GCP (Google Cloud Platform) Connection

Connect the GCP provider, which is available as either an access review (UAR) or an infrastructure connection type, to Drata.

Updated over a month ago

You can integrate Google Cloud Platform (GCP) with Drata; it is available under both the Access Review and Infrastructure connection types on the Connections page. Connect GCP to sync data for access review features, or to automate monitoring and evidence collection for the infrastructure security controls required for compliance.

You can now automatically collect evidence for a number of monitoring tests and continuously ensure your GCP environment meets compliance standards with Drata.

Learn more about setting up and connecting GCP to Drata.

Prerequisites

  • Ensure the Google Workspace account has Super Admin privileges, is linked to the company's GCP account, and uses the same email address as the GCP organization administrator.

    • If this account does not exist, Drata cannot retrieve MFA status for your GCP IAM users (Test 88 - MFA on Infrastructure Console).

  • Ensure that the GCP account used to connect GCP to Drata has the Owner role and the GCP Organization Administrator role (resourcemanager.organizationAdmin) at either the project level or the organization level.

    • Project level: Connect each GCP project within an organization. For more information on migrating projects to an organization, go to Moving a project.

    • Organizational level: Connect the GCP organization. This is the recommended approach.

Enable (GCP) Google Cloud Platform

  1. Select Connections on the side navigation menu.

  2. Select the Available connections tab, search for GCP, and select Connect.

    • GCP is available under both Access review and Infrastructure. In the GCP connection drawer, you can enable either type.

  3. Follow the instructions in the connection drawer. The following sections walk through those instructions.

Step 1: Connect your Google Cloud Platform (GCP)

You can connect GCP in two ways: with a script or manually. Connecting with a script is recommended.

Connect using a script (Recommended)

Download and run both of the following scripts:

Connect manually

Go to Manually connect GCP for step by step instructions.

Step 2: Provision domain wide delegation client in Google Workspace

Note: If you connected GCP manually, you have already completed this step.

  1. Log in to your Google Admin console with an account that has Super Admin privileges, then go to "Security → Access and data control → API controls". Scroll to the bottom to reach Domain wide delegation.

  2. In the Domain wide delegation section, click the Manage Domain Wide Delegation button.

    • Note: If you are using Google Workspace as your IdP and have already connected it to Drata, you will see another entry in the Domain Wide Delegation list. Its OAuth scope will be:

      • https://www.googleapis.com/auth/admin.directory.user.readonly

    • Leave this entry intact so as not to break your IdP connection.

  3. Click on the Add new button.

    • Enter the numeric client ID (the unique ID, not the service account email address).

      • If you used the script or Terraform, you can find the client ID in the newly created "drata-key-file.json".

    • Leave the Overwrite existing client ID checkbox unchecked.

    • Copy and paste the Cloud Platform scopes below into the OAuth scopes (comma-delimited) text field, then click the AUTHORIZE button.

Comma-delimited Scopes:

https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly

For improved readability, the same scopes are listed here one per line, without commas:

https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.group.member.readonly

This step can be completed after establishing the connection in Drata. If it is not completed, the MFA test for GCP (Test 88) will fail.
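As an added check (example code written for this article, not Drata's own tooling), the following Python reads a service-account key file such as the script-generated drata-key-file.json, extracts the numeric client ID to paste into the Domain Wide Delegation dialog, assembles the comma-delimited scope string for the OAuth scopes field, and flags any scope that is not one of the three read-only scopes listed above. The key file contents are a constructed sample with placeholder values.

```python
import json

# The three read-only Admin SDK scopes the connection drawer asks for
# (taken from the page); anything outside this set is a least-privilege flag.
EXPECTED_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
)

# Constructed sample key file for illustration only; a real file carries a
# real private key and identifiers. Field names follow Google's key format.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "drata-sa@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
})


def delegation_client_id(key_file_text: str) -> str:
    """Return the numeric client ID to paste into Domain Wide Delegation.
    Rejects files that are not service-account keys and values that are not
    the numeric unique ID (e.g. the service account email by mistake)."""
    key = json.loads(key_file_text)
    if key.get("type") != "service_account":
        raise ValueError("not a service-account key file")
    client_id = str(key.get("client_id", ""))
    if not client_id.isdigit():
        raise ValueError("client_id must be the numeric unique ID, not an email")
    return client_id


def scope_field(scopes=EXPECTED_SCOPES) -> str:
    """Build the comma-delimited value for the OAuth scopes field."""
    return ",".join(scopes)


def unexpected_scopes(scope_field_value: str) -> list:
    """Return scopes in a pasted scope string that are not among the expected
    read-only scopes, so an over-broad grant is caught before AUTHORIZE."""
    pasted = [s.strip() for s in scope_field_value.split(",") if s.strip()]
    return [s for s in pasted if s not in EXPECTED_SCOPES]


if __name__ == "__main__":
    print("Client ID:", delegation_client_id(SAMPLE_KEY_FILE))
    print("Scopes:", scope_field())
```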

Step 3: Upload JSON key

If you connected using the scripts, upload the JSON key they generated.

If you connected manually, upload the file that was downloaded to your machine in step 6 of the following section: GCP Connection Details | Drata Help Center.

Enable connection types

You can enable Infrastructure or User Access Review.

Monitoring tests covered

Note: These tests apply only if you enabled Infrastructure in the connection drawer.

  • Test 4: SSL/TLS on Admin Page of Infrastructure Console

  • Test 30: Availability Zones Used

  • Test 68: Customer Data is Encrypted at Rest

  • Test 69: Customer Data in Cloud Storage is Encrypted at Rest

  • Test 88: MFA on Infrastructure Console

  • Test 95: Infrastructure Accounts Properly Removed

  • Test 98: Employees have Unique Infrastructure Accounts

  • Test 102: Public SSH Denied

  • Test 104: Cloud Data Storage Exposure

  • Test 107: Daily Database Backups

  • Test 108: Storage Data Versioned or Retained

  • Test 112: Database CPU Monitored

  • Test 118: Infrastructure Instance CPU Monitored

  • Test 119: Firewall Default Disallows Traffic

  • Test 122: Web Application Firewall in Place

  • Test 123: Cloud Infrastructure Linked to Drata

  • Test 130: Load Balancer Used

Summary of Monitor Tests Associated per each Permission

Additional Resources
