Announcing Snowflake on Google Cloud Platform
June 4, 2019
Competing with supercomputers: HPC in the cloud becomes reality
June 5, 2019
Cloud security, fleet management and operations tasks like troubleshooting, monitoring and auditing all require clarity and visibility into your Google Cloud Platform (GCP) resources, such as firewall rules, buckets, and VMs, and policies like IAM policies and org policies. But without a great inventory service, identifying resources and policies across hundreds or even thousands of projects is no trivial task. Last October, we announced Cloud Asset Inventory export service in beta to meet your inventory management and asset administration needs, and the Cloud Asset Inventory export service is now generally available.
With the Cloud Asset Inventory export service, you can either export all your inventory at a given point of time, or export the full event change history of particular resources within a specific timeframe. You can then use that exported data to run analysis and answer common security, monitoring and troubleshooting questions like:
“How has the IAM policy on my production project changed during the last 30 days?”
“How many VMs in type n1-standard-64 are there in my org?”
“Which GCS buckets are labelled ”internal” and “confidential” across my org?”
“What did my firewalls look like three days ago under the folder ‘Development’?”
Broad Institute has been using the exportAsset API to gain a comprehensive view of their GCP inventory. Here is what Lukas Karlsson, Cloud Architect and Developer Advocate from Broad Institute, has to say:
“As an organization with a large number of cloud resources to track and manage, Cloud Asset Inventory has made it much easier to catalog our Google Cloud Platform resources. Instead of querying dozens of APIs to obtain a full picture of our environment, we can easily discover all the assets in a Project, Folder or an entire Organization with Cloud Asset Inventory” – Lukas Karlsson, Cloud Architect and Developer Advocate, Broad Institute
New features in Cloud Asset Inventory
Since we launched the Cloud Asset Inventory beta, we’ve added several features based on your feedback.
1. Increased resource coverage
Cloud Asset Inventory now supports resources from 15 GCP services and IAM policies. Some new resources onboarded including resources from CloudSQL, BigQuery, BigTable. Especially, we would like to call out that we now support Kubernetes resources within Google Kubernetes Engine (GKE) and Anthos. You can find the full list of supported GCP services and resource types here.
2. Folder level export
With GA, not only can you export a snapshot of your inventory from an org or a project, but also from a folder, helping you better understand your resources according to your org structure and resource hierarchy.
3. Finer grained permission control
We’ve added finer-grained IAM permission controls based on content type (resources vs IAM policies), allowing admins to better customize IAM roles when granting permissions.
Providing asset data for other tools
Cloud Asset Inventory is the source of assets for several Google Cloud and third-party tools. Cloud Security Command Center surfaces the resources and IAM policies from Cloud Asset Inventory to provide you the unified assets and security findings portal, while Forseti Security imports assets from Cloud Asset Inventory to keep track and monitor your environment.
Using Cloud Asset Inventory
You can interact with Cloud Asset Inventory export service from APIs or the gcloud command line. For example, here’s how to use gcloud to find out what the Compute Engine VM instances under your production project looked like three days ago using gcloud:
