Control: 2.13 Ensure Cloud Asset Inventory Is Enabled
Description
GCP Cloud Asset Inventory is services that provides a historical view of GCP resources and IAM policies through a time-series database. The information recorded includes metadata on Google Cloud resources, metadata on policies set on Google Cloud projects or resources, and runtime information gathered within a Google Cloud resource.
Cloud Asset Inventory Service (CAIS) API enablement is not required for operation of the service, but rather enables the mechanism for searching/exporting CAIS asset data directly.
The GCP resources and IAM policies captured by GCP Cloud Asset Inventory enables security analysis, resource change tracking, and compliance auditing.
It is recommended GCP Cloud Asset Inventory be enabled for all GCP projects.
Remediation
From Console
Enable the Cloud Asset API:
- Go to
API & Services/Libraryby visiting https://console.cloud.google.com/apis/library. - Search for
Cloud Asset APIand select the result for Cloud Asset API. - Click the
ENABLEbutton.
From Command Line
Enable the Cloud Asset API:
- Enable the Cloud Asset API through the services interface:
gcloud services enable cloudasset.googleapis.com
Default Value
The Cloud Asset Inventory API is disabled by default in each project.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.cis_v300_2_13Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run gcp_compliance.control.cis_v300_2_13 --shareSQL
This control uses a named query:
select name as resource, case when state = 'ENABLED' then 'ok' else 'alarm' end as status, case when state = 'ENABLED' then name || ' Cloud Asset API is enabled.' else name || ' Cloud Asset API is disabled.' end as reason , location as location, project as projectfrom gcp_project_servicewhere name = 'cloudasset.googleapis.com';