Required Roles for GCP Configuration and Audit Log Integrations

Overview

When integrating Google Cloud with Lacework, you must create and configure the necessary roles and resources. To do this, the GCP account you use to create the integration must have certain privileges within the project or organization being integrated.

This topic describes those privileges and why they are required.

Organization Level Integration Roles

The following table lists required GCP account roles for organization level integrations.

Role Name	Role ID	Integration Type	Usage
Organization Administrator	`roles/resourcemanager.organizationAdmin`	Audit Log Configuration	Grant IAM privileges: `roles/browser` on organization to Lacework service account `roles/iam.securityReviewer` on organization to Lacework service account `roles/cloudasset.viewer` on organization to Lacework service account `roles/resourcemanager.organizationViewer` on organization to Lacework service account (for Pub/Sub-based audit log integration only) `roles/lwOrgComplianceRole` Lacework custom IAM role with the following permissions on organization to Lacework service account (for Configuration integration only): bigquery.datasets.get compute.projects.get compute.sslPolicies.get pubsub.topics.get storage.buckets.get
Organization Role Administrator	`roles/iam.organizationRoleAdmin`	Configuration	Create Lacework custom IAM role for organization
Logs Configuration Writer	`roles/logging.configWriter`	Audit Log	Create aggregated log sink at organization level
Billing Account User	`roles/billing.user`	Audit Log Configuration	Required only if creating a new project to host the Lacework integration resources

Additionally, the user performing the integration requires the project level integration roles on the project that will contain the Lacework integration resources.

Project Level Integration Roles

When configuring access for the project that the Lacework integration resources will reside in, you can define the appropriate roles required to create the integration using either project owner access or least privilege access.

Project Owner Access

Role Name	Role ID	Integration Type	Usage
Project Owner	`roles/owner`	Audit Log Configuration	Create Lacework service account Create service account key for Lacework service account Create log sink Create cloud storage bucket (for Storage-based audit log integration only) Create Pub/Sub topic Create Pub/Sub subscription Create Lacework custom IAM role (for Configuration integration only) Grant IAM privileges: `roles/browser` on project to Lacework service account `roles/cloudasset.viewer` on project to Lacework service account `roles/iam.securityReviewer` on project to Lacework service account `roles/monitoring.viewer` on project to Lacework service account `roles/pubsub.publisher` on Pub/Sub topic to Lacework service account for Pub/Sub-based audit log integration or on Pub/Sub topic to project storage account for Storage-based audit log integration `roles/pubsub.subscriber` to Pub/Sub subscription to Lacework service account `roles/storage.objectCreator` on storage bucket to project logging account (for Storage-based audit log integration only) `roles/storage.objectViewer` on storage bucket to Lacework service account (for Storage-based audit log integration only) `roles/lwComplianceRole` Lacework custom IAM role with the following permissions on project to Lacework service account (for Configuration integration only): bigquery.datasets.get compute.projects.get compute.sslPolicies.get pubsub.topics.get storage.buckets.get

Least Privilege Access

Role Name	Role ID	Integration Type	Usage
Logs Configuration Writer	`roles/logging.configWriter`	Audit Log	Create log sink
Project IAM Admin	`roles/resourcemanager.projectIamAdmin`	Configuration	Grant IAM privileges: `roles/browser` on project to Lacework service account `roles/cloudasset.viewer` on project to Lacework service account `roles/iam.securityReviewer` on project to Lacework service account
Pub/Sub Admin	`roles/pubsub.admin`	Audit Log	Create Pub/Sub topic and subscription Grant IAM privileges: `roles/pubsub.publisher` on Pub/Sub topic to Lacework service account for Pub/Sub-based audit log integration or on Pub/Sub topic to project storage account for Storage-based audit log integration `roles/pubsub.subscriber` on Pub/Sub subscription to Lacework service account
Role Administrator	`roles/iam.roleAdmin`	Configuration	Create `roles/lwComplianceRole` Lacework custom IAM role with the following permissions for the project: bigquery.datasets.get compute.projects.get compute.sslPolicies.get pubsub.topics.get storage.buckets.get
Service Account Admin	`roles/iam.serviceAccountAdmin`	Audit Log Configuration	Create Lacework service account
Service Account Key Admin	`roles/iam.serviceAccountKeyAdmin`	Audit Log Configuration	Create service account key for Lacework service account
Service Usage Admin	`roles/serviceusage.serviceUsageAdmin`	Audit Log Configuration	Enable the required GCP service APIs
Storage Admin	`roles/storage.admin`	Audit Log (for Storage-based audit log integration only)	Create cloud storage bucket Grant IAM privileges: `roles/storage.objectCreator` on storage bucket to project logging account `roles/storage.objectViewer` on storage bucket to Lacework service account

Overview​

Organization Level Integration Roles​

Project Level Integration Roles​

Project Owner Access​

Least Privilege Access​

Overview

Organization Level Integration Roles

Project Level Integration Roles

Project Owner Access

Least Privilege Access