Setting Up GCP Project One-Click Remediation

After you have completed the following onboarding steps, you can follow the steps in the guide Executing One-Click Remediation to start remediations in your GCP Project.

Remediation Onboarding

1. Go to Organization Settings
2. Go to Scan Configuration

For a new scan action:

Note: Login to the GCP Account you want to add for adding a scan for.

1. Click Create New Scan Group
2. Follow the instructions on Getting Started with Warden to add the Warden Scanner role.
3. Proceed to Adding the Warden Remediation Role.

For an existing scan action:

 

1. Click the Pencil icon beside the scan you want to edit.
2. Click on Set up / Update Remediate Role ARN.
3. Proceed to Adding the Warden Remediation Role and follow the instructions in that section.

Adding the Warden Remediation Role (GCP)

• Do not close the creation screen during the GCP installation.
• Login to your GCP Account in another browser window. 
• Make sure the GCP account you are logging in from has Administrator access

 

Setting up Warden in a GCP project can only be done the manual way at this time.

1. Log into your Google Cloud Console, navigate to IAM Admin > Service Accounts and select the project to onboard.

2.    Navigate to IAM Admin > Roles. Click “CREATE ROLE”.

3.    Under Title, enter Horangi Warden Remediation, then enter HorangiWardenRemediation as the ID.

4.    Click on "ADD PERMISSIONS". Under "Filter table", enter and select the following permissions (you will have to do this one by one for each permission):

1. compute.instances.deleteAccessConfig
2. compute.instances.setMetadata
3. compute.subnetworks.update
4. resourcemanager.projects.setIamPolicy
5. cloudkms.cryptoKeys.setIamPolicy
6. cloudkms.cryptoKeys.get
7. cloudsql.instances.update
8. cloudsql.instances.get
9. storage.buckets.update
10. iam.serviceAccounts.actAs
11. Storage.buckets.get

 

5.   Once all the permissions have been selected, click on "ADD". Then Click "Create" to finish creating the custom role.

6.   Navigate to IAM Admin > Service Accounts..

7.   Click on "Create Service Account".

8.  Under Service account details, enter Horangi Warden Remediation in the "Service account name", then enter Horangi API Access for Remediation in the "Service account description".

 

9.   Click on “Create”.

10. Under "Grant this service account access to the project (optional)", select the following roles to attach to the service account.
1.  IAM > Security Reviewer
2. Compute Engine > Compute Network Viewer
3. BigQuery > BigQuery Metadata Viewer
4. Binary Authorisation > Binary Authorisation Policy Viewer
5. Custom > Horangi Warden Remediation (This is the Role created earlier)

11.  Click on “Done”.

12. Note down the email address of the service account you just created (Horangi Warden      Remediation). Click on the menu icon (3 dots) under the action column for the service account that was just created and click on “Manage Keys”.

13.  Click on “Add Key” > “Create New Key”.

14.  Leave the default JSON selected and click "Create".

 

15.  Save the provided JSON file.

16. Go back to Storyfier and paste the contents of the JSON file into the “API Credentials” field.