# Google Cloud

Connecting Google Cloud gives SureCloud read access to your GCP organisation's resource configuration, Identity and Access Management policies, audit logs, network controls, and Security Command Center findings. SureCloud authenticates with a service account key. The service account is granted read-only roles at the organisation level, so every project in the organisation inherits the bindings and no per-project credentials are needed.

## What SureCloud monitors

| Area                               | Coverage                                                                            |
| ---------------------------------- | ----------------------------------------------------------------------------------- |
| **Identity and Access Management** | Organisation and project IAM bindings, service account keys, and policy analysis.   |
| **Cloud Audit Logs**               | Admin Activity, Data Access, and System Event audit logs across projects.           |
| **Security Command Center**        | Security findings, misconfigurations, and vulnerability detections from SCC.        |
| **Cloud Storage**                  | Bucket IAM policies, public access prevention, versioning, and retention policies.  |
| **Compute Engine**                 | VM instance configuration, OS Login settings, disk encryption, and firewall rules.  |
| **Cloud SQL**                      | Instance configuration, SSL enforcement, authorised networks, and backup settings.  |
| **Google Kubernetes Engine**       | Cluster configuration, node pool settings, workload identity, and network policies. |
| **Cloud Key Management Service**   | Key ring and key version inventory, rotation schedules, and key state.              |

## Authentication and setup

SureCloud connects to Google Cloud using a GCP service account key. The service account is granted the four read-only roles listed in step 2 below (Security Reviewer, Organisation Viewer, Security Center Findings Viewer and Logs Viewer) at the organisation level, so that read access is inherited by every project.

{% stepper %}
{% step %}

#### Create a dedicated service account

In the [Google Cloud Console](https://console.cloud.google.com/), navigate to **IAM & Admin → Service Accounts** within the project you use for centralised tooling (or any suitable project).

Click **Create Service Account** and provide:

* **Name**: `surecloud-ccm` (or a name that identifies the integration)
* **Description**: SureCloud Continuous Control Monitoring

Click **Create and Continue**.
{% endstep %}

{% step %}

#### Grant organisation-level roles

SureCloud requires read access across all projects in your organisation. Grant roles at the **organisation level**, not project level.

1. In the Google Cloud Console, navigate to **IAM & Admin → IAM** and switch scope to your **Organisation** using the project selector at the top.
2. Click **Grant Access** and enter the service account email (`surecloud-ccm@[project].iam.gserviceaccount.com`, where `[project]` is the ID of the project the account was created in).
3. Add the following roles:

| Role                                       | Purpose                                                                          |
| ------------------------------------------ | -------------------------------------------------------------------------------- |
| `roles/iam.securityReviewer`               | Read IAM policies, service accounts, and security configuration across the org   |
| `roles/resourcemanager.organizationViewer` | List projects and read organisation-level resource configuration                 |
| `roles/securitycenter.findingsViewer`      | Read Security Command Center findings (requires Security Command Center enabled) |
| `roles/logging.viewer`                     | Read Cloud Audit Logs across all projects                                        |

Click **Save**.
{% endstep %}

{% step %}

#### Enable required APIs

In the Google Cloud Console, ensure the following APIs are enabled in the project where the service account was created. Navigate to **APIs & Services → Enabled APIs & Services** and search for each:

* Cloud Resource Manager API
* IAM API
* Cloud Logging API
* Security Command Center API
* Cloud Asset Inventory API

{% hint style="info" %}
APIs only need to be enabled in the service account's host project. SureCloud's organisation-level role assignments allow it to query resources across all projects once the APIs are active.
{% endhint %}
{% endstep %}

{% step %}

#### Generate and download the service account key

In **IAM & Admin → Service Accounts**, click the `surecloud-ccm` service account, go to the **Keys** tab, and click **Add Key → Create new key → JSON**. Download the key file.

{% hint style="warning" %}
Treat this JSON key file as a credential: it grants read access to IAM policies and audit logs across your whole organisation. Store it securely and delete the local copy after uploading it to SureCloud. Rotate the key every 90 days: create the new key, update it in **SureCloud → Integrations → Google Cloud → Edit Connection**, confirm **Test Connection** succeeds, and only then delete the old key in **IAM & Admin → Service Accounts → Keys**. If key creation is blocked, the organisation policy constraint `constraints/iam.disableServiceAccountKeyCreation` is being enforced on the host project and an exception for that project is needed before this step can complete.
{% endhint %}
{% endstep %}

{% step %}

#### Enter credentials in SureCloud

In SureCloud, navigate to **Integrations → Google Cloud → Connect** and upload the service account key JSON file. Optionally provide:

* **Organisation ID** (numeric, found in the Google Cloud Console organisation selector)
* **Project filter** (leave blank to monitor all projects)

Click **Test Connection**. SureCloud will validate the service account permissions before saving.
{% endstep %}
{% endstepper %}
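Steps 1 to 4 above as a single `gcloud` script, followed by the organisation-scope role check that the "Permission denied" troubleshooting entry below describes. This is an added example, not SureCloud's own tooling. It assumes the environment variables `ORG_ID` (numeric organisation ID) and `HOST_PROJECT` (ID of the project hosting the service account), a `gcloud` session already authenticated as a principal that can edit the organisation IAM policy, and the key file name `surecloud-ccm-key.json`; all of these are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not SureCloud's tooling): provision the surecloud-ccm service
# account with gcloud, then verify its organisation-level bindings.
# Assumed inputs: ORG_ID and HOST_PROJECT in the environment, and an
# authenticated gcloud with permission to edit the organisation IAM policy.
set -eu

SA_NAME="${SA_NAME:-surecloud-ccm}"
KEY_FILE="${KEY_FILE:-./surecloud-ccm-key.json}"   # assumed file name

# The four organisation-level roles from the table in step 2, one per line.
REQUIRED_ROLES="roles/iam.securityReviewer
roles/resourcemanager.organizationViewer
roles/securitycenter.findingsViewer
roles/logging.viewer"

# APIs from step 3; these are enabled in the host project only.
REQUIRED_APIS="cloudresourcemanager.googleapis.com iam.googleapis.com \
logging.googleapis.com securitycenter.googleapis.com cloudasset.googleapis.com"

# Build the service account email from its name ($1) and host project ID ($2).
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# Read "role<TAB>member" lines (one binding per line) on stdin and print the
# required roles that are NOT bound to member $1. Empty output = all bound.
missing_roles() {
  want="$1"
  bound=$(cat)
  printf '%s\n' "$REQUIRED_ROLES" | while IFS= read -r role; do
    printf '%s\n' "$bound" | grep -Fqx "$(printf '%s\t%s' "$role" "$want")" \
      || printf '%s\n' "$role"
  done
}

# Sanity-check a downloaded key before upload: it must be the unmodified JSON
# from Google, i.e. a service_account key carrying the email and a PEM key.
key_file_ok() {
  grep -q '"type": *"service_account"' "$1" \
    && grep -q '"client_email": *"[^"]*@[^"]*\.iam\.gserviceaccount\.com"' "$1" \
    && grep -q '"private_key": *"-----BEGIN PRIVATE KEY-----' "$1"
}

apply() {
  email=$(sa_email "$SA_NAME" "$HOST_PROJECT")
  # Step 1: dedicated service account in the host project.
  gcloud iam service-accounts create "$SA_NAME" --project="$HOST_PROJECT" \
    --display-name="SureCloud Continuous Control Monitoring"
  # Step 3: required APIs, host project only.
  gcloud services enable $REQUIRED_APIS --project="$HOST_PROJECT"
  # Step 2: bind every role at the ORGANISATION scope, never the project.
  # --condition=None keeps gcloud from prompting if conditional bindings exist.
  printf '%s\n' "$REQUIRED_ROLES" | while IFS= read -r role; do
    gcloud organizations add-iam-policy-binding "$ORG_ID" \
      --member="serviceAccount:$email" --role="$role" --condition=None >/dev/null
  done
  # Step 4: JSON key. Upload it to SureCloud, then delete the local copy.
  gcloud iam service-accounts keys create "$KEY_FILE" --iam-account="$email"
  key_file_ok "$KEY_FILE" \
    || { echo "$KEY_FILE is not a valid service account key" >&2; exit 1; }
}

verify() {
  email=$(sa_email "$SA_NAME" "$HOST_PROJECT")
  # Flatten the organisation policy to one "role<TAB>member" line per binding
  # and diff it against the required set.
  missing=$(gcloud organizations get-iam-policy "$ORG_ID" \
      --flatten='bindings[].members' \
      --format='value(bindings.role,bindings.members)' \
    | missing_roles "serviceAccount:$email")
  if [ -n "$missing" ]; then
    printf 'Missing at organisation scope for %s:\n%s\n' "$email" "$missing" >&2
    return 1
  fi
  echo "All required roles are bound at organisation scope for $email"
}

# Usage: ORG_ID=123456789012 HOST_PROJECT=sec-tooling ./surecloud-gcp.sh apply
#        ORG_ID=123456789012 HOST_PROJECT=sec-tooling ./surecloud-gcp.sh verify
case "${1:-}" in
  apply)  apply ;;
  verify) verify ;;
  *)      : ;;   # no argument: only define the functions (safe to source)
esac
```

Run `verify` after `apply` and again whenever **Test Connection** fails: a role bound only at project scope, or bound to a different member, shows up in the missing list because the check reads the organisation policy, not the project policy.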

## Multi-organisation setup

{% tabs %}
{% tab title="Single organisation" %}
Assign the SureCloud service account roles at the organisation root. All child projects inherit the role bindings, and SureCloud will automatically discover and monitor new projects as they are created.
{% endtab %}

{% tab title="Multiple organisations" %}
Create a separate service account in each GCP organisation and add each as a separate connection in SureCloud (**Integrations → Google Cloud → Add Connection**). Each connection operates independently and can be filtered to specific projects if needed.
{% endtab %}
{% endtabs %}

## Polling frequency

| Data type                             | Collection interval |
| ------------------------------------- | ------------------- |
| IAM bindings and service account keys | 24 hours            |
| Cloud Audit Logs                      | 1 hour              |
| Security Command Center findings      | 24 hours            |
| Cloud Storage bucket configuration    | 24 hours            |
| Compute Engine instance configuration | 24 hours            |
| Cloud SQL instance configuration      | 24 hours            |
| Cloud KMS key inventory               | 24 hours            |

## Troubleshooting

<details>

<summary>Test Connection fails with "Permission denied"</summary>

The service account does not have the required roles at the organisation level, or the required APIs are not enabled.

1. In **IAM & Admin → IAM** at the **organisation** scope, confirm the service account email is listed with all four required roles (`roles/iam.securityReviewer`, `roles/resourcemanager.organizationViewer`, `roles/securitycenter.findingsViewer`, `roles/logging.viewer`).
2. Confirm role assignments are at the **Organisation** scope, not project scope.
3. In the service account's host project, confirm all required APIs are enabled under **APIs & Services → Enabled APIs & Services**.

</details>

<details>

<summary>Security Command Center findings are missing</summary>

Security Command Center must be activated at the organisation level before findings are available. The free tier (Standard) and paid tier (Premium) both surface findings but with different coverage.

In **Security Command Center → Settings**, confirm SCC is activated. The `securitycenter.findingsViewer` role must also be granted at the organisation level.

</details>

<details>

<summary>Only some projects are appearing in SureCloud</summary>

If the service account roles were assigned at a project level rather than the organisation level, SureCloud will only see that project. Re-assign the roles at the organisation scope.

If certain projects are intentionally excluded, use the project filter in **SureCloud → Integrations → Google Cloud → Edit Connection** to specify the exact project IDs to include.

</details>

<details>

<summary>Service account key upload fails in SureCloud</summary>

The uploaded file must be the raw JSON key file downloaded from Google Cloud, with no modifications. Ensure the file has not been reformatted, truncated, or re-encoded.

If the file was lost before uploading, delete the key in **IAM & Admin → Service Accounts → Keys** and generate a new one.

</details>

<details>

<summary>Audit log data is sparse or missing for some projects</summary>

Audit log availability depends on the audit log configuration of each project. Admin Activity and System Event logs are always enabled and cannot be disabled. Data Access logs are off by default for every service except BigQuery and must be explicitly enabled, either per project or at a folder or organisation level from which projects inherit the configuration.

In **IAM & Admin → Audit Logs**, enable Data Access logs (Data Read, Data Write and, where relevant, Admin Read) for the services you need (e.g. Cloud Storage) in each project, or at the organisation level to cover all projects at once. Data Access logs can be high volume and count towards Cloud Logging ingestion, so enable them selectively. SureCloud will collect Data Access logs on the next polling cycle after they are enabled.

</details>

## Service pages

* [Identity and Access Management](broken://pages/897b690d3e9b0cdcb217e0ac41b069b5c0088969)
* [Cloud Audit Logs](broken://pages/3355c8a0d638450302019a4e696084149bae7073)
* [Security Command Center](broken://pages/fd3db2fe491a976fd70c03a12fa27a1f34768e04)
* [Cloud Storage](broken://pages/500f8baa162770e4a6368b8a71cf4648b2d187f2)
* [Compute Engine](broken://pages/7656b7f989cf36026f2fa54100f7ae4a07d6d1f2)
* [Cloud SQL](broken://pages/41cb3ece28d1932360ede8be2c26aed00dd031ce)
* [Google Kubernetes Engine](broken://pages/855770be9972968d83bae4a3e4110b5ff463c40b)
* [Cloud Key Management Service](broken://pages/89b4f649d2d0665b1aa2050cf64e5c5cf610b4ca)

<a href="https://cloud.google.com/iam/docs/creating-managing-service-accounts" class="button secondary">GCP service account docs</a> <a href="https://cloud.google.com/resource-manager/docs/creating-managing-organization" class="button secondary">GCP organisation setup docs</a>
