Note
Hyperproof connects to many third-party systems that frequently change, including the