Google Cloud
Connecting Google Cloud gives SureCloud read access to your GCP organisation's resource configuration, Identity and Access Management policies, audit logs, network controls, and Security Command Center findings. SureCloud authenticates using a service account with domain-wide delegation, allowing it to collect data across all projects in your organisation without requiring individual project credentials.
What SureCloud monitors
Identity and Access Management
Organisation and project IAM bindings, service account keys, and policy analysis.
Cloud Audit Logs
Admin Activity, Data Access, and System Event audit logs across projects.
Security Command Center
Security findings, misconfigurations, and vulnerability detections from SCC.
Cloud Storage
Bucket IAM policies, public access prevention, versioning, and retention policies.
Compute Engine
VM instance configuration, OS Login settings, disk encryption, and firewall rules.
Cloud SQL
Instance configuration, SSL enforcement, authorised networks, and backup settings.
Google Kubernetes Engine
Cluster configuration, node pool settings, workload identity, and network policies.
Cloud Key Management Service
Key ring and key version inventory, rotation schedules, and key state.
Authentication and setup
SureCloud connects to Google Cloud using a GCP service account key. The service account is granted the Security Reviewer and Organisation Viewer roles at the organisation level to enable read access across all projects.
Create a dedicated service account
In the Google Cloud Console, navigate to IAM & Admin → Service Accounts within the project you use for centralised tooling (or any suitable project).
Click Create Service Account and provide:
Name: surecloud-ccm (or a name that identifies the integration)
Description: SureCloud Continuous Control Monitoring
Click Create and Continue.
Grant organisation-level roles
SureCloud requires read access across all projects in your organisation. Grant roles at the organisation level, not project level.
In the Google Cloud Console, navigate to IAM & Admin → IAM and switch scope to your Organisation using the project selector at the top.
Click Grant Access and enter the service account email (surecloud-ccm@[project].iam.gserviceaccount.com). Add the following roles:
roles/iam.securityReviewer: read IAM policies, service accounts, and security configuration across the organisation
roles/resourcemanager.organizationViewer: list projects and read organisation-level resource configuration
roles/securitycenter.findingsViewer: read Security Command Center findings (requires Security Command Center to be enabled)
roles/logging.viewer: read Cloud Audit Logs across all projects
Click Save.
Enable required APIs
In the Google Cloud Console, ensure the following APIs are enabled in the project where the service account was created. Navigate to APIs & Services → Enabled APIs & Services and search for each:
Cloud Resource Manager API
IAM API
Cloud Logging API
Security Command Center API
Cloud Asset Inventory API
APIs only need to be enabled in the service account's host project. SureCloud's organisation-level role assignments allow it to query resources across all projects once the APIs are active.
Generate and download the service account key
In IAM & Admin → Service Accounts, click the surecloud-ccm service account, go to the Keys tab, and click Add Key → Create new key → JSON. Download the key file.
Treat this JSON key file as a credential. Store it securely and delete the local copy after uploading it to SureCloud. Rotate the key every 90 days and update it in SureCloud → Integrations → Google Cloud → Edit Connection.
Enter credentials in SureCloud
In SureCloud, navigate to Integrations → Google Cloud → Connect and upload the service account key JSON file. Optionally provide:
Organisation ID (numeric, found in the Google Cloud Console organisation selector)
Project filter (leave blank to monitor all projects)
Click Test Connection. SureCloud will validate the service account permissions before saving.
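The Google Cloud side of the setup above (create the service account, grant the four organisation-level roles, enable the APIs, create the JSON key) as a gcloud script. This is an added example, not SureCloud's own tooling; ORG_ID, PROJECT_ID and the key file name are placeholder assumptions, and setting GCLOUD=echo prints the commands without running them.

```shell
#!/bin/sh
# Added example, not SureCloud's tooling: scripts the console steps above with gcloud.
# ORG_ID and PROJECT_ID are placeholders; export real values before running with "apply".
set -eu

ORG_ID="${ORG_ID:-000000000000}"                 # placeholder: numeric organisation ID
PROJECT_ID="${PROJECT_ID:-my-tooling-project}"   # placeholder: host project for the account
SA_NAME="surecloud-ccm"
SA_EMAIL="$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com"
KEY_FILE="${KEY_FILE:-$SA_NAME-key.json}"
GCLOUD="${GCLOUD:-gcloud}"   # GCLOUD=echo gives a dry run that only prints the commands

# The four organisation-level roles and five host-project APIs required by SureCloud.
REQUIRED_ROLES="roles/iam.securityReviewer roles/resourcemanager.organizationViewer \
roles/securitycenter.findingsViewer roles/logging.viewer"
REQUIRED_APIS="cloudresourcemanager.googleapis.com iam.googleapis.com \
logging.googleapis.com securitycenter.googleapis.com cloudasset.googleapis.com"

create_service_account() {
  $GCLOUD iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" \
    --display-name="$SA_NAME" --description="SureCloud Continuous Control Monitoring"
}

# Bind at the organisation root (not the project) so every child project inherits it.
grant_org_roles() {
  for role in $REQUIRED_ROLES; do
    $GCLOUD organizations add-iam-policy-binding "$ORG_ID" \
      --member="serviceAccount:$SA_EMAIL" --role="$role"
  done
}

enable_apis() {
  $GCLOUD services enable $REQUIRED_APIS --project="$PROJECT_ID"
}

# The JSON key is a credential: owner-only permissions, and delete it once uploaded.
create_key() {
  $GCLOUD iam service-accounts keys create "$KEY_FILE" \
    --iam-account="$SA_EMAIL" --project="$PROJECT_ID"
  if [ -f "$KEY_FILE" ]; then chmod 600 "$KEY_FILE"; fi
}

if [ "${1:-}" = "apply" ]; then
  create_service_account
  grant_org_roles
  enable_apis
  create_key
  echo "Upload $KEY_FILE to SureCloud, then delete the local copy; rotate within 90 days."
fi
```

Run as `ORG_ID=... PROJECT_ID=... sh setup.sh apply` with an account that can edit organisation IAM policy.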
Multi-organisation setup
Assign the SureCloud service account roles at the organisation root. All child projects inherit the role bindings, and SureCloud will automatically discover and monitor new projects as they are created.
Create a separate service account in each GCP organisation and add each as a separate connection in SureCloud (Integrations → Google Cloud → Add Connection). Each connection operates independently and can be filtered to specific projects if needed.
Polling frequency
IAM bindings and service account keys: 24 hours
Cloud Audit Logs: 1 hour
Security Command Center findings: 24 hours
Cloud Storage bucket configuration: 24 hours
Compute Engine instance configuration: 24 hours
Cloud SQL instance configuration: 24 hours
Cloud KMS key inventory: 24 hours
Troubleshooting
Test Connection fails with "Permission denied"
The service account does not have the required roles at the organisation level, or the required APIs are not enabled.
In IAM & Admin → IAM at the organisation scope, confirm the service account email is listed with all four required roles (securityReviewer, organizationViewer, findingsViewer, logging.viewer). Confirm role assignments are at the Organisation scope, not project scope.
In the service account's host project, confirm all required APIs are enabled under APIs & Services → Enabled APIs & Services.
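A check for both causes named above, as an added example that is not SureCloud's own tooling: it lists the roles bound to the service account at the organisation scope and the APIs enabled in the host project, then reports whatever is missing. ORG_ID, PROJECT_ID and SA_EMAIL are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not SureCloud's tooling: checks both causes of "Permission denied"
# described above. ORG_ID and PROJECT_ID are placeholders; run with "check" to query gcloud.
set -eu

ORG_ID="${ORG_ID:-000000000000}"                 # placeholder: numeric organisation ID
PROJECT_ID="${PROJECT_ID:-my-tooling-project}"   # placeholder: service account host project
SA_EMAIL="${SA_EMAIL:-surecloud-ccm@$PROJECT_ID.iam.gserviceaccount.com}"

REQUIRED_ROLES="roles/iam.securityReviewer roles/resourcemanager.organizationViewer \
roles/securitycenter.findingsViewer roles/logging.viewer"
REQUIRED_APIS="cloudresourcemanager.googleapis.com iam.googleapis.com \
logging.googleapis.com securitycenter.googleapis.com cloudasset.googleapis.com"

# Roles bound to the service account at the ORGANISATION scope, one per line.
# Bindings made on a project do not show up here, which is the misconfiguration
# the troubleshooting entry describes.
granted_org_roles() {
  gcloud organizations get-iam-policy "$ORG_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$SA_EMAIL" \
    --format="value(bindings.role)"
}

# APIs enabled in the host project, one service name per line.
enabled_apis() {
  gcloud services list --enabled --project="$PROJECT_ID" --format="value(config.name)"
}

# report_missing "<required items>" reads the actual items from stdin (one per line),
# prints each required item that is absent and returns 1 if anything is missing.
report_missing() {
  actual=$(cat)
  rc=0
  for item in $1; do
    if ! printf '%s\n' "$actual" | grep -qx -- "$item"; then
      echo "MISSING: $item"
      rc=1
    fi
  done
  return $rc
}

if [ "${1:-}" = "check" ]; then
  granted_org_roles | report_missing "$REQUIRED_ROLES" \
    || echo "Grant the roles above at the organisation scope, not on a project."
  enabled_apis | report_missing "$REQUIRED_APIS" \
    || echo "Enable the APIs above in project $PROJECT_ID."
fi
```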
Security Command Center findings are missing
Security Command Center must be activated at the organisation level before findings are available. The free tier (Standard) and paid tier (Premium) both surface findings but with different coverage.
In Security Command Center → Settings, confirm SCC is activated. The securitycenter.findingsViewer role must also be granted at the organisation level.
Only some projects are appearing in SureCloud
If the service account roles were assigned at a project level rather than the organisation level, SureCloud will only see that project. Re-assign the roles at the organisation scope.
If certain projects are intentionally excluded, use the project filter in SureCloud → Integrations → Google Cloud → Edit Connection to specify the exact project IDs to include.
Service account key upload fails in SureCloud
The uploaded file must be the raw JSON key file downloaded from Google Cloud, with no modifications. Ensure the file has not been reformatted, truncated, or re-encoded.
If the file was lost before uploading, delete the key in IAM & Admin → Service Accounts → Keys and generate a new one.
Audit log data is sparse or missing for some projects
Audit log availability depends on the audit log configuration in each project. Admin Activity logs are always enabled. Data Access logs must be explicitly enabled per project.
In IAM & Admin → Audit Logs, enable Data Access logs for the relevant services (e.g. Cloud Storage, BigQuery) in each project. SureCloud will collect Data Access logs on the next polling cycle after they are enabled.