What the GCP script does

The script creates a read-only service account in a GCP project.

First, it prompts you to specify a base project and creates a service account called avid-read-account in that project.

For each project in the account (or each project in the list you specified), the script then does the following:

  • Grants the service account roles/viewer (for reading all inventory) and roles/iam.securityReviewer (for reading all IAM-related data used by the CIS benchmarks).
  • Enables the following APIs required to fetch inventory data:

    • cloudapis.googleapis.com
    • admin.googleapis.com
    • stackdriver.googleapis.com
    • sqladmin.googleapis.com
    • storage-api.googleapis.com
    • cloudbilling.googleapis.com
    • cloudresourcemanager.googleapis.com
    • compute.googleapis.com
    • cloudkms.googleapis.com
    • dns.googleapis.com
    • logging.googleapis.com
    • cloudfunctions.googleapis.com
    • cloudmonitoring.googleapis.com
    • monitoring.googleapis.com
    • storage-component.googleapis.com
  • Enables flow logs for all subnets.

  • Creates Storage Buckets for flow logs and activity logs. The retention policy for each bucket is set to 1 day.
  • Enables the following log types in the IAM policy:

    [{"logType": "ADMIN_READ"},{"logType": "DATA_READ"},{"logType": "DATA_WRITE"}]

    This enables activity logs.

  • Creates sinks for flow logs and activity logs (these write log data from Stackdriver to the storage account). Filters are applied so that the sinks receive only flow log data and only admin and write activity logs.

  • Grants each sink permission to write to its bucket. A service account is created and attached to each sink, and it is given permission only to write data to the respective storage account.
  • Deploys functions that read logs from storage and send them to avi-collector. The function code is taken from a zip file stored in the Sophos Cloud Optix Google Cloud storage account. The functions read data from the storage accounts whenever a new file is written and send it to Sophos Cloud Optix.
  • Automatically ignores system-generated projects (project IDs starting with sys-) during onboarding, so that onboarding focuses on user-created projects.
  • Manages cloud function container images using Artifact Registry instead of Container Registry. Note that Artifact Registry isn't turned on by default; during onboarding, Sophos Cloud Optix turns it on for the Google Cloud Platform account being onboarded.

The script then generates a key for your Sophos Cloud Optix account and sends service account information to Sophos Cloud Optix.
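As an added example (not the Sophos onboarding script), the following Python applies the role grants and audit log configuration described above to a project IAM policy in the JSON shape printed by gcloud projects get-iam-policy PROJECT --format=json, producing a document that can be applied with gcloud projects set-iam-policy. The sample policy and BASE_PROJECT_ID are constructed placeholders, and roles_granted_to is an assumed helper for checking after onboarding that the account holds only the two read-only roles.

```python
import copy

# Roles the onboarding script grants to the read-only account (from the page).
READ_ONLY_ROLES = ("roles/viewer", "roles/iam.securityReviewer")
# Audit log types the script enables (from the page); "allServices" applies them project-wide.
AUDIT_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")

def add_read_only_bindings(policy, member):
    """Copy of the project IAM policy (gcloud JSON shape) with member in each read-only role."""
    # Merge idempotently; keep the etag so set-iam-policy rejects stale concurrent writes.
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for role in READ_ONLY_ROLES:
        binding = next((b for b in bindings if b.get("role") == role), None)
        if binding is None:
            binding = {"role": role, "members": []}
            bindings.append(binding)
        if member not in binding["members"]:
            binding["members"].append(member)
    return updated

def enable_data_access_logs(policy):
    """Copy of the policy with ADMIN_READ/DATA_READ/DATA_WRITE audit logs on for all services."""
    updated = copy.deepcopy(policy)
    configs = updated.setdefault("auditConfigs", [])
    entry = next((c for c in configs if c.get("service") == "allServices"), None)
    if entry is None:
        entry = {"service": "allServices", "auditLogConfigs": []}
        configs.append(entry)
    present = {c["logType"] for c in entry["auditLogConfigs"]}
    for log_type in AUDIT_LOG_TYPES:
        if log_type not in present:
            entry["auditLogConfigs"].append({"logType": log_type})
    return updated

def roles_granted_to(policy, member):
    """Roles member holds; check after onboarding that only the two read-only roles appear."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}

# Constructed sample policy in the shape printed by `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = {"version": 1, "etag": "BwXexampleEtag=",
                 "bindings": [{"role": "roles/owner", "members": ["user:admin@example.com"]}]}
# BASE_PROJECT_ID is a placeholder; the real script prompts for the base project.
MEMBER = "serviceAccount:avid-read-account@BASE_PROJECT_ID.iam.gserviceaccount.com"

def onboard_policy(policy=SAMPLE_POLICY, member=MEMBER):
    """Apply both changes; write the result to a file for `gcloud projects set-iam-policy`."""
    return enable_data_access_logs(add_read_only_bindings(policy, member))
```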