Onboard Google Cloud assets using a service account key


Configure a Google Cloud Platform (GCP) service account key in Alibaba Cloud Security Center to automatically sync your GCP host assets. This process centralizes security management for your multicloud assets and reduces management complexity.

Important

The steps for the GCP console described in this topic are for reference only. For specific procedures, see the official GCP documentation.

Step 1: Create a service account and obtain a key

  1. Log on to the GCP console. In the upper-left corner of the console, select the target project.

    Note

    To log on to the GCP console, you must use a network from a region outside the Chinese mainland, such as China (Hong Kong) or Singapore.

  2. Enable the Compute Engine API.

    1. In the left-side navigation pane, choose API & Services > Enabled APIs & Services.

    2. Follow the on-screen instructions to enable the Compute Engine API.

      After the API is enabled, the product details page displays the API Enabled status.

  3. Create a service account and grant permissions.

    1. In the left-side navigation pane, choose Multi-account Management > Service Account.

    2. On the Service Account page, click Create Service Account.

    3. On the Create Service Account page, enter a service account name and click Create and Continue.

      For example, enter AliSecurityCenter.

    4. In the Grant this service account access to project (optional) section, select the Compute Viewer role, and then click Complete.

  4. Create a key for the service account.

    1. In the service account list, click the image icon in the Actions column for the target service account, and then click AccessKey Leak Detection.

      From the expanded action menu, select Manage keys.

    2. On the Keys tab for the service account, click AccessKey Leak Detection.

    3. In the Create private key dialog box, keep the default Key type of JSON, and then click Create.

    4. Download and securely save the private key file.

Step 2: Associate VMs with the service account

Security Center syncs only GCP VM instances associated with a service account. Therefore, you must associate the VM instances that you plan to onboard with the service account created for this purpose.

For new VM instances

On the Create an instance page in the GCP console, click Alert in the left-side navigation pane. In the service account section, select the service account that you created in Step 1: Create a service account and obtain a key, and then create the instance.

For existing VM instances

  1. On the VM instance details page, click Modify.

  2. In the Identity and API access section, change the service account to the one that you created in Step 1: Create a service account and obtain a key, and then click Save.

    Important

    You must stop the VM instance before you can change its service account.
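The same Step 1 and Step 2 procedure expressed with the gcloud CLI, as an added example that is not part of the original page. It assumes placeholder values for the project ID, service account ID, VM name and zone, grants only the Compute Viewer role the page calls for, and only prints each command until APPLY=1 is set, so it can be reviewed before it changes anything.

```shell
#!/bin/sh
# Hypothetical gcloud equivalent of Step 1 (service account + JSON key) and
# Step 2 (attach an existing VM). Placeholders are assumed, not from the page.
set -eu

PROJECT="${PROJECT:-my-gcp-project}"       # assumed project ID
SA_NAME="${SA_NAME:-alisecuritycenter}"    # account ID must be lowercase in GCP
KEY_FILE="${KEY_FILE:-./${SA_NAME}-key.json}"

# A service account e-mail is derived from the account ID and project ID.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"
}

# Dry-run by default: print the command; execute it only when APPLY=1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf 'dry-run: %s\n' "$*"; fi
}

# Step 1: enable the Compute Engine API, create the account with the read-only
# Compute Viewer role (least privilege), and create a JSON key for it.
create_service_account_and_key() {
  email=$(sa_email "$SA_NAME" "$PROJECT")
  run gcloud services enable compute.googleapis.com --project="$PROJECT"
  run gcloud iam service-accounts create "$SA_NAME" \
      --display-name="AliSecurityCenter" --project="$PROJECT"
  run gcloud projects add-iam-policy-binding "$PROJECT" \
      --member="serviceAccount:$email" --role="roles/compute.viewer"
  run gcloud iam service-accounts keys create "$KEY_FILE" \
      --iam-account="$email" --project="$PROJECT"
  # The key is a long-lived credential: keep it owner-readable only until upload.
  run chmod 600 "$KEY_FILE"
}

# Step 2: an existing VM must be stopped before its service account can change.
attach_vm() {
  vm="$1"; zone="$2"
  email=$(sa_email "$SA_NAME" "$PROJECT")
  run gcloud compute instances stop "$vm" --zone="$zone" --project="$PROJECT"
  run gcloud compute instances set-service-account "$vm" --zone="$zone" \
      --project="$PROJECT" --service-account="$email"
  run gcloud compute instances start "$vm" --zone="$zone" --project="$PROJECT"
}

# Run both steps only when explicitly requested, e.g.:
#   APPLY=1 VM_NAME=web-1 VM_ZONE=asia-east1-b sh onboard.sh --apply-steps
if [ "${1:-}" = "--apply-steps" ]; then
  create_service_account_and_key
  attach_vm "${VM_NAME:-my-vm}" "${VM_ZONE:-us-central1-a}"
fi
```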

Step 3: Submit the service account key

  1. Log on to the Security Center console.

    Important

    Due to network restrictions, you can onboard Google Cloud assets only in the Outside Chinese Mainland region.

  2. In the left-side navigation pane, choose System Settings > Feature Settings. In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.

  3. On the Multi-cloud Configuration Management > Multi-cloud Assets tab, click Grant Permission, and select GCP from the drop-down list.

    Alternatively, navigate to the Assets > Host page. In the Add Multi-cloud Asset section, hover over the image icon, and click Add under GCP to open the Add Assets Outside Cloud panel.

  4. In the Permission Description section, select the Host checkbox, and then click Next.

  5. Under Extended Information, click Upload File to upload the private key file that you obtained in Step 1: Create a service account and obtain a key.

  6. Enter an Account Name and click Next.

    The account name distinguishes different accounts from the same cloud provider. Use a descriptive name that reflects its purpose.

    Important

    Do not delete or disable the key. Doing so will disrupt the onboarding of GCP assets.

Step 4: Configure the onboarding policy

  1. In the Add Assets Outside Cloud panel in the Security Center console, in the Policy Configuration wizard, configure settings like the region and data sync frequency for the GCP assets to be onboarded, and then click OK.

    Select region
      Select the region of the assets to be onboarded. Security Center adds these assets to the management center for the Outside Chinese Mainland region.

    Region Management
      If you select this option, Security Center automatically adds asset data from any new regions under the current GCP account to the data management center for the Outside Chinese Mainland region.
      If you do not select this option, assets from new regions will not be onboarded to Security Center.

    Host Asset Synchronization Frequency
      Select the interval at which Security Center automatically syncs GCP host assets. Select Close to disable synchronization.

    AK Service Status Check
      Select the interval at which Security Center automatically checks the validity of the GCP service account key. Select Close to disable the check.

  2. Click Synchronize Assets to sync all host assets under the GCP service account to Security Center.

Step 5: Verify the results

In the Security Center console, navigate to the Assets > Host page. In the Add Multi-cloud Asset section, click the image icon. A list of your GCP assets appears, which confirms that they were successfully onboarded. For more information, see Host assets.

What to do next

  1. Install the Security Center client on your GCP assets.

  2. Associate a Security Center edition with your GCP assets. We recommend that you associate a paid edition to obtain security protection and hardening capabilities. The Free edition provides only basic detection and no protection. For more information about the differences between editions, see Purchase Security Center.