Connect your GCP accounts to Azure Security Center

With cloud workloads commonly spanning multiple cloud platforms, cloud security services must do the same.

Azure Security Center protects workloads in Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).

Onboarding your GCP accounts into Security Center integrates GCP Security Command Center and Azure Security Center. Security Center then gives you visibility and protection across both of these cloud environments, providing:

  • Detection of security misconfigurations
  • A single view showing Security Center recommendations and GCP Security Command Center findings
  • Incorporation of your GCP resources into Security Center's secure score calculations
  • Integration of GCP Security Command Center recommendations based on the CIS standard into the Security Center's regulatory compliance dashboard

In the screenshot below you can see GCP projects displayed in Security Center's overview dashboard.

3 GCP projects listed on Security Center's overview dashboard

Availability

Aspect Details
Release state: General Availability (GA)
Pricing: Requires Azure Defender for servers
Required roles and permissions: Owner or Contributor on the relevant Azure Subscription
Clouds: Yes for commercial clouds; No for National/Sovereign (US Gov, China Gov, Other Gov)

Connect your GCP account

Create a connector for every organization you want to monitor from Security Center.

When connecting your GCP accounts to specific Azure subscriptions, consider the Google Cloud resource hierarchy and these guidelines:

  • You can connect your GCP accounts to ASC at the organization level
  • You can connect multiple organizations to one Azure subscription
  • You can connect multiple organizations to multiple Azure subscriptions
  • When you connect an organization, all projects within that organization are added to Security Center

Follow the steps below to create your GCP cloud connector.

Step 1. Set up GCP Security Command Center with Security Health Analytics

For all the GCP projects in your organization, you must also:

  1. Set up GCP Security Command Center using these instructions from the GCP documentation.
  2. Enable Security Health Analytics using these instructions from the GCP documentation.
  3. Verify that there is data flowing to the Security Command Center.

The instructions for connecting your GCP environment for security configuration follow Google's recommendations for consuming security configuration recommendations. The integration leverages Google Security Command Center and will consume additional resources that might impact your billing.

When you first enable Security Health Analytics, it might take several hours for data to be available.

Step 2. Enable GCP Security Command Center API

  1. From Google's Cloud Console API Library, select each project in the organization you want to connect to Azure Security Center.
  2. In the API Library, find and select Security Command Center API.
  3. On the API's page, select ENABLE.

Learn more about the Security Command Center API.

Step 3. Create a dedicated service account for the security configuration integration

  1. In the GCP Console, select a project from the organization in which you're creating the required service account.

    Note

    When this service account is added at the organization level, it'll be used to access the data gathered by Security Command Center from all of the other enabled projects in the organization.

  2. In the Navigation menu, under IAM & admin options, select Service accounts.

  3. Select CREATE SERVICE ACCOUNT.

  4. Enter an account name, and select Create.

  5. Specify the Role as Security Center Admin Viewer, and select Continue.

  6. The Grant users access to this service account section is optional. Select Done.

  7. Copy the Email value of the created service account, and save it for later use.

  8. In the Navigation menu, under IAM & admin options, select IAM.

    1. Switch to organization level.
    2. Select ADD.
    3. In the New members field, paste the Email value you copied earlier.
    4. Specify the role as Security Center Admin Viewer and then select Save.

Step 4. Create a private key for the dedicated service account

  1. Switch to project level.
  2. In the Navigation menu, under IAM & admin options, select Service accounts.
  3. Open the dedicated service account and select Edit.
  4. In the Keys section, select ADD KEY and then Create new key.
  5. In the Create private key screen, select JSON, and then select CREATE.
  6. Save this JSON file for later use.
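
The console procedure in Steps 2 to 4 can also be scripted with the gcloud CLI. The script below is an added example, not part of the original page or of Microsoft's tooling; the organization ID, project IDs, account name, display name and key path are operator-supplied placeholders, and it applies only the organization-level role binding from Step 3.

```shell
#!/bin/sh
# Added example: gcloud equivalent of Steps 2-4. Every ID and name passed in
# is a placeholder chosen by the operator; nothing here comes from the page.
set -eu

ROLE="roles/securitycenter.adminViewer"   # role ID for "Security Center Admin Viewer"

# Service account e-mail as GCP derives it from account name and project ID.
sa_email() { printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"; }

# onboard ORG_ID SA_PROJECT SA_NAME KEY_FILE [OTHER_PROJECT...]
onboard() (
  org_id=$1 project=$2 sa_name=$3 key_file=$4
  shift 4
  email=$(sa_email "$sa_name" "$project")

  # Step 2: enable the Security Command Center API in each project.
  for p in "$project" "$@"; do
    gcloud services enable securitycenter.googleapis.com --project "$p"
  done

  # Step 3: dedicated service account, bound at organization level only.
  # The display name is an arbitrary placeholder.
  gcloud iam service-accounts create "$sa_name" --project "$project" \
    --display-name "Azure Security Center connector"
  gcloud organizations add-iam-policy-binding "$org_id" \
    --member "serviceAccount:$email" --role "$ROLE"

  # Step 4: JSON private key, written with owner-only file permissions.
  umask 077
  gcloud iam service-accounts keys create "$key_file" --iam-account "$email"
)

# List every organization-level role held by the service account, so that
# anything other than $ROLE stands out before the key is uploaded in Step 5.
audit_roles() {
  gcloud organizations get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$2" \
    --format="value(bindings.role)"
}

# Runs only when called with arguments: ORG_ID SA_PROJECT SA_NAME KEY_FILE ...
if [ "$#" -ge 4 ]; then
  onboard "$@"
  audit_roles "$1" "$(sa_email "$3" "$2")"
fi
```

The JSON key is a long-lived credential for an organization-wide viewer role, so keep it out of shared folders and source control and delete the local copy once the connector is created.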

Step 5. Connect GCP to Security Center

  1. From Security Center's menu, select Cloud connectors.
  2. Select Add GCP account.
  3. In the onboarding page, do the following and then select Next.
    1. Validate the chosen subscription.
    2. In the Display name field, enter a display name for the connector.
    3. In the Organization ID field, enter your organization's ID. If you don't know it, see Creating and managing organizations.
    4. In the Private key file box, browse to the JSON file you downloaded in Step 4 (Create a private key for the dedicated service account).

Step 6. Confirmation

When the connector is successfully created and GCP Security Command Center has been configured properly:

  • The GCP CIS standard will be shown in the Security Center's regulatory compliance dashboard.
  • Security recommendations for your GCP resources will appear in the Security Center portal and the regulatory compliance dashboard 5-10 minutes after onboarding completes:

GCP resources and recommendations in Security Center's recommendations page

Monitoring your GCP resources

As shown above, Azure Security Center's security recommendations page displays your GCP resources together with your Azure and AWS resources for a true multi-cloud view.

To view all the active recommendations for your resources by resource type, use Security Center's asset inventory page and filter to the GCP resource type in which you're interested:

Asset inventory page's resource type filter showing the GCP options

FAQ - Connecting GCP accounts to Azure Security Center

Can I connect multiple GCP organizations to Security Center?

Yes. Security Center's GCP connector connects your Google Cloud resources at the organization level.

Create a connector for every GCP organization you want to monitor from Security Center. When you connect an organization, all projects within that organization are added to Security Center.

Learn about the Google Cloud resource hierarchy in Google's online docs.

Is there an API for connecting my GCP resources to Security Center?

Yes. To create, edit, or delete Security Center cloud connectors with a REST API, see the details of the Connectors API.

Next steps

Connecting your GCP account is part of the multi-cloud experience available in Azure Security Center. For related information, see the following page: