Set Up Censys ASM Cloud Connector for GCP
Use this connector to seed the Censys ASM platform with accurate, up-to-date information about Internet-addressable assets in your GCP account for monitoring and enhanced discovery.
For each GCP organization you enable, the cloud connector connects to the running services to extract the following seed data and send it to the Censys ASM platform:
- All Public Virtual Machine Instances
- All Serverless Instances
- DNS and Domain Information
What You'll Need:
- Your GCP organization ID
- Programmatic access to your GCP organization
- Your Censys ASM API key
- A server with Docker and Docker Compose installed
- cloud-connectors.tar.gz code file (please email Censys support for access)
Install the Censys Cloud Connector
cloud-connectors.tar.gz file to your preferred directory. For access, please contact email@example.com.
Create Config File
Copy gcp_config.yml.example and rename it as gcp_config.yml with this command:
cp -p gcp_config.yml.example gcp_config.yml
Open gcp_config.yml with an editor and replace the example values with values corresponding to your GCP organization. Add a block for each additional tenant.
Example YAML for Config File
- ORGANIZATION_ID: xxxxxxxxxxxx
Create Environment File
Copy env.example and rename it as env with this command:
cp -p env.example env
Open the cloud-connectors/docker/env file with an editor and replace the example values with your preferences.
Example Config File
Default values are shown.
CENSYS_API_KEY=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
SEARCH_IPS=true
SEARCH_CONTAINERS=true
SEARCH_DATABASES=true
SEARCH_DNS=true
LOGGING_LEVEL=warning
SCAN_FREQUENCY=-1
These configurations must be set.
- CONNECTOR_TYPE - The cloud connector type. Use
- CENSYS_API_KEY - Your Censys API key, found on the Censys Admin page.
- SEARCH_IPS - Search for public IP addresses in cloud services. Defaults to true.
- SEARCH_CONTAINERS - Search for public IP addresses in cloud container services. Defaults to true.
- SEARCH_DATABASES - Search for public IP addresses in cloud database services. Defaults to true.
- SEARCH_DNS - Search for public domain names in cloud DNS services. Defaults to true.
- LOGGING_LEVEL - Logging level with valid parameters [ info]. Defaults to warning.
- SCAN_FREQUENCY - The period of time to wait between collections, in minutes. To run the connector once and then exit, set this parameter to -1. This value cannot be a positive number less than 360 (6 hours). Defaults to -1 (run once and exit).
Copy the Service Account File from GCP into the Root Directory of the Cloud Connector
Create a new Service Account in your GCP organization for the Censys GCP cloud connector to operate under.
Visit the IAM provisioning page in your GCP console. Make sure you have selected the organization that you would like to collect assets in.
Create a new Service Account member.
Assign the following roles:
- Security Center Assets Discovery Runner
- Security Center Assets Viewer
Create a new key for the service account and download the corresponding service_account.json file to the server.
Enable the GCP Security Command Center API if it isn't already enabled. (Here's a guide to Enabling an API in your Google Cloud project).
Copy the downloaded service_account.json file into the connector container. Place this file in the root of the cloud-connectors directory so that it is at the project's top level.
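Before starting the container, the env file and service_account.json can be checked against the rules above. The script below is an added example, not part of the Censys connector: the function names are hypothetical, the owner-only permission check is this example's own recommendation because both files hold credentials, and it assumes the SEARCH_* switches accept only true or false.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for the connector's env file and key file.

# Succeeds only if FILE exists and grants no access to group or other.
is_private() {
    [ -f "$1" ] && [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Print the value assigned to KEY in a KEY=VALUE file (last assignment wins).
env_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '\r'
}

# check_connector_files ENV_FILE KEY_FILE
# Prints one FAIL line per problem; returns 0 if none were found, else 1.
check_connector_files() {
    local env_file=$1 key_file=$2 rc=0 name value
    fail() { echo "FAIL: $*"; rc=1; }

    # Both files hold credentials, so only the owner should be able to read them.
    is_private "$env_file" || fail "$env_file is missing or open to group/other"
    is_private "$key_file" || fail "$key_file is missing or open to group/other"
    [ -f "$env_file" ] || return 1

    # The example key is only x's and dashes; a real key has other characters.
    value=$(env_value "$env_file" CENSYS_API_KEY)
    case $value in
        *[!x-]*) ;;
        *) fail "CENSYS_API_KEY is empty or still the example value" ;;
    esac

    # Assumption: the SEARCH_* switches accept only true or false.
    for name in SEARCH_IPS SEARCH_CONTAINERS SEARCH_DATABASES SEARCH_DNS; do
        value=$(env_value "$env_file" "$name")
        case $value in
            ''|true|false) ;;   # unset means the default applies
            *) fail "$name=$value is not true or false" ;;
        esac
    done

    # -1 runs once; a positive interval below 360 minutes is not allowed.
    value=$(env_value "$env_file" SCAN_FREQUENCY)
    case ${value:=-1} in
        -|*[!0-9-]*|?*-*) fail "SCAN_FREQUENCY=$value is not an integer" ;;
        *) [ "$value" -le 0 ] || [ "$value" -ge 360 ] ||
               fail "SCAN_FREQUENCY=$value is below the 360-minute minimum" ;;
    esac
    return $rc
}
if [ "$#" -eq 2 ]; then check_connector_files "$1" "$2"; fi
```

Run it with the path to the env file and the path to service_account.json as its two arguments; a non-zero exit status means at least one FAIL line was printed.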
To run the Censys cloud connector, navigate to the cloud-connectors root directory and execute the following command:
docker-compose up --build -d
The connector will begin collecting your GCP assets and uploading them to the Censys ASM platform as seeds.