What does the Sophos Cloud Optix script for GCP do?

The script creates a read-only service account in a GCP project.

The script does the following to add the GCP projects:

  • Creates the service account avid-read-account in the chosen base project (the script prompts you for the project in which the service account should be created).
  • For each project in the account (or for the specific list of projects you supply), the script does the following:
    • Grants the service account roles/viewer (for reading all inventory) and roles/iam.securityReviewer (for reading all IAM-related data used by the CIS benchmarks).
    • Enables the APIs required to fetch inventory data. The APIs enabled are cloudapis.googleapis.com, admin.googleapis.com, stackdriver.googleapis.com, sqladmin.googleapis.com, storage-api.googleapis.com, cloudbilling.googleapis.com, cloudresourcemanager.googleapis.com, compute.googleapis.com, cloudkms.googleapis.com, dns.googleapis.com, logging.googleapis.com, cloudfunctions.googleapis.com, cloudmonitoring.googleapis.com, monitoring.googleapis.com and storage-component.googleapis.com.
    • Enables flow logs for all subnets.
    • Creates Storage Buckets to store the flow logs and activity logs, with a 1-day retention policy on the buckets.
    • Enables activity logs by modifying the project IAM policy to turn on the following log types: [{"logType": "ADMIN_READ"},{"logType": "DATA_READ"},{"logType": "DATA_WRITE"}].
    • Creates sinks for the flow logs and activity logs (a sink writes log data from Stackdriver to the storage bucket). Filters are applied so that only flow log data and only admin and write activity logs are exported.
    • Grants the sinks permission to write to their respective buckets. (A service account is created and attached to each sink, and it is given permission only to write data to its respective storage bucket.)
    • Deploys functions that read logs from storage and send them to avi-collector. The function code is taken from a zip file stored in a Sophos Cloud Optix Google Cloud Storage account. The functions read data from the storage buckets whenever a new file is written and send it to the Sophos Cloud Optix platform.
  • Generates a key for the Sophos Cloud Optix service account.
  • Sends the service account information to the Sophos Cloud Optix platform.
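Two of the steps above are easy to get subtly wrong when reproduced or audited by hand: enabling the ADMIN_READ, DATA_READ and DATA_WRITE log types means rewriting the project's IAM policy, and `set-iam-policy` replaces the whole `auditConfigs` list, so any existing per-service audit configuration (including exempted members) is lost unless it is merged rather than overwritten. The following Python is an added example, not part of the Sophos script or documentation. It works on the JSON shape returned by `gcloud projects get-iam-policy PROJECT --format=json`; the project name, member addresses and existing audit config in SAMPLE_POLICY are constructed for illustration. It merges the three log types into the policy without clobbering what is already there, and it checks that the read-only account holds nothing beyond the two roles the script is documented to grant.

```python
import copy
import json

# Constructed sample of a project IAM policy as returned by
# `gcloud projects get-iam-policy PROJECT --format=json`.
# Project name, members and the existing audit config are hypothetical.
READ_ONLY_MEMBER = (
    "serviceAccount:avid-read-account@example-project.iam.gserviceaccount.com"
)

SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/viewer", "members": [READ_ONLY_MEMBER]},
        {"role": "roles/iam.securityReviewer", "members": [READ_ONLY_MEMBER]},
    ],
    "auditConfigs": [
        # A pre-existing per-service config with an exemption that a naive
        # overwrite of auditConfigs would silently drop.
        {
            "service": "storage.googleapis.com",
            "auditLogConfigs": [
                {"logType": "DATA_READ", "exemptedMembers": ["user:bob@example.com"]}
            ],
        }
    ],
    "etag": "BwXyz123=",  # placeholder etag
}

# The log types the onboarding step enables (from the page).
REQUIRED_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")

# The only roles the page says the read-only account receives.
EXPECTED_ROLES = {"roles/viewer", "roles/iam.securityReviewer"}


def enable_activity_logs(policy, service="allServices"):
    """Return a copy of `policy` with all required audit log types enabled
    for `service`. Existing auditConfigs entries are preserved and the
    operation is idempotent, so it is safe to run on an already-onboarded
    project."""
    updated = copy.deepcopy(policy)
    configs = updated.setdefault("auditConfigs", [])
    entry = next((c for c in configs if c.get("service") == service), None)
    if entry is None:
        entry = {"service": service, "auditLogConfigs": []}
        configs.append(entry)
    present = {c["logType"] for c in entry["auditLogConfigs"]}
    for log_type in REQUIRED_LOG_TYPES:
        if log_type not in present:
            entry["auditLogConfigs"].append({"logType": log_type})
    return updated


def enabled_log_types(policy, service="allServices"):
    """Set of audit log types currently enabled for `service`."""
    for config in policy.get("auditConfigs", []):
        if config.get("service") == service:
            return {c["logType"] for c in config["auditLogConfigs"]}
    return set()


def roles_for_member(policy, member):
    """All roles bound directly to `member` in this policy."""
    return {
        b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])
    }


def check_read_only_account(policy, member):
    """Roles granted to the account beyond the two documented ones.
    An empty set means the account is still read-only as intended."""
    return roles_for_member(policy, member) - EXPECTED_ROLES


if __name__ == "__main__":
    new_policy = enable_activity_logs(SAMPLE_POLICY)
    print(json.dumps(new_policy["auditConfigs"], indent=2))
    print("extra roles:", check_read_only_account(new_policy, READ_ONLY_MEMBER))
```

In practice you would feed the merged policy back with `gcloud projects set-iam-policy PROJECT policy.json`; keeping the `etag` from the fetched policy lets the API reject the write if the policy changed in between. Running `check_read_only_account` periodically against the live policy is a cheap way to notice if the onboarding account ever picks up a role beyond the two it was granted.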