-iam-policy-binding $FOLDER_ID \
--member="serviceAccount:$SERVICE_ACCOUNT" \
--role="roles/securitycenter.findingsViewer"
gcloud resource-manager folders add-iam-policy-binding $FOLDER_ID \
--member="serviceAccount:$SERVICE_ACCOUNT" \
--role="roles/cloudasset.viewer"
Configuration
Configuration File (init.yaml)
Add the following settings to your init.yaml file:
Required Settings
# Path to service account JSON key file
gcpCredentials: '/path/to/service-account-key.json'
# Scan scope: project, organization, or folder
gcpScanType: 'project'
Scope-Dependent Settings
Based on your gcpScanType, configure the appropriate scope identifier:
# For project scope
gcpProjectId: 'my-gcp-project'
# For organization scope
gcpOrganizationId: '123456789012' # Numeric organization ID
# For folder scope
gcpFolderId: '987654321098' # Numeric folder ID
Optional Settings
# Compliance framework for control mapping
# Options: NIST800-53R5, CIS_GCP, FedRAMP, PCI-DSS, SOC2
gcpComplianceFramework: 'NIST800-53R5'
# Severity levels to include (comma-separated)
gcpSeverityFilter: 'CRITICAL,HIGH,MEDIUM'
# Cache time-to-live in hours (reduces API calls)
gcpCacheTTLHours: 8
# Evidence collection mode: attachments or records
gcpEvidenceMode: 'attachments'
Complete Configuration Examples
Project-Level Scanning
gcpCredentials: '/secure/path/gcp-regscale-sa.json'
gcpScanType: 'project'
gcpProjectId: 'my-gcp-project'
gcpSeverityFilter: 'CRITICAL,HIGH,MEDIUM'
Organization-Level Compliance Scanning
gcpCredentials: '/secure/path/gcp-regscale-sa.json'
gcpScanType: 'organization'
gcpOrganizationId: '123456789012'
gcpComplianceFramework: 'FedRAMP'
gcpSeverityFilter: 'CRITICAL,HIGH'
gcpCacheTTLHours: 8
gcpEvidenceMode: 'attachments'
Folder-Level Scanning
gcpCredentials: '/secure/path/gcp-regscale-sa.json'
gcpScanType: 'folder'
gcpFolderId: '987654321098'
gcpComplianceFramework: 'NIST800-53R5'
Authentication Methods
The GCP integration supports multiple authentication methods to accommodate different deployment scenarios.
Method 1: Service Account JSON File (Recommended for local use)
Store the service account key as a JSON file:
# In init.yaml
gcpCredentials: '/path/to/service-account-key.json'
Or via environment variable:
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account-key.json
Method 2: Base64-Encoded JSON (Recommended for CI/CD and Airflow)
Encode your credentials for secure storage in environment variables or secrets managers:
# Encode the credentials
cat service-account-key.json | base64 > credentials.b64
# View the encoded string
cat credentials.b64
Configure in init.yaml:
gcpCredentialsJsonBase64: 'eyJ0eXBlIjoic2VydmljZV9hY2NvdW50IiwicHJvamVjdF9pZCI6Li4ufQ=='
Or via environment variable:
export GCP_CREDENTIALS_JSON_BASE64=$(cat service-account-key.json | base64)
Method 3: Raw JSON String
For environments where file storage is not available:
# In init.yaml (ensure proper YAML escaping)
gcpCredentialsJson: '{"type": "service_account", "project_id": "my-project", ...}'
Or via environment variable:
export GCP_CREDENTIALS_JSON='{"type": "service_account", "project_id": "my-project", ...}'
Credential Priority Order
When multiple credential sources are configured, the integration uses this priority order:
- Command-line flags (
--credentials-json-base64,--credentials-json,--credentials-file) - Environment variables (
GCP_CREDENTIALS_JSON_BASE64,GCP_CREDENTIALS_JSON,GOOGLE_APPLICATION_CREDENTIALS) - Configuration file settings (
gcpCredentialsJsonBase64,gcpCredentialsJson,gcpCredentials)
CLI Commands
Authentication Test
Validate your GCP credentials and API access:
# Using credentials file path
regscale gcp authenticate --credentials-file /path/to/key.json
# Using base64-encoded credentials
regscale gcp authenticate --credentials-json-base64 "eyJ0eXBlIjoi..."
