Workloads commonly span multiple cloud platforms. Cloud security services must do the same. Microsoft Defender for Cloud helps protect workloads in Google Cloud Platform (GCP), but you need to set up the connection between them and Defender for Cloud.
This screenshot shows GCP accounts displayed in the Defender for Cloud overview dashboard.
GCP authorization design
The authentication process between Microsoft Defender for Cloud and GCP is a federated authentication process.
When you onboard to Defender for Cloud, the GCloud template is used to create the following resources as part of the authentication process:
Workload identity pool and providers
Service accounts and policy bindings
The authentication process works as follows:
Microsoft Defender for Cloud's CSPM service acquires a Microsoft Entra token. Microsoft Entra ID signs the token by using the RS256 algorithm. The token is valid for one hour.
The Microsoft Entra token is exchanged for Google's STS token.
The Microsoft Entra token is sent to Google's STS, which validates it by using the workload identity provider. Audience validation then occurs, and the token is signed. A Google STS token is then returned to Defender for Cloud's CSPM service.
Defender for Cloud's CSPM service uses the Google STS token to impersonate the service account. Defender for Cloud's CSPM receives service account credentials that it uses to scan the project.
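As an added illustration (not from the article and not Microsoft's or Google's implementation), the following Python sketch mirrors the claim checks a workload identity provider applies to the inbound Microsoft Entra token before the exchange in step 3: signing algorithm, issuer, audience, expiry and the one-hour lifetime. The tenant ID, project number, pool and provider names are constructed placeholders, and the demo tokens are unsigned; verifying the RS256 signature against the tenant's published keys is a separate step not shown here.

```python
import base64
import json

# Constructed placeholders (not from the article): the Entra tenant that issues
# the token and the GCP workload identity provider the token must be minted for.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
EXPECTED_AUDIENCE = ("//iam.googleapis.com/projects/123456789012/locations/global/"
                     "workloadIdentityPools/example-pool/providers/example-provider")
MAX_LIFETIME = 3600  # the article: the Entra token is valid for one hour


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def make_token(claims: dict, alg: str = "RS256") -> str:
    """Build an unsigned demo JWT; a real Entra token carries an RS256 signature."""
    header = _b64url_encode({"alg": alg, "typ": "JWT"})
    return ".".join([header, _b64url_encode(claims), "demo-signature"])

def check_federated_token(token: str, now: int) -> list:
    """Return the reasons the provider would reject this token (empty = claims pass).
    Signature verification against Entra's published keys is a separate step."""
    header_b64, payload_b64, _sig = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    problems = []
    if header.get("alg") != "RS256":
        problems.append(f"unexpected alg {header.get('alg')!r}")
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append("issuer is not the configured Entra tenant")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        problems.append("audience is not this workload identity provider")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if claims.get("exp", 0) - claims.get("iat", 0) > MAX_LIFETIME:
        problems.append("lifetime exceeds one hour")
    return problems


NOW = 1_700_000_000  # constructed "current time" for the demo
GOOD = make_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "iat": NOW, "exp": NOW + 3600})
# Same tenant, but minted for another pool: audience validation rejects it.
WRONG_AUD = make_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE.replace("example-pool", "other-pool"),
                        "iat": NOW, "exp": NOW + 3600})
```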
Prerequisites
To complete the procedures in this article, you need:
A Microsoft Azure subscription. If you don't have an Azure subscription, you can sign up for a free one.
Microsoft Defender for Cloud set up on your Azure subscription.
Access to a GCP project.
Contributor level permission for the relevant Azure subscription.
If you enable CIEM as part of Defender CSPM, the user onboarding the connector also needs the Security Admin role and the Application.ReadWrite.All permission for your tenant.
To ingest GCP Cloud Logging by using Pub/Sub topics, ensure you meet the prerequisites based on your deployment choice:
If you create new Cloud Logging and Pub/Sub resources:
Permissions to create and manage Cloud Logging sinks, Pub/Sub topics, and subscriptions in GCP.
IAM permissions to configure Pub/Sub and manage service accounts.
If you plan to use existing Cloud Logging and Pub/Sub resources:
Access to the existing Cloud Logging and Pub/Sub resources.
Understanding of your organization's existing log retention and Pub/Sub configurations.
You can learn more about Defender for Cloud pricing on the pricing page. You can also estimate costs with the Defender for Cloud cost calculator.
When you're connecting GCP projects to specific Azure subscriptions, consider the Google Cloud resource hierarchy and these guidelines:
- You connect your GCP projects to Microsoft Defender for Cloud at the project level.
- You can connect multiple projects to one Azure subscription.
- You can connect multiple projects to multiple Azure subscriptions.
Connect your GCP project
Sign in to the Azure portal.
Search for and select Microsoft Defender for Cloud.
Go to Environment settings > Add environment > Google Cloud Platform.
Enter the following information:
- Connector name.
- Select either Organization or Single project.
- Subscription.
- Resource group.
- Location.
- Scan interval: 4, 6, 12, or 24.
- (Organization only) Organization ID.
- (Optional - Organization only) Exclude project numbers.
- (Optional - Organization only) Exclude folder IDs.
- (Single project only) GCP project number.
- (Single project only) GCP project ID.
Note
Some data collectors run with fixed scan intervals and aren't affected by custom interval configurations. The following data collectors each run at a fixed scan interval of 1 hour:
- ComputeInstance
- ArtifactRegistryRepositoryPolicy
- ArtifactRegistryImage
- ContainerCluster
- ComputeInstanceGroup
- ComputeZonalInstanceGroupInstance
- ComputeRegionalInstanceGroupManager
- ComputeZonalInstanceGroupManager
- ComputeGlobalInstanceTemplate
Select Next: Select plans.
Note
As the Log Analytics agent (also known as MMA) retired in August 2024, all Defender for Servers features and security capabilities that currently depend on it, including those described on this page, will be available through either Microsoft Defender for Endpoint integration or agentless scanning before the retirement date. For more information about the roadmap for each of the features that currently rely on the Log Analytics agent, see this announcement.
Toggle plans to On or Off depending on your needs.
Select Next: Configure access.
Select the permission type: Default access or Least privilege access.
Follow the on-screen instructions to configure access between Defender for Cloud and your GCP project.
The script creates the following resources in your GCP environment so that Defender for Cloud can operate and provide its security value:
- Workload identity pool
- Workload identity provider (per plan)
- Service accounts
- Project level policy bindings (service account has access only to the specific project)
Note
The following APIs must be enabled on the project where you run the onboarding script to discover your GCP resources and allow the authentication process to occur:
- iam.googleapis.com
- sts.googleapis.com
- cloudresourcemanager.googleapis.com
- iamcredentials.googleapis.com
- compute.googleapis.com
When you onboard at the organization level, enable these APIs on the management project, even though you use them to access resources across all projects within your organization.
If you don't enable these APIs, you can enable them during the onboarding process by running the GCP Cloud Shell script.
Select Next: Review and generate.
Review the information for accuracy.
Select Create.
After you create the connector, a scan starts on your GCP environment. New recommendations appear in Defender for Cloud after up to six hours. If you enabled autoprovisioning, Azure Arc and any enabled extensions are installed automatically for each newly detected resource.
View your current coverage
Defender for Cloud provides access to workbooks through Azure workbooks. Workbooks are customizable reports that provide insights into your security posture.
The coverage workbook helps you understand your current coverage by showing which plans are enabled on your subscriptions and resources.
Next steps
Connecting your GCP project is part of the multicloud experience available in Microsoft Defender for Cloud:
- Assign access to workload owners.
- Protect all of your resources with Defender for Cloud.
- Set up your on-premises machines and AWS account.
- Troubleshoot your multicloud connectors.
- Resolve Domain Restricted Sharing policy.
- Get answers to common questions about connecting your GCP project.