Configuring Google Cloud for Compliance


You can create Cloud Custodian compliance checks for your Google Cloud projects to find resources that don't meet your compliance standards. We have added common checks for Google Cloud to our reference library for easy compliance out of the box, and you can also create your own custom checks.

Before running compliance checks, you must grant your service account read permissions for your Google Cloud projects. If you are interested in running checks on environments using SQL or Kubernetes, you also need to enable the necessary APIs.

A Google Cloud service account was created during your Kion deployment. For information about your Google Cloud service account, see Google Cloud Billing Sources.


The roles added in the following steps grant only read access to your Google Cloud projects. If you want to create custom compliance checks with remediation actions, you also need to add a role with write access, such as the Editor role.

To add permissions to your Google Cloud service account:

  1. Log in to the Google Cloud Platform.
  2. Select the project that your service account is in.
  3. Select IAM in the left navigation menu.
  4. Locate your service account in the accounts list, and click Edit principal.
  5. Add the Viewer role.
  6. Add the Service Usage Consumer role.
  7. If you are using GKE clusters, add the Kubernetes Engine Cluster Viewer role.

API Access

A few Cloud Custodian services, such as SQL and Kubernetes, require additional APIs to be enabled before compliance scans can run.

If you are unsure whether you need to enable an API, try running your desired compliance scans on your projects. If a scan fails because it requires a specific API, Kion alerts you and names the API you need to enable for that scan.

To enable an API on a Google Cloud project:

  1. Log in to the Google Cloud Platform.
  2. Select the project that you want to scan.
  3. Search for the API you want to add.
  4. Click Enable.
  5. Repeat these steps for each project you want to scan.

The APIs that Kion compliance most commonly uses are:

  • Cloud SQL Admin API. Enables scans on Cloud SQL databases.
  • Kubernetes Engine API. Enables scans on Kubernetes clusters.
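The role grants from the permissions steps above and the API enablement from this section can also be scripted with the gcloud CLI. The following is an added example, not Kion's own tooling; it assumes gcloud is installed and authenticated, and PROJECT_ID and SA_EMAIL are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not Kion's tooling): the role grants and API enablement from the
# steps above, done with the gcloud CLI. Placeholders: PROJECT_ID, SA_EMAIL.
set -eu

# gcloud role IDs matching the console role names in the steps above.
READ_ROLES="roles/viewer roles/serviceusage.serviceUsageConsumer"
GKE_ROLE="roles/container.clusterViewer"
# APIs listed under "API Access".
SCAN_APIS="sqladmin.googleapis.com container.googleapis.com"

# Execute a command, or only print it when DRY_RUN=1 so the bindings can be reviewed first.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# grant_read_roles PROJECT_ID SA_EMAIL [yes|no]  (third arg: also bind the GKE viewer role)
# Binds read-only roles only; roles/editor is deliberately not included here and should be
# added separately, only for accounts that run remediation checks.
grant_read_roles() {
  local project="$1" sa="$2" with_gke="${3:-no}" roles role
  roles="$READ_ROLES"
  if [ "$with_gke" = "yes" ]; then roles="$roles $GKE_ROLE"; fi
  for role in $roles; do
    run gcloud projects add-iam-policy-binding "$project" \
      --member="serviceAccount:$sa" --role="$role" --condition=None
  done
}

# enable_scan_apis PROJECT_ID: enable the Cloud SQL Admin and Kubernetes Engine APIs.
enable_scan_apis() {
  run gcloud services enable $SCAN_APIS --project="$1"
}

# check_bindings PROJECT_ID SA_EMAIL: print the roles bound to the account so you can
# confirm nothing broader than the read roles (e.g. roles/editor) is present.
check_bindings() {
  run gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$2" \
    --format="value(bindings.role)"
}

# Usage with placeholders; drop DRY_RUN=1 to apply for real.
# DRY_RUN=1 grant_read_roles PROJECT_ID SA_EMAIL yes
# DRY_RUN=1 enable_scan_apis PROJECT_ID
```

Run the script once per project you want to scan, then use check_bindings to confirm the account holds only the read roles you intended.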

What Next?

  • For more information about compliance in Kion, see Compliance Overview.
  • For information about downloading the pre-made compliance checks that are included in our reference library, see Compliance Jumpstarts.
  • For information about adding compliance checks, see Add a Compliance Check. We currently support Cloud Custodian compliance checks for Google Cloud projects.