Profile Applicability:

Level 1

Description:

Google Cloud Asset Inventory (CAI) provides a historical view of Google Cloud resources and IAM policies through a time-series database. It captures metadata about resources, IAM policies, and runtime information within a project. While the Cloud Asset API is not required for basic operation of CAI, enabling it allows for searching and exporting data directly.

Rationale:

Cloud Asset Inventory facilitates:

  • Security analysis: Identifying misconfigurations and vulnerabilities.

  • Resource change tracking: Monitoring changes over time.

  • Compliance auditing: Ensuring adherence to organizational and regulatory requirements.
    Enabling CAI ensures an accurate inventory of assets and IAM policies, which is critical for governance and security.

Impact:

Enabling CAI does not impact regular operations but enables enhanced tracking.
Organizations might incur storage costs when exporting asset metadata to Cloud Storage or BigQuery.

Audit Steps:

Using Google Cloud Console:

  1. Navigate to API & Services > Library by visiting:
    https://console.cloud.google.com/apis/library.

                     

  1. Search for Cloud Asset API and select the result.

                   

  1. Verify that API Enabled is displayed.

                 


Using Google Cloud CLI:

Run the following command to check if the Cloud Asset API is enabled:

gcloud services list --enabled --filter=name:cloudasset.googleapis.com

  1. If the API is enabled, it will be listed in the output. If the response is empty, the API is not enabled.

Remediation Steps:

Using Google Cloud Console:

  1. Navigate to API & Services > Library by visiting:
    https://console.cloud.google.com/apis/library.

               

  1. Search for Cloud Asset API and select it.

               

  1. Click the ENABLE button.

             

Using Google Cloud CLI:

Enable the Cloud Asset API by running the following command:

gcloud services enable cloudasset.googleapis.com

References:

  1. Cloud Asset Inventory Documentation

Additional Information:

  • CAI retains a five-week history of asset metadata by default. For longer retention, consider exporting data to Cloud Storage or BigQuery.

  • Users do not need to enable the API unless they plan to export or search CAI data directly.

CIS Controls:

Control

Description

IG 1

IG 2

IG 3

1.1 Establish and Maintain Asset Inventory

Maintain a detailed, up-to-date inventory of all enterprise assets, including hardware and software assets, network addresses, owners, and departments.

6.6 Authentication and Authorization Inventory

Maintain an accurate inventory of all authentication and authorization systems, reviewing and updating it at least annually.


1.4 Detailed Asset Inventory

Ensure a complete inventory of all technology assets, including hardware and software, connected or unconnected to the organization's network.

16.1 Authentication Systems Inventory

Maintain a record of all authentication systems used by the organization, whether onsite or hosted externally.