
HYMDL Getting Started GCP

This documentation provides a detailed guide on how HYMDL connects to client GCP accounts to access Audit Logs, Cost Data and resource metadata. The integration follows cross-organization best practices, ensuring secure and efficient access through the HYMDL Bifrost Service Account. This setup supports security scanning for Cloud Security Posture Management (CSPM) and cost visualization using Amazon QuickSight.

Overview

The integration architecture includes:

  • HYMDL SaaS: The primary GCP project for HYMDL.
  • HYMDL Bifrost Service Account: A service account used to access client GCP resources.
  • Client GCP: The client’s Google Cloud Platform environment.
  • HYMDL BI: HYMDL AWS account hosting Analytics and Reporting services.

The following diagram illustrates the integration setup:

[Diagram: HYMDL Bifrost integration setup]

Advantages of Cross-Organization Access and Least Privilege Approach

Security

  • Minimized Attack Surface: By granting the HYMDL Bifrost Service Account only the necessary read-only permissions, the risk of unauthorized actions is minimized.
  • Data Isolation: Ensures that only specific, required data (audit logs and cost data) is accessible, maintaining data integrity and confidentiality.

Compliance

  • Auditability: Read-only access ensures that data can be audited and verified without the risk of modifications.
  • Regulatory Compliance: Helps in adhering to industry standards and regulatory requirements by providing controlled access.

Operational Efficiency

  • Streamlined Access Management: Simplifies the management of permissions and roles across different organizations.
  • Cost Efficiency: Reduces overhead associated with managing multiple service accounts and permissions.

Best Practices

  • Role-Based Access Control (RBAC): Implements RBAC by creating specific roles with precise permissions.
  • Principle of Least Privilege: Ensures that the HYMDL Bifrost Service Account has the minimum permissions necessary to perform its functions.

Integration Steps

1. Creating and Assigning the Custom Role in GCP

  1. Create Custom Role: Define a custom role with read-only permissions required for accessing Audit Logs and BigQuery datasets.
  2. Assign Custom Role: Grant the HYMDL Bifrost Service Account this custom role.
  3. Assign Managed Role: Grant the HYMDL Bifrost Service Account the managed role roles/recommender.viewer.

Step-by-Step Instructions:

  • Create Custom Role:
    • Navigate to IAM & Admin > Roles in your GCP Console.
    • Click Create Role and enter the role details:
      • Title: HYMDL_Bifrost_ReadOnly
      • ID: hymdl_bifrost_readonly
      • Description: Custom role for HYMDL Bifrost Service Account to access audit logs and cost data
    • Add the following permissions:
      IAM permissions
      - "resourcemanager.organizations.get"
      - "resourcemanager.folders.list"
      - "resourcemanager.folders.get"
      - "resourcemanager.projects.list"
      - "resourcemanager.projects.get"
      - "securitycenter.findings.list"
      - "securitycenter.sources.list"
      - "cloudkms.keyRings.list"
      - "cloudkms.cryptoKeys.list"
      - "cloudkms.cryptoKeyVersions.list"
      - "cloudkms.locations.list"
      - "cloudkms.cryptoKeys.get"
      - "cloudkms.cryptoKeyVersions.get"
      - "serviceusage.services.list"
      - "apikeys.keys.list"
      - "iam.serviceAccounts.list"
      - "iam.serviceAccountKeys.list"
      - "bigquery.jobs.create"
      - "bigquery.tables.create"
      - "bigquery.tables.delete"
      - "bigquery.tables.getData"
      - "bigquery.tables.export"
      - "cloudasset.assets.searchAllResources"
      - "cloudasset.assets.analyzeIamPolicy"
      - "serviceusage.services.use"
    • Add conditions to restrict access to the bucket and dataset holding data required for HYMDL.
    • Click Create.
  • Assign Custom Role:
    • Navigate to IAM & Admin > IAM.
    • Click Add and enter the HYMDL Bifrost Service Account:
      • New Principal: hymdl-bifrost@hymdl-bifrost.iam.gserviceaccount.com
      • Role: Select the custom role HYMDL_Bifrost_ReadOnly
    • Click Save.

Automation for Creating and Assigning Roles in GCP

To ensure smooth setup, we suggest using our Terraform scripts for IAM role configuration.

Terraform to automate IAM role creation:

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 4.0"
    }
  }
}

# No project is set: every resource below is scoped to the organization.
provider "google" {}

variable "service_account_member" {
  description = "Service account email to grant the custom role"
  type        = string
  default     = "serviceAccount:hymdl-bifrost@hymdl-bifrost.iam.gserviceaccount.com"
}

variable "org_id" {
  description = "Numeric Organization ID"
  type        = string
  default     = "<YOUR_ORG_ID>" # Replace <YOUR_ORG_ID> with your numeric Organization ID (e.g. 123456789012)
}

# Custom role created at the organization level so a single binding covers all folders and projects.
resource "google_organization_iam_custom_role" "hymdl_bifrost_role" {
  org_id      = var.org_id
  role_id     = "hymdlbifrostrole"
  title       = "HymdlBifrostRole"
  description = "Custom role for Hymdl Bifrost"
  stage       = "GA"

  permissions = [
    "resourcemanager.organizations.get",
    "resourcemanager.folders.list",
    "resourcemanager.folders.get",
    "resourcemanager.projects.list",
    "resourcemanager.projects.get",
    "securitycenter.findings.list",
    "securitycenter.sources.list",
    "cloudkms.keyRings.list",
    "cloudkms.cryptoKeys.list",
    "cloudkms.cryptoKeyVersions.list",
    "cloudkms.locations.list",
    "cloudkms.cryptoKeys.get",
    "cloudkms.cryptoKeyVersions.get",
    "serviceusage.services.list",
    "apikeys.keys.list",
    "iam.serviceAccounts.list",
    "iam.serviceAccountKeys.list",
    "bigquery.jobs.create",
    "bigquery.tables.create",
    "bigquery.tables.delete",
    "bigquery.tables.getData",
    "bigquery.tables.export",
    "cloudasset.assets.searchAllResources",
    "cloudasset.assets.analyzeIamPolicy",
    "serviceusage.services.use",
  ]
}

# Cross-organization binding: the member lives in HYMDL's organization, not the client's.
resource "google_organization_iam_member" "hymdl_bifrost_cross_org_binding" {
  org_id = var.org_id
  role   = google_organization_iam_custom_role.hymdl_bifrost_role.id
  member = var.service_account_member
}

# Predefined role granted alongside the custom role (step 3 above).
resource "google_organization_iam_member" "grant_predefined_recommender_viewer" {
  org_id = var.org_id
  role   = "roles/recommender.viewer"
  member = var.service_account_member
}

Deploy the Terraform Configuration

First, authenticate with your Google Cloud account:

# Create Application Default Credentials; the Terraform Google provider
# authenticates with these, not with the plain `gcloud auth login` session
gcloud auth application-default login

Then run the Terraform commands:

terraform init
terraform plan # Review changes
terraform apply

2. Adding the Viewer Role to a Service Account at the Organization Level in GCP

To provide the HYMDL Bifrost Service Account with the necessary Viewer permissions at the organization level in Google Cloud Platform (GCP), follow these detailed instructions. This role grants read-only access to resources across the entire organization, which is essential for HYMDL to perform security scans and cost analysis.

Step-by-Step Instructions

Navigating to Organization Settings

  • In the IAM & Admin dashboard, ensure you have selected your organization from the dropdown at the top of the page.
  • Click on Organization to manage roles and permissions at the organization level.

Adding the Viewer Role to the Service Account

  • In the Organization settings, navigate to the IAM section.
  • Click on the Add button at the top of the IAM page to add a new member.
  • In the New members field, enter the HYMDL Bifrost Service Account email: hymdl-bifrost@hymdl-bifrost.iam.gserviceaccount.com.
  • In the Select a role dropdown, search for and select the Viewer role:
    • Role: Viewer
  • Click Save to apply the changes.

3. Enabling Audit Logs Export to GCS Bucket

HYMDL will process Audit events from a GCS bucket. Audit logs for the whole GCP Organization can be written to a single GCS bucket. Follow the process below to set up a sink at the Organization scope.

  • Navigate to Logging > Logs Router.
  • Click Create Sink.
  • Enter the sink details:
    • Sink name: org-audit-logs
    • Sink destination: Select Cloud Storage and specify a bucket (e.g., gs://your-audit-logs-bucket)
  • Click Next and set the Include logs to All logs or customize to specific logs if required.
  • Click Create Sink.

4. Configuring Cost Data Export to BigQuery

  • Navigate to Billing > Reports.
  • Click Cost Table Export.
  • Select BigQuery as the export destination.
  • Choose the desired BigQuery dataset or create a new one.
  • Click Save.

Additional details.

Final Configuration and Verification

  • Verify that the HYMDL Bifrost Service Account can list and read objects in the GCS bucket.
  • Ensure that the service account can query the BigQuery dataset.
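Before running those two checks, it is worth confirming from the client side that all three organization-level bindings exist and that the custom role has not drifted beyond the read-only scope described above. The script below is an added example and not HYMDL's tooling; it runs over constructed inputs that mirror the shape of a GCP IAM policy and role definition (the org id 123456789012 and the role id hymdlbifrostrole are taken from the Terraform example).

```python
"""Audit the HYMDL Bifrost org-level grant from the client side.
Added example, not HYMDL's tooling; inputs are constructed to mirror the
shape of a GCP IAM policy and role definition as gcloud prints them in JSON."""

MEMBER = "serviceAccount:hymdl-bifrost@hymdl-bifrost.iam.gserviceaccount.com"

# Roles the integration steps grant at the organization level
# (123456789012 stands in for the numeric org id, as in the Terraform above).
EXPECTED_ROLES = {
    "organizations/123456789012/roles/hymdlbifrostrole",
    "roles/recommender.viewer",
    "roles/viewer",
}

# Permission verbs that cannot create, change or delete resources; anything
# else in a role described as read-only deserves an explicit review.
READ_ONLY_VERBS = {"get", "list", "getData", "export",
                   "searchAllResources", "analyzeIamPolicy"}

def missing_bindings(policy, member=MEMBER, expected=EXPECTED_ROLES):
    """Return the expected roles that the member is not bound to."""
    held = {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}
    return sorted(expected - held)

def non_read_only(role):
    """Return the role's permissions whose verb is outside the allowlist."""
    return sorted(p for p in role.get("includedPermissions", [])
                  if p.rsplit(".", 1)[-1] not in READ_ONLY_VERBS)

# Constructed sample: roles/viewer was never granted, and the custom role
# carries the BigQuery write permissions from the permission list above.
SAMPLE_POLICY = {"bindings": [
    {"role": "organizations/123456789012/roles/hymdlbifrostrole",
     "members": [MEMBER]},
    {"role": "roles/recommender.viewer", "members": [MEMBER]},
]}
SAMPLE_ROLE = {
    "name": "organizations/123456789012/roles/hymdlbifrostrole",
    "includedPermissions": [
        "resourcemanager.projects.list", "bigquery.tables.getData",
        "bigquery.tables.export", "bigquery.jobs.create",
        "bigquery.tables.create", "bigquery.tables.delete",
        "serviceusage.services.use",
    ],
}

if __name__ == "__main__":
    print("missing bindings:", missing_bindings(SAMPLE_POLICY))
    print("permissions to review:", non_read_only(SAMPLE_ROLE))
```

In a real run, feed it the JSON from `gcloud organizations get-iam-policy` and `gcloud iam roles describe --organization` instead of the constructed samples.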

Conclusion

By following these steps, you can securely integrate HYMDL with your GCP environment, ensuring robust security and compliance while enabling efficient cloud management and cost visualization. For further assistance, contact HYMDL Support at support@hymdl.io.