Connect your GCP accounts
Onboarding your workloads in Google Cloud Platform (GCP) account into Microsoft Defender for Cloud, integrates GCP Security Command and Defender for Cloud. Defender for Cloud thus provides visibility and protection across both of these cloud environments to provide:
Detection of security misconfigurations
A single view showing Defender for Cloud recommendations and GCP Security Command Center findings
Incorporation of your GCP resources into Defender for Cloud's secure score calculations
Integration of GCP Security Command Center recommendations based on the CIS standard into the Defender for Cloud's regulatory compliance dashboard
In the screenshot below, you can see GCP projects displayed in Defender for Cloud's overview dashboard.
Prerequisites
A Microsoft Azure subscription. If you don't have an Azure subscription, you can sign up for a free one.
Microsoft Defender for Cloud set up on your Azure subscription.
Access to a GCP project.
Contributor level permission for the relevant Azure subscription.
If CIEM is enabled as part of Defender for CSPM the user enabling the connector will also need Security Admin role and Application.ReadWrite.All permission for your tenant.
You can learn more about Defender for Cloud pricing on the pricing page.
When you're connecting GCP projects to specific Azure subscriptions, consider the Google Cloud resource hierarchy and these guidelines:
- You can connect your GCP projects to Microsoft Defender for Cloud at the project level.
- You can connect multiple projects to one Azure subscription.
- You can connect multiple projects to multiple Azure subscriptions.
Follow the steps below to connect your GCP project
There are four parts to the onboarding process that take place when you create the security connection between your GCP project and Microsoft Defender for Cloud.
Project details
In the first section, you need to add the basic properties of the connection between your GCP project and Defender for Cloud.
Here you name your connector, select a subscription and resource group, which is used to create an ARM template resource that is called security connector. The security connector represents a configuration resource that holds the projects settings.
You also select a location and add the organization ID for your project.
You can also set an interval to scan the GCP environment every 4, 6, 12, or 24 hours.
When you onboard an organization, you can also choose to exclude project numbers and folder IDs.
Select plans for your project
After entering your organization's details, you'll then be able to select which plans to enable.
From here, you can decide which resources you want to protect based on the security value you want to receive.
Configure access for your project
Once you selected the plans, you want to enable and the resources you want to protect you have to configure access between Defender for Cloud and your GCP project.
In this step, you can find the GCloud script that needs to be run on the GCP project that is going to onboarded. The GCloud script is generated based on the plans you selected to onboard.
The GCloud script creates all of the required resources on your GCP environment so that Defender for Cloud can operate and provide the following security values:
- Workload identity pool
- Workload identity provider (per plan)
- Service accounts
- Project level policy bindings (service account has access only to the specific project)
Review and generate the connector for your project
The final step for onboarding is to review all of your selections and to create the connector.
Note
The following APIs must be enabled in order to discover your GCP resources and allow the authentication process to occur:
iam.googleapis.com
sts.googleapis.com
cloudresourcemanager.googleapis.com
iamcredentials.googleapis.com
compute.googleapis.com
If you don't enable these APIs at this time, you can enable them during the onboarding process by running the GCloud script.
After you create the connector, a scan starts on your GCP environment. New recommendations appear in Defender for Cloud after up to 6 hours. If you enabled autoprovisioning, Azure Arc and any enabled extensions are installed automatically for each newly detected resource.
Connect your GCP organization
Similar to onboarding a single project, When onboarding a GCP organization, Defender for Cloud creates a security connector for each project under the organization (unless specific projects were excluded). For more information about connecting your GCP organization, see the GCP organization onboarding documentation.
Optional: Configure selected plans
By default, all plans are On. You can turn off plans that you don't need.