GCP
Overview
Visualize and analyze GCP resources across compute, networking, storage, security, serverless, messaging, observability, and DevOps services. Gain actionable insights into resource utilization, governance, and security posture. Monitor resource visibility, identify misconfigurations, ensure compliance with organizational policies, and detect vulnerabilities in infrastructure and data.
Configurations
| Configuration | Description |
|---|---|
| Blueprint Account Name | A human-readable name for your account that will be used to identify this account across the application. |
| Gcp Project ID | The unique identifier for your Google Cloud project. |
| Client ID | The ID of the client associated with the service account for authentication. |
| Client Email | The email address associated with the service account used for authentication. |
| Private Key ID | The unique identifier for the private key associated with the service account. |
| Private Key | The private key used to authenticate the service account. |
| Regions | The GCP regions where resources will be discovered and monitored. |
| Billing Export Project | (Optional) The GCP project that hosts the BigQuery billing export. Defaults to the main GCP Project ID if not specified. Required for cost enrichment lookups. |
| Billing Export Dataset | (Optional) The BigQuery dataset containing the billing export. Required for cost enrichment lookups. |
| Billing Export Table | (Optional) The BigQuery table name of the billing export (e.g., gcp_billing_export_v1_XXXXXX_XXXXXX). Required for cost enrichment lookups. |
| Data Crawl Frequency | The frequency at which Kscope will crawl the account for resources. |
| Event Crawl Frequency | The frequency at which Kscope will crawl for events and activity logs. |
Permissions
The GCP blueprint requires a Service Account with appropriate IAM roles.
Automated Setup (Recommended)
Use our Terraform configuration to automatically create the service account and assign all required roles.
Infrastructure Manager requires a service account to execute Terraform on your behalf. This service account needs the following roles:
| Role | Purpose |
|---|---|
| roles/config.agent | Required by Infrastructure Manager to manage deployments |
| roles/iam.serviceAccountAdmin | Create the Kscope crawl service account and generate keys |
| roles/resourcemanager.projectIamAdmin | Bind IAM roles to the crawl service account |
Create the service account and assign the roles. Note that this identity can create service account keys and grant any project-level role, so it is itself highly privileged: keep it dedicated to Infrastructure Manager and remove the bindings (or the service account) once the deployment is no longer needed.
```shell
# Create the service account for Infrastructure Manager
gcloud iam service-accounts create infra-manager-sa \
  --display-name="Infrastructure Manager SA" \
  --project=YOUR_PROJECT_ID

# Assign required roles (project-level bindings)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:infra-manager-sa@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/config.agent"
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:infra-manager-sa@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/iam.serviceAccountAdmin"
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:infra-manager-sa@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/resourcemanager.projectIamAdmin"
```
Then deploy (replace YOUR_REGION with your preferred Infrastructure Manager location, e.g. us-central1). The principal running this command needs permission to create Infrastructure Manager deployments (for example roles/config.admin) and permission to act as the infra-manager-sa service account (iam.serviceAccounts.actAs, granted by roles/iam.serviceAccountUser on that service account); without the latter the apply is rejected.
```shell
gcloud infra-manager deployments apply \
  projects/YOUR_PROJECT_ID/locations/YOUR_REGION/deployments/kscope-crawl \
  --service-account projects/YOUR_PROJECT_ID/serviceAccounts/infra-manager-sa@YOUR_PROJECT_ID.iam.gserviceaccount.com \
  --gcs-source gs://kscope-blueprint-configs/gcp/gcp-latest.zip \
  --tf-version-constraint="1.5.7" \
  --input-values=project_id=YOUR_PROJECT_ID
```
> [!NOTE]
> The region above is where Infrastructure Manager stores deployment metadata; it does not affect where resources are created. The Terraform configuration only creates project-level IAM resources, which are global.
After the deployment completes, retrieve the credentials from the Outputs tab. The private_key output is a long-lived service account key, and it is also persisted in the deployment's Terraform state, which Infrastructure Manager keeps in a Cloud Storage bucket in your project; restrict access to that bucket, and delete the key (or the deployment) when the integration is decommissioned.
- Open the Infrastructure Manager console
- Click on the kscope-crawl deployment
- Go to the Outputs tab
The outputs map directly to the Kscope blueprint configuration:
| Output | Kscope Configuration |
|---|---|
| project_id | Gcp Project ID |
| client_email | Client Email |
| client_id | Client ID |
| private_key_id | Private Key ID |
| private_key | Private Key |
Manual Setup
Alternatively, you can create a service account manually in the Google Cloud console (IAM & Admin > Service Accounts). Give the service account a descriptive name and assign the required IAM roles.
When creating the service account manually, you will need to:
- Create the service account
- Assign the required IAM roles (see table below)
- Generate and download a JSON key file
- Extract the Client ID, Client Email, Private Key ID, and Private Key from the JSON file
Required IAM Roles
| Role | Services Covered |
|---|---|
| roles/viewer | Compute Engine, Cloud DNS, Cloud Storage, Pub/Sub, Cloud Logging, Cloud Monitoring, Cloud Audit Logs, VPC, NAT, Load Balancer, Endpoints. This is the basic Viewer role: it grants broad read access across the project, including read access to object contents in Cloud Storage buckets. |
| roles/iam.securityReviewer | IAM policies, service accounts, Identity Platform |
| roles/compute.securityAdmin | Cloud Armor security policies and rules. Not a read-only role: it also permits creating and modifying firewall rules, SSL certificates and security policies. |
| roles/compute.viewer | Compute Engine instances, disks, networks, Cloud CDN backend services |
| roles/container.viewer | GKE clusters, node pools, workloads |
| roles/cloudsql.viewer | Cloud SQL instances, databases, users |
| roles/cloudfunctions.viewer | Cloud Functions (Gen 1 and Gen 2) |
| roles/run.viewer | Cloud Run services, jobs, revisions |
| roles/redis.viewer | Memorystore for Redis instances |
| roles/firebase.viewer | Firebase projects, databases, hosting, storage |
| roles/artifactregistry.reader | Artifact Registry repositories and images |
| roles/cloudkms.viewer | Cloud KMS key rings, crypto keys, key versions |
| roles/secretmanager.viewer | Secret Manager secret metadata (does not expose secret values) |
| roles/bigquery.dataViewer | BigQuery datasets and tables. Includes bigquery.tables.getData, so table contents are readable, not only metadata and schema. |
| roles/accesscontextmanager.policyReader | VPC Service Controls access policies, service perimeters, access levels |
| roles/cloudbuild.builds.viewer | Cloud Build triggers, worker pools, builds |
| roles/datastore.viewer | Firestore databases, indexes, collection groups |
| roles/file.viewer | Cloud Filestore instances, snapshots, backups |
| roles/apigateway.viewer | API Gateway APIs, gateways, configurations |
| roles/aiplatform.viewer | Vertex AI models, endpoints, training pipelines |
| roles/eventarc.viewer | Eventarc triggers, channels, channel connections |
| roles/workflows.viewer | Cloud Workflows definitions and executions |
| roles/dataproc.viewer | Dataproc clusters, jobs, workflow templates |
| roles/composer.viewer | Cloud Composer environments and configurations |
| roles/spanner.viewer | Cloud Spanner instances and databases |
| roles/cloudtasks.viewer | Cloud Tasks queues and task metadata |
| roles/deploymentmanager.viewer | Deployment Manager deployments and resources |
| roles/config.viewer | Infrastructure Manager deployments, revisions, and resources |
| roles/alloydb.viewer | AlloyDB clusters and instances |
| roles/bigtable.viewer | Cloud Bigtable instances and clusters |
| roles/dataflow.viewer | Dataflow jobs and job metadata |
| roles/datacatalog.viewer | Data Catalog entry groups, entries, taxonomies, and policy tags |
All roles except roles/compute.securityAdmin are read-only. roles/compute.securityAdmin also carries write permissions on firewall rules, SSL certificates and Cloud Armor security policies, so review it against your organization's policy before binding it. Roles are only bound for services that are enabled in your project.
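The manual setup ends with extracting four fields from the downloaded key file, and in either setup path the crawl service account ends up with the bindings in the table above. The following script is an added example, not part of the Kscope product or its Terraform: it maps a key file onto the blueprint configuration names and audits a project IAM policy (the JSON produced by `gcloud projects get-iam-policy PROJECT --format=json`) for roles on the crawl account that are missing, undocumented, or outright privileged. The service account name kscope-crawl@example-project.iam.gserviceaccount.com, the key file and the policy are constructed placeholders.

```python
"""Added example (not Kscope's own code): map a service-account key file onto
the blueprint fields and audit the crawl SA's project IAM bindings against the
documented role list. All sample data below is constructed with placeholder values."""
import json

# The required-role table from this page, as a set.
REQUIRED_ROLES = {
    "roles/viewer", "roles/iam.securityReviewer", "roles/compute.securityAdmin",
    "roles/compute.viewer", "roles/container.viewer", "roles/cloudsql.viewer",
    "roles/cloudfunctions.viewer", "roles/run.viewer", "roles/redis.viewer",
    "roles/firebase.viewer", "roles/artifactregistry.reader", "roles/cloudkms.viewer",
    "roles/secretmanager.viewer", "roles/bigquery.dataViewer",
    "roles/accesscontextmanager.policyReader", "roles/cloudbuild.builds.viewer",
    "roles/datastore.viewer", "roles/file.viewer", "roles/apigateway.viewer",
    "roles/aiplatform.viewer", "roles/eventarc.viewer", "roles/workflows.viewer",
    "roles/dataproc.viewer", "roles/composer.viewer", "roles/spanner.viewer",
    "roles/cloudtasks.viewer", "roles/deploymentmanager.viewer", "roles/config.viewer",
    "roles/alloydb.viewer", "roles/bigtable.viewer", "roles/dataflow.viewer",
    "roles/datacatalog.viewer",
}
# Basic roles that must never sit on a crawl-only identity.
PRIVILEGED_ROLES = {"roles/owner", "roles/editor"}

# Key-file field -> Kscope configuration name (from the outputs table above).
FIELD_MAP = {
    "project_id": "Gcp Project ID",
    "client_id": "Client ID",
    "client_email": "Client Email",
    "private_key_id": "Private Key ID",
    "private_key": "Private Key",
}


def blueprint_fields_from_key(key_json):
    """Parse a downloaded service-account key file and return the blueprint fields."""
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service-account key file")
    missing = [f for f in FIELD_MAP if not key.get(f)]
    if missing:
        raise ValueError(f"key file is missing {missing}")
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM PKCS#8 block")
    return {FIELD_MAP[f]: key[f] for f in FIELD_MAP}


def audit_crawl_sa(policy, sa_email):
    """Compare the roles bound to sa_email in a project IAM policy with the documented list.
    'missing' can be legitimate: roles are only bound for services enabled in the project."""
    member = f"serviceAccount:{sa_email}"
    granted = {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}
    return {
        "missing": sorted(REQUIRED_ROLES - granted),
        "unexpected": sorted(granted - REQUIRED_ROLES),
        "privileged": sorted(granted & PRIVILEGED_ROLES),
    }


# Constructed sample key file; the private key is a placeholder, not real key material.
SAMPLE_SA = "kscope-crawl@example-project.iam.gserviceaccount.com"
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123abcd",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": SAMPLE_SA,
    "client_id": "123456789012345678901",
})
# Constructed sample IAM policy: the crawl SA was also given Editor by mistake.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/viewer", "members": [f"serviceAccount:{SAMPLE_SA}"]},
        {"role": "roles/compute.viewer", "members": [f"serviceAccount:{SAMPLE_SA}", "user:alice@example.com"]},
        {"role": "roles/editor", "members": [f"serviceAccount:{SAMPLE_SA}"]},
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
    ]
}

if __name__ == "__main__":
    for name, value in blueprint_fields_from_key(SAMPLE_KEY_JSON).items():
        print(f"{name}: {'<redacted>' if name == 'Private Key' else value}")
    print(json.dumps(audit_crawl_sa(SAMPLE_POLICY, SAMPLE_SA), indent=2))
```

Run the audit after the Terraform deployment or the manual setup; anything in `privileged` or `unexpected` is a binding to remove before pasting the key into the blueprint.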
SBOM Generation
The GCP blueprint includes SBOM (Software Bill of Materials) generation for Docker container images stored in Google Artifact Registry. This provides comprehensive vulnerability scanning and dependency analysis for containerized applications.
Artifact Registry repositories with DOCKER format are automatically scanned. The scanner authenticates using OAuth2 access tokens derived from the configured service account credentials.
For information about supported languages and package managers for SBOM generation, see: SBOM
Schema Model
| Resources | Source Entity | Normalized Entity | Description |
|---|---|---|---|
| Attached Disk | gcp.compute.AttachedDisk | Storage | A disk attached to a GCP compute instance. |
| Compute Attributes | gcp.compute.ComputeAttributes | Attributes | Attributes of a GCP compute resource. |
| Disk | gcp.compute.Disk | Storage | A persistent disk in GCP compute. |
| Firewall | gcp.compute.Firewall | Firewall | A firewall for controlling network traffic. |
| Firewall Rule | gcp.compute.FirewallRule | Rule | A rule defining firewall behavior. |
| IP Range | gcp.compute.IPRange | IPRange | A range of IPs defined for a network. |
| Instance | gcp.compute.Instance | Instance | A virtual machine instance in GCP. |
| Network | gcp.compute.Network | Network | A virtual network in GCP. |
| Network Interface | gcp.compute.NetworkInterface | Interface | A network interface for compute resources. |
| Subnetwork | gcp.compute.Subnetwork | Subnetwork | A subnetwork within a GCP virtual network. |
| DNS Attributes | gcp.dns.DNSAttributes | Attributes | Attributes of a DNS resource in GCP. |
| DNS Key Spec | gcp.dns.DnsKeySpec | KeySpec | Specification of a DNS key in GCP. |
| Managed Zone | gcp.dns.ManagedZone | Zone | A managed DNS zone in GCP. |
| Managed Zone Cloud Logging Config | gcp.dns.ManagedZoneCloudLoggingConfig | LoggingConfig | Logging configuration for a DNS zone. |
| Managed Zone DNS Sec Config | gcp.dns.ManagedZoneDnsSecConfig | DNSConfig | DNS security configuration for a zone. |
| Managed Zone Forwarding Config | gcp.dns.ManagedZoneForwardingConfig | ForwardingConfig | Forwarding configuration for a DNS zone. |
| Managed Zone Forwarding Config NameServer | gcp.dns.ManagedZoneForwardingConfigNameServerTarget | NameServerTarget | A target name server for forwarding config. |
| Managed Zone Peering Config | gcp.dns.ManagedZonePeeringConfig | PeeringConfig | Peering configuration for a DNS zone. |
| Managed Zone Peering Config Target Network | gcp.dns.ManagedZonePeeringConfigTargetNetwork | TargetNetwork | A target network for peering config. |
| Managed Zone Private Visibility Config | gcp.dns.ManagedZonePrivateVisibilityConfig | VisibilityConfig | Configuration for private visibility. |
| Managed Zone Private Visibility Config GKE | gcp.dns.ManagedZonePrivateVisibilityConfigGKECluster | GKEVisibility | GKE cluster configuration for visibility. |
| Managed Zone Private Visibility Config Network | gcp.dns.ManagedZonePrivateVisibilityConfigNetwork | NetworkVisibility | Network visibility configuration. |
| Managed Zone Reverse Lookup Config | gcp.dns.ManagedZoneReverseLookupConfig | ReverseLookup | Configuration for reverse DNS lookup. |
| Managed Zone Service Directory Config | gcp.dns.ManagedZoneServiceDirectoryConfig | ServiceDirectory | Service directory configuration for a zone. |
| Resource Record Set | gcp.dns.ResourceRecordSet | RecordSet | A set of DNS resource records. |
| GKE Attributes | gcp.gke.GKEAttributes | Attributes | Attributes of a GKE resource. |
| GKE Cluster | gcp.gke.GKECluster | Cluster | A Kubernetes cluster in GCP. |
| GKE Node Config | gcp.gke.GKENodeConfig | NodeConfig | Configuration for a GKE node. |
| GKE Node Pool | gcp.gke.GKENodePool | NodePool | A node pool in a GKE cluster. |
| ACL Rule | gcp.storage.ACLRule | Rule | Access control list rule for storage. |
| Autoclass | gcp.storage.Autoclass | Class | Autoclass configuration for storage. |
| Bucket | gcp.storage.Bucket | Storage | A storage bucket in GCP. |
| Bucket Encryption | gcp.storage.BucketEncryption | Encryption | Encryption settings for a bucket. |
| Bucket Logging | gcp.storage.BucketLogging | Logging | Logging settings for a bucket. |
| Bucket Policy Only | gcp.storage.BucketPolicyOnly | Policy | Policy configuration for a bucket. |
| CORS | gcp.storage.CORS | CORS | Cross-origin resource sharing configuration. |
| Custom Placement Config | gcp.storage.CustomPlacementConfig | PlacementConfig | Custom placement configuration. |
| Lifecycle | gcp.storage.Lifecycle | Lifecycle | Lifecycle rules for storage. |
| Lifecycle Action | gcp.storage.LifecycleAction | Action | An action defined in a lifecycle rule. |
| Lifecycle Condition | gcp.storage.LifecycleCondition | Condition | A condition defined in a lifecycle rule. |
| Lifecycle Rule | gcp.storage.LifecycleRule | Rule | A rule in a storage lifecycle policy. |
| Object | gcp.storage.Object | Object | An object stored in a GCP bucket. |
| Project Team | gcp.storage.ProjectTeam | Team | A project team configuration. |
| Retention Policy | gcp.storage.RetentionPolicy | RetentionPolicy | Retention policy for a storage bucket. |
| Soft Delete Policy | gcp.storage.SoftDeletePolicy | SoftDeletePolicy | Soft delete policy for storage. |
| Storage Attributes | gcp.storage.StorageAttributes | Attributes | Attributes of a storage resource. |
| Firebase Attributes | gcp.firebase.FirebaseAttributes | Attributes | Attributes of a Firebase project. |
| Firebase Storage Bucket | gcp.firebase.StorageBucket | Storage | A Firebase storage bucket. |
| Firebase Database Instance | gcp.firebase.DatabaseInstance | Database | A Firebase Realtime Database instance. |
| Firebase Hosting Site | gcp.firebase.HostingSite | HostingSite | A Firebase Hosting site. |
| Firebase Auth Config | gcp.firebase.AuthConfig | AuthConfig | Authentication configuration for Firebase. |
| Firebase Auth Settings | gcp.firebase.AuthSettings | AuthSettings | Authentication settings for Firebase. |
| Firebase Functions Config | gcp.firebase.FunctionsConfig | FunctionsConfig | Cloud Functions configuration for Firebase. |
| Firebase Lifecycle | gcp.firebase.Lifecycle | Lifecycle | Lifecycle rules for Firebase storage. |
| Firebase Lifecycle Rule | gcp.firebase.LifecycleRule | Rule | A rule in a Firebase storage lifecycle. |
| Firebase Lifecycle Action | gcp.firebase.LifecycleAction | Action | An action in a Firebase lifecycle rule. |
| Firebase Lifecycle Condition | gcp.firebase.LifecycleCondition | Condition | A condition in a Firebase lifecycle rule. |
| Firebase CORS | gcp.firebase.CORS | CORS | CORS configuration for Firebase storage. |
| Firebase Uniform Bucket Level Access | gcp.firebase.UniformBucketLevelAccess | BucketAccess | Uniform bucket-level access for Firebase. |
| Identity Attributes | gcp.identity.IdentityAttributes | Attributes | Attributes of an Identity Platform resource. |
| Identity Tenant Config | gcp.identity.TenantConfig | TenantConfig | Identity Platform tenant configuration. |
| Identity Email Config | gcp.identity.EmailConfig | EmailConfig | Identity Platform email configuration. |
| Identity Active User | gcp.identity.ActiveUser | User | An active user in Identity Platform. |
| Identity User Activity Stats | gcp.identity.UserActivityStats | UserStats | User activity statistics. |
| IAM Service Account | gcp.iam.ServiceAccount | ServiceAccount | A GCP IAM service account. |
| IAM Policy | gcp.iam.IAMPolicy | Policy | An IAM policy. |
| IAM Policy Binding | gcp.iam.IAMPolicyBinding | PolicyBinding | An IAM policy binding associating members with roles. |
| IAM Attributes | gcp.iam.IAMAttributes | Attributes | Attributes of IAM resources. |
| Cloud Functions Attributes | gcp.cloudfunctions.CloudFunctionsAttributes | Attributes | Attributes of Cloud Functions resources. |
| Cloud Function | gcp.cloudfunctions.Function | Function | A Cloud Function (Gen 1 or Gen 2). |
| Cloud Function Build Config | gcp.cloudfunctions.BuildConfig | BuildConfig | Build configuration for a Cloud Function. |
| Cloud Function Service Config | gcp.cloudfunctions.ServiceConfig | ServiceConfig | Service configuration for a Cloud Function. |
| Cloud Run Attributes | gcp.cloudrun.CloudRunAttributes | Attributes | Attributes of Cloud Run resources. |
| Cloud Run Service | gcp.cloudrun.CloudRunServiceResource | Service | A Cloud Run service. |
| Cloud Run Revision Template | gcp.cloudrun.RevisionTemplate | RevisionTemplate | A revision template for a Cloud Run service. |
| Cloud Run Traffic Target | gcp.cloudrun.TrafficTarget | TrafficTarget | A traffic routing target for Cloud Run. |
| Cloud Run Container | gcp.cloudrun.Container | Container | A container in a Cloud Run service. |
| Pub/Sub Attributes | gcp.pubsub.PubSubAttributes | Attributes | Attributes of Pub/Sub resources. |
| Pub/Sub Topic | gcp.pubsub.Topic | Topic | A Pub/Sub topic. |
| Pub/Sub Subscription | gcp.pubsub.Subscription | Subscription | A Pub/Sub subscription. |
| KMS Attributes | gcp.kms.KMSAttributes | Attributes | Attributes of Cloud KMS resources. |
| KMS Key Ring | gcp.kms.KeyRing | KeyRing | A Cloud KMS key ring. |
| KMS Crypto Key | gcp.kms.CryptoKey | CryptoKey | A cryptographic key in Cloud KMS. |
| KMS Crypto Key Version | gcp.kms.CryptoKeyVersion | KeyVersion | A version of a Cloud KMS crypto key. |
| Secret Manager Attributes | gcp.secretmanager.SecretManagerAttributes | Attributes | Attributes of Secret Manager resources. |
| Secret | gcp.secretmanager.Secret | Secret | A secret in Secret Manager. |
| Secret Version | gcp.secretmanager.SecretVersion | SecretVersion | A version of a secret in Secret Manager. |
| Logging Attributes | gcp.logging.LoggingAttributes | Attributes | Attributes of Cloud Logging resources. |
| Log Sink | gcp.logging.LogSink | LogSink | A Cloud Logging log sink. |
| Log Metric | gcp.logging.LogMetric | LogMetric | A Cloud Logging log-based metric. |
| Monitoring Attributes | gcp.monitoring.MonitoringAttributes | Attributes | Attributes of Cloud Monitoring resources. |
| Alert Policy | gcp.monitoring.AlertPolicy | AlertPolicy | A Cloud Monitoring alert policy. |
| Alert Condition | gcp.monitoring.AlertCondition | AlertCondition | A condition within an alert policy. |
| Notification Channel | gcp.monitoring.NotificationChannel | NotificationChannel | A Cloud Monitoring notification channel. |
| Uptime Check Config | gcp.monitoring.UptimeCheckConfig | UptimeCheck | An uptime check configuration. |
| Artifact Registry Attributes | gcp.artifactregistry.ArtifactRegistryAttributes | Attributes | Attributes of Artifact Registry resources. |
| Artifact Registry Repository | gcp.artifactregistry.Repository | Repository | An Artifact Registry repository. |
| Artifact Registry Docker Image | gcp.artifactregistry.DockerImage | DockerImage | A Docker image in Artifact Registry. |
| Artifact Registry Package | gcp.artifactregistry.Package | Package | A package in Artifact Registry. |
| Audit Logs Attributes | gcp.auditlogs.AuditLogsAttributes | Attributes | Attributes of Cloud Audit Logs resources. |
| Audit Config | gcp.auditlogs.AuditConfig | AuditConfig | An audit configuration for a GCP service. |
| Audit Log Config | gcp.auditlogs.AuditLogConfig | AuditLogConfig | An audit log type configuration. |
| Memorystore Attributes | gcp.memorystore.MemorystoreAttributes | Attributes | Attributes of Memorystore resources. |
| Memorystore Redis Instance | gcp.memorystore.RedisInstance | RedisInstance | A Memorystore for Redis instance. |
| Memorystore Persistence Config | gcp.memorystore.PersistenceConfig | PersistenceConfig | Persistence configuration for Redis. |
| Memorystore Maintenance Policy | gcp.memorystore.MaintenancePolicy | MaintenancePolicy | Maintenance policy for a Redis instance. |
| Cloud SQL Instance | gcp.cloudsql.Instance | Instance | A Cloud SQL database instance. |
| Cloud SQL Database | gcp.cloudsql.Database | Database | A database within a Cloud SQL instance. |
| Cloud SQL User | gcp.cloudsql.User | User | A user account for a Cloud SQL instance. |
| Cloud SQL Settings | gcp.cloudsql.Settings | Settings | Configuration settings for a Cloud SQL instance. |
| Cloud SQL Backup Configuration | gcp.cloudsql.BackupConfiguration | BackupConfig | Backup configuration for a Cloud SQL instance. |
| Cloud SQL IP Configuration | gcp.cloudsql.IPConfiguration | IPConfig | IP and SSL configuration for Cloud SQL. |
| Cloud SQL IP Address | gcp.cloudsql.IPAddress | IPAddress | An IP address assigned to a Cloud SQL instance. |
| Cloud SQL Maintenance Window | gcp.cloudsql.MaintenanceWindow | MaintenanceWindow | Maintenance window for a Cloud SQL instance. |
| Cloud SQL Authorized Network | gcp.cloudsql.AuthorizedNetwork | AuthorizedNetwork | An authorized network for Cloud SQL access. |
| Cloud SQL Location Preference | gcp.cloudsql.LocationPreference | LocationPreference | Preferred zone for a Cloud SQL instance. |
| Cloud SQL Attributes | gcp.cloudsql.CloudSQLAttributes | Attributes | Attributes of Cloud SQL resources. |
| VPC Subnetwork | gcp.vpc.Subnetwork | Subnetwork | A VPC subnetwork. |
| VPC Route | gcp.vpc.Route | Route | A VPC network route. |
| VPC Network | gcp.vpc.Network | Network | A VPC network. |
| VPC Firewall Rule | gcp.vpc.FirewallRule | FirewallRule | A VPC firewall rule. |
| VPC Firewall Allowed | gcp.vpc.FirewallAllowed | FirewallAllowed | Allowed protocols/ports in a firewall rule. |
| VPC Firewall Denied | gcp.vpc.FirewallDenied | FirewallDenied | Denied protocols/ports in a firewall rule. |
| VPC Firewall Log Config | gcp.vpc.FirewallLogConfig | LogConfig | Logging configuration for a firewall rule. |
| VPC Subnetwork Secondary Range | gcp.vpc.SubnetworkSecondaryRange | SecondaryRange | A secondary IP range for a VPC subnetwork. |
| VPC Network Routing Config | gcp.vpc.NetworkRoutingConfig | RoutingConfig | Routing configuration for a VPC network. |
| VPC Attributes | gcp.vpc.VPCAttributes | Attributes | Attributes of VPC resources. |
| Cloud Run Container Port | gcp.cloudrun.ContainerPort | ContainerPort | A port exposed by a Cloud Run container. |
| Cloud Run Scaling | gcp.cloudrun.Scaling | Scaling | Scaling configuration for a Cloud Run service. |
| KMS Key Version Template | gcp.kms.KeyVersionTemplate | KeyVersionTemplate | Template for Cloud KMS key version settings. |
| Pub/Sub Expiration Policy | gcp.pubsub.ExpirationPolicy | ExpirationPolicy | Expiration policy for a Pub/Sub subscription. |
| Secret Manager Replication | gcp.secretmanager.Replication | Replication | Replication configuration for a secret. |
| NAT Attributes | gcp.nat.NATAttributes | Attributes | Attributes of Cloud NAT resources. |
| Endpoints Attributes | gcp.endpoint.EndpointsAttributes | Attributes | Attributes of Cloud Endpoints resources. |
| BigQuery Attributes | gcp.bigquery.BigQueryAttributes | Attributes | Attributes of BigQuery resources. |
| BigQuery Dataset | gcp.bigquery.Dataset | Dataset | A BigQuery dataset. |
| BigQuery Table | gcp.bigquery.Table | Table | A BigQuery table. |
| BigQuery Encryption Configuration | gcp.bigquery.EncryptionConfiguration | EncryptionConfig | Default encryption configuration for a dataset. |
| Cloud Armor Attributes | gcp.cloudarmor.CloudArmorAttributes | Attributes | Attributes of Cloud Armor resources. |
| Cloud Armor Security Policy | gcp.cloudarmor.SecurityPolicy | SecurityPolicy | A Cloud Armor security policy. |
| Cloud Armor Security Policy Rule | gcp.cloudarmor.SecurityPolicyRule | PolicyRule | A rule within a Cloud Armor security policy. |
| Cloud Build Attributes | gcp.cloudbuild.CloudBuildAttributes | Attributes | Attributes of Cloud Build resources. |
| Cloud Build Trigger | gcp.cloudbuild.BuildTrigger | BuildTrigger | A Cloud Build trigger. |
| Cloud Build Worker Pool | gcp.cloudbuild.WorkerPool | WorkerPool | A Cloud Build private worker pool. |
| Firestore Attributes | gcp.firestore.FirestoreAttributes | Attributes | Attributes of Firestore resources. |
| Firestore Database | gcp.firestore.FirestoreDatabase | Database | A Firestore database instance. |
| Cloud Filestore Attributes | gcp.filestore.FilestoreAttributes | Attributes | Attributes of Cloud Filestore resources. |
| Cloud Filestore Instance | gcp.filestore.FilestoreInstance | Instance | A Cloud Filestore managed file share. |
| API Gateway Attributes | gcp.apigateway.APIGatewayAttributes | Attributes | Attributes of API Gateway resources. |
| API Gateway API | gcp.apigateway.APIGatewayAPI | API | An API Gateway API definition. |
| API Gateway Gateway | gcp.apigateway.APIGatewayGateway | Gateway | An API Gateway deployment. |
| Vertex AI Attributes | gcp.vertexai.VertexAIAttributes | Attributes | Attributes of Vertex AI resources. |
| Vertex AI Model | gcp.vertexai.VertexAIModel | Model | A Vertex AI model. |
| Vertex AI Endpoint | gcp.vertexai.VertexAIEndpoint | Endpoint | A Vertex AI model serving endpoint. |
| Eventarc Attributes | gcp.eventarc.EventarcAttributes | Attributes | Attributes of Eventarc resources. |
| Eventarc Trigger | gcp.eventarc.EventarcTrigger | Trigger | An Eventarc event trigger. |
| Eventarc Channel | gcp.eventarc.EventarcChannel | Channel | An Eventarc event channel. |
| Cloud Workflows Attributes | gcp.workflows.WorkflowsAttributes | Attributes | Attributes of Cloud Workflows resources. |
| Cloud Workflow | gcp.workflows.WorkflowResource | Workflow | A Cloud Workflows workflow definition. |
| Dataproc Attributes | gcp.dataproc.DataprocAttributes | Attributes | Attributes of Dataproc resources. |
| Dataproc Cluster | gcp.dataproc.DataprocCluster | Cluster | A Dataproc cluster. |
| Dataproc Job | gcp.dataproc.DataprocJob | Job | A Dataproc job. |
| Cloud Composer Attributes | gcp.composer.ComposerAttributes | Attributes | Attributes of Cloud Composer resources. |
| Cloud Composer Environment | gcp.composer.Environment | Environment | A Cloud Composer (Airflow) environment. |
| Cloud Spanner Attributes | gcp.spanner.SpannerAttributes | Attributes | Attributes of Cloud Spanner resources. |
| Cloud Spanner Instance | gcp.spanner.Instance | Instance | A Cloud Spanner instance. |
| Cloud Spanner Database | gcp.spanner.Database | Database | A database within a Cloud Spanner instance. |
| Cloud Tasks Attributes | gcp.cloudtasks.CloudTasksAttributes | Attributes | Attributes of Cloud Tasks resources. |
| Cloud Tasks Queue | gcp.cloudtasks.Queue | Queue | A Cloud Tasks queue. |
| Cloud CDN Attributes | gcp.cloudcdn.CloudCDNAttributes | Attributes | Attributes of Cloud CDN resources. |
| Cloud CDN Backend Service | gcp.cloudcdn.CDNBackendService | BackendService | A CDN-enabled backend service. |
| Cloud CDN Policy | gcp.cloudcdn.CDNPolicy | CDNPolicy | A CDN caching policy configuration. |
| Deployment Manager Attributes | gcp.deploymentmanager.DeploymentManagerAttributes | Attributes | Attributes of Deployment Manager resources. |
| Deployment Manager Deployment | gcp.deploymentmanager.Deployment | Deployment | A Deployment Manager deployment. |
| Deployment Manager Resource | gcp.deploymentmanager.Resource | Resource | A resource within a Deployment Manager deployment. |
| Infrastructure Manager Attributes | gcp.infrastructuremanager.InfrastructureManagerAttributes | Attributes | Attributes of Infrastructure Manager resources. |
| Infrastructure Manager Deployment | gcp.infrastructuremanager.Deployment | Deployment | A Terraform-based Infrastructure Manager deployment. |
| Infrastructure Manager Resource | gcp.infrastructuremanager.Resource | Resource | A Terraform resource managed by Infrastructure Manager. |
| AlloyDB Attributes | gcp.alloydb.AlloyDBAttributes | Attributes | Attributes of AlloyDB resources. |
| AlloyDB Cluster | gcp.alloydb.Cluster | Cluster | An AlloyDB cluster. |
| AlloyDB Instance | gcp.alloydb.Instance | Instance | An instance within an AlloyDB cluster. |
| Cloud Bigtable Attributes | gcp.bigtable.BigtableAttributes | Attributes | Attributes of Cloud Bigtable resources. |
| Cloud Bigtable Instance | gcp.bigtable.Instance | Instance | A Cloud Bigtable instance. |
| Cloud Bigtable Cluster | gcp.bigtable.Cluster | Cluster | A cluster within a Cloud Bigtable instance. |
| Dataflow Attributes | gcp.dataflow.DataflowAttributes | Attributes | Attributes of Dataflow resources. |
| Dataflow Job | gcp.dataflow.Job | Job | A Cloud Dataflow job. |
| Data Catalog Attributes | gcp.datacatalog.DataCatalogAttributes | Attributes | Attributes of Data Catalog resources. |
| Data Catalog Entry Group | gcp.datacatalog.EntryGroup | EntryGroup | A Data Catalog entry group. |
| Data Catalog Entry | gcp.datacatalog.Entry | Entry | An entry within a Data Catalog entry group. |
| Data Catalog Policy Taxonomy | gcp.datacatalog.PolicyTaxonomy | PolicyTaxonomy | A Data Catalog policy taxonomy for data governance. |
| Data Catalog Policy Tag | gcp.datacatalog.PolicyTag | PolicyTag | A policy tag within a Data Catalog taxonomy. |
IaC Resource Relationships
The blueprint automatically correlates Infrastructure as Code (IaC) resources with the actual cloud resources they manage:
- iac.DeployedAs: links Terraform source code resources (scanned from repositories) to their deployed Infrastructure Manager resources, matching by resource type.
- iac.ManagesResource: links Infrastructure Manager resources to the actual GCP cloud resources they provision (Compute instances, Cloud SQL databases, GKE clusters, etc.), matching by TerraformID.
Security Insights (CSPM)
The GCP blueprint includes Cloud Security Posture Management (CSPM) insights that automatically detect misconfigurations across your GCP environment.
| Insight | Severity | Description |
|---|---|---|
| GCS Buckets Without Versioning | Medium | Detects Cloud Storage buckets with object versioning disabled, risking permanent data loss from accidental overwrites or deletions. |
| GCS Buckets Without Public Access Prevention | High | Detects Cloud Storage buckets that do not enforce public access prevention, relying on individual ACLs which may allow unintended public access. |
| VPC Firewall Rules Allowing All Ingress | High | Detects VPC firewall rules that allow ingress traffic from any source (0.0.0.0/0), exposing services to the internet. |
| VPC Subnets Without Flow Logs | Medium | Detects VPC subnets with VPC Flow Logs disabled, limiting network traffic visibility and forensic capabilities. |
| Cloud DNS Zones Without Logging | Medium | Detects Cloud DNS managed zones with DNS query logging disabled, reducing visibility into DNS resolution activity. |
| Cloud Run Services With Public Ingress | Medium | Detects Cloud Run services configured to allow ingress from all traffic sources, exposing them to the public internet. |
| Cloud Functions With Public Ingress | Medium | Detects Cloud Functions configured to allow ingress from all traffic sources, exposing them to the public internet. |
| Cloud SQL Instances Without SSL Enforcement | High | Detects Cloud SQL instances that do not require SSL/TLS for connections, allowing unencrypted database traffic. |
| Cloud SQL Instances Without Automated Backups | High | Detects Cloud SQL instances with automated backups disabled, risking permanent data loss. |
| Cloud Logging Sinks Disabled | Medium | Detects Cloud Logging sinks that are disabled, potentially breaking log routing and compliance-required log retention. |
| Cloud KMS Keys Without Automatic Rotation | Medium | Detects Cloud KMS cryptographic keys without automatic rotation configured, using the same key material indefinitely. |
| VPC Firewall Rules Allowing SSH from Internet | High | Detects VPC firewall rules that allow SSH (port 22) ingress from 0.0.0.0/0, exposing instances to brute-force attacks. |
| VPC Firewall Rules Allowing RDP from Internet | High | Detects VPC firewall rules that allow RDP (port 3389) ingress from 0.0.0.0/0, exposing instances to remote desktop attacks. |
| Default VPC Network In Use | Medium | Detects projects using the default VPC network, which has overly permissive pre-configured firewall rules. |
| VPC Subnets Without Private Google Access | Medium | Detects VPC subnets with Private Google Access disabled, requiring external IPs to reach Google APIs and services. |
| Cloud SQL Instances Publicly Accessible | High | Detects Cloud SQL instances with authorized networks allowing access from 0.0.0.0/0, exposing databases to the internet. |
| GCS Buckets Without Retention Policy | Medium | Detects Cloud Storage buckets without a retention policy, risking data loss from accidental or malicious deletion. |
| VPC Firewall Rules Without Logging | Medium | Detects VPC firewall rules with logging disabled, creating blind spots in network traffic auditing and incident investigation. |
| Cloud SQL Instances With Public IP | High | Detects Cloud SQL instances with IPv4 public IP enabled, exposing databases directly to the internet. |
| GKE Node Configurations Using Default Service Account | High | Detects GKE node configurations using the default Compute Engine service account, which grants overly broad Editor-level permissions. |
| GKE Clusters Without Master Authorized Networks | High | Detects GKE clusters without master authorized networks enabled, leaving the Kubernetes API server accessible from any IP address. |
| GCS Buckets Without Uniform Bucket-Level Access | Medium | Detects Cloud Storage buckets without uniform bucket-level access, relying on fine-grained object ACLs that are error-prone and harder to audit. |
| GCS Buckets Without Access Logging | Medium | Detects Cloud Storage buckets without access logging enabled, leaving no audit trail for data access monitoring. |
| GCS Buckets Without Customer-Managed Encryption Keys | Medium | Detects Cloud Storage buckets not encrypted with CMEK, relying entirely on Google-managed keys without independent key lifecycle control. |
| GCS Buckets With Public ACL Rules | Critical | Detects Cloud Storage bucket ACL rules granting access to allUsers or allAuthenticatedUsers, making data publicly accessible. |
| GKE Clusters Not Configured as Private | High | Detects GKE clusters without a private cluster configuration, leaving nodes with public IPs and the API server endpoint reachable from the internet. |
| Cloud Run Services Using Default Service Account | Medium | Detects Cloud Run services using the default Compute Engine service account with broad Editor-level permissions. |
| Cloud Functions Using Default Service Account | Medium | Detects Cloud Functions using the default Compute Engine service account with broad Editor-level permissions. |
| Service Accounts With Admin Privileges | High | Detects IAM policy bindings granting Editor or Owner roles to service accounts, violating least privilege. |
| Audit Logging Not Configured for All Services | High | Detects projects without Cloud Audit Logging configured for all services, creating visibility gaps. |
| Secrets Without Rotation Configured | Medium | Detects Secret Manager secrets without automatic rotation, leaving compromised secrets valid indefinitely. |
| Memorystore Redis Without AUTH | High | Detects Memorystore Redis instances without AUTH enabled, allowing unauthenticated client connections. |
| Memorystore Redis Without Transit Encryption | High | Detects Memorystore Redis instances without transit encryption, transmitting data in plaintext. |
| BigQuery Datasets Without CMEK | Medium | Detects BigQuery datasets without customer-managed encryption keys, relying on Google-managed encryption without independent key lifecycle control. |
| Cloud Armor Policies Without Adaptive Protection | Medium | Detects Cloud Armor security policies without adaptive DDoS defense enabled, leaving applications vulnerable to L7 DDoS attacks. |
| Cloud Armor Rules in Preview Mode | Low | Detects Cloud Armor security policy rules in preview mode that log but do not enforce actions, creating gaps between perceived and actual protection. |
| Firestore Databases Without Point-in-Time Recovery | Medium | Detects Firestore databases without PITR enabled, limiting recovery options after data corruption or accidental deletions. |
| Firestore Databases Without Delete Protection | Medium | Detects Firestore databases without delete protection, allowing accidental or unauthorized database deletion. |
| Cloud Spanner Databases Without Version Retention | Medium | Detects Cloud Spanner databases without version retention configured, limiting point-in-time recovery capabilities. |
| Cloud Build Disabled Triggers | Low | Detects disabled Cloud Build triggers that may indicate abandoned CI/CD pipelines with potentially stale configurations. |
| Vertex AI Endpoints Without VPC Network | Medium | Detects Vertex AI endpoints without VPC network isolation, exposing prediction traffic to the public internet. |
| Cloud Composer Environments Not Private | Medium | Detects Cloud Composer environments without private configuration, exposing the Airflow web server and GKE nodes to the internet. |
| Deployment Manager Deployments With Failed Status | Medium | Detects GCP Deployment Manager deployments with a FAILED status, indicating infrastructure provisioning issues that may leave resources in an inconsistent state. |
| Infrastructure Manager Deployments With Failed Status | Medium | Detects GCP Infrastructure Manager (Terraform) deployments with a FAILED status, indicating Terraform-based infrastructure provisioning issues that may leave resources in an inconsistent state. |
| AlloyDB Clusters Without CMEK | Medium | Detects AlloyDB clusters not encrypted with customer-managed encryption keys (CMEK), relying on Google-managed keys without independent key lifecycle control. |
| AlloyDB Clusters Without Continuous Backup | High | Detects AlloyDB clusters without continuous backup enabled, limiting point-in-time recovery capabilities and increasing potential data loss during incidents. |
| AlloyDB Clusters With Low Backup Retention | Medium | Detects AlloyDB clusters with continuous backup retention configured for fewer than 7 days, limiting the recovery window for data corruption or security incidents. |
| Cloud Bigtable Clusters Without CMEK | Medium | Detects Cloud Bigtable clusters not encrypted with customer-managed encryption keys (CMEK), relying on Google-managed keys without independent key lifecycle control. |
| Dataflow Jobs Using Default Service Account | Medium | Detects Dataflow jobs using the default Compute Engine service account with broad Editor-level permissions instead of a dedicated, least-privilege service account. |
| Dataflow Jobs Using Public IPs | Medium | Detects Dataflow jobs configured to use public IP addresses on worker VMs, increasing the attack surface by exposing workers to the internet. |
| Data Catalog Taxonomies Without Policy Tags | Medium | Detects Data Catalog taxonomies with no policy tags configured, limiting data governance and fine-grained access control capabilities on BigQuery columns and other data assets. |
Events
| Event | Description |
|---|---|
| k8s_container | Monitors and manages Kubernetes containers running in GKE clusters. |
| k8s_cluster | Represents a Google Kubernetes Engine (GKE) cluster. |
| cloud_composer_environment | Refers to an instance of Cloud Composer, used for workflow orchestration. |
| k8s_node | Represents a node in a Kubernetes cluster. |
| dns_managed_zone | Refers to a DNS managed zone in Google Cloud DNS. |
| k8s_pod | Tracks and manages individual pods in a Kubernetes cluster. |
| cloudsql_database | Represents a Cloud SQL database instance. |
| apigateway.googleapis.com/Gateway | Represents an API Gateway deployment in Google Cloud. |
| cloud_run_revision | Represents a specific revision of a Cloud Run service. |
| gce_instance | Refers to a Compute Engine virtual machine instance. |
| gce_instance_group_manager | Manages instance groups in Compute Engine. |
| gke_nodepool | Refers to a group of nodes within a GKE cluster. |
| gce_instance_template | Defines a template for Compute Engine instances. |
| gce_instance_group | Represents a managed or unmanaged instance group in Compute Engine. |
| networking.googleapis.com/Location | Provides networking details based on geographic location. |
| audited_resource | Tracks resources audited in Google Cloud's Audit Logs. |