2.13 Ensure Cloud Asset Inventory Is Enabled

Information

GCP Cloud Asset Inventory is a service that provides a historical view of GCP resources and IAM policies through a time-series database. The information recorded includes metadata on Google Cloud resources, metadata on policies set on Google Cloud projects or resources, and runtime information gathered within a Google Cloud resource.

Rationale:

The GCP resources and IAM policies captured by GCP Cloud Asset Inventory enable security analysis, resource change tracking, and compliance auditing.

Impact:

It is recommended that GCP Cloud Asset Inventory be enabled for all GCP projects.

Solution

From Console:
Enable the Cloud Asset API:

Go to API & Services/Library by visiting https://console.cloud.google.com/apis/library

Search for Cloud Asset API and select the result for Cloud Asset API

Click the ENABLE button.

From Command Line:
Enable the Cloud Asset API:

Enable the Cloud Asset API through the services interface:

gcloud services enable cloudasset.googleapis.com

Default Value:

The Cloud Asset Inventory API is disabled by default in each project.
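
Because the API is disabled by default in each project, enabling it once does not cover projects created later. The script below is an added example, not part of the benchmark text: it reports, per project, whether cloudasset.googleapis.com is in the enabled-services list. The function names, the GCLOUD override variable and the --all switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: report which projects have the Cloud Asset API enabled.
# GCLOUD can be overridden (assumption of this example) to point at another
# binary or a stub, so the logic can be exercised without cloud access.
GCLOUD="${GCLOUD:-gcloud}"
API="cloudasset.googleapis.com"

# Print ENABLED or DISABLED for one project ID.
# Print ERROR and return 2 if the service list cannot be read (for example,
# missing permission), so a failed lookup is never mistaken for DISABLED.
asset_api_state() {
  _list="$("$GCLOUD" services list --enabled --project "$1" \
            --format="value(config.name)" 2>/dev/null)" || {
    echo "ERROR"
    return 2
  }
  # Exact, fixed-string line match: avoids partial matches on similar names.
  if printf '%s\n' "$_list" | grep -qxF "$API"; then
    echo "ENABLED"
  else
    echo "DISABLED"
  fi
}

# Audit every project ID given as an argument.
# Prints "<project>\t<state>" per project; returns 1 if any is not ENABLED.
audit_projects() {
  _rc=0
  for _project in "$@"; do
    _state="$(asset_api_state "$_project")" || true
    printf '%s\t%s\n' "$_project" "$_state"
    [ "$_state" = "ENABLED" ] || _rc=1
  done
  return "$_rc"
}

# With --all, audit every project visible to the current credentials.
if [ "${1:-}" = "--all" ]; then
  # Project IDs contain no whitespace, so word splitting is safe here.
  audit_projects $("$GCLOUD" projects list --format="value(projectId)")
fi
```

Projects reported as DISABLED can be remediated with the gcloud services enable command shown above; ERROR rows indicate the caller could not list services for that project and need a separate check.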

See Also

https://workbench.cisecurity.org/files/3817

Item Details

Category: CONFIGURATION MANAGEMENT, PROGRAM MANAGEMENT

References: 800-53|CM-8, 800-53|CM-8(1), 800-53|PM-5, CSCv7|1.4, CSCv7|11.2, CSCv7|16.1

Plugin: GCP

Control ID: e4d0162bfd87c4efa2d23c4045c8014c738184ca9b90634025c49014c0440c64