1. Censys
  2. Censys Attack Surface Management
  3. Cloud Connectors
  4. Legacy Cloud Connectors

Other Articles In This Section

In this article:

Set Up Censys ASM Cloud Connector for GCP

  • Updated

Summary

Use this connector to seed the Censys ASM platform with accurate, up-to-date information about Internet-addressable assets in your GCP Organization for monitoring and enhanced discovery.

Introduction

For each Project in your GCP Organization, the cloud connector will connect to the services running in order to extract and send relevant seed data to the Censys ASM platform:

  • All Public Virtual Machine Instances
  • All Serverless Instances
  • DNS and Domain Information
  • GCP Storage Instances

What You'll Need:

Ready to get started? Here's what you need:
  • Your GCP organization ID
  • A Service Account in your GCP Organization
  • Your Censys ASM API key
  • A server with Docker and Docker Compose installed
  • The cloud-connectors.tar.gz code file (please email Censys support for access)

Install the Censys Cloud Connector

Extract the contents of the cloud-connectors.tar.gz file to your preferred directory. For access, please contact support@censys.io.
 

Create Config File

In the cloud-connectors/gcp directory copy the file named gcp_config.yml.example and rename as gcp_config.yml with this command:
cp -p gcp_config.yml.example gcp_config.yml
 
Open the gcp_config.yml with an editor and replace the example value with your Organization ID. 
 
Need help obtaining your Organization ID? Learn how here.
 

Example YAML for Config File

- ORGANIZATION_ID: xxxxxxxxxxxx
 

Create Environment File

In the cloud-connectors/docker directory, copy the file named env.example and rename as env with this command:
cp -p env.example env

Open theenv file with an editor and replace the example values with your preferences.

 

Example Config File

Default values are shown.

CONNECTOR_TYPE=xxxx
CENSYS_API_KEY=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

SEARCH_IPS=true
SEARCH_CONTAINERS=true
SEARCH_DATABASES=true
SEARCH_DNS=true
SEARCH_STORAGE=true

LOGGING_LEVEL=info

SCAN_FREQUENCY=3600

 

Required Fields

These configurations must be set.

  • CONNECTOR_TYPE - The cloud connector type. Use gcp
  • CENSYS_API_KEY - Your Censys API key, found on the Censys Integrations page.

Optional Fields

  • SEARCH_IPS - Search for public IP addresses in cloud services. Defaults to true.
  • SEARCH_CONTAINERS - Search for public IP addresses in cloud container services. Defaults to true.
  • SEARCH_DATABASES - Search for public IP addresses in cloud database services. Defaults to true.
  • SEARCH_DNS - Search for public domain names in cloud DNS services. Defaults to true.
  • SEARCH_STORAGE - Search for storage domain names in cloud storage service (currently only implemented for Azure). Defaults to true.
  • LOGGING_LEVEL - Logging level with valid parameters [debug | info | warning | error]. Defaults to info.
  • SCAN_FREQUENCY - The period of time to wait between scans in seconds. To run the connector once and then exit, set this parameter to -1.
    Otherwise, this value should be a positive number greater than 3599. Defaults to 3600 (run hourly).

Copy the Service Account File from GCP into the GCP Directory of the Cloud Connector

Create a new Service Account in your GCP Organization for the Censys GCP cloud connector to utilize.

  1. Visit the IAM & Admin > Service Accounts page in your GCP console. Make sure you have selected the proper Project within your Organization for the Service Account to be created in.
  2. Create a new Service Account for the Censys GCP cloud connector to utilize. No Project level service account access or user access should be configured at this point.
  3. Create a new key for the Service Account and download the corresponding .json file. Rename the file to service_account.json and move it to the cloud-connectors/gcp directory.
  4. Copy the email of the newly created Service Account, switch to the Organization, and visit the IAM Provisioning page.
  5. Add the Service Account as a new member and assign the following roles:
    • Folder Viewer
    • Organization Viewer
    • Security Center Assets Discovery Runner
    • Security Center Assets Viewer
    • Security Reviewer
  6. Enable theGCP Security Command Center API if it isn't already. (Here's a guide to Enabling an API in your Google Cloud project).

Build and Run the Container

To run the Censys cloud connector, navigate to the cloud-conectors root directory and execute the following command:

./run.sh

The connector will begin collecting your GCP assets and uploading them to the Censys ASM platform as seeds.

Related articles

Comments

0 comments

Article is closed for comments.