You can integrate Google Cloud Platform (GCP) with Drata; the integration is available under both the Access Review and Infrastructure connection types on the Connections page. Connect GCP to sync data for access review features, or to automate monitoring and evidence collection for the infrastructure security controls required for compliance.
You can now automatically collect evidence for a number of monitoring tests and continuously ensure your GCP environment meets compliance standards with Drata.
Learn more about setting up and connecting GCP to Drata.
Prerequisites
Ensure the Google Workspace account has Super Admin privileges and is linked to the company's GCP account, and that the Google Workspace Super Admin account email is the same as the GCP organization administrator email.
If this account does not exist, Drata cannot retrieve MFA status for your GCP IAM users (Test 88 - MFA on Infrastructure Console).
Ensure that the GCP account that is connecting GCP to Drata has the Owner role and the GCP Organization Administrator role (resourcemanager.organizationAdmin) at the project level or the organizational level.
Project level: Connect each GCP project within an organization. For more information on migrating projects to an organization, go to Moving a project.
Organizational level: Connect the GCP organization. This is the recommended approach.
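The two role requirements above can be checked against an exported IAM policy before you start the connection. The following is an added example, not part of this help article or of Drata's setup scripts. It assumes the policy was saved with `gcloud organizations get-iam-policy ORG_ID --format=json` (or the `gcloud projects` equivalent for a project-level connection), that "Owner" and "Organization Administrator" correspond to the role IDs `roles/owner` and `roles/resourcemanager.organizationAdmin`, and it uses a constructed sample policy rather than real output. It only resolves direct `user:` bindings; a role granted through a group is not detected, which is the caveat to keep in mind when the check reports a role as missing.

```python
import json

# Roles the article requires for the connecting account.
# Assumption: these are the canonical role IDs for Owner and Organization Administrator.
REQUIRED_ROLES = {"roles/owner", "roles/resourcemanager.organizationAdmin"}

# Constructed sample in the shape of `gcloud organizations get-iam-policy --format=json`.
# Not real output; emails and etag are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:admin@example.com", "group:security@example.com"]},
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["user:admin@example.com"]},
    {"role": "roles/viewer",
     "members": ["user:auditor@example.com"]}
  ],
  "etag": "PLACEHOLDER_ETAG",
  "version": 1
}
""")


def roles_for_member(policy, email):
    """Return the roles directly bound to user:<email> (case-insensitive)."""
    member = f"user:{email.strip().lower()}"
    roles = set()
    for binding in policy.get("bindings", []):
        # A conditional binding may not apply at connection time; do not count it.
        if "condition" in binding:
            continue
        members = {m.lower() for m in binding.get("members", [])}
        if member in members:
            roles.add(binding["role"])
    return roles


def missing_roles(policy, email):
    """Roles from REQUIRED_ROLES that the account does not hold directly."""
    return REQUIRED_ROLES - roles_for_member(policy, email)


def emails_match(workspace_super_admin, gcp_org_admin):
    """The Workspace Super Admin email must equal the GCP org admin email."""
    return workspace_super_admin.strip().lower() == gcp_org_admin.strip().lower()


if __name__ == "__main__":
    for account in ("admin@example.com", "auditor@example.com"):
        gap = missing_roles(SAMPLE_POLICY, account)
        print(account, "OK" if not gap else f"missing {sorted(gap)}")
    print("emails match:", emails_match("Admin@example.com", "admin@example.com"))
```

Run it against your own exported policy by replacing `SAMPLE_POLICY` with `json.load(open("policy.json"))`; an empty result from `missing_roles` for the connecting account means the prerequisite is met as far as direct bindings go.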
Enable (GCP) Google Cloud Platform
Select Connections on the side navigation menu.
Select the Available connections tab, search for GCP, and select Connect.
GCP is available under both Access review and Infrastructure. In the GCP connection drawer, you can enable either type.
Follow the instructions on the connection drawer. The following sections cover the instructions on the connection drawer.
Step 1: Connect your Google Cloud Platform (GCP)
You have two ways to connect your GCP. You can either connect using a script or connect manually. It is recommended to connect using a script.
Connect using a script (Recommended)
Download and run both of the following scripts:
GCP native script instructions: https://github.com/drata/gcp-shell-drata-setup
Terraform script instructions: https://github.com/drata/gcp-terraform-drata-setup
Connect manually
Go to Manually connect GCP for step by step instructions.
Step 2: Provision domain wide delegation client in Google Workspace
Note: If you connected GCP manually, you have already completed this step.
Log in to your Google Admin console with an account that has Super Admin privileges, then go to "Security > Access and data control > API controls." Scroll to the bottom to get to Domain wide delegation.
In the Domain wide delegation section, click on Manage Domain Wide Delegation button.
Note: If you are using Google Workspace as your IdP and you have already connected it to Drata, you will see another entry in the Domain Wide Delegation list. Its OAuth scope will be:
https://www.googleapis.com/auth/admin.directory.user.readonly
Ensure this entry remains intact so as not to break your IdP connection.
Click on the Add new button.
Enter the numeric client ID (the unique ID, not the service account email address).
If you used the native script or Terraform, you can pull the client ID from the newly created "drata-key-file.json".
Leave the Overwrite existing client ID checkbox un-checked.
Copy and paste the Cloud Platform scopes below into the OAuth scopes (comma-delimited) text field. Once done, click on the AUTHORIZE button.
Comma-delimited Scopes:
https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly
For improved readability, the same scopes are listed without commas and separated by spaces:
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.group.member.readonly
This step can be completed after establishing the connection in Drata. If you skip it, the MFA test for GCP will fail.
Step 3: Upload JSON key
If you connected using the scripts, upload the JSON key the scripts generated.
If you connected manually, upload the file that was downloaded onto your machine in step 6 of the following section: GCP Connection Details | Drata Help Center.
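Steps 2 and 3 both hinge on the same key file: the numeric client ID you paste into the delegation form comes from it, and the scope string you authorize must be exactly the three read-only scopes listed above. The following is an added example, not part of this help article or of Drata's scripts. It assumes the key file uses the standard GCP service account key format (`type`, `client_email`, `client_id`, and so on) and uses a constructed sample with placeholder values rather than a real key; the delegation-list helper models the Admin console list as plain dicts, which is an assumption about shape, not an API.

```python
import json
import re

# Scopes from Step 2, in the order the article lists them.
REQUIRED_SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
]

# Constructed sample key file. Field names follow the standard service account
# key format; every value is a placeholder, not a real credential.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "PLACEHOLDER_PRIVATE_KEY",
    "client_email": "drata-sa@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def client_id_from_key_file(text):
    """Return the numeric client_id; reject the email or a non-key file."""
    data = json.loads(text)
    if data.get("type") != "service_account":
        raise ValueError("not a service account key file")
    client_id = str(data.get("client_id", ""))
    if not re.fullmatch(r"\d+", client_id):
        raise ValueError("client_id is not numeric; do not paste client_email here")
    return client_id


def comma_delimited_scopes(scopes=REQUIRED_SCOPES):
    """Build the exact string for the 'OAuth scopes (comma-delimited)' field."""
    return ",".join(scopes)


def scope_field_is_exact(field):
    """True only if the field holds the three read-only scopes and nothing else."""
    given = [s.strip() for s in field.split(",") if s.strip()]
    return sorted(given) == sorted(REQUIRED_SCOPES)


def add_delegation_entry(existing, client_id, scope_field):
    """Append a new entry without overwriting any existing one (e.g. the IdP entry)."""
    if any(e["client_id"] == client_id for e in existing):
        raise ValueError("client ID already present; refusing to overwrite")
    new_entry = {"client_id": client_id, "scopes": scope_field.split(",")}
    return existing + [new_entry]


if __name__ == "__main__":
    cid = client_id_from_key_file(SAMPLE_KEY_FILE)
    field = comma_delimited_scopes()
    # Constructed: an existing IdP entry from a Google Workspace IdP connection.
    idp_entry = {"client_id": "999999999999999999999",
                 "scopes": [REQUIRED_SCOPES[0]]}
    entries = add_delegation_entry([idp_entry], cid, field)
    print("client ID:", cid)
    print("scope field:", field)
    print("entries after add:", len(entries))
```

Point `client_id_from_key_file` at the contents of `drata-key-file.json` to get the value for the client ID field, and run `scope_field_is_exact` over whatever you actually pasted: a write-capable directory scope, or a missing one, makes it return False.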
Enable connection types
You can enable Infrastructure or User Access Review.
Monitoring tests covered
Note: These tests only apply if you enabled Infrastructure on the connection drawer.
Test 4: SSL/TLS on Admin Page of Infrastructure Console
Test 30: Availability Zones Used
Test 68: Customer Data is Encrypted at Rest
Test 69: Customer Data in Cloud Storage is Encrypted at Rest
Test 88: MFA on Infrastructure Console
Test 95: Infrastructure Accounts Properly Removed
Test 98: Employees have Unique Infrastructure Accounts
Test 102: Public SSH Denied
Test 104: Cloud Data Storage Exposure
Test 107: Daily Database Backups
Test 108: Storage Data Versioned or Retained
Test 112: Database CPU Monitored
Test 118: Infrastructure Instance CPU Monitored
Test 119: Firewall Default Disallows Traffic
Test 122: Web Application Firewall in Place
Test 123: Cloud Infrastructure Linked to Drata
Test 130: Load Balancer Used
Summary of Monitor Tests Associated per each Permission
Compute Engine API
Cloud Resource Manager API
Admin SDK API
Cloud SQL Admin API
Cloud Monitoring API (may also be called "Stackdriver Monitoring API")
Cloud Storage API (comes natively with the Project Viewer role)
Other:
Drata runs an SSL cert check on https://console.cloud.google.com
A successful GCP connection satisfies this test
124 - Root Infrastructure Account Unused - Not implemented for GCP