Connect your GCP accounts to Azure Security Center

With cloud workloads commonly spanning multiple cloud platforms, cloud security services must do the same.

Azure Security Center protects workloads in Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).

Onboarding your GCP account into Security Center integrates GCP Security Command Center with Azure Security Center. Security Center then provides visibility and protection across both cloud environments, giving you:

  • Detection of security misconfigurations
  • A single view showing Security Center recommendations and GCP Security Command Center findings
  • Incorporation of your GCP resources into Security Center's secure score calculations
  • Integration of GCP Security Command Center recommendations based on the CIS standard into the Security Center's regulatory compliance dashboard

In the screenshot below you can see GCP projects displayed in Security Center's overview dashboard.

3 GCP projects listed on Security Center's overview dashboard

Availability

Aspect: Details
Release state: Preview
  The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Pricing: Requires Azure Defender for servers
Required roles and permissions: Owner or Contributor on the relevant Azure subscription
Clouds: Commercial clouds: supported
  National/Sovereign clouds (US Gov, China Gov, Other Gov): not supported

Connect your GCP account

Follow the steps below to create your GCP cloud connector.

Step 1. Set up GCP Security Command Center with Security Health Analytics

For all the GCP projects in your organization, you must:

  1. Set up GCP Security Command Center using these instructions from the GCP documentation.
  2. Enable Security Health Analytics using these instructions from the GCP documentation.
  3. Verify that there is data flowing to the Security Command Center.

These steps follow Google's recommended way of consuming security configuration findings. The integration relies on Google Security Command Center, which consumes additional GCP resources and might affect your billing.

When you first enable Security Health Analytics, it might take several hours for data to be available.

Step 2. Enable GCP Security Command Center API

  1. From Google's Cloud Console API Library, select the project you want to connect to Azure Security Center.
  2. In the API Library, find and select Security Command Center API.
  3. On the API's page, select ENABLE.

Learn more about the Security Command Center API.

Step 3. Create a dedicated service account for the security configuration integration

  1. In the GCP Console, select the project you want to connect to Security Center.
  2. In the Navigation menu, Under IAM & admin options, select Service accounts.
  3. Select CREATE SERVICE ACCOUNT.
  4. Enter an account name, and select Create.
  5. Specify the Role as Security Center Admin Viewer, and select Continue.
  6. The Grant users access to this service account section is optional. Select Done.
  7. Copy the Email value of the created service account, and save it for later use.
  8. In the Navigation menu, Under IAM & admin options, select IAM
    1. Switch to organization level.
    2. Select ADD.
    3. In the New members field, paste the Email value you copied earlier.
    4. Specify the Role as Security Center Admin Viewer and then select Save. Security Center Admin Viewer is a read-only role, so the connector can read findings across the organization but cannot change anything in GCP.

Step 4. Create a private key for the dedicated service account

  1. Switch to project level.
  2. In the Navigation menu, Under IAM & admin options, select Service accounts.
  3. Open the dedicated service account and select Edit.
  4. In the Keys section, select ADD KEY and then Create new key.
  5. In the Create private key screen, select JSON, and then select CREATE.
  6. Save this JSON file for later use.
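The JSON file created in Step 4 is a long-lived credential that grants read access to Security Command Center findings across your organization, so it is worth checking before you hand it to the connector in Step 5: that it is a service-account key (not a user credential), that it belongs to the dedicated account and project you intended, and that the file is not readable by other users on the machine where you saved it. The following is an added example of such a check, not code from the article or from Microsoft or Google. It uses only the Python standard library; the expected account e-mail and project ID are assumptions supplied by the caller, and SAMPLE_KEY is a constructed placeholder in the shape of a downloaded key, not a real credential.

```python
"""Sanity-check a GCP service-account key JSON before uploading it to a
Security Center cloud connector (Step 5).

Added example, not code from the article or from Microsoft or Google.
Only the standard library is used. SAMPLE_KEY is a constructed placeholder,
not a real credential; the expected e-mail and project are caller-supplied
assumptions.
"""
import json
import os
import re
import stat
import tempfile

# Fields every key downloaded from the "Create private key" dialog carries.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "client_id", "token_uri")

# User-managed service accounts always look like
# <account-id>@<project-id>.iam.gserviceaccount.com. The default Compute and
# App Engine accounts live under other domains and are rejected on purpose:
# the article asks for a dedicated account.
SA_EMAIL_RE = re.compile(
    r"^[a-z][a-z0-9-]{5,29}@([a-z][a-z0-9-]{4,28}[a-z0-9])"
    r"\.iam\.gserviceaccount\.com$")


def check_key(key, expected_email, expected_project):
    """Return a list of problems with the parsed key; [] means it looks right."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if not key.get(f)]
    if problems:
        return problems
    if key["type"] != "service_account":
        problems.append(f"not a service-account key (type={key['type']!r})")
    email = key["client_email"]
    match = SA_EMAIL_RE.match(email)
    if not match:
        problems.append(f"not a user-managed service account: {email}")
    elif match.group(1) != key["project_id"]:
        problems.append("client_email project does not match project_id")
    if email != expected_email:
        problems.append(f"unexpected account {email}, expected {expected_email}")
    if key["project_id"] != expected_project:
        problems.append(f"unexpected project {key['project_id']}, "
                        f"expected {expected_project}")
    pem = key["private_key"].strip()
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PKCS#8 PEM block")
    return problems


def check_file(path, expected_email, expected_project):
    """Check the key file on disk: it must not be readable by other users,
    it must parse as JSON, and its contents must pass check_key."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"key file mode {oct(mode)} is readable by group/others")
    with open(path, encoding="utf-8") as fh:
        try:
            key = json.load(fh)
        except json.JSONDecodeError as exc:
            return problems + [f"not valid JSON: {exc}"]
    if not isinstance(key, dict):
        return problems + ["top-level JSON value is not an object"]
    return problems + check_key(key, expected_email, expected_project)


# Constructed placeholder in the shape of a downloaded key; the PEM body is
# filler, not a real private key.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project-123456",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\n"
                   "MIIEvAIBADANBgkqhkiG9w0BAQEFAASC\n"
                   "-----END PRIVATE KEY-----\n",
    "client_email": "asc-scc-reader@example-project-123456.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
}


def demo(mode=0o600):
    """Write SAMPLE_KEY to a temporary file with the given mode and check it."""
    fd, path = tempfile.mkstemp(suffix=".json")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_KEY, fh)
        os.chmod(path, mode)
        return check_file(path, SAMPLE_KEY["client_email"],
                          SAMPLE_KEY["project_id"])
    finally:
        os.remove(path)


if __name__ == "__main__":
    for line in demo(0o644) or ["key file passes all checks"]:
        print(line)
```

Run check_file against the real downloaded file with the e-mail you copied in Step 3 and the project you selected; an empty list means the file is the key you meant to create. If you run it on a shared workstation, also move or delete the file once the connector in Step 5 has accepted it, and rotate the key in GCP if it is ever exposed.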

Step 5. Connect GCP to Security Center

  1. From Security Center's menu, select Cloud connectors.
  2. Select add GCP account.
  3. In the onboarding page, do the following and then select Next.
    1. Validate the chosen subscription.
    2. In the Display name field, enter a display name for the connector.
    3. In the Organization ID field, enter your organization's ID. If you don't know it, see Creating and managing organizations.
    4. In the Private key file box, browse to the JSON file you downloaded in Step 4.

Step 6. Confirmation

When the connector is successfully created and GCP Security Command Center has been configured properly:

  • The GCP CIS standard will be shown in the Security Center's regulatory compliance dashboard.
  • Security recommendations for your GCP resources will appear in the Security Center portal and the regulatory compliance dashboard 5-10 minutes after onboarding completes.

GCP resources and recommendations in Security Center's recommendations page

Monitoring your GCP resources

As shown above, Azure Security Center's security recommendations page displays your GCP resources together with your Azure and AWS resources for a true multi-cloud view.

To view all the active recommendations for your resources by resource type, use Security Center's asset inventory page and filter to the GCP resource type in which you're interested:

Asset inventory page's resource type filter showing the GCP options

Next steps

Connecting your GCP account is part of the multi-cloud experience available in Azure Security Center. For related information, see the following page: