Check Point CNAPP Onboard

# CNAPP Onboard 參考[Onboard admin guide](https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/Getting-Started/Onboarding.htm?TocPath=Getting%20Started%20with%20CloudGuard%20%7COnboarding%20Cloud%20Environments%20%7C_____0) ## 權限開啟 AWS所需權限:Read-Only SecurityAudit (managed by AWS). CloudGuard-readonly-policy created during the onboarding procedure is required for different CloudGuard features, such as Posture Management and Network Security. Manage AmazonInspectorReadOnlyAccess (managed by AWS). CloudGuard-write-policy created during the onboarding or update permissions procedure enables CloudGuard to manage your AWS account in the Full-Protection mode. It contains permissions for CloudGuard to manage Network Security. --- AZURE所需權限:Read-Only You must add this Access Control role to the Web App/API application, in your subscription: Reader. Manage You must add these Access Control roles to the Web App/API application, in your subscription: Reader Network Contributor --- GCP所需權限Viewer (in Project) Security Reviewer (in IAM) --- ## AWS ### AWS Onboard 1. 進入[infinity portal](https://portal.checkpoint.com/) 選擇CloudGuard產品線![image](https://hackmd.io/_uploads/Hk1sBxvByl.png) 2. Asset→Environment![image](https://hackmd.io/_uploads/Sy3jrlvrJl.png) 3. 選擇One Click並按下Next![image](https://hackmd.io/_uploads/r1PnHxvB1e.png) 4. 點選Lauch Stack會跳轉到AWS頁面進行AWS環境Onboard，登入後會出現cloudformation建立堆疊，記得勾選條件![image](https://hackmd.io/_uploads/r1_pHgwrke.png) 注意選擇的region 並勾選我確認 AWS CloudFormation 可能會使用自訂名稱建立 IAM 資源。後按下建立堆疊![image](https://hackmd.io/_uploads/BybxLgPHye.png) 5. 注意當CloudFormation Onboard完成後，會建立三個堆疊![image](https://hackmd.io/_uploads/HkpxIlDSJg.png) 回到infinity portal 出現綠色勾勾後按下next![image](https://hackmd.io/_uploads/BJIW8lvrkg.png) 6. 完成後按下Done![image](https://hackmd.io/_uploads/HkIMUePHyl.png) 7. 完成 AWS account出現在assets裡面→若沒看到登出登入一次![image](https://hackmd.io/_uploads/S1A7LgDBkg.png) 8. 啟用Intelligence，帳號內需要有S3 Bucket，也需要跟CloudTrail連動![image](https://hackmd.io/_uploads/SJ5VUePBkx.png) 9. 設定完成後，回到Infinity portal![image](https://hackmd.io/_uploads/B19HLlvrkg.png) ### AWS Account Active 1. 點選Account Active![image](https://hackmd.io/_uploads/BJJDUxvByx.png) 2. 檢視prerequisites，需要注意至少要有S3 bucket與CloudTrial的連動才可以建立![image](https://hackmd.io/_uploads/HklXvevH1g.png) 範例如下圖 CloudTrail可以看到有連動S3bucket![image](https://hackmd.io/_uploads/rysSvgDrJg.png) 3. 如上述條件設定正確，則可以進行作業，選擇要儲存vpc log的bucket![image](https://hackmd.io/_uploads/B1ruwxvBkg.png) 4. 點選項目一打開CloudFormation介面，點選項目二複製url資訊![image](https://hackmd.io/_uploads/r1gKwlvSkl.png) 並在CloudFormaion上面貼上剛剛複製的資訊![image](https://hackmd.io/_uploads/HJqFDlPBJx.png) 設定Stack名稱![image](https://hackmd.io/_uploads/SJxiDxvrJl.png) 設定保留成功佈建的資源後按下一步![image](https://hackmd.io/_uploads/B1pjweDS1l.png) 拉到最下面勾選我確認 AWS CloudFormation 可能會使用自訂名稱建立 IAM 資源。後按下提交![image](https://hackmd.io/_uploads/rJvhvxPBJg.png) 完成後會出現update_complete![image](https://hackmd.io/_uploads/HyXTPlPBJe.png) 5. 回到Infinity portal按下check now，出現status check ok 後按下next![image](https://hackmd.io/_uploads/SkMADlvrJe.png) 6. 完成![image](https://hackmd.io/_uploads/S1lyOeDB1x.png) ### 啟用AWP(Agentless Workload Posture) 1. 點選啟用AWP![image](https://hackmd.io/_uploads/S1vx_gPByl.png) 2. 點選in-account 另外複製網址貼上連結開啟新的console視窗![image](https://hackmd.io/_uploads/rkXmuewrke.png) 3. 完成後勾選”我確認 AWS CloudFormation 可能會使用自訂名稱建立 IAM 資源。”後按下建立堆疊![image](https://hackmd.io/_uploads/B1RXdgDBJg.png) 4. 出現完成畫面後![image](https://hackmd.io/_uploads/BJF4dlwS1g.png) 5. 回到Infinity portal按下Enable AWP即可Enable成功→需要注意帳戶要在AWS Organization裡面![image](https://hackmd.io/_uploads/S1HBdxvBke.png) ### 啟用Network Traffic 1. 選擇Network Traffic Enable![image](https://hackmd.io/_uploads/Byl5ugPrkl.png) 2. 畫面內確認prerequisite後按下next![image](https://hackmd.io/_uploads/B1C9OxPByx.png) 3. 對於VPC需要建立flow log並儲存到S3 Bucket，選擇要檢視的S3 bucket後按下next![image](https://hackmd.io/_uploads/B1TougvSJx.png) 4. 利用templete完成cloudformation![image](https://hackmd.io/_uploads/Sk62ulDHke.png) 將複製的資訊貼上S3 URL欄位後按下一步![image](https://hackmd.io/_uploads/rJ-AOgwSJx.png) 設定堆疊名稱後按下一步![image](https://hackmd.io/_uploads/BkiCdewSyg.png) 選擇保留成功佈建的資源後拉到最下面按下一步![image](https://hackmd.io/_uploads/SyBJteDryl.png) 勾選我確認 AWS CloudFormation 可能會使用自訂名稱建立 IAM 資源。按下提交 ![image](https://hackmd.io/_uploads/ryulFewS1x.png) 完成後出現CREATE_COMPLETE，回到Infinity portal按下check now後按下next ![image](https://hackmd.io/_uploads/r1Qbtgwr1x.png) ![image](https://hackmd.io/_uploads/ry1zYxwSkl.png) 5. 完成![image](https://hackmd.io/_uploads/BJcMYevSye.png) ### 啟用Cloudbots(未完成) cloudbot可以做到自動修正合規問題，[參考文件](https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/PostureManagement/Remediation.htm) 1. 按下Enable![image](https://hackmd.io/_uploads/BkSwClwBye.png) 2. 選擇要設定的Region![image](https://hackmd.io/_uploads/r1Z_0evHJl.png) 3. 點選連結依照範本建立CloudFormation![image](https://hackmd.io/_uploads/ryxTd0gPBJx.png) 進入AWS連結後按下一步![image](https://hackmd.io/_uploads/Bye5RxPryx.png) 4. 再按下一步![image](https://hackmd.io/_uploads/BJzoClDHkg.png) 5. 選擇保留成功佈建的資源後按下一步![image](https://hackmd.io/_uploads/Bk6j0ePHJe.png) 6. 勾選下列三個項目後，按下提交![image](https://hackmd.io/_uploads/Byu3AlvHJe.png) 出現CREATE_COMPLETE後回到Infinity portal按下check now後按下Next![image](https://hackmd.io/_uploads/rk7TRevBkg.png) ![image](https://hackmd.io/_uploads/Bkd6AeDSye.png) ### AWS Offboard 1. 點選要刪除的環境![image](https://hackmd.io/_uploads/BJX1ybvBJx.png) 2. 點選右上角 → Remove ![image](https://hackmd.io/_uploads/H1Ry1bwS1x.png) 3. 此時彈出提示訊息 ![image](https://hackmd.io/_uploads/HkOe1WDSkl.png) 4. CloudFormatio相關stack刪除 ![image](https://hackmd.io/_uploads/BkXZy-wHkl.png) 5. 最後出現Remove Attached policy![image](https://hackmd.io/_uploads/HkCb1-vSyx.png) ## Azure ### Azure Onboard 1. 