Asset Synchronization
Sync GCP resources to RegScale as assets:
# Basic usage
regscale gcp sync_assets --regscale-ssp-id 123
# With scope options
regscale gcp sync_assets --regscale-ssp-id 123 \
--scope organization \
--organization-id 123456789012
# With filtering
regscale gcp sync_assets --regscale-ssp-id 123 \
--asset-types "compute.googleapis.com/Instance,storage.googleapis.com/Bucket" \
--labels "env=prod,team=security"
# Force refresh (bypass cache)
regscale gcp sync_assets --regscale-ssp-id 123 --force-refresh
Options:
| Option | Description |
|---|---|
--regscale-ssp-id | RegScale Security Plan ID (required) |
--scope | Scan scope: project, organization, or folder |
--project-id | GCP project ID (for project scope) |
--organization-id | GCP organization ID (for organization scope) |
--asset-types | Filter by asset types (comma-separated) |
--labels | Filter by GCP labels (e.g., env=prod,team=security) |
--force-refresh | Bypass cache and fetch fresh data |
Findings Synchronization
Sync Security Command Center findings to RegScale as issues:
# Basic usage
regscale gcp sync_findings --regscale-ssp-id 123
# With severity filter
regscale gcp sync_findings --regscale-ssp-id 123 \
--severity-filter CRITICAL,HIGH
# With source filter
regscale gcp sync_findings --regscale-ssp-id 123 \
--sources "SECURITY_HEALTH_ANALYTICS,EVENT_THREAT_DETECTION"
# Generate evidence for findings
regscale gcp sync_findings --regscale-ssp-id 123 \
--generate-evidence \
--control-ids "AC-1,AC-2,SC-7"
Options:
| Option | Description |
|---|---|
--regscale-ssp-id | RegScale Security Plan ID (required) |
--severity-filter | Filter by severity: CRITICAL, HIGH, MEDIUM, LOW |
--sources | Filter by SCC sources (comma-separated) |
--generate-evidence | Attach evidence to findings |
--control-ids | Target specific control IDs |
--scope | Scan scope: project, organization, or folder |
Compliance Synchronization
Update RegScale control implementation status based on SCC compliance findings:
# Basic usage with default framework (NIST 800-53 R5)
regscale gcp sync_compliance --regscale-ssp-id 123
# Specify compliance framework
regscale gcp sync_compliance --regscale-ssp-id 123 \
--framework FedRAMP
# Create issues for failed controls
regscale gcp sync_compliance --regscale-ssp-id 123 \
--framework NIST800-53R5 \
--create-issues
# Update control status and create POAMs
regscale gcp sync_compliance --regscale-ssp-id 123 \
--framework FedRAMP \
--update-control-status \
--create-poams
Options:
| Option | Description |
|---|---|
--regscale-ssp-id | RegScale Security Plan ID (required) |
--framework | Compliance framework (see Supported Frameworks) |
--create-issues | Create RegScale issues for failed controls |
--update-control-status | Update control implementation status |
--create-poams | Mark failed controls as POAMs |
Evidence Collection
Collect compliance evidence from GCP for RegScale controls:
# Collect evidence as SSP attachments
regscale gcp collect_evidence --regscale-ssp-id 123 \
--mode attachments
# Collect evidence as individual records
regscale gcp collect_evidence --regscale-ssp-id 123 \
--mode records
# Target specific controls
regscale gcp collect_evidence --regscale-ssp-id 123 \
--control-ids "AC-1,AC-2,AU-2,SC-7"
Options:
| Option | Description |
|---|---|
--regscale-ssp-id | RegScale Security Plan ID (required) |
--mode | Evidence mode: attachments or records |
--control-ids | Target specific control IDs (comma-separated) |
--evidence-frequency | Collection frequency |
Inventory Export
Export GCP resource inventory to a JSON file for analysis:
# Export project inventory
regscale gcp inventory collect \
--scope project \
--project-id my-gcp-project \
--output-file gcp_inventory.json
# Export organization inventory
regscale gcp inventory collect \
--scope organization \
--organization-id 123456789012 \
--output-file org_inventory.json
# Filter by labels
regscale gcp inventory collect \
--scope project \
--project-id my-gcp-project \
--labels "env=prod" \
--output-file prod_inventory.json
Options:
| Option | Description |
|---|---|
--scope | Scan scope: project, organization, or folder |
--project-id | GCP project ID |
--organization-id | GCP organization ID |
--labels | Filter by GCP labels |
--output-file | Output file path |
Supported Compliance Frameworks
The GCP integration maps Security Command Center findings to the following compliance frameworks:
| Framework | Value | Description | Use Case |
|---|---|---|---|
| NIST 800-53 Rev 5 | NIST800-53R5 | NIST Special Publication 800-53 Revision 5 | Federal agencies, FedRAMP authorization |
| CIS GCP Benchmark | CIS_GCP | CIS Google Cloud Platform Foundation Benchmark | General security hardening |
| FedRAMP | FedRAMP | Federal Risk and Authorization Management Program | Cloud services for US government |
| PCI-DSS | PCI-DSS | Payment Card Industry Data Security Standard | Payment processing systems |
| SOC 2 | SOC2 | Service Organization Control 2 | SaaS providers, service organizations |
Framework Selection
Choose the framework that aligns with your compliance requirements:
# In init.yaml
gcpComplianceFramework: 'FedRAMP'
Or via command line:
regscale gcp sync_compliance --regscale-ssp-id 123 --framework FedRAMP
Severity Mapping
GCP Security Command Center finding severities are mapped to RegScale severity levels:
| GCP SCC Severity | RegScale Severity |
|---|---|
| CRITICAL | Critical |
| HIGH | High |
| MEDIUM | Moderate |
| LOW | Low |
Filtering by Severity
Filter findings to only include specific severity levels:
# In init.yaml - include only Critical and High
gcpSeverityFilter: 'CRITICAL,HIGH'
Or via command line:
regscale gcp sync_findings --regscale-ssp-id 123 --severity-filter CRITICAL,HIGH,MEDIUM
Inventory Resources
The GCP integration collects the following resource types:
Compute Resources
- Compute Engine instances, disks, images, snapshots
- Instance groups and templates
- GKE clusters and node pools
- Cloud Run services and revisions
- Cloud Functions
- App Engine services and versions
Storage Resources
- Cloud Storage buckets
- Filestore instances and backups
Database Resources
- Cloud SQL instances
- Cloud Spanner instances
- BigTable instances
- Firestore databases
- Memorystore (Redis) instances
- BigQuery datasets
Networking Resources
- VPC networks and subnets
- Firewall rules
- Load balancers
- Cloud NAT gateways
- VPN gateways and tunnels
- Cloud DNS zones
Security Resources
- Service accounts and keys
- IAM policies and custom roles
- KMS key rings and crypto keys
- Security Command Center findings
Logging Resources
- Log sinks
- Log-based metrics
- Audit log configurations
Caching
The GCP integration caches inventory data to reduce API calls and improve performance.
