Google Cloud Platform (GCP) can be integrated with Drata as an Access Review or Infrastructure connection type on the Connections page. Connect GCP to sync data for the access review features, or to automate monitoring and evidence collection for the infrastructure security controls required for compliance.
You can now automatically collect evidence for a number of monitoring tests and continuously ensure your GCP environment meets compliance standards with Drata.
Learn more about setting up and connecting GCP to Drata.
Prerequisites
Ensure that the Google Workspace account has Super Admin privileges, is linked to the company's GCP account, and uses the same email address as the GCP organization administrator account.
If this account does not exist, Drata cannot retrieve MFA status for your GCP IAM users (Test 88 - MFA on Infrastructure Console).
Ensure that the GCP account used to connect GCP to Drata has the Owner role and the GCP Organization Administrator role (resourcemanager.organizationAdmin) at the project level or the organization level.
Project level: Connect each GCP project within an organization. For more information on migrating projects to an organization, go to Moving a project.
Organizational level: Connect the GCP organization. This is the recommended approach.
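As an added example (not Drata's script and not part of this article), the following Python checks the prerequisites above against IAM policy JSON of the shape that gcloud organizations get-iam-policy ORG_ID --format=json and gcloud projects get-iam-policy PROJECT_ID --format=json print. The policies, email addresses and project IDs are constructed sample values; in practice you would feed it the real command output.

```python
import json

# Roles the prerequisites call for on the connecting account.
ORG_ADMIN_ROLE = "roles/resourcemanager.organizationAdmin"
REQUIRED_ROLES = {"roles/owner", ORG_ADMIN_ROLE}

# Constructed sample policy, shaped like the JSON output of
# `gcloud organizations get-iam-policy ORG_ID --format=json`.
ORG_POLICY_JSON = json.dumps({
    "bindings": [
        {"role": ORG_ADMIN_ROLE,
         "members": ["user:admin@example.com", "user:connector@example.com"]},
        {"role": "roles/owner",
         "members": ["user:connector@example.com"]},
        {"role": "roles/viewer",
         "members": ["serviceAccount:drata-sa@example-project.iam.gserviceaccount.com"]},
    ],
    "etag": "BwXexampleEtag=",
    "version": 1,
})

# Constructed per-project policies for the project-level alternative
# (one `gcloud projects get-iam-policy PROJECT_ID --format=json` each).
PROJECT_POLICIES_JSON = {
    "example-project-a": json.dumps({"bindings": [
        {"role": "roles/owner", "members": ["user:connector@example.com"]}]}),
    "example-project-b": json.dumps({"bindings": [
        {"role": "roles/editor", "members": ["user:connector@example.com"]}]}),
}


def members_with_role(policy, role):
    """Principals bound directly to `role` (group/domain membership is not expanded)."""
    return {m for b in policy.get("bindings", []) if b.get("role") == role
            for m in b.get("members", [])}


def roles_for(policy, member):
    """Roles bound directly to `member` in one IAM policy."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def missing_roles(policy, member, required=REQUIRED_ROLES):
    """Required roles that `member` does not hold, sorted for stable output."""
    return sorted(required - roles_for(policy, member))


def check_org_level(org_policy_json, connector_email, workspace_admin_email):
    """Organization-level prerequisite check. Returns findings; an empty list means ready."""
    policy = json.loads(org_policy_json)
    findings = []
    connector = f"user:{connector_email}"
    for role in missing_roles(policy, connector):
        findings.append(f"{connector_email} is missing {role} at the organization level")
    # The Workspace Super Admin must be the same identity as a GCP organization
    # administrator, otherwise Drata cannot read MFA status (Test 88).
    if f"user:{workspace_admin_email}" not in members_with_role(policy, ORG_ADMIN_ROLE):
        findings.append(f"Workspace Super Admin {workspace_admin_email} is not a GCP "
                        "Organization Administrator; Test 88 (MFA) will fail")
    return findings


def projects_missing_owner(project_policies_json, connector_email):
    """Project-level alternative: projects where the connecting account is not an Owner."""
    member = f"user:{connector_email}"
    return sorted(pid for pid, raw in project_policies_json.items()
                  if "roles/owner" not in roles_for(json.loads(raw), member))


if __name__ == "__main__":
    for finding in check_org_level(ORG_POLICY_JSON, "connector@example.com",
                                   "admin@example.com"):
        print("FINDING:", finding)
    print("projects without Owner:",
          projects_missing_owner(PROJECT_POLICIES_JSON, "connector@example.com"))
```

The check only looks at direct bindings in the policy it is given: a role granted through a Google group, or inherited from a folder or the organization onto a project, is not expanded, so a clean result from gcloud's own policy output is a stronger signal than a finding here.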
Enable Google Cloud Platform (GCP)
Select Connections on the side navigation menu.
Select the Available connections tab, search for GCP, and select Connect.
GCP is available under both Access review and Infrastructure. In the GCP connection drawer, you can enable either type.
Follow the instructions in the connection drawer. The following sections walk through those instructions.
Step 1: Connect your Google Cloud Platform (GCP)
You have two ways to connect your GCP. You can either connect using a script or connect manually. It is recommended to connect using a script.
Connect using a script (Recommended)
Download and run both of the following scripts:
GCP native script instructions: https://github.com/drata/gcp-shell-drata-setup
Terraform script instructions: https://github.com/drata/gcp-terraform-drata-setup
Connect manually
Go to Manually connect GCP for step by step instructions.
Step 2: Provision domain wide delegation client
Note: If you connected GCP manually, you have already completed this step.
This step can be completed after establishing the connection in Drata. If you skip it, the MFA test for GCP will fail. Full instructions can be found here (the last section of the help document).
Step 3: Upload JSON key
If you connected using the scripts, upload the JSON key they generated.
If you connected manually, upload the file that was downloaded to your machine in step 6 of the following section: GCP Connection Details | Drata Help Center.
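As an added example (not Drata's code and not part of this article), the following Python validates a downloaded key file before it is uploaded, catching the usual mix-ups: an OAuth client file or user credential instead of a service-account key, a truncated file, or missing fields. The key file contents below are constructed samples; the private key is a placeholder string, not real key material, and the describe helper deliberately never returns it.

```python
import json

# Fields present in every Google service-account key file.
REQUIRED_FIELDS = {"type", "project_id", "private_key_id", "private_key",
                   "client_email", "client_id", "token_uri"}

# Constructed sample key file (the private key is a placeholder, not real key material).
GOOD_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n"
                   "-----END PRIVATE KEY-----\n",
    "client_email": "drata-sa@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
})

# Constructed OAuth client file, a common mix-up: it is not a service-account key.
OAUTH_CLIENT_JSON = json.dumps({
    "installed": {"client_id": "abc.apps.googleusercontent.com",
                  "client_secret": "placeholder"}
})


def validate_service_account_key(raw):
    """Return problems found in a key file's text; an empty list means it looks uploadable."""
    try:
        key = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["top-level JSON value is not an object"]
    problems = []
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account' "
                        "(OAuth client and user credential files will not work)")
    missing = sorted(REQUIRED_FIELDS - key.keys())
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    email = key.get("client_email", "")
    if email and not email.endswith(".iam.gserviceaccount.com"):
        problems.append(f"client_email {email!r} is not a service-account address")
    pem = key.get("private_key", "")
    # Real key files end the PEM block with a trailing newline, hence rstrip().
    if pem and not (pem.startswith("-----BEGIN PRIVATE KEY-----")
                    and pem.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM PKCS#8 private key block")
    return problems


def describe(raw):
    """Non-secret summary for a change ticket or evidence note; never echoes the private key."""
    key = json.loads(raw)
    return {"client_email": key.get("client_email"),
            "project_id": key.get("project_id"),
            "private_key_id": key.get("private_key_id")}


if __name__ == "__main__":
    for label, raw in (("service-account key", GOOD_KEY_JSON),
                       ("oauth client file", OAUTH_CLIENT_JSON)):
        print(label, "->", validate_service_account_key(raw) or "OK")
    print(describe(GOOD_KEY_JSON))
```

To check a real download, read the file and pass its text to validate_service_account_key; treat the file itself as a secret (do not commit it, paste it into tickets, or leave it in Downloads after the upload), and record only the describe output as evidence.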
Enable connection types
You can enable Infrastructure or User Access Review.
Monitoring tests covered
Note: These tests apply only if you enabled Infrastructure in the connection drawer.
Test 4: SSL/TLS on Admin Page of Infrastructure Console
Test 30: Availability Zones Used
Test 68: Customer Data is Encrypted at Rest
Test 69: Customer Data in Cloud Storage is Encrypted at Rest
Test 88: MFA on Infrastructure Console
Test 95: Infrastructure Accounts Properly Removed
Test 98: Employees have Unique Infrastructure Accounts
Test 102: Public SSH Denied
Test 104: Cloud Data Storage Exposure
Test 107: Daily Database Backups
Test 108: Storage Data Versioned or Retained
Test 112: Database CPU Monitored
Test 118: Infrastructure Instance CPU Monitored
Test 119: Firewall Default Disallows Traffic
Test 122: Web Application Firewall in Place
Test 123: Cloud Infrastructure Linked to Drata
Test 130: Load Balancer Used
Summary of monitoring tests associated with each permission
Compute Engine API
Cloud Resource Manager API
Admin SDK API
Cloud SQL Admin API
Cloud Monitoring API (may also be called "Stackdriver Monitoring API")
Cloud Storage API (comes natively with the Project Viewer role)
Other
Drata runs an SSL certificate check on https://console.cloud.google.com
A successful GCP connection satisfies this test
Test 124: Root Infrastructure Account Unused is not implemented for GCP