
Enable Cloud Asset Inventory

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: CloudAPI-004

Ensure that Cloud Asset Inventory is enabled for all your GCP projects in order to efficiently manage the history and the inventory of your cloud resources. Google Cloud Asset Inventory is a fully managed metadata inventory service that allows you to view, monitor, analyze, and gain insights for your Google Cloud and Anthos assets. Cloud Asset Inventory is disabled by default in each GCP project.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

Gaining insight into Google Cloud resources and policies is vital for tasks such as DevOps, security analytics, multi-cluster and fleet management, auditing, and governance. With Cloud Asset Inventory you can discover, monitor, and analyze all GCP assets in one place, achieving a better understanding of all your cloud assets across projects and services.


Audit

To determine if Google Cloud Asset Inventory is enabled for your GCP projects, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to the API Library page at https://console.cloud.google.com/apis/library.

04 Use the Search for API & Services search box and search for Cloud Asset API.

05 Click on Cloud Asset API to open the Cloud Asset API overview page.

06 On the API overview page, look for the MANAGE button to determine the current status of the API. If the ENABLE button is displayed instead of the MANAGE button, the Cloud Asset API is currently disabled, therefore the Google Cloud Asset Inventory is not enabled for the selected GCP project.

07 Repeat steps no. 2 – 6 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run the projects list command (Windows/macOS/Linux) with custom query filters to list the IDs of all the GCP projects available within your Google Cloud account:

gcloud projects list --format="table(projectId)"

02 The command output should return the requested GCP project identifiers:

PROJECT_ID
cc-web-project-112233
cc-mobile-project-123123

03 Run the services list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom filtering to determine if the Google Cloud Asset API is enabled for the selected project:

gcloud services list --project cc-web-project-112233 --enabled --filter=name:cloudasset.googleapis.com

04 The command output should return the name and the title of the requested API:

Listed 0 items.

If the services list command output returns "Listed 0 items.", as shown in the output example above, the Cloud Asset API is currently disabled, therefore the Google Cloud Asset Inventory is not enabled for the selected GCP project.

05 Repeat steps no. 3 and 4 for each project created within your Google Cloud account.
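
The CLI audit steps above can be run across every project in one pass. The script below is an added example, not part of the original Conformity rule page: the function names, the GCLOUD override variable and the value(...) output formats are this example's own choices, and it reports a project whose API list cannot be read as ERROR rather than counting it as compliant.

```shell
#!/bin/sh
# Added example: audit every visible GCP project for the Cloud Asset API.
# GCLOUD is this example's own override hook (assumption) so a stub can
# replace the real CLI in offline tests; it is not a gcloud feature.
GCLOUD="${GCLOUD:-gcloud}"
ASSET_API="cloudasset.googleapis.com"

# Print the ID of every project the active account can see, one per line.
list_project_ids() {
  "$GCLOUD" projects list --format="value(projectId)"
}

# Exit status: 0 = API enabled in project $1, 1 = disabled,
# 2 = gcloud itself failed (e.g. no permission), so the state is unknown.
asset_api_enabled() {
  _out=$("$GCLOUD" services list --project "$1" --enabled \
    --filter="name:${ASSET_API}" --format="value(config.name)" 2>/dev/null) || return 2
  printf '%s\n' "$_out" | grep -qxF "$ASSET_API"
}

# Print "<project><TAB><ENABLED|DISABLED|ERROR>" per project.
# Returns 1 if any project is not ENABLED, 2 if projects cannot be listed.
audit_projects() {
  _rc=0
  _projects=$(list_project_ids) || return 2
  for _p in $_projects; do
    if asset_api_enabled "$_p"; then
      _status=ENABLED
    else
      case $? in
        1) _status=DISABLED ;;
        *) _status=ERROR ;;   # do not report an unreadable project as compliant
      esac
      _rc=1
    fi
    printf '%s\t%s\n' "$_p" "$_status"
  done
  return "$_rc"
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
  audit_projects
fi
```

Run the script with the --run argument; a non-zero exit status means at least one project is listed as DISABLED or ERROR and needs follow-up.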

Remediation / Resolution

To enable Google Cloud Asset Inventory for all your GCP projects, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to the API Library page at https://console.cloud.google.com/apis/library.

04 Use the Search for API & Services search box and search for Cloud Asset API.

05 Click on the Cloud Asset API entry to access the Cloud Asset API overview page.

06 On the API overview page, choose ENABLE to enable the Google Cloud Asset API for the selected GCP project.

07 Repeat steps no. 2 – 6 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run the services enable command (Windows/macOS/Linux) using the ID of the GCP project that you want to access as the identifier parameter, to enable the Google Cloud Asset API for the selected project:

gcloud services enable cloudasset.googleapis.com --project cc-web-project-112233

02 If successful, the command output should return the ID of the performed operation:

Operation "operations/acat.p0-123456789012-abcd1234-abcd-1234-abcd-1234abcd1234" finished successfully.

03 Repeat steps no. 1 and 2 for each GCP project created within your Google Cloud account.

Publication date Jul 28, 2022