點選Asset→Environment 並點選add![image](https://hackmd.io/_uploads/ryaNyWDS1x.png) 2. 輸入Azure上的Subscription ID並選擇Read-Only![image](https://hackmd.io/_uploads/ByfDk-PBkx.png) ![image](https://hackmd.io/_uploads/BkPDJZPHJl.png) 3. 輸入Configuration 相關資訊![image](https://hackmd.io/_uploads/BJbd1WDSye.png) 4. 下一步進行相關資訊填寫作業，此時點選log into your Azure Cloud Shell 跳轉到Azure頁面，並將相關script 貼上至Azure cli![image](https://hackmd.io/_uploads/H1ctJZDBke.png) 將相關呈現的資訊填入，也可以透過尋找的方式找出這些資訊，填寫後按下Onboard Application(client) ID: **Secret Key**: Tenant ID: Subscription ID: ![image](https://hackmd.io/_uploads/rkWs1WDBkx.png) 如果Secret ID沒有出現，要到App registration重新做一個或是將此Value保留下來之後使用![image](https://hackmd.io/_uploads/rk9syZDHJx.png) 5. 完成Onbaord![image](https://hackmd.io/_uploads/Byd2k-vHyx.png) ### Azure Account Active 1. 點選Enable![image](https://hackmd.io/_uploads/H1ppkbPBke.png) 2. 選擇要Onboard的log→並且注意有按照相關指引操作，特別注意Storage account需按到需求 ![image](https://hackmd.io/_uploads/HJmXbWvH1g.png) Creating a Storage Account: 1. In the Azure portal, select Storage Accounts, and click the Create button in the upper menu. 2. Enter all required details. To reduce the subscription costs, make sure to select only necessary storage setting. 3. Make sure that your storage account kind is StorageV2 (general purpose v2). a. Navigate to Settings > Configuration and verify that the Account kind is StorageV2 (general purpose v2). b. If the Account kind is Storage (general purpose v1), click Upgrade. #### 設定四項log匯出 1. Azure Activity Logs 選擇Export Activity Logs![image](https://hackmd.io/_uploads/HJmsWZwr1l.png) 2. 選擇Add diagnostic setting![image](https://hackmd.io/_uploads/rkpnWbDrJx.png) 3. 選擇要執行的Log與要拋送的location後按下save![image](https://hackmd.io/_uploads/B1_pZWwHJe.png) 4. 設定Microsoft Entra ID- Sign-in-logs a. 到AAD 選取Sign-in logs export![image](https://hackmd.io/_uploads/SJGez-vB1e.png) b. 點選add diagnostic setting![image](https://hackmd.io/_uploads/BkyWfZPrJl.png) c. 勾選要儲存的項目，設定儲存位置後按下save![image](https://hackmd.io/_uploads/H1iZMWPBJx.png) 5. 設定storage account log 點選storage account 選取 Diagnostic (Classic)，注意logging version 到2.0 ![image](https://hackmd.io/_uploads/SkqNf-DH1g.png) 3. Onboard Storage Account![image](https://hackmd.io/_uploads/HyZhfbvBJe.png) Storage Account ID 相關資訊可以在Storage Account上面找到 Json檢視，需注意若轉換金鑰可能會無法存取 ![image](https://hackmd.io/_uploads/rk93zZDSyx.png) ![image](https://hackmd.io/_uploads/r116fZDr1x.png) 4. 完成後下方會出現剛剛設定的log type 設定並勾選auto onboard![image](https://hackmd.io/_uploads/HyKpfbDBkx.png) 5. 下一步建立arm template會建立三個範本，點選Customer templete建立完成後按下check now ![image](https://hackmd.io/_uploads/HkSAzZPSye.png) 於Azure上按下Review + create![image](https://hackmd.io/_uploads/BkSG7bPH1e.png) 按下Create![image](https://hackmd.io/_uploads/ryeQmWvBJg.png) 檢查部署狀態![image](https://hackmd.io/_uploads/Hyq7XbPr1l.png) 點選Check now![image](https://hackmd.io/_uploads/SyQEXWwryx.png) 6. 