Compliance frameworks like SOC 2 require organizations to have clear visibility and control over their assets. Use Drata to build a comprehensive GCP asset inventory.
Prerequisites
Ensure you set up an active GCP connection in Drata to use this feature. Go to the GCP Connection Details page to learn how to create a GCP connection in Drata.
The specific API permission Drata needs to sync virtual assets is the Cloud Asset Inventory API permission. Even if you connected GCP before Drata released the virtual asset sync, you may need to add this permission to the project where your service account was created.
Drata supports eight GCP services:
Google Compute Engine
Google Persistent Disk
Google Cloud Run
Google Container Registry
GKE (Google Kubernetes Engine)
Google Cloud Storage Regional and Multi-Regional
Cloud SQL
Google Cloud CDN
Only the primary owner is imported into Drata for GCP Virtual Assets.
Find all your GCP asset inventory
You can find all of your GCP asset inventory within Drata.
Navigate to Assets on the left navigation. Here, you can filter GCP assets by selecting the appropriate values for the Types and Providers.
Types: Select Virtual.
Providers: Select GCP.
Owners automatically assigned for assets
You can assign an owner to each asset, but if an asset does not have an assigned owner or has multiple owners, Drata automatically assigns one.
Drata identifies the asset's owner within your GCP systems and verifies their employment status within Drata. If the individual has an active employment status, Drata assigns that individual as the owner.
If an asset has multiple owners in GCP, Drata assigns the first individual with an active employment status.
If no personnel was found within Drata or no owners were attached to the asset within GCP, then the first admin in Drata is assigned as the owner.
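The fallback order described above can be modeled to find assets that would default to the first admin, which usually means their GCP ownership needs review before an audit. This is an added example, not Drata's code; the function names, rule labels, input shapes (owner emails per asset, a set of active personnel, an ordered admin list) and sample data are assumptions.

```python
from typing import NamedTuple


class Assignment(NamedTuple):
    owner: str
    rule: str  # which documented rule produced the owner


def predict_owner(gcp_owners, active_personnel, drata_admins):
    """Model the documented fallback order for one asset (hypothetical helper).

    gcp_owners:       owner emails attached to the asset in GCP, in order
    active_personnel: set of emails with active employment status in Drata
    drata_admins:     Drata admins in order; the first one is the fallback
    """
    # Rule 1: the first GCP owner with an active employment status wins.
    for email in gcp_owners:
        if email in active_personnel:
            return Assignment(email, "first-active-gcp-owner")
    # Rule 2: no owners in GCP, or none matched active personnel.
    if not drata_admins:
        raise ValueError("no Drata admin available as fallback owner")
    return Assignment(drata_admins[0], "first-admin-fallback")


def fallback_assets(inventory, active_personnel, drata_admins):
    """Return names of assets whose owner would default to the first admin."""
    return [
        name
        for name, owners in inventory.items()
        if predict_owner(owners, active_personnel, drata_admins).rule
        == "first-admin-fallback"
    ]


# Constructed sample data, not taken from any real environment.
INVENTORY = {
    "vm-web-01": ["alice@example.com"],
    "bucket-logs": ["former@example.com", "bob@example.com"],
    "sql-billing": ["former@example.com"],
    "disk-orphan": [],
}
ACTIVE = {"alice@example.com", "bob@example.com"}
ADMINS = ["admin1@example.com", "admin2@example.com"]

if __name__ == "__main__":
    for name, owners in INVENTORY.items():
        print(name, predict_owner(owners, ACTIVE, ADMINS))
    print("needs ownership review:", fallback_assets(INVENTORY, ACTIVE, ADMINS))
```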
When GCP resources move into different subscriptions or resource groups, their Resource ID changes, creating a new asset record with updated information.
You can view the Notes section for each asset and other details on the table. You can use notes to tag each asset.
Daily sync
Drata syncs the GCP asset inventory daily.
Assets that are not in scope for your audit
For the assets within your GCP instance that are not in scope for your audit, you can create a GCP tag drataexclude. To learn more, go to our Exclusion labels within GCP article.
To prevent assets from syncing daily, tag them with drataexclude. After they are tagged, they will not be synced any longer and will have a timestamp in the 'Deleted On' column indicating when they stopped being synced.
If you added the drataexclude tag before syncing assets into Drata, those assets will not appear on the table or be synced.