Set Up Censys ASM Cloud Connector for GCP
Use this connector to seed the Censys ASM platform with accurate, up-to-date information about Internet-addressable assets in your GCP Organization for monitoring and enhanced discovery.
For each Project in your GCP Organization, the cloud connector will connect to the services running in order to extract and send relevant seed data to the Censys ASM platform:
- All Public Virtual Machine Instances
- All Serverless Instances
- DNS and Domain Information
- GCP Storage Instances
What You'll Need:
- Your GCP organization ID
- A Service Account in your GCP Organization
- Your Censys ASM API key
- A server with Docker and Docker Compose installed
cloud-connectors.tar.gzcode file (please email Censys support for access)
Install the Censys Cloud Connector
cloud-connectors.tar.gzfile to your preferred directory. For access, please contact email@example.com.
Create Config File
cloud-connectors/gcpdirectory copy the file named
gcp_config.yml.exampleand rename as
gcp_config.ymlwith this command:
cp -p gcp_config.yml.example gcp_config.yml
gcp_config.ymlwith an editor and replace the example value with your Organization ID.
Example YAML for Config File
- ORGANIZATION_ID: xxxxxxxxxxxx
Create Environment File
cloud-connectors/dockerdirectory, copy the file named
env.exampleand rename as
envwith this command:
cp -p env.example env
env file with an editor and replace the example values with your preferences.
Example Config File
Default values are shown.
CENSYS_API_KEY=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx SEARCH_IPS=true SEARCH_CONTAINERS=true SEARCH_DATABASES=true SEARCH_DNS=true SEARCH_STORAGE=true LOGGING_LEVEL=info SCAN_FREQUENCY=3600
These configurations must be set.
CONNECTOR_TYPE- The cloud connector type. Use
CENSYS_API_KEY- Your Censys API key, found on the Censys Integrations page.
SEARCH_IPS- Search for public IP addresses in cloud services. Defaults to
SEARCH_CONTAINERS- Search for public IP addresses in cloud container services. Defaults to
SEARCH_DATABASES- Search for public IP addresses in cloud database services. Defaults to
SEARCH_DNS- Search for public domain names in cloud DNS services. Defaults to
SEARCH_STORAGE- Search for storage domain names in cloud storage service (currently only implemented for Azure). Defaults to
LOGGING_LEVEL- Logging level with valid parameters [
error]. Defaults to
SCAN_FREQUENCY- The period of time to wait between scans in seconds. To run the connector once and then exit, set this parameter to
-1.Otherwise, this value should be a positive number greater than 3599. Defaults to
Copy the Service Account File from GCP into the GCP Directory of the Cloud Connector
Create a new Service Account in your GCP Organization for the Censys GCP cloud connector to utilize.
Visit the IAM & Admin > Service Accounts page in your GCP console. Make sure you have selected the proper Project within your Organization for the Service Account to be created in.
Create a new Service Account for the Censys GCP cloud connector to utilize. No Project level service account access or user access should be configured at this point.
Create a new key for the Service Account and download the corresponding
.jsonfile. Rename the file to
service_account.jsonand move it to the
- Copy the email of the newly created Service Account, switch to the Organization, and visit the IAM Provisioning page.
- Add the Service Account as a new member and assign the following roles:
Security Center Assets Discovery Runner
Security Center Assets Viewer
- Enable the
GCP Security Command CenterAPI if it isn't already. (Here's a guide to Enabling an API in your Google Cloud project).
Build and Run the Container
To run the Censys cloud connector, navigate to the
cloud-conectors root directory and execute the following command:
The connector will begin collecting your GCP assets and uploading them to the Censys ASM platform as seeds.
Article is closed for comments.