AI Runtime Security
GCP Cloud Account Onboarding Prerequisites
Table of Contents
Expand All
|
Collapse All
AI Runtime Security Docs
GCP Cloud Account Onboarding Prerequisites
Discovery onboarding prerequisites for GCP
This section outlines the prerequisites for onboarding a GCP cloud account in
Strata Cloud Manager (SCM).
On this page, you'll:
- Enable VPC Flow Logs
- Enable security data access audit logs for AI Models
- Create a Cloud Storage Bucket
- Set up a Log Router to direct log entries
- Create a sink and sink destinations
- Update required IAM permissions to the user
Where Can I Use This? | What Do I Need? |
---|---|
|
Enable the VPC Flow Logs
- Go to Google Cloud Console and select the project you want to onboard for discovery.
- Navigate to VPC Networks.
- Select the VPC with the workloads (VMs/Containers) to protect.SCM will discover only the running VM workloads and containers in the VPC.
- Click theSUBNETStab and select all the subnets where your workloads are present.
- Click on theFLOW LOGSdrop-down.
- SelectConfigure.
- InConfigure VPC Flow Logs, set theAggregation Intervalof 5 Sec, enable theMetadata annotations, and use aSample rateof 100%.
- SAVE.
- To view the logs, clickFLOW LOGSand selectView flow logs of selected subnets.
Enable Data Access Audit Logs
Before you create a Cloud Storage bucket and ensure
you enable the data access audit logs in IAM for the project where the AI models are
present, specifically for unprotected AI model traffic.
- Go to the Google Cloud Console and select your project.
- In the search bar at the top, typeAudit Logsand select it.
- Search for and clickVertex AI APIfrom the list of available audit logs.
- Enable theData Readlog underPERMISSION TYPE.
- SAVE.
Create a Cloud Storage Bucket
Create a cloud storage bucket to securely store the VPC flow logs and audit logs. The
bucket acts as a central repository for the data collected from your GCP environment
and is used for traffic analysis.
Prerequisite:
- Go to Cloud Storage and clickCREATE:
- Enter a globally unique name for the bucket and clickCONTINUE.
- ChooseMulti-regionfor high availability and clickCONTINUE.The Multi-region selection will incur higher costs than other options.
- Choose theStandardoption for the storage class and clickCONTINUE.
- For access control, select theUniformconfiguration and clickCONTINUE.Making this bucket publicly accessible is optional.
- Use default settings for data protection.
- ClickCREATE.
- In the Google Cloud Console search forLog Router:
- SelectCreate sink.
- Enter aSink nameand optionally enter aSink description. ClickNext.
- In theSink destination, chooseCloud Storage Bucketfor the sink service and specify theCloud Storage bucketname.
- In the next section, provide a filter that matches with all the:
- VPC flow logs generated by the workloads
- Audit logs for GCP Vertex-AI models API calls.
(logName =~ "logs/cloudaudit.googleapis.com%2Fdata_access" AND protoPayload.methodName:("google.cloud.aiplatform.")) OR ((logName="projects/<GCP_PROJECT_ID>/logs/compute.googleapis.com%2Fvpc_flows") AND (resource.labels.subnetwork_name="<SUBNET_1>" OR resource.labels.subnetwork_name="<SUBNET_2>"))- <GCP Project ID>: Replace it with your GCP project ID.
- <SUBNET_1>, <SUBNET_2>: Replace these with the values for your subnets.
ClickPreview logsand run the query to verify the filter settings and ensure the logs are correctly routed.ClickCreate sink.Logs may take up to one hour to appear in the bucket. Hence the cloud assets discovery may be delayed in the SCM.
(Optional) If the GCP AI models accessed by your workloads are in a different GCP project, forward those logs to your bucket from that other project.- In the other GCP project, repeat the log router setup using the same bucket and filter:(logName =~ "logs/cloudaudit.googleapis.com%2Fdata_access" AND protoPayload.methodName:("google.cloud.aiplatform."))Click the 3 dots `...` and selectView sink details.Copy thesink writer identity emailfrom the sink details.Navigate to the bucket you created and select thePERMISSIONStab.ClickGRANT ACCESS.InNew principalsenter theWriter identity emailID.Assign theStorage Object Creatorrole.ClickSave.
- Assign the following permissions to the user deploying Terraform in the cloud environment:cloudasset.assets.listResource cloudasset.assets.listAccessPolicy cloudasset.feeds.get cloudasset.feeds.list compute.machineTypes.list compute.networks.list compute.subnetworks.list container.clusters.list pubsub.subscriptions.consume pubsub.topics.attachSubscription storage.buckets.list aiplatform.models.list