Setting Up GCP Project One-Click Remediation

After you have completed the following onboarding steps, you can follow the steps in the guide Executing One-Click Remediation to start remediations in your GCP Project.

Remediation Onboarding

  1. Go to Organization Settings
  2. Go to Scan Configuration

For a new scan action:

Note: Log in to the GCP account you want to add a scan for.

  1. Click Create New Scan Group
  2. Follow the instructions on Getting Started with Warden to add the Warden Scanner role.
  3. Proceed to Adding the Warden Remediation Role.

For an existing scan action:

  1. Click the Pencil icon beside the scan you want to edit.
  2. Click on Set up / Update Remediate Role ARN.
  3. Proceed to Adding the Warden Remediation Role and follow the instructions in that section.

Adding the Warden Remediation Role (GCP)

  • Do not close the creation screen during the GCP installation.
  • Log in to your GCP account in another browser window.
  • Make sure the GCP account you are logging in with has Administrator access.

 

Setting up Warden in a GCP project can only be done manually at this time.

  1. Log in to your Google Cloud Console, navigate to IAM Admin > Service Accounts and select the project to onboard.

2.    Navigate to IAM Admin > Roles. Click “CREATE ROLE”.

3.    Under Title, enter Horangi Warden Remediation, then enter HorangiWardenRemediation as the ID.

4.    Click on "ADD PERMISSIONS". Under "Filter table", enter and select the following permissions (you will have to do this one by one for each permission):

  1. compute.instances.deleteAccessConfig
  2. compute.instances.setMetadata
  3. compute.subnetworks.update
  4. resourcemanager.projects.setIamPolicy
  5. cloudkms.cryptoKeys.setIamPolicy
  6. cloudkms.cryptoKeys.get
  7. cloudsql.instances.update
  8. cloudsql.instances.get
  9. storage.buckets.update
  10. iam.serviceAccounts.actAs
  11. storage.buckets.get

 

5.   Once all the permissions have been selected, click on "ADD", then click "Create" to finish creating the custom role.

6.   Navigate to IAM Admin > Service Accounts.

7.   Click on "Create Service Account".

8.  Under Service account details, enter Horangi Warden Remediation in the "Service account name", then enter Horangi API Access for Remediation in the "Service account description".

 

9.   Click on “Create”.

10. Under "Grant this service account access to the project (optional)", select the following roles to attach to the service account:

  1. IAM > Security Reviewer
  2. Compute Engine > Compute Network Viewer
  3. BigQuery > BigQuery Metadata Viewer
  4. Binary Authorization > Binary Authorization Policy Viewer
  5. Custom > Horangi Warden Remediation (this is the role created earlier)

11.  Click on “Done”.

12. Note down the email address of the service account you just created (Horangi Warden Remediation). Click on the menu icon (3 dots) under the action column for the service account that was just created and click on “Manage Keys”.

13.  Click on “Add Key” > “Create New Key”.

14.  Leave the default JSON selected and click "Create".

 

15.  Save the provided JSON file.

16. Go back to Storyfier and paste the contents of the JSON file into the “API Credentials” field.
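
Because the permissions in step 4 are selected one at a time, it is worth confirming afterwards that the custom role and the service account hold exactly what steps 4 and 10 list. The following check is an added example, not part of Horangi's tooling. It assumes the inputs are the JSON printed by `gcloud iam roles describe HorangiWardenRemediation --project=PROJECT_ID --format=json` and `gcloud projects get-iam-policy PROJECT_ID --format=json`; the role IDs are the standard IDs for the role titles in step 10, and the project ID and e-mail address are constructed placeholders.

```python
import json

# Permissions from step 4 and roles from step 10 of this guide.
EXPECTED_PERMISSIONS = {
    "compute.instances.deleteAccessConfig", "compute.instances.setMetadata",
    "compute.subnetworks.update", "resourcemanager.projects.setIamPolicy",
    "cloudkms.cryptoKeys.setIamPolicy", "cloudkms.cryptoKeys.get",
    "cloudsql.instances.update", "cloudsql.instances.get",
    "storage.buckets.update", "storage.buckets.get",
    "iam.serviceAccounts.actAs",
}
PREDEFINED_ROLES = {
    "roles/iam.securityReviewer", "roles/compute.networkViewer",
    "roles/bigquery.metadataViewer", "roles/binaryauthorization.policyViewer",
}
CUSTOM_ROLE_ID = "HorangiWardenRemediation"


def audit_custom_role(role):
    """Diff a role (gcloud iam roles describe JSON) against the step 4 list."""
    granted = set(role.get("includedPermissions", []))
    return {"missing": sorted(EXPECTED_PERMISSIONS - granted),
            "unexpected": sorted(granted - EXPECTED_PERMISSIONS)}


def audit_bindings(policy, project_id, sa_email):
    """Diff the service account's project roles (get-iam-policy JSON) against step 10."""
    member = f"serviceAccount:{sa_email}"
    expected = PREDEFINED_ROLES | {f"projects/{project_id}/roles/{CUSTOM_ROLE_ID}"}
    held = {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}
    return {"missing": sorted(expected - held), "unexpected": sorted(held - expected)}


# Constructed sample data: project ID and service account e-mail are placeholders.
PROJECT = "example-project"
SA = "warden-remediation@example-project.iam.gserviceaccount.com"
SAMPLE_ROLE = {"name": "projects/example-project/roles/HorangiWardenRemediation",
               "includedPermissions": ["compute.instances.setMetadata",
                                       "storage.buckets.get", "storage.buckets.delete"]}
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/iam.securityReviewer", "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/owner", "members": [f"serviceAccount:{SA}", "user:admin@example.com"]},
    {"role": "roles/compute.networkViewer", "members": ["user:admin@example.com"]},
]}

if __name__ == "__main__":
    print(json.dumps(audit_custom_role(SAMPLE_ROLE), indent=2))
    print(json.dumps(audit_bindings(SAMPLE_POLICY, PROJECT, SA), indent=2))
```

An empty `missing` and `unexpected` list in both results means the role and the service account match the guide; anything under `unexpected` is access beyond what the guide asks for.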
