What the GCP script does
The script creates a read-only service account in a GCP project.
First it creates a service account called avid-read-account in the chosen base project. It prompts you to specify the project.
For each project in the account (or each project in the list you provide), the script then does the following:
- Grants the service account roles/viewer (for reading all inventory) and roles/iam.securityReviewer (for reading all IAM-related data used by the CIS benchmarks).
- Enables the following APIs, which are required to fetch inventory data:
  - cloudapis.googleapis.com
  - admin.googleapis.com
  - stackdriver.googleapis.com
  - sqladmin.googleapis.com
  - storage-api.googleapis.com
  - cloudbilling.googleapis.com
  - cloudresourcemanager.googleapis.com
  - compute.googleapis.com
  - cloudkms.googleapis.com
  - dns.googleapis.com
  - logging.googleapis.com
  - cloudfunctions.googleapis.com
  - cloudmonitoring.googleapis.com
  - monitoring.googleapis.com
  - storage-component.googleapis.com
- Enables flow logs for all subnets.
- Creates storage buckets for flow logs and activity logs. The retention policy for each bucket is set to 1 day.
- Enables the following log types in the project's IAM policy, which turns on activity logs:
  [{"logType": "ADMIN_READ"},{"logType": "DATA_READ"},{"logType": "DATA_WRITE"}]
- Creates sinks for flow logs and activity logs (the sinks write log data from Stackdriver to the storage buckets). Filters are applied so that only flow log data, and only admin and write activity logs, are exported.
- Grants each sink permission to write to its bucket. A service account is created and attached to each sink, and that account is given permission only to write data to the respective bucket.
- Deploys functions that read logs from the buckets and send them to avi-collector. The code for the functions is taken from a zip file stored in the Sophos Cloud Optix Google Cloud storage account. The functions read data from the buckets whenever a new file is written and send it to Sophos Cloud Optix.
- Automatically ignores system-generated projects whose project IDs start with sys- during onboarding. This streamlines onboarding by focusing on user-created projects.
- Manages cloud function container images using Artifact Registry instead of Container Registry. Note that Artifact Registry isn't turned on by default; during onboarding, Sophos Cloud Optix turns on Artifact Registry for the Google Cloud Platform account being onboarded.
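The "enables the following log types in the IAM policy" step above corresponds to the auditConfigs section of the project IAM policy (the document that gcloud projects get-iam-policy returns and gcloud projects set-iam-policy accepts). The example below is added here to show what that change looks like at the data level; it is not the Sophos Cloud Optix script's code. The function names enable_audit_logs and missing_log_types, the sample policy, the example-project project ID and the exempted member are all constructed for illustration. Two details matter in practice: the merge must be idempotent and must preserve any existing exemptedMembers so a rerun does not silently widen or narrow logging, and the etag must be round-tripped unchanged because set-iam-policy uses it to detect concurrent edits. DATA_READ and DATA_WRITE on allServices are Data Access logs, which are high-volume and billed, which is one reason the buckets above keep only one day.

```python
"""Merge Data Access audit-log configuration into a GCP project IAM policy.

Added example, not the onboarding script's own code. Input: the policy dict as
returned by `gcloud projects get-iam-policy PROJECT --format=json`. Output: the
dict to hand back to `gcloud projects set-iam-policy PROJECT policy.json`.
"""
import copy
import json

REQUIRED_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")


def enable_audit_logs(policy: dict, service: str = "allServices") -> dict:
    """Return a copy of `policy` whose auditConfigs entry for `service`
    contains ADMIN_READ, DATA_READ and DATA_WRITE.

    Idempotent: log types already present (and their exemptedMembers) are
    kept as-is, entries for other services are untouched, and the etag is
    carried through unchanged so set-iam-policy can detect concurrent edits.
    """
    new_policy = copy.deepcopy(policy)
    audit_configs = new_policy.setdefault("auditConfigs", [])

    # Find or create the auditConfigs entry for the requested service.
    entry = next((c for c in audit_configs if c.get("service") == service), None)
    if entry is None:
        entry = {"service": service, "auditLogConfigs": []}
        audit_configs.append(entry)
    log_configs = entry.setdefault("auditLogConfigs", [])

    present = {c.get("logType") for c in log_configs}
    for log_type in REQUIRED_LOG_TYPES:
        if log_type not in present:
            log_configs.append({"logType": log_type})
    return new_policy


def missing_log_types(policy: dict, service: str = "allServices") -> list:
    """Verification helper: the required log types still absent for `service`."""
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") == service:
            present = {c.get("logType") for c in cfg.get("auditLogConfigs", [])}
            return [t for t in REQUIRED_LOG_TYPES if t not in present]
    return list(REQUIRED_LOG_TYPES)


# Constructed sample policy shaped like get-iam-policy output. The project ID,
# binding and exempted member are placeholders; only ADMIN_READ is enabled so
# far, and it already carries an exemption that a correct merge must keep.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/viewer",
         "members": ["serviceAccount:avid-read-account@example-project.iam.gserviceaccount.com"]}
    ],
    "auditConfigs": [
        {"service": "allServices",
         "auditLogConfigs": [
             {"logType": "ADMIN_READ", "exemptedMembers": ["user:break-glass@example.com"]}
         ]}
    ],
    "etag": "BwXyZ-placeholder=",
    "version": 1,
}

if __name__ == "__main__":
    print("missing before:", missing_log_types(SAMPLE_POLICY))
    updated = enable_audit_logs(SAMPLE_POLICY)
    print("missing after:", missing_log_types(updated))
    print(json.dumps(updated["auditConfigs"], indent=2))
```

Running the module prints the two missing log types before the merge, an empty list after it, and the resulting auditConfigs block, in which the ADMIN_READ exemption survives and DATA_READ and DATA_WRITE have been appended. The missing_log_types helper doubles as a post-onboarding check that can be run against the live policy of every project the script touched.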
The script then generates a key for your Sophos Cloud Optix account and sends service account information to Sophos Cloud Optix.