Connect your GCP accounts to Microsoft Defender for Cloud

Note

Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. We've also renamed Azure Defender plans to Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage.

Learn more about the recent renaming of Microsoft security services.

With cloud workloads commonly spanning multiple cloud platforms, cloud security services must do the same.

Microsoft Defender for Cloud protects workloads in Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).

Adding a GCP account to an Azure subscription connects Defender for Cloud with GCP Security Command Center. Defender for Cloud can then protect your resources across both of these cloud environments and provide:

  • Detection of security misconfigurations
  • A single view showing Defender for Cloud recommendations and GCP Security Command Center findings
  • Incorporation of your GCP resources into Defender for Cloud's secure score calculations
  • Integration of GCP Security Command Center recommendations based on the CIS standard into the Defender for Cloud's regulatory compliance dashboard

Important

At Ignite Fall 2021, we announced an updated way of connecting your accounts from other cloud providers. This uses the new Environment settings page. GCP accounts aren't supported from that page. To connect a GCP account to your Azure subscription, you'll need to use the classic cloud connectors experience as described below.

Screenshot of GCP projects shown in Microsoft Defender for Cloud's overview dashboard.

Availability

Aspect Details
Release state: General availability (GA)
Pricing: Requires Microsoft Defender for servers
Required roles and permissions: Owner or Contributor on the relevant Azure Subscription
Clouds: Commercial clouds
National (Azure Government, Azure China 21Vianet)

Connect your GCP account

Create a connector for every organization you want to monitor from Defender for Cloud.

When connecting your GCP accounts to specific Azure subscriptions, consider the Google Cloud resource hierarchy and these guidelines:

  • You can connect your GCP accounts to Defender for Cloud at the organization level
  • You can connect multiple organizations to one Azure subscription
  • You can connect multiple organizations to multiple Azure subscriptions
  • When you connect an organization, all projects within that organization are added to Defender for Cloud

Follow the steps below to create your GCP cloud connector.

Step 1. Set up GCP Security Command Center with Security Health Analytics

For all the GCP projects in your organization, you must also:

  1. Set up GCP Security Command Center using these instructions from the GCP documentation.
  2. Enable Security Health Analytics using these instructions from the GCP documentation.
  3. Verify that there is data flowing to the Security Command Center.

The instructions for connecting your GCP environment for security configuration follow Google's recommendations for consuming security configuration recommendations. The integration leverages Google Security Command Center and will consume additional resources that might impact your billing.

When you first enable Security Health Analytics, it might take several hours for data to be available.

Step 2. Enable GCP Security Command Center API

  1. From Google's Cloud Console API Library, select each project in the organization you want to connect to Microsoft Defender for Cloud.
  2. In the API Library, find and select Security Command Center API.
  3. On the API's page, select ENABLE.

Learn more about the Security Command Center API.

Step 3. Create a dedicated service account for the security configuration integration

  1. In the GCP Console, select a project from the organization in which you're creating the required service account.

    Note

    When this service account is added at the organization level, it'll be used to access the data gathered by Security Command Center from all of the other enabled projects in the organization.

  2. In the Navigation menu, under IAM & admin options, select Service accounts.

  3. Select CREATE SERVICE ACCOUNT.

  4. Enter an account name, and select Create.

  5. Specify the Role as Defender for Cloud Admin Viewer, and select Continue.

  6. The Grant users access to this service account section is optional. Select Done.

  7. Copy the Email value of the created service account, and save it for later use.

  8. In the Navigation menu, under IAM & admin options, select IAM.

    1. Switch to organization level.
    2. Select ADD.
    3. In the New members field, paste the Email value you copied earlier.
    4. Specify the role as Defender for Cloud Admin Viewer and then select Save.

    Setting the relevant GCP permissions.

Step 4. Create a private key for the dedicated service account

  1. Switch to project level.
  2. In the Navigation menu, under IAM & admin options, select Service accounts.
  3. Open the dedicated service account and select Edit.
  4. In the Keys section, select ADD KEY and then Create new key.
  5. In the Create private key screen, select JSON, and then select CREATE.
  6. Save this JSON file for later use.

Step 5. Connect GCP to Defender for Cloud

  1. From Defender for Cloud's menu, open Environment settings and select the option to switch back to the classic connectors experience.

    Switching back to the classic cloud connectors experience in Defender for Cloud.

  2. Select Add GCP account.

  3. In the onboarding page, do the following and then select Next.

    1. Validate the chosen subscription.
    2. In the Display name field, enter a display name for the connector.
    3. In the Organization ID field, enter your organization's ID. If you don't know it, see Creating and managing organizations.
    4. In the Private key file box, browse to the JSON file you downloaded in "Step 4. Create a private key for the dedicated service account".
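The JSON file from Step 4 is a long-lived credential for the dedicated service account, so it is worth checking before it is uploaded in Step 5. The following is an added example, not part of the original page or of any Microsoft or Google tooling: it confirms that the file is a service account key, that its client_email matches the Email value saved in Step 3, and that the file is readable only by its owner. The function name and all sample values are constructed for illustration.

```python
import json
import os
import stat
import tempfile

REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")

# Constructed sample values for illustration; not real credentials.
SAMPLE_EMAIL = "defender-connector@example-project.iam.gserviceaccount.com"
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": SAMPLE_EMAIL,
}

def check_key_file(path, expected_email):
    """Return a list of problems; an empty list means the key file looks right."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & 0o077:
        problems.append(f"file mode {mode:o} exposes the key to group/others; use 600")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except (OSError, ValueError) as exc:
        return problems + [f"not readable JSON: {exc}"]
    if not isinstance(key, dict):
        return problems + ["top-level JSON value is not an object"]
    problems += [f"missing field: {f}" for f in REQUIRED if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    if str(key.get("client_email", "")).lower() != expected_email.strip().lower():
        problems.append("client_email does not match the service account saved in Step 3")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key block")
    return problems

def demo():
    """Run the check on a constructed key file: loose mode, tight mode, wrong account."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "key.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_KEY, fh)
        os.chmod(path, 0o644)
        loose = check_key_file(path, SAMPLE_EMAIL)
        os.chmod(path, 0o600)
        tight = check_key_file(path, SAMPLE_EMAIL)
        wrong = check_key_file(path, "other-sa@example-project.iam.gserviceaccount.com")
    return loose, tight, wrong

if __name__ == "__main__":
    print(demo())
```

The check never prints the key material itself, only the names of the fields that fail.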

Step 6. Confirmation

When the connector is successfully created and GCP Security Command Center has been configured properly:

  • The GCP CIS standard will be shown in the Defender for Cloud's regulatory compliance dashboard.
  • Security recommendations for your GCP resources will appear in the Defender for Cloud portal and the regulatory compliance dashboard 5-10 minutes after onboarding completes.

GCP resources and recommendations in Defender for Cloud's recommendations page

Monitoring your GCP resources

As shown above, Microsoft Defender for Cloud's security recommendations page displays your GCP resources together with your Azure and AWS resources for a true multi-cloud view.

To view all the active recommendations for your resources by resource type, use Defender for Cloud's asset inventory page and filter to the GCP resource type in which you're interested:

Asset inventory page's resource type filter showing the GCP options

FAQ - Connecting GCP accounts to Microsoft Defender for Cloud

Can I connect multiple GCP organizations to Defender for Cloud?

Yes. Defender for Cloud's GCP connector connects your Google Cloud resources at the organization level.

Create a connector for every GCP organization you want to monitor from Defender for Cloud. When you connect an organization, all projects within that organization are added to Defender for Cloud.

Learn about the Google Cloud resource hierarchy in Google's online docs.

Is there an API for connecting my GCP resources to Defender for Cloud?

Yes. To create, edit, or delete Defender for Cloud cloud connectors with a REST API, see the details of the Connectors API.

Next steps

Connecting your GCP account is part of the multi-cloud experience available in Microsoft Defender for Cloud. For related information, see the following page: