Setup - Google Cloud

Note

Looking for Azure setup instructions? To get started with Fugue on Microsoft Azure, see Setup - Azure & Azure Government.

Looking for Amazon Web Services instructions? To get started with Fugue on AWS, see Setup - AWS & AWS GovCloud.

Looking for Repository setup instructions? To get started with Fugue on Repository, see Setup - Repository.

Ready to create a Fugue environment? An environment contains resources from a single AWS account, Azure subscription, Google project, or code repository – in this case, Google Cloud. Fugue surveys the resource configuration in an environment and reports whether the infrastructure is compliant with the selected compliance standards.

Tip

In a hurry? For an even quicker setup guide, see Get Started in 5 Minutes.

To learn more about the basics of using Fugue, see Fugue 101.

Sign Up for Fugue

Before you can create an environment, you’ll need to sign up for a free account with Fugue. (You’ll start off with a free Enterprise trial, which gives you access to all of Fugue’s features; after 30 days, you’ll be transitioned to the free-forever Developer plan if you choose not to upgrade.)

Once you’re all signed up and logged in, select the Define New Environment button:

_images/hello-define-env.png

Step 1: Setup (Name, Provider)

In the first step of creating an environment, you name it and specify your provider – cloud or repository.

  1. Name your environment.

  2. Select Google as the provider.

  3. Select Continue.

_images/step1_Google_create.png

Step 2: Settings (Enable Google Service APIs & Create a Service Account)

Note

If at any point you want to change something, you can select “Back” at the bottom of the page to return to the previous step, or “Edit” in the sidebar next to the desired step to return to that step.

Note

If you want to add a Google organization, refer to Adding a Google Organization.

Step 2 has two parts, which we’ll detail next:

2a. Enable the Service APIs required to scan your project’s resources.

_images/step_1_enable_APIs.png

2b. Create a Service Account.

Enable Google Service APIs

  1. Log in to the Google Cloud project you would like Fugue to scan.

  2. In the top-right, select Activate Cloud Shell.

_images/activate_cloud_shell.png

  3. In the Cloud Shell, run the following command:

gcloud services enable bigquery.googleapis.com \
  bigquerydatatransfer.googleapis.com \
  cloudkms.googleapis.com \
  compute.googleapis.com \
  container.googleapis.com \
  dns.googleapis.com \
  iam.googleapis.com \
  logging.googleapis.com \
  monitoring.googleapis.com \
  redis.googleapis.com \
  sqladmin.googleapis.com

Note

This step is needed to enable the Service APIs required to scan your project’s resources.

Create a Service Account

Fugue scans your resources by impersonating the service account you create below (Fugue’s own scanner account is granted the Service Account Token Creator role on it) and generating short-lived credentials that are valid for one hour.

Note

If you want to add a Google Organization-level Service Account, refer to Adding a Google Organization.

  1. In the Cloud Shell, run the command shown in Fugue under Create a Service Account. It will look something like this:

Warning

This is example code that will differ from yours. Fugue will generate code for you.

service_account=$(gcloud iam service-accounts create fugue-tests \
  --display-name "Fugue service account" \
  --description "Service account used by Fugue to scan project" \
  --format="value(email)") && project_name=$(gcloud config get-value project) && \
gcloud projects add-iam-policy-binding ${project_name} \
  --member serviceAccount:${service_account} \
  --role roles/iam.securityReviewer \
  --format none --condition None && \
gcloud projects add-iam-policy-binding ${project_name} \
  --member serviceAccount:${service_account} \
  --role roles/viewer \
  --format none --condition None && \
gcloud iam service-accounts add-iam-policy-binding ${service_account} \
  --member serviceAccount:fugue-scanner@fugueco.iam.gserviceaccount.com \
  --role roles/iam.serviceAccountTokenCreator \
  --format none --condition None && \
echo "Your service account email: ${service_account}"

  2. Back in the Fugue environment setup, enter the returned email address of the created service account.

  3. Click Continue.

Note

Google can take 60 seconds or more to create your service account. If you try to use a service account immediately after you create it and receive an error, wait at least 60 seconds and try again. Refer to Creating a service account for more information.

Note

Google limits the service account name to 30 characters. If you get an error message that the service account cannot be created because its name is too long, return to Step 1 and enter a shorter environment name.

Step 3: Compliance

  • If you’d like Fugue to evaluate your infrastructure configuration for all compliance standards, ensure “Yes” is selected.

  • If you’d prefer to select the compliance families yourself, click No - select a subset.

Fugue supports the following compliance families for Google environments:

  • CIS Controls (v7.1)

  • CIS Google (v1.1.0)

  • CIS Google (v1.2.0)

  • CSA CCM (v3.0.1)

  • GDPR (v2016)

  • HIPAA (v2013)

  • ISO 27001 (v2013)

  • NIST 800-53 (vRev4)

  • PCI DSS (v3.2.1)

  • SOC 2 (v2017)

  • Custom Rules

  • Custom Families

Step 4: Review

  1. Review the details for your environment, including environment name, Service Account, resource types, and compliance standards.

  2. If anything needs to be changed, click Edit next to the appropriate step.

  3. If everything looks good, select the Approve and Begin Scan button. Fugue will create your environment and start to scan your infrastructure.

_images/review_google.png

When the scan is complete, Fugue brings you to your environment’s dashboard, where you can see your compliance state.

_images/google_cloud_final.png

Congratulations! You’ve just created a Google environment with Fugue.

Note

Fugue will detect newly created projects if they exist in the API and web console. If the project exists in the API only, you will need to create a new environment to monitor it within Fugue.

Adding a Google Organization-level Service Account

You can use a Google Organization-level Service Account to add multiple projects instead of making a new service account for each project. In Fugue, a project is considered to be an environment. After you create a service account and grant it IAM permissions at the organization level, you use the /CREATE endpoint to add each project within your organization using the same service account’s email address. You will need to enable the Service APIs in every project that you want Fugue to scan.

Note

If you don’t enable the Service APIs in each project, you can still add it to Fugue as an environment, but it will display within Fugue as 0 resources scanned until you enable the Service APIs in the project. Additionally, Fugue does not support scanning of organizational level resources for Google.

Note

You need sufficient permissions in your Google Cloud organization to add a Google Organization-level Service Account to Fugue. Refer to Creating and managing organizations for more information.

  1. Create the Service Account.

    1. From the Project drop-down, select a project that is part of the organization.

    2. Navigate to Service Accounts and click Create Service Account.

    3. Enter the Service account name.

    4. The Service Account ID is automatically generated by Google.

    5. Optionally, enter a Service account description.

    6. Click Create and Continue.

    7. From the Role drop-down, select Basic > Viewer.

    8. Select Add Another Role. From the Role drop-down, select IAM > Security Reviewer.

    9. Select Add Another Role. From the Role drop-down, select Service Accounts > Service Account Token Creator.

    10. Click Done.

    11. Select the Service Account you created.

    12. Select Permissions > Grant Access.

    13. In New members, enter fugue-scanner@fugueco.iam.gserviceaccount.com.

    14. From the Role drop-down, select Security Reviewer.

    15. Select Add Another Role. From the Role drop-down, select Service Account Token Creator.

    16. Click Save and copy the email address.

  2. At the organization level, navigate to IAM and select Add.

    1. In the New members field, enter the email address from the service account created in Step 1.

    2. Select Add Another Role. From the Role drop-down, select Basic > Viewer.

    3. Select Add Another Role. From the Role drop-down, select IAM > Security Reviewer.

    4. Select Add Another Role. From the Role drop-down, select Service Accounts > Service Account Token Creator.

    5. Select Add Another Role. From the Role drop-down, select Resource Manager > Folder Viewer.

    6. Select Add Another Role. From the Role drop-down, select Resource Manager > Organization Viewer.

    7. Select Add Another Role. From the Role drop-down, select Basic > Browser.

    8. Click Save.

  3. Using the Fugue /CREATE endpoint, specify the service account email address from step 1 and the project ID.

  4. Enable the Service APIs required to scan your project’s resources in every project you added as an environment in Fugue.
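As an added check that is not part of Fugue’s documentation or tooling, the following Python script audits the bindings created by the project-level command in Step 2 and by the organization-level procedure above. It reads policies in the JSON shape that `gcloud projects get-iam-policy` (or `gcloud organizations get-iam-policy`, checked against ORG_ROLES) and `gcloud iam service-accounts get-iam-policy` return, flags any roles beyond the documented read-only set, and flags any principal other than Fugue’s scanner account that can mint the scan account’s credentials. The service-account email, sample policies and the other principals are constructed placeholders.

```python
import json

# Constructed sample policies in the JSON shape returned by
#   gcloud projects get-iam-policy PROJECT --format=json
#   gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json
# The scan-account email and the other principals are placeholders.
SA_EMAIL = "fugue-tests@example-project.iam.gserviceaccount.com"
SCANNER = "serviceAccount:fugue-scanner@fugueco.iam.gserviceaccount.com"

# Roles the project-level command grants, and the larger set the
# organization-level procedure grants (pass the org policy with ORG_ROLES).
PROJECT_ROLES = {"roles/viewer", "roles/iam.securityReviewer"}
ORG_ROLES = PROJECT_ROLES | {
    "roles/iam.serviceAccountTokenCreator",
    "roles/resourcemanager.folderViewer",
    "roles/resourcemanager.organizationViewer",
    "roles/browser",
}

PROJECT_POLICY = json.loads("""{"bindings": [
  {"role": "roles/viewer", "members": ["serviceAccount:%s", "user:bob@example.com"]},
  {"role": "roles/iam.securityReviewer", "members": ["serviceAccount:%s"]},
  {"role": "roles/editor", "members": ["serviceAccount:%s"]}]}""" % ((SA_EMAIL,) * 3))
SA_POLICY = json.loads("""{"bindings": [
  {"role": "roles/iam.serviceAccountTokenCreator",
   "members": ["%s", "user:alice@example.com"]}]}""" % SCANNER)

def roles_for_member(policy, member):
    """Roles bound to `member` in an IAM policy dict (binding conditions ignored)."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}

def audit_scan_account(resource_policy, sa_policy, sa_email, expected_roles):
    """Compare the scan account's grants with what the setup is meant to give it.
    Returns a dict of findings; an empty dict means the policies match the setup."""
    member = "serviceAccount:" + sa_email
    findings = {}
    granted = roles_for_member(resource_policy, member)
    if granted - expected_roles:      # broader than the documented read-only set
        findings["extra_roles"] = sorted(granted - expected_roles)
    if expected_roles - granted:      # scans will fail or report partial results
        findings["missing_roles"] = sorted(expected_roles - granted)
    # Any principal with Token Creator on the scan account can mint its
    # credentials, so only Fugue's scanner account should hold that role on it.
    minters = {m for b in sa_policy.get("bindings", [])
               if b["role"] == "roles/iam.serviceAccountTokenCreator"
               for m in b.get("members", [])}
    if minters != {SCANNER}:
        findings["token_creators"] = sorted(minters)
    return findings
```

Run it against the sample policies and it reports the stray roles/editor grant and the extra user holding Token Creator; an empty result means the bindings match the setup on this page.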

What’s Next?

Fugue will continue to scan the resource configuration in your environment at regular intervals (and on demand). This is how Fugue detects compliance violations in your infrastructure.

Now that you’ve created an environment, learn how to configure it further in Environment Configuration. If you’d like to learn more about checking compliance state, see Compliance. Or, check out the visualizer for an interactive diagram of your cloud infrastructure.