Set Up Censys ASM Cloud Connector for GCP
Summary
Use this connector to seed the Censys ASM platform with accurate, up-to-date information about Internet-addressable assets in your GCP Organization for monitoring and enhanced discovery.
Introduction
For each Project in your GCP Organization, the cloud connector connects to the running services to extract relevant seed data and send it to the Censys ASM platform:
- All Public Virtual Machine Instances
- All Serverless Instances
- DNS and Domain Information
- GCP Storage Instances
What You'll Need:
- Your GCP organization ID
- A Service Account in your GCP Organization
- Your Censys ASM API key
- A server with Docker and Docker Compose installed
- The cloud-connectors.tar.gz code file (please email Censys support for access)
Install the Censys Cloud Connector
cloud-connectors.tar.gz file to your preferred directory. For access, please contact support@censys.io.
Create Config File
In the cloud-connectors/gcp directory, copy the file named gcp_config.yml.example and rename it as gcp_config.yml with this command:
cp -p gcp_config.yml.example gcp_config.yml
Open gcp_config.yml with an editor and replace the example value with your Organization ID.
Example YAML for Config File
- ORGANIZATION_ID: xxxxxxxxxxxx
Create Environment File
In the cloud-connectors/docker directory, copy the file named env.example and rename it as env with this command:
cp -p env.example env
Open the env file with an editor and replace the example values with your preferences.
Example Config File
Default values are shown.
CONNECTOR_TYPE=xxxx
CENSYS_API_KEY=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
SEARCH_IPS=true
SEARCH_CONTAINERS=true
SEARCH_DATABASES=true
SEARCH_DNS=true
SEARCH_STORAGE=true
LOGGING_LEVEL=info
SCAN_FREQUENCY=3600
These configurations must be set.
CONNECTOR_TYPE - The cloud connector type. Use gcp.
CENSYS_API_KEY - Your Censys API key, found on the Censys Integrations page.
SEARCH_IPS - Search for public IP addresses in cloud services. Defaults to true.
SEARCH_CONTAINERS - Search for public IP addresses in cloud container services. Defaults to true.
SEARCH_DATABASES - Search for public IP addresses in cloud database services. Defaults to true.
SEARCH_DNS - Search for public domain names in cloud DNS services. Defaults to true.
SEARCH_STORAGE - Search for storage domain names in cloud storage service (currently only implemented for Azure). Defaults to true.
LOGGING_LEVEL - Logging level with valid parameters [debug | info | warning | error]. Defaults to info.
SCAN_FREQUENCY - The period of time to wait between scans, in seconds. To run the connector once and then exit, set this parameter to -1. Otherwise, this value should be a positive number greater than 3599. Defaults to 3600 (run hourly).
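The settings described above can be checked before the container is started. The script below is an added example, not part of the Censys connector: env_get, owner_only and check_env are hypothetical helper names, and it assumes that CONNECTOR_TYPE and CENSYS_API_KEY are the settings that must be present and that the env file should be readable by its owner only, since it holds the API key.

```shell
#!/bin/sh
# Preflight check for the connector's env file (added example, not Censys code).
# Value rules follow the settings list above; the owner-only permission check
# is an assumption of this example because the file holds CENSYS_API_KEY.

# Print the value of KEY ($1) from FILE ($2); the last assignment wins.
env_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# Succeed only if group and other have no permission bits on FILE.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Validate FILE: print one line per problem, return the number of problems.
check_env() {
    f=$1; n=0
    fail() { echo "$f: $1"; n=$((n + 1)); }
    [ -f "$f" ] || { echo "$f: not found"; return 1; }
    owner_only "$f" || fail "readable by group/other; run: chmod 600 $f"
    [ "$(env_get CONNECTOR_TYPE "$f")" = "gcp" ] || fail "CONNECTOR_TYPE must be gcp"
    case $(env_get CENSYS_API_KEY "$f") in
        ""|*xxxx*) fail "CENSYS_API_KEY is empty or still the example value" ;;
    esac
    for k in SEARCH_IPS SEARCH_CONTAINERS SEARCH_DATABASES SEARCH_DNS SEARCH_STORAGE; do
        case $(env_get "$k" "$f") in
            ""|true|false) ;;   # unset falls back to the documented default
            *) fail "$k must be true or false" ;;
        esac
    done
    case $(env_get LOGGING_LEVEL "$f") in
        ""|debug|info|warning|error) ;;
        *) fail "LOGGING_LEVEL must be debug, info, warning or error" ;;
    esac
    freq=$(env_get SCAN_FREQUENCY "$f")
    case $freq in
        ""|-1) ;;               # default (3600) or run once and exit
        *[!0-9]*) fail "SCAN_FREQUENCY must be -1 or a whole number of seconds" ;;
        *) [ "$freq" -gt 3599 ] || fail "SCAN_FREQUENCY must be -1 or greater than 3599" ;;
    esac
    return "$n"
}
```

Load the functions into your shell and run check_env env from the cloud-connectors/docker directory; the exit status is the number of problems found, so 0 means the file passed.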
Copy the Service Account File from GCP into the GCP Directory of the Cloud Connector
Create a new Service Account in your GCP Organization for the Censys GCP cloud connector to utilize.
- Visit the IAM & Admin > Service Accounts page in your GCP console. Make sure you have selected the proper Project within your Organization for the Service Account to be created in.
- Create a new Service Account for the Censys GCP cloud connector to utilize. No Project level service account access or user access should be configured at this point.
- Create a new key for the Service Account and download the corresponding .json file. Rename the file to service_account.json and move it to the cloud-connectors/gcp directory.
- Copy the email of the newly created Service Account, switch to the Organization, and visit the IAM Provisioning page.
- Add the Service Account as a new member and assign the following roles:
  - Folder Viewer
  - Organization Viewer
  - Security Center Assets Discovery Runner
  - Security Center Assets Viewer
  - Security Reviewer
- Enable the GCP Security Command Center API if it isn't already. (Here's a guide to Enabling an API in your Google Cloud project).
Build and Run the Container
To run the Censys cloud connector, navigate to the cloud-connectors root directory and execute the following command:
./run.sh
The connector will begin collecting your GCP assets and uploading them to the Censys ASM platform as seeds.