Cache Settings
# Cache time-to-live in hours (default: 8)
gcpCacheTTLHours: 8
Cache Location
- Inventory cache:
artifacts/gcp/inventory.json - Session cache:
~/.regscale/gcp_sessions/
Bypassing Cache
To fetch fresh data and bypass the cache:
regscale gcp sync_assets --regscale-ssp-id 123 --force-refresh
Troubleshooting
Common Issues
"Permission denied" or "403 Forbidden" Errors
Cause: Service account lacks required IAM roles.
Solution:
- Verify the service account has the required roles at the correct scope level
- Organization-level permissions are required for
sync_compliance - Wait a few minutes after granting permissions for propagation
# Verify service account roles
gcloud projects get-iam-policy PROJECT_ID \
--flatten="bindings[].members" \
--filter="bindings.members:serviceAccount:YOUR_SERVICE_ACCOUNT"
"API not enabled" Errors
Cause: Required GCP API is not enabled for the project.
Solution: Enable the required API:
gcloud services enable securitycenter.googleapis.com
gcloud services enable cloudasset.googleapis.com
"Security Command Center is not enabled" Errors
Cause: SCC is not enabled for the organization/project.
Solution:
- Navigate to Security Command Center in the GCP Console
- Enable Security Command Center for your organization
- Wait for initial scan to complete (may take several hours)
Stale or Outdated Data
Cause: Cached data is being returned.
Solution: Use the --force-refresh flag:
regscale gcp sync_assets --regscale-ssp-id 123 --force-refresh
No Findings Returned
Cause: Severity filter is excluding all findings, or no findings exist.
Solution:
- Check the
--severity-filtersetting - Verify Security Health Analytics is enabled in SCC
- Check that findings exist in the SCC Console
# Include all severities
regscale gcp sync_findings --regscale-ssp-id 123 --severity-filter CRITICAL,HIGH,MEDIUM,LOW
Authentication Failures
Cause: Invalid or expired credentials.
Solution:
- Verify the JSON key file is valid and not corrupted
- Check that the service account has not been deleted
- Generate a new key if necessary
# Test authentication
regscale gcp authenticate --credentials-file /path/to/key.json
Validation Commands
Use these commands to validate your setup:
# Test authentication and credentials
regscale gcp authenticate --credentials-file /path/to/key.json
# Check what assets are visible
regscale gcp inventory collect \
--scope project \
--project-id my-project \
--output-file test_inventory.json
# Verify API access with gcloud
gcloud asset list --project=my-project --limit=5
gcloud scc findings list organizations/ORG_ID --limit=5
Debug Logging
Enable debug logging for detailed troubleshooting:
# Set log level to DEBUG
export REGSCALE_LOG_LEVEL=DEBUG
# Run command with verbose output
regscale gcp sync_findings --regscale-ssp-id 123
Security Best Practices
- Least Privilege: Grant only the minimum required permissions
- Key Rotation: Rotate service account keys regularly
- Secure Storage: Never commit credentials to version control
- Environment Variables: Use environment variables or secrets managers for CI/CD
- Audit Logging: Enable Cloud Audit Logs to track API access
- Service Account Naming: Use descriptive names to identify purpose (e.g.,
regscale-integration)
Environment Variables Reference
| Variable | Description | Example |
|---|---|---|
GOOGLE_APPLICATION_CREDENTIALS | Path to service account JSON key | /path/to/key.json |
GCP_CREDENTIALS_JSON | Raw JSON credentials string | {"type": "service_account"...} |
GCP_CREDENTIALS_JSON_BASE64 | Base64-encoded JSON credentials | eyJ0eXBlIjoi... |
GCP_PROJECT_ID | GCP project ID | my-gcp-project |
GCP_ORGANIZATION_ID | GCP organization ID | 123456789012 |
Related Resources
Updated 8 days ago