Permissions and Resources

This document outlines the permissions required for installing and operating various Sysdig features on GCP, as well as the resources that will be created in your GCP environment.

Review GCP Roles and Permissions

Security Principals

There are two security principals in the onboarding process:

  • Installer: The primary security principal, either a User or a Service Account. This security principal will be used to perform the onboarding. Sysdig does not have access to this security principal.
  • Sysdig: A Service Account (robot user) created during onboarding with specific, less permissive roles. Sysdig will be given access to this service account.

GCP Roles

GCP IAM has a single control plane; roles are granted at either the organization level or the project level:

  • GCP Roles: Applied to the entire organization or project.

Base GCP Integration - Cloud Security Posture Management (CSPM)

Agentless Cloud Security Posture Management (CSPM) assesses and manages the security posture of your cloud resources without requiring agents.

Permissions Required to Install

The Installer must have at least the following roles assigned:

Single Project Install

If you are installing CSPM, the user/service account must have the following roles assigned on the Project you are onboarding:

  • roles/iam.serviceAccountAdmin
  • roles/iam.roleAdmin
  • roles/resourcemanager.projectIamAdmin
  • roles/iam.serviceAccountKeyAdmin
  • roles/serviceusage.serviceUsageAdmin

Organizational Install

Note: Certain roles are required at the organization level. Other roles are required on a single project in which you will deploy shared resources. Ensure you have the correct roles assigned at the correct scope.

If you are installing CSPM, the user/service account must have the following roles assigned:

  • roles/iam.serviceAccountAdmin (On the project where shared resources will be created)
  • roles/iam.organizationRoleAdmin (At the Organization level)
  • roles/resourcemanager.organizationAdmin (At the Organization level)
  • roles/iam.serviceAccountKeyAdmin (On the project where shared resources will be created)
  • roles/serviceusage.serviceUsageAdmin (At the Organization level)

Permissions Granted to Sysdig

The installation creates a Service Account that Sysdig can access. This Service Account is granted the following roles and permissions:

For CSPM:

  • roles/iam.browser
  • roles/cloudasset.viewer
  • roles/iam.workloadIdentityUser
  • roles/logging.viewer
  • roles/cloudfunctions.viewer
  • roles/cloudbuild.builds.viewer
  • roles/orgpolicy.policyViewer

Resources Created

The following resources will be created in your GCP Environment:

Resource | Description
google_service_account | Service account used by Sysdig for secure posture management
google_iam_workload_identity_pool | Creates a Workload Identity Pool Federation for authentication
google_iam_workload_identity_pool_provider | Creates a Workload Identity Pool Provider ID for config posture management
google_project_iam_member | Creates the custom role with permissions needed for config posture management
google_service_account_iam_member | Attaches WIF as a member to the service account for auth
google_organization_iam_member | Assigns the custom role to the Sysdig Service Account at the organization level

Cloud Detection and Response (CDR)

Agentless Cloud Detection and Response (CDR) performs threat detection using Falco rules and policies on platform logs.

Permissions Required to Install

Single Project Install

If you are installing CDR and CIEM, you must have the following additional roles assigned on the Project you are onboarding:

  • roles/pubsub.admin
  • roles/logging.configWriter
  • roles/iam.serviceAccountUser

Organizational Install

Note: Certain roles are required at the organization level. Other roles are required on a single project in which you will deploy shared resources. Ensure you have the correct roles assigned at the correct scope.

If you are installing CDR and CIEM, you must have the following additional roles assigned:

  • roles/pubsub.admin (On the project where shared resources will be created)
  • roles/logging.configWriter (At the Organization level)
  • roles/iam.serviceAccountUser (On the project where shared resources will be created)
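A preflight check for the Installer role requirements on this page (the CSPM base integration plus the additional CDR/CIEM roles, for both the single-project and organizational install types), as an added example in Python that is not Sysdig's code. The role tables are copied from this page; the installer principal name and the two policy documents are constructed samples in the JSON shape that `gcloud projects get-iam-policy` and `gcloud organizations get-iam-policy` return with `--format=json`. It resolves only direct bindings, so a role held via a group or inherited from a folder is reported as missing, and a binding that carries an IAM condition is skipped because the grant may not be in effect when onboarding runs.

```python
from typing import Dict, List, Optional, Set, Tuple

# (role, scope) pairs required of the Installer, per feature and install type,
# copied from this page. Scope "project" is the onboarded project (single-project
# install) or the shared-resources project (organizational install).
REQUIRED_ROLES: Dict[str, Dict[str, List[Tuple[str, str]]]] = {
    "cspm": {
        "project": [
            ("roles/iam.serviceAccountAdmin", "project"),
            ("roles/iam.roleAdmin", "project"),
            ("roles/resourcemanager.projectIamAdmin", "project"),
            ("roles/iam.serviceAccountKeyAdmin", "project"),
            ("roles/serviceusage.serviceUsageAdmin", "project"),
        ],
        "organization": [
            ("roles/iam.serviceAccountAdmin", "project"),
            ("roles/iam.organizationRoleAdmin", "organization"),
            ("roles/resourcemanager.organizationAdmin", "organization"),
            ("roles/iam.serviceAccountKeyAdmin", "project"),
            ("roles/serviceusage.serviceUsageAdmin", "organization"),
        ],
    },
    # CDR/CIEM roles are additional to the CSPM base integration.
    "cdr": {
        "project": [
            ("roles/pubsub.admin", "project"),
            ("roles/logging.configWriter", "project"),
            ("roles/iam.serviceAccountUser", "project"),
        ],
        "organization": [
            ("roles/pubsub.admin", "project"),
            ("roles/logging.configWriter", "organization"),
            ("roles/iam.serviceAccountUser", "project"),
        ],
    },
}


def roles_for(principal: str, policy: dict) -> Set[str]:
    """Roles bound directly to `principal` in one IAM policy document.
    Group membership and inheritance are not resolved; conditional bindings
    are skipped because the grant may not apply at onboarding time."""
    roles: Set[str] = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if principal in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def missing_roles(principal: str, features: List[str], install_type: str,
                  project_policy: dict, org_policy: Optional[dict] = None) -> List[Tuple[str, str]]:
    """(role, scope) pairs the principal lacks, in the order the page lists them."""
    held = {
        "project": roles_for(principal, project_policy),
        "organization": roles_for(principal, org_policy or {}),
    }
    missing: List[Tuple[str, str]] = []
    for feature in features:
        for role, scope in REQUIRED_ROLES[feature][install_type]:
            if role not in held[scope] and (role, scope) not in missing:
                missing.append((role, scope))
    return missing


# Constructed sample data: a hypothetical installer service account and two
# policy documents in the shape `gcloud ... get-iam-policy --format=json` returns.
INSTALLER = "serviceAccount:sysdig-installer@example-proj.iam.gserviceaccount.com"

PROJECT_POLICY = {
    "version": 3,
    "bindings": [
        {"role": "roles/iam.serviceAccountAdmin", "members": [INSTALLER]},
        {"role": "roles/iam.serviceAccountKeyAdmin", "members": [INSTALLER]},
        {"role": "roles/pubsub.admin", "members": [INSTALLER]},
        {"role": "roles/iam.serviceAccountUser", "members": [INSTALLER],  # expired conditional grant
         "condition": {"title": "expired",
                       "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
    ],
}

ORG_POLICY = {
    "version": 3,
    "bindings": [
        {"role": "roles/iam.organizationRoleAdmin", "members": [INSTALLER]},
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": [INSTALLER, "user:org-admin@example.com"]},
        {"role": "roles/serviceusage.serviceUsageAdmin", "members": [INSTALLER]},
    ],
}

if __name__ == "__main__":
    gaps = missing_roles(INSTALLER, ["cspm", "cdr"], "organization", PROJECT_POLICY, ORG_POLICY)
    for role, scope in gaps:
        print(f"MISSING: {role} at the {scope} level")
    print("preflight OK" if not gaps else f"{len(gaps)} role(s) to grant before onboarding")
```

Run against the sample data, the organizational CSPM+CDR check reports `roles/logging.configWriter` missing at the organization level and `roles/iam.serviceAccountUser` missing on the project (the only binding for it is conditional), which is exactly the scope confusion the Note above warns about.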

Permissions Granted to Sysdig

The installation creates a Service Account that Sysdig can access. This Service Account is granted the following roles and permissions:

For CDR & CIEM:

  • roles/iam.workloadIdentityUser
  • pubsub.topics.get
  • pubsub.topics.list
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • logging.sinks.get
  • logging.sinks.list

Resources Created

The following resources will be created in your GCP Environment:

Resource | Description
google_project_iam_audit_config | Audit Log Config enabled at the Project level
google_pubsub_topic | Ingestion Pub/Sub topic created for CDR
google_logging_project_sink | Sysdig sink to direct the Audit Logs to the Pub/Sub topic used for data gathering
google_pubsub_topic_iam_member | Attaches roles and permissions needed for the Pub/Sub topic
google_service_account | Service account used by Sysdig for threat detection
google_service_account_iam_member | Creates the custom role with permissions needed for threat detection
google_pubsub_subscription | Creates the Pub/Sub subscription with topic name and custom role
google_iam_workload_identity_pool | Creates a Workload Identity Pool Federation for auth
google_iam_workload_identity_pool_provider | Creates a Workload Identity Pool Provider ID for threat detection
google_project_iam_custom_role | Creates a custom role with project-level permissions to access data ingestion resources
google_project_iam_member | Adds the custom role with project-level permissions to the service account for auth
google_service_account_iam_member | Attaches WIF as a member to the service account for auth
google_organization_iam_audit_config | Enables Audit Log Configuration at the Organizational level
google_logging_organization_sink | Sysdig organizational sink to direct the Audit Logs to the Pub/Sub topic used for data gathering
google_organization_iam_custom_role | Creates a custom role with organization-level permissions to access data ingestion resources
google_organization_iam_member | Adds a custom role with organization-level permissions to the service account for authentication

Vulnerability Management Agentless Host Scanning

Vulnerability Management Agentless Host Scanning performs vulnerability scanning using disk snapshots for accurate risk assessment and management.

Permissions Required to Install

Single Project Install

If you are installing Vulnerability Host Scanning, you must have the following roles assigned:

  • roles/iam.serviceAccountAdmin
  • roles/iam.roleAdmin
  • roles/resourcemanager.projectIamAdmin
  • roles/iam.serviceAccountKeyAdmin
  • roles/serviceusage.serviceUsageAdmin

Organizational Install

Note: Certain roles are required at the organization level. Other roles are required on a single project in which you will deploy shared resources. Ensure you have the correct roles assigned at the correct scope.

If you are installing Vulnerability Host Scanning, you must have the following roles assigned:

  • roles/iam.serviceAccountAdmin (On the project where shared resources will be created)
  • roles/iam.organizationRoleAdmin (At the Organization level)
  • roles/resourcemanager.organizationAdmin (At the Organization level)
  • roles/iam.serviceAccountKeyAdmin (On the project where shared resources will be created)
  • roles/serviceusage.serviceUsageAdmin (At the Organization level)

Permissions Granted to Sysdig

The installation creates a Service Account that Sysdig can access. This Service Account is granted the following roles and permissions:

For Vulnerability Host Scanning:

  • roles/iam.workloadIdentityUser
  • compute.networks.list
  • compute.networks.get
  • compute.instances.list
  • compute.instances.get
  • compute.disks.list
  • compute.disks.get
  • iam.serviceAccounts.getAccessToken
  • compute.zoneOperations.get
  • compute.disks.useReadOnly
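The permission lists granted to the Sysdig service account, for CDR/CIEM above and for Vulnerability Host Scanning here, double as an allowlist for the custom role the installation binds to that account. Below is an added example in Python, not Sysdig's code, that audits a custom role against those lists: the expected sets are copied from this page, while the role documents are constructed samples in the JSON shape that `gcloud iam roles describe` returns with `--format=json` (the `includedPermissions` field). Permissions above the documented set mean the Sysdig principal is over-privileged; permissions below it mean the feature cannot work. The mutating-verb classification is a naming heuristic of this example, not a property of the GCP API.

```python
from typing import Dict, List, Set

# Permissions this page documents for the Sysdig service account's custom role.
# roles/iam.workloadIdentityUser is a predefined role bound separately, so it is
# not part of the custom role's includedPermissions and is not listed here.
DOCUMENTED_PERMISSIONS: Dict[str, Set[str]] = {
    "cdr": {
        "pubsub.topics.get", "pubsub.topics.list",
        "pubsub.subscriptions.get", "pubsub.subscriptions.list",
        "logging.sinks.get", "logging.sinks.list",
    },
    "vm_host_scanning": {
        "compute.networks.list", "compute.networks.get",
        "compute.instances.list", "compute.instances.get",
        "compute.disks.list", "compute.disks.get", "compute.disks.useReadOnly",
        "compute.zoneOperations.get",
        "iam.serviceAccounts.getAccessToken",
    },
}

# Heuristic of this example: a GCP permission is named service.resource.verb,
# and these verb prefixes indicate the permission can change state.
MUTATING_VERB_PREFIXES = ("create", "delete", "update", "set", "attach", "detach")


def is_mutating(permission: str) -> bool:
    verb = permission.rsplit(".", 1)[-1]
    return verb.startswith(MUTATING_VERB_PREFIXES)


def audit_role(role: dict, feature: str) -> Dict[str, List[str]]:
    """Compare one custom role document against the documented set for `feature`.

    Returns sorted lists: `extra` (granted but undocumented), `missing`
    (documented but not granted) and `extra_mutating` (the subset of `extra`
    that can change state, which is the finding to escalate first)."""
    granted = set(role.get("includedPermissions", []))
    expected = DOCUMENTED_PERMISSIONS[feature]
    extra = granted - expected
    return {
        "extra": sorted(extra),
        "missing": sorted(expected - granted),
        "extra_mutating": sorted(p for p in extra if is_mutating(p)),
    }


# Constructed sample role documents (hypothetical project and role ids).
CDR_ROLE = {
    "name": "projects/example-proj/roles/sysdig_cdr_constructed",
    "title": "Sysdig CDR (constructed sample)",
    "stage": "GA",
    "includedPermissions": sorted(DOCUMENTED_PERMISSIONS["cdr"]) + [
        "pubsub.topics.delete",   # drift: undocumented and destructive
        "logging.sinks.update",   # drift: could redirect the audit log sink
    ],
}

VM_ROLE = {
    "name": "projects/example-proj/roles/sysdig_vm_constructed",
    "title": "Sysdig VM host scanning (constructed sample)",
    "stage": "GA",
    # compute.disks.useReadOnly omitted: snapshot-based scanning would fail
    "includedPermissions": sorted(
        DOCUMENTED_PERMISSIONS["vm_host_scanning"] - {"compute.disks.useReadOnly"}
    ),
}

if __name__ == "__main__":
    for label, role, feature in (("CDR", CDR_ROLE, "cdr"), ("VM", VM_ROLE, "vm_host_scanning")):
        result = audit_role(role, feature)
        print(f"{label}: extra={result['extra']} missing={result['missing']} "
              f"mutating_extra={result['extra_mutating']}")
```

The CDR sample surfaces two undocumented, state-changing permissions as the first thing to review; the VM sample shows the opposite failure, a role that is a permission short of what snapshot-based scanning needs.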

Resources Created

The following resources will be created in your GCP Environment:

Resource | Description
google_service_account | Service account used by Sysdig for vulnerability management
google_iam_workload_identity_pool | Creates a Workload Identity Pool Federation for auth
google_iam_workload_identity_pool_provider | Creates a Workload Identity Pool Provider ID for vulnerability management
google_project_iam_member | Creates the custom role with permissions needed for vulnerability management
google_service_account_iam_member | Attaches WIF as a member to the service account for auth
google_organization_iam_member | Assigns the custom role to the Sysdig Service Account at the organization level