在Azure Portal上面設定允許網路存取，相關IP會出現在此portal上面，完成後按下Check Access![image](https://hackmd.io/_uploads/SkWSX-PBkl.png) 在Storage Account裡面設定開放的防火牆IP![image](https://hackmd.io/_uploads/r1eU7-PH1l.png) 7. 設定Subscription![image](https://hackmd.io/_uploads/B1xvmbvBkl.png) 8. 完成Onboard![image](https://hackmd.io/_uploads/H19DQWDSJx.png) ### 啟用AWP(Agentless Workload Posture) AWP啟用後可以允許建立snapshot對於workload去做掃描，細節可以[參考此文件](https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/Workload-Protection/AWP/Agentless.htm) 1. 點選AWP按下enable![image](https://hackmd.io/_uploads/rkdr4ZPB1g.png) 2. 複製相關指令碼![image](https://hackmd.io/_uploads/HkWUE-vBJl.png) 3. 於Azure Cli貼上完成後看到Successfully![image](https://hackmd.io/_uploads/SyCIEWvBkl.png) 4. 見到此資訊後回到infinity portal按下Enable AWP #### Disable AWP 1. 進入Asset 點選AWP 按下disable![image](https://hackmd.io/_uploads/S1EpEWvHke.png) 2. 複製出現的指令並在Azure cli 輸入![image](https://hackmd.io/_uploads/rkhTV-DBkl.png) 3. 出現cleaning 後確認刪除![image](https://hackmd.io/_uploads/B1LRNbDHye.png) ### Azure Network Traffic Onboard (NSG) 1. 需注意先按照[prerequesties](https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/Intelligence/Azure/Intelligence-Onboard-Azure.htm?Highlight=azure)設定NSG等相關參數![image](https://hackmd.io/_uploads/r1l2HbPSJg.png) #### Pre-request 1. Create一個新的Storage![image](https://hackmd.io/_uploads/r1iBBbwH1e.png) 確保Storage版本為V2![image](https://hackmd.io/_uploads/SkzUrbvrke.png) 2. 建立Network Security Group![image](https://hackmd.io/_uploads/H15LrbDrJx.png) 設定NSG 指定resource group 後按下create![image](https://hackmd.io/_uploads/HJ7wSbwryg.png) 設定NSG flow log 沒有的話create一個![image](https://hackmd.io/_uploads/BysKBWwBJe.png) 設定flow log 並選擇storage account![image](https://hackmd.io/_uploads/B189SbvSke.png) 注意第二頁Analytics 的version![image](https://hackmd.io/_uploads/rJRcrWvHJx.png) 2. 設定要用的NSG後按下Next![image](https://hackmd.io/_uploads/HyvaSZDHke.png) 3. 建立arm template 這次會建立四個範本完成後按下check access![image](https://hackmd.io/_uploads/rkzRrZPrkl.png) 於Azure上點選review + create後會完成四個deployment![image](https://hackmd.io/_uploads/Hkb1UZwHkx.png) 4. 設定Storage account的網路存取，開放IP通過![image](https://hackmd.io/_uploads/r1K18-Pryg.png) ![image](https://hackmd.io/_uploads/ry61UbwByg.png) 5. 完成![image](https://hackmd.io/_uploads/BkHlIbvr1l.png) ### 啟用Cloudbot(未完成) Cloudbot可以做到自動修正合規問題，[參考文件](https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/PostureManagement/Remediation.htm) 1.開始進入設定畫面![image](https://hackmd.io/_uploads/BJvzLZwH1e.png) ### Azure Offboard 1. 點選Asset → Remove![image](https://hackmd.io/_uploads/r1ZI8ZDS1e.png) 2. 複製刪除用指令碼![image](https://hackmd.io/_uploads/SJnLLbvSJl.png) 3. 轉到Azure Cli 貼上待其完成後回到infinity portal 點選刪除![image](https://hackmd.io/_uploads/H1rPUbDryl.png) ## GCP ### Onboard for Single Project 1. 點選進入environment Add GCP Project![image](https://hackmd.io/_uploads/Skr_PZPSkl.png) 2. 會出現GCP上需執行步驟![image](https://hackmd.io/_uploads/HkC_wbDSJg.png) 3. 進入專案畫面![image](https://hackmd.io/_uploads/BkIFDbPHye.png) 4. API和服務→已啟用的API和服務![image](https://hackmd.io/_uploads/HJTYvZvS1g.png) 5. 搜尋ComputerEngine 並確保啟用![image](https://hackmd.io/_uploads/r1N9v-DSJe.png) ![image](https://hackmd.io/_uploads/H1FqPZDryl.png) 6. 尋找 Cloud Resource Manager API 並啟用 ![image](https://hackmd.io/_uploads/ryGivZwrJg.png) 7. 搜尋以下每一項並確保啟用 Computer Engine API Cloud Resource Manager API Kubernetes API![image](https://hackmd.io/_uploads/SJchwbPB1x.png) KMS API![image](https://hackmd.io/_uploads/BybpDZvS1x.png) IAM API![image](https://hackmd.io/_uploads/BJu6D-DSyl.png) App Engine Admin API BigQuery API Admin SDK API Cloud Functions API Cloud SQL Admin API Cloud BigTable Admin API Cloud Pub/Sub API Google Cloud Memorystore for Redis API ![image](https://hackmd.io/_uploads/SkdCvbDrJx.png) Service Usage API Cloud Filestore API API Keys API Cloud Logging API Cloud DNS API Cloud Asset API Essential Contacts API Access Approval API 若是嫌麻煩可以輸入cli 注意project id 必須修改，另外GCP限制一次20行，故相關command拆成兩次 ``` # 第一批 API（20個,注意替換project名稱） gcloud services enable \ --project=centralized-project-445604 \ compute.googleapis.com \ cloudresourcemanager.googleapis.com \ container.googleapis.com \ cloudkms.googleapis.com \ iam.googleapis.com \ appengine.googleapis.com \ bigquery.googleapis.com \ admin.googleapis.com \ cloudfunctions.googleapis.com \ sqladmin.googleapis.com \ bigtableadmin.googleapis.com \ pubsub.googleapis.com \ redis.googleapis.com \ serviceusage.googleapis.com \ file.googleapis.com \ apikeys.googleapis.com \ logging.googleapis.com \ dns.googleapis.com \ cloudasset.googleapis.com \ essentialcontacts.googleapis.com # 第二批 API（剩下的，注意替換project名稱） gcloud services enable \ --project=centralized-project-445604 \ accessapproval.googleapis.com ``` 8. 全部開放完成後按Next![image](https://hackmd.io/_uploads/H1OEOWvBke.png) 9. 出現新的畫面並按照指示完成![image](https://hackmd.io/_uploads/r1erdbwB1e.png) 10. 點選憑證→建立憑證→服務帳戶![image](https://hackmd.io/_uploads/Bk5rObPrJe.png) 11. Enter CloudGuard-Connect for the Service account name, and click CREATE AND CONTINUE![image](https://hackmd.io/_uploads/HkU8dZPS1l.png) 12. Select this role: Project -> Viewer![image](https://hackmd.io/_uploads/SJ-v_bDSke.png) 13. Click ADD ANOTHER ROLE:![image](https://hackmd.io/_uploads/BJsDd-PByx.png) 14. Select this role: IAM -> Security Reviewer![image](https://hackmd.io/_uploads/rk2Ou-wrkg.png) 15. 再新增其他角色![image](https://hackmd.io/_uploads/HyQK_Wwr1e.png) 16. Select this role: Cloud Asset -> Cloud Asset Viewer![image](https://hackmd.io/_uploads/rkjKO-DS1x.png) 17. 點選完成![image](https://hackmd.io/_uploads/ByM9_bwB1x.png) 18. 完成後點擊service account![image](https://hackmd.io/_uploads/Sy99_ZwHJl.png) 19. 到金鑰分頁 Click ADD KEY and select Create new key![image](https://hackmd.io/_uploads/rkNo_WPHyl.png) 20.建立金鑰選擇JSOM並建立，此時會下載到個人電腦![image](https://hackmd.io/_uploads/rkVnOWPHkl.png)![image](https://hackmd.io/_uploads/HyOndbDSyg.png) 21. 建立cloud account name並上傳金鑰後按下Next![image](https://hackmd.io/_uploads/H1eCdZwH1e.png) 22. Google Work Space可以先跳過![image](https://hackmd.io/_uploads/HyulYZvSkg.png) 23. 選擇Organizational Unit 後按下Finshed![image](https://hackmd.io/_uploads/H1g-tbvByl.png) 24. 檢視資產確認出現新Onboard的環境(通常要登入登出一次)![image](https://hackmd.io/_uploads/BytZFbwBJl.png) ### GCP Account Active 1. 點選Enable將功能啟用![image](https://hackmd.io/_uploads/HkCftbPryx.png) 2. 執行Script![image](https://hackmd.io/_uploads/S1rmY-wSkg.png) 3. 信任存放區 ![image](https://hackmd.io/_uploads/BJamt-PHJl.png) ![image](https://hackmd.io/_uploads/S1xNF-vBJx.png) 4. 進入shell登入畫面![image](https://hackmd.io/_uploads/S1P4tZwSkx.png) 5. copy 相關指令於視窗底層後![image](https://hackmd.io/_uploads/rkJrYZDBJe.png) 6. 確認出現Project Successfully Onboarded ![image](https://hackmd.io/_uploads/rkwBK-vr1x.png) 7. 回到Infinity執行確認檢查步驟![image](https://hackmd.io/_uploads/SkZLtbPB1l.png) 8. 出現綠燈完成Onboard作業→點選Onboard![image](https://hackmd.io/_uploads/B1OIYZPHkg.png) 9. 回到Environment 確認Onboard完成![image](https://hackmd.io/_uploads/H1gPF-DBJx.png) ### GCP Offboard 1. 點選Environment → 進入要刪除的環境![image](https://hackmd.io/_uploads/rJkut-Dr1l.png) 2. 右上點選Remove![image](https://hackmd.io/_uploads/SkS_FbDrJg.png) 3. 出現警告點選Remove![image](https://hackmd.io/_uploads/ryp_F-wr1x.png) 4. 完成出現成功訊息![image](https://hackmd.io/_uploads/SyEtK-vBJl.png) 5. 回到GCP環境刪除建立的物件![image](https://hackmd.io/_uploads/SynFFWPHke.png) ![image](https://hackmd.io/_uploads/B1foKbPSJg.png) ![image](https://hackmd.io/_uploads/BJBoY-PHkx.png) ### Onboard for Centralized Project 在GCP中與其他雲端不同的是具有project的概念，對於個專案可以裡用project進行管理，故多了一個集中 project的Onboard過程已達到可視性的目的 1. 回到Asset畫面進行新增 GCP Project![image](https://hackmd.io/_uploads/rkuatbvrJe.png) 2. 於GCP介面中開啟相關api權限，未來會再開放一次性完成Onboard multiple project![image](https://hackmd.io/_uploads/ByJ0Ybvrkx.png) 3. 此處先開啟Project1 的權限![image](https://hackmd.io/_uploads/SktCKZwSke.png) 4. 回到GCP介面並啟用API服務 APIs & Services → Enabled APIs & Services 點選Enable APIs or API library![image](https://hackmd.io/_uploads/S1gy9ZwSJg.png) 開啟以下API權限並確認啟用後按下Next Compute Engine API Cloud Resource Manager API Kubernetes API KMS API IAM API App Engine Admin API BigQuery API Admin SDK API Cloud Functions API Cloud SQL Admin API Cloud BigTable Admin API Cloud Pub/Sub API Cloud Memorystore Redis Service Usage API Cloud Filestore API API Keys API Cloud Logging API Cloud DNS API Cloud Asset API Essential Contacts API Access Approval API 若是嫌麻煩可以輸入cli 注意project id 必須修改，另外GCP限制一次20行，故相關command拆成兩次 ``` # 第一批 API（20个） gcloud services enable \ --project=my-project-2-437808 \ compute.googleapis.com \ cloudresourcemanager.googleapis.com \ container.googleapis.com \ cloudkms.googleapis.com \ iam.googleapis.com \ appengine.googleapis.com \ bigquery.googleapis.com \ admin.googleapis.com \ cloudfunctions.googleapis.com \ sqladmin.googleapis.com \ bigtableadmin.googleapis.com \ pubsub.googleapis.com \ redis.googleapis.com \ serviceusage.googleapis.com \ file.googleapis.com \ apikeys.googleapis.com \ logging.googleapis.com \ dns.googleapis.com \ cloudasset.googleapis.com \ essentialcontacts.googleapis.com # 第二批 API（剩余的） gcloud services enable \ --project=my-project-2-437808 \ accessapproval.googleapis.com ``` 6. 接下來要建立服務帳戶與金鑰回到APIs & Services 按下Credentials![image](https://hackmd.io/_uploads/HyBf9Wwr1e.png) 點選Create Credentials 選擇建立Service account ![image](https://hackmd.io/_uploads/rJRG9WvSJl.png) 設定名稱為CloudGuard-Connect並按下Create and Continue![image](https://hackmd.io/_uploads/ryvX5WDSkx.png) 在Select a role欄位中選擇Project → Viewer![image](https://hackmd.io/_uploads/Bk145ZDrJl.png) 按下ADD ANOTHER ROLE 選擇IAM → Security Reviewer![image](https://hackmd.io/_uploads/S19Nc-DByx.png) 按下ADD ANOTHER ROLE 選擇Cloud Asset → Cloud Asset Viewer![image](https://hackmd.io/_uploads/H1IHc-DSke.png) 完成後檢視權限正確按下Done![image](https://hackmd.io/_uploads/rJbU5ZvHkg.png) 此時會在Service Account裡面看到 CloudGuard-Connect已經建立完成，點擊進入![image](https://hackmd.io/_uploads/Sk98c-PHJx.png) 7. 點選Keys → Add Key → Create new Key![image](https://hackmd.io/_uploads/ByiP9Wvr1x.png) 選擇JSON格式 → Create![image](https://hackmd.io/_uploads/Hyb_c-wBJl.png) 此時會自動下載key![image](https://hackmd.io/_uploads/HJK_5ZPHJg.png) 8. Google WorkSpace的整合這部分是optional 這邊先跳過直接按下Next![image](https://hackmd.io/_uploads/SkbYqZvHyg.png) 9. 接著選擇在Infinity的關聯，若無特別需求就按下FINISH![image](https://hackmd.io/_uploads/BJOK5ZvH1l.png) 10. 完成 → 點選MANAGE YOUR ACCOUNT 就可以確認project onboard成功 →這裡建議登出再登入一次，才會看到新Onboard好的Project![image](https://hackmd.io/_uploads/HymcqZPSyg.png) 正常會看到新的Project已經Onboard成功![image](https://hackmd.io/_uploads/ry595-Prkx.png) 11. 這邊先進行第二個Project的啟用步驟，與第一個都相同，都完成以後可以看到兩個，或者更多project在上面![image](https://hackmd.io/_uploads/BkrjqbDryx.png) Onboard的時候要對每一個Project產Service Account 並下載Key ### Add Centralized Account Active 1. 對要進行Centralized的Account點選Account Activity![image](https://hackmd.io/_uploads/SJYn0AsH1g.png) 2. 點選Centralized account 並注意Account相關權限後按下Next![image](https://hackmd.io/_uploads/r1I5t1nH1g.png) 3. 到GCP Centralized專案點選IAM，並選取Service Account點選編輯![image](https://hackmd.io/_uploads/r1pAP13rJg.png) 4. 新增權限Editor, Pub/Sub Admin and Logging Admin Roles後按下SAVE![image](https://hackmd.io/_uploads/HJt6uJnBJl.png) 5. 切換到其他Project 新增 Logging Admin role![image](https://hackmd.io/_uploads/B1kwtJhB1l.png) 完成設定後檢視![image](https://hackmd.io/_uploads/Hya_wqJI1l.png) 6. 點選New 設定新的Pub/Sub後按下Next![image](https://hackmd.io/_uploads/rkfTKkhSJl.png) 7. 勾選其他希望連結的subproject，可能是一個或多個後按下Next![image](https://hackmd.io/_uploads/ByiyqyhSkl.png) 8. 點選Script並且複製指令碼![image](https://hackmd.io/_uploads/SkRw912Byl.png) 9. 彈出新的視窗後勾選信任存放區按下確認![image](https://hackmd.io/_uploads/BkeS5J2Byg.png) 10. 貼上指令碼後按下y 執行![image](https://hackmd.io/_uploads/Hyeh9y3rJl.png) 11. 點選授權cloudshell![image](https://hackmd.io/_uploads/rkG651hB1l.png) 12. 完成後出現Successfully![image](https://hackmd.io/_uploads/rJJGjkhrkg.png) 13. 回到Infinity portal後按下Check now 完成後按下Onboard![image](https://hackmd.io/_uploads/rkDVi1hSke.png) 14. 完成Onboard![image](https://hackmd.io/_uploads/rkESs12SJe.png) ### Add Centralized Traffic Activity 1. 接下來設定Traffic Activity 點選主要的project → Traffic Activity Enable![image](https://hackmd.io/_uploads/H1EacZDr1x.png) 需注意pre-request a. 點選VPC flow logs![image](https://hackmd.io/_uploads/SJ6gLgnBye.png) b. 點選Subnet 勾選要設定的並選取Manage flow logs->Configure![image](https://hackmd.io/_uploads/HJiuUe2Syx.png) c. 點選Aggregation interval 到15分鐘，勾選Metadata annotations 選擇Secondary sampling rate至100後按下Save![image](https://hackmd.io/_uploads/ByQA8enH1x.png) 2. 點選Centralized 並確認project是否有相關權限，上一步驟應該已經設定並確認完畢，若還沒有請參考上一段，這邊就按下按下Next![image](https://hackmd.io/_uploads/B1Cac-wBJl.png) 接下來會需要設定Pub/Sub 這邊選擇New 後按下Next![image](https://hackmd.io/_uploads/BJjCq-PSke.png) 勾選你希望連結的project後按下Next，這裡有可能一次多個Project![image](https://hackmd.io/_uploads/SyHkjWvSyx.png) 點選Script後會跳轉至GCP的cli，複製下方的script![image](https://hackmd.io/_uploads/S13ksZvHyg.png) 於跳轉出的介面按下信任存放區並按下確認![image](https://hackmd.io/_uploads/SkQeoZvrke.png) 將複製好的script貼上至下方的cli視窗後按下Enter後按下y ![image](https://hackmd.io/_uploads/S1jeobDHJl.png) 如有跳出授權介面按下授權 ![image](https://hackmd.io/_uploads/H1bZjZDSkg.png) 待script完成後會看到綠色的Onboarding Complete Successfully，另外多確認一下service account有無相關權限 ![image](https://hackmd.io/_uploads/HyUe6FwHJg.png) 回到Infinity portal按下check now 如果出現綠色框框的話按下Onboard![image](https://hackmd.io/_uploads/Bybf6YwHkx.png) 完成後按下Finish![image](https://hackmd.io/_uploads/S16GatDr1l.png) 回到Environment確認啟用成功![image](https://hackmd.io/_uploads/SJSmTYDr1e.png) ### Account Intelligence Offboard 1. 點選要Offboard的環境![image](https://hackmd.io/_uploads/SkAEpYwSkl.png) 2. 點選Remove Intelligence![image](https://hackmd.io/_uploads/SyFHpYvBke.png) 3. 點選Delete Resource → 點選script並複製commnad![image](https://hackmd.io/_uploads/BJ6U6YPH1l.png) 4. 彈出GCP Cli的視窗點選信任存放區![image](https://hackmd.io/_uploads/ryMd6KDBye.png) ![image](https://hackmd.io/_uploads/H1UO6YDB1g.png) 5. 將複製的command貼到下方![image](https://hackmd.io/_uploads/BkHKTKDSJe.png) 6. 此時彈出授權cloud shell按下授權![image](https://hackmd.io/_uploads/HyCtptvr1e.png) 7. 指令執行完成後出現off board successfully![image](https://hackmd.io/_uploads/rJMn6YwHke.png) 8. 回到Infinity Portal按下Offboard![image](https://hackmd.io/_uploads/Hka36Fwr1x.png) 9. 按下Finish![image](https://hackmd.io/_uploads/B1STptDBJg.png)