Aqua CSPM supports organization-level projects in Google Cloud Platform. An Organization Project is used to automatically enroll and scan all existing projects in a GCP organization, and to add new projects to CSPM as they are created in GCP.


As a best practice, we recommend adding a new GCP project as your Organization Project; alternatively, you can edit an existing project and convert it.


Creating a New Organization Project in GCP (Recommended Best Practice)

Adding a dedicated Organization Project preserves isolation and follows the principles of least privilege and privilege separation. By using a separate Organization Project, you reduce contention for the GCP API quotas of your existing workloads, and you give CSPM isolated credentials with limited access to audit your projects' security configuration.

  1. Log in to your Google Cloud console and navigate to https://console.cloud.google.com/projectcreate.
  2. Create a new project named "Aqua-CSPM"; this isolated project will connect your entire organization to CSPM.
  3. Go to IAM & Admin > Service Accounts.
  4. Click Create Service Account.
  5. Enter "Aqua" as the service account name and "Aqua API Access" as the description.
  6. Click Continue.
  7. Select the role Project > Viewer and click Continue.
  8. Click Create Key.
  9. Leave the default key type (JSON) and click Create.
  10. Save the provided JSON file (the credentials).


Add Aqua's Service Account to your GCP Organization (Required)

You can make any project an Organization Project by following the steps below:

  1. Log in to your Google Cloud console and navigate to Cloud Resource Manager.
  2. Select your organization.
  3. Click Add Member.
  4. Enter the Aqua service account.
  5. Select the Viewer role.
  6. Click Save.


Add the Organization Project to CSPM

To complete your setup, connect your Organization Project as a new Cloud Account in CSPM and enable the Org Project toggle.

  1. Log in to your CSPM console and navigate to https://cloud.aquasec.com/wizard.
  2. Select your Aqua Group.
  3. Select the Cloud Account Type: Google Cloud Platform.
  4. Drag and drop the JSON file you saved in the first section above.
  5. For an organization-wide setup, enable the Org Project toggle.
  6. Click Connect Account.


If you receive the error "Error processing the request" while enabling the organization-wide setting, make sure that you have enabled the Cloud Resource Manager API. You can find this API by logging into the Org Project and visiting https://console.cloud.google.com/apis/api/cloudresourcemanager.googleapis.com/overview.
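The first two sections above, together with enabling the Cloud Resource Manager API, as an added gcloud script; this is not Aqua's own tooling, and the organization ID, project ID and key-file name used in the example invocation are constructed placeholders:

```shell
#!/bin/sh
# Hypothetical gcloud equivalent of the console steps (not Aqua's own script).
# Prints the planned commands by default; set DRY_RUN=0 to actually apply them.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf 'gcloud %s\n' "$*"; else gcloud "$@"; fi
}

# Email the new service account will have: <name>@<project>.iam.gserviceaccount.com
sa_email() { printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"; }

# Usage: setup_org_project ORG_ID PROJECT_ID [SA_NAME] [KEY_FILE]
setup_org_project() {
  org_id="$1"; project_id="$2"; sa_name="${3:-aqua}"
  key_file="${4:-aqua-cspm-credentials.json}"
  member="serviceAccount:$(sa_email "$sa_name" "$project_id")"

  # Section 1: a dedicated, isolated project used only for CSPM access.
  run projects create "$project_id" --name="Aqua-CSPM" --organization="$org_id"
  # Required for the org-wide setting; without it CSPM reports "Error processing the request".
  run services enable cloudresourcemanager.googleapis.com --project="$project_id"
  run iam service-accounts create "$sa_name" --display-name="Aqua" \
      --description="Aqua API Access" --project="$project_id"
  run projects add-iam-policy-binding "$project_id" --member="$member" --role="roles/viewer"
  # JSON is the default key type; the file is what gets dropped into the CSPM wizard.
  run iam service-accounts keys create "$key_file" \
      --iam-account="$(sa_email "$sa_name" "$project_id")" --project="$project_id"

  # Section 2: Viewer at organization level so every project is visible to CSPM.
  run organizations add-iam-policy-binding "$org_id" --member="$member" --role="roles/viewer"
}

# Example invocation with constructed placeholder IDs (prints the plan unless DRY_RUN=0).
setup_org_project "123456789012" "aqua-cspm-example"
```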


New Google Cloud Platform Projects will be added automatically to CSPM

Once the Organization Project has been connected, all existing projects under that organization are added to CSPM automatically. Projects are connected in batches of up to one hundred (100) every ten (10) minutes until all of your projects are connected.


After all existing projects have been connected, new projects created in GCP are also connected to CSPM automatically. Organizations are scanned for new projects every ten (10) minutes.


If a sub-project is deleted in GCP, its scans are disabled in CSPM, but the project and its scan history remain until an administrator of the CSPM account deletes them manually.


Aqua CSPM will also scan the Organization Project for misconfigurations.


What happens when Deleting an Organization Project

If the Organization Project and its service account are deleted, CSPM is disconnected from the organization and scanning is disabled for all sub-projects. Scan history remains available until the projects are manually deleted in CSPM. You can request a bulk project deletion from our support team.


GCP Security Audit Role

Create a custom role and assign it to the connected service account when connecting your Google projects to Aqua CSPM. See Create a Google Cloud Platform Security Audit Role for detailed instructions.


Additional Reference

Refer to Connecting a GCP Account to learn how to connect a Google Cloud account to Aqua CSPM and scan it for security issues.