Identity & Security
Cloud Asset Inventory: Easier inventory management, security analysis and config monitoring
Cloud security, fleet management and operations tasks like troubleshooting, monitoring and auditing all require clarity and visibility into your Google Cloud Platform (GCP) resources, such as firewall rules, buckets, and VMs, and policies like IAM policies and org policies. But without a great inventory service, identifying resources and policies across hundreds or even thousands of projects is no trivial task. Last October, we announced Cloud Asset Inventory export service in beta to meet your inventory management and asset administration needs, and the Cloud Asset Inventory export service is now generally available.
With the Cloud Asset Inventory export service, you can either export all your inventory at a given point of time, or export the full event change history of particular resources within a specific timeframe. You can then use that exported data to run analysis and answer common security, monitoring and troubleshooting questions like:
- “How has the IAM policy on my production project changed during the last 30 days?”
- “How many VMs of type n1-standard-64 are there in my org?”
- “Which GCS buckets are labelled “internal” and “confidential” across my org?”
- “What did my firewalls look like three days ago under the folder ‘Development’?”
Broad Institute has been using the exportAsset API to gain a comprehensive view of their GCP inventory. Here is what Lukas Karlsson, Cloud Architect and Developer Advocate from Broad Institute, has to say:
"As an organization with a large number of cloud resources to track and manage, Cloud Asset Inventory has made it much easier to catalog our Google Cloud Platform resources. Instead of querying dozens of APIs to obtain a full picture of our environment, we can easily discover all the assets in a Project, Folder or an entire Organization with Cloud Asset Inventory" - Lukas Karlsson, Cloud Architect and Developer Advocate, Broad Institute
New features in Cloud Asset Inventory
Since we launched the Cloud Asset Inventory beta, we’ve added several features based on your feedback.
1. Increased resource coverage
Cloud Asset Inventory now supports resources from 15 GCP services, as well as IAM policies. Newly onboarded resources include those from Cloud SQL, BigQuery and Bigtable. In particular, we now support Kubernetes resources within Google Kubernetes Engine (GKE) and Anthos. You can find the full list of supported GCP services and resource types here.
2. Folder level export
With GA, not only can you export a snapshot of your inventory from an org or a project, but also from a folder, helping you better understand your resources according to your org structure and resource hierarchy.
3. Finer grained permission control
We’ve added finer-grained IAM permission controls based on content type (resources vs IAM policies), allowing admins to better customize IAM roles when granting permissions.
Providing asset data for other tools
Cloud Asset Inventory is the source of assets for several Google Cloud and third-party tools. Cloud Security Command Center surfaces the resources and IAM policies from Cloud Asset Inventory to give you a unified portal for assets and security findings, while Forseti Security imports assets from Cloud Asset Inventory to track and monitor your environment.
Using Cloud Asset Inventory
You can interact with the Cloud Asset Inventory export service from the APIs or the gcloud command line. For example, here’s how to use gcloud to find out what the Compute Engine VM instances under your production project looked like three days ago:
$ gcloud asset export --output-path=[gs://my_GCS_bucket/export_output_file_name] --asset-types="compute.googleapis.com/Instance" --content-type=resource --project=[my-production-project] --snapshot-time=2019-02-14
Then, if you want to audit how a firewall rule changed in the last seven days, you can use the batchGetAssetHistory API, or use the gcloud command example below:
$ gcloud asset get-history --project=[my-project] --asset-names=[my_firewall_rule] --content-type=resource --start-time=[T1] --end-time=[T2]
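The get-history call returns one TemporalAsset record per version of the asset, each with the time window during which that version was in effect. The following is an added example for this post, not Google's or the gcloud tool's own code: it takes such records for a project's IAM policy (assumed to be already parsed from the command's output into Python dicts, with the layout window.startTime/endTime, asset.iam_policy.bindings and an optional deleted flag) and turns consecutive versions into a change log of added and removed role bindings, which is the form in which an auditor answers "how has the IAM policy changed during the last 30 days?". The history below is constructed.

```python
"""Turn a list of TemporalAsset records (what `gcloud asset get-history
--content-type=iam-policy` returns for one asset) into a list of IAM
binding changes. Added example, not Google's code; record layout is
assumed (window.startTime/endTime, asset.iam_policy.bindings, deleted)."""

PROJECT = "//cloudresourcemanager.googleapis.com/projects/prod"

def policy(*bindings):
    """Build a constructed asset record with the given (role, members) bindings."""
    return {"name": PROJECT,
            "iam_policy": {"bindings": [{"role": r, "members": list(m)} for r, m in bindings]}}

# Constructed history, oldest version first: a contractor is granted Owner on
# Feb 10 and removed again on Feb 12, when the audit group's Viewer grant also
# disappears.
HISTORY = [
    {"window": {"startTime": "2019-02-01T00:00:00Z", "endTime": "2019-02-10T09:30:00Z"},
     "asset": policy(("roles/owner", ["user:alice@example.com"]),
                     ("roles/viewer", ["group:audit@example.com"]))},
    {"window": {"startTime": "2019-02-10T09:30:00Z", "endTime": "2019-02-12T17:05:00Z"},
     "asset": policy(("roles/owner", ["user:alice@example.com", "user:contractor@example.net"]),
                     ("roles/viewer", ["group:audit@example.com"]))},
    {"window": {"startTime": "2019-02-12T17:05:00Z", "endTime": "2019-02-14T00:00:00Z"},
     "asset": policy(("roles/owner", ["user:alice@example.com"]))},
]

def bindings_as_set(record):
    """Flatten one TemporalAsset's policy into (role, member) pairs so two
    versions can be diffed. A deleted asset carries no policy: empty set."""
    if record.get("deleted"):
        return set()
    bindings = record.get("asset", {}).get("iam_policy", {}).get("bindings", [])
    return {(b["role"], m) for b in bindings for m in b.get("members", [])}

def iam_changes(history):
    """Diff each version against its predecessor.
    Returns [(time, 'added' | 'removed', role, member), ...] in time order."""
    ordered = sorted(history, key=lambda t: t["window"]["startTime"])
    changes = []
    for prev, cur in zip(ordered, ordered[1:]):
        before, after = bindings_as_set(prev), bindings_as_set(cur)
        at = cur["window"]["startTime"]          # when the new version took effect
        changes += [(at, "added", r, m) for r, m in sorted(after - before)]
        changes += [(at, "removed", r, m) for r, m in sorted(before - after)]
    return changes

def privileged_grants(changes, roles=("roles/owner", "roles/editor")):
    """Grants of broad roles are the changes an auditor wants to see first."""
    return [c for c in changes if c[1] == "added" and c[2] in roles]

if __name__ == "__main__":
    for at, what, role, member in iam_changes(HISTORY):
        print(f"{at} {what:7} {role:14} {member}")
    print("privileged grants:", privileged_grants(iam_changes(HISTORY)))
```

The diff is computed on flattened (role, member) pairs rather than on the raw bindings list, so a member moving between bindings of the same role, or bindings being reordered, does not show up as a spurious change; only a real grant or revocation does.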
Export to BigQuery for more powerful analysis
You can also export data from Cloud Asset Inventory to BigQuery using this open source tool.
Once in BigQuery, you can use complex SQL expressions to answer interesting questions like:
- Which resources include a given user in their IAM policy?
- What are all the external IP addresses currently assigned to me?
- How many Cloud SQL and Compute Engine instances are currently running?
Or you can import the asset inventory data to your own favorite BI tool for any analysis you need.
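The questions listed at the start of this post and the three BigQuery questions just above can also be answered straight off the export file, before it is loaded anywhere: the export is newline-delimited JSON with one Asset object per line, `resource.data` holding the resource's own API representation and `iam_policy` holding a policy. The following is an added example for this post, not Google's or the open-source export tool's code. It parses such a file and answers each question (VM counts by machine type, buckets by label, external IPs, running Compute Engine and Cloud SQL instances, policies binding a user, and, as a typical config-monitoring check, ingress firewall rules open to any source). The sample export and the asset names and values in it are constructed; the field names follow the public Asset format and the Compute, Storage and Cloud SQL API resource layouts.

```python
"""Answer inventory and security questions over a Cloud Asset Inventory
export file (newline-delimited JSON, one Asset per line, as written by
`gcloud asset export --output-path=gs://...`).
Added example, not Google's code. SAMPLE_EXPORT is constructed; field
layout assumed from the public Asset format (name, asset_type,
resource.data for resources, iam_policy for policies)."""
import json
from collections import Counter

COMPUTE_INSTANCE = "compute.googleapis.com/Instance"
SQL_INSTANCE = "sqladmin.googleapis.com/Instance"
BUCKET = "storage.googleapis.com/Bucket"
FIREWALL = "compute.googleapis.com/Firewall"
MT = "https://www.googleapis.com/compute/v1/projects/prod/zones/us-central1-a/machineTypes/"

# Constructed sample: five resource lines (--content-type=resource) and one
# IAM-policy line (--content-type=iam-policy), joined as one NDJSON file.
SAMPLE_EXPORT = "\n".join(json.dumps(a) for a in [
    {"name": "//compute.googleapis.com/projects/prod/zones/us-central1-a/instances/web-1",
     "asset_type": COMPUTE_INSTANCE,
     "resource": {"data": {"status": "RUNNING", "machineType": MT + "n1-standard-64",
                           "networkInterfaces": [{"accessConfigs": [{"natIP": "203.0.113.10"}]}]}}},
    {"name": "//compute.googleapis.com/projects/prod/zones/us-central1-a/instances/batch-1",
     "asset_type": COMPUTE_INSTANCE,
     "resource": {"data": {"status": "TERMINATED", "machineType": MT + "n1-standard-4",
                           "networkInterfaces": [{}]}}},
    {"name": "//cloudsql.googleapis.com/projects/prod/instances/orders-db",
     "asset_type": SQL_INSTANCE,
     "resource": {"data": {"state": "RUNNABLE"}}},
    {"name": "//storage.googleapis.com/finance-reports",
     "asset_type": BUCKET,
     "resource": {"data": {"labels": {"internal": "true", "confidential": "true"}}}},
    {"name": "//compute.googleapis.com/projects/prod/global/firewalls/allow-ssh",
     "asset_type": FIREWALL,
     "resource": {"data": {"direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
                           "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}}},
    {"name": "//cloudresourcemanager.googleapis.com/projects/prod",
     "asset_type": "cloudresourcemanager.googleapis.com/Project",
     "iam_policy": {"bindings": [
         {"role": "roles/owner", "members": ["user:alice@example.com"]},
         {"role": "roles/viewer", "members": ["group:audit@example.com"]}]}},
])

def load_assets(ndjson_text):
    """Parse one Asset per line; blank lines are skipped."""
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]

def of_type(assets, asset_type):
    return [a for a in assets if a.get("asset_type") == asset_type]

def data(asset):
    """The resource's own API representation (empty for policy-only assets)."""
    return asset.get("resource", {}).get("data", {})

def short(name):
    """Last path segment of a full name or URL, e.g. '.../instances/web-1' -> 'web-1'."""
    return name.rsplit("/", 1)[-1]

def vms_by_machine_type(assets):
    """How many VMs of each machine type? machineType is a URL; keep its last segment."""
    return Counter(short(data(a)["machineType"]) for a in of_type(assets, COMPUTE_INSTANCE))

def buckets_with_labels(assets, *required):
    """Buckets carrying every one of the required label keys."""
    return sorted(a["name"] for a in of_type(assets, BUCKET)
                  if set(required) <= set(data(a).get("labels", {})))

def external_ips(assets):
    """(instance, natIP) for every network interface that has an external address."""
    return [(short(a["name"]), cfg["natIP"])
            for a in of_type(assets, COMPUTE_INSTANCE)
            for nic in data(a).get("networkInterfaces", [])
            for cfg in nic.get("accessConfigs", []) if "natIP" in cfg]

def running_instances(assets):
    """Compute Engine instances in RUNNING state and Cloud SQL instances in RUNNABLE state."""
    return {"compute": sum(data(a).get("status") == "RUNNING" for a in of_type(assets, COMPUTE_INSTANCE)),
            "cloudsql": sum(data(a).get("state") == "RUNNABLE" for a in of_type(assets, SQL_INSTANCE))}

def resources_granting(assets, member):
    """{asset name: [roles]} for every policy that binds `member` to a role."""
    hits = {}
    for a in assets:
        roles = [b["role"] for b in a.get("iam_policy", {}).get("bindings", [])
                 if member in b.get("members", [])]
        if roles:
            hits[a["name"]] = roles
    return hits

def ingress_open_to_internet(assets):
    """Firewall rules admitting ingress from any source address (0.0.0.0/0)."""
    return sorted(short(a["name"]) for a in of_type(assets, FIREWALL)
                  if data(a).get("direction", "INGRESS") == "INGRESS"
                  and "0.0.0.0/0" in data(a).get("sourceRanges", []))

if __name__ == "__main__":
    assets = load_assets(SAMPLE_EXPORT)
    print("VMs by type:", dict(vms_by_machine_type(assets)))
    print("internal+confidential buckets:", buckets_with_labels(assets, "internal", "confidential"))
    print("external IPs:", external_ips(assets))
    print("running:", running_instances(assets))
    print("grants to alice:", resources_granting(assets, "user:alice@example.com"))
    print("open ingress rules:", ingress_open_to_internet(assets))
```

Because every line of the export is a self-contained Asset, the same functions run unchanged over a file of any size, one line at a time, and over a snapshot taken with `--snapshot-time`, so a check such as ingress_open_to_internet can be compared between today's inventory and the one from three days ago.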
Spotify’s inventory graph exploration
We are super excited to see all the cool stuff you will do with this asset data. For example, Spotify downloads the assets needed for their whole org, and then builds graphs to visualize the relationship between resources and the impact of IAM policies. Check out their blog for more details.
Visibility and clarity into all your resources and policies
With Cloud Asset Inventory, our goal is to make it easy for you to see the status of your Google Cloud resources, across various services and projects. We encourage you to try the new Cloud Asset Inventory export APIs. To get started, visit the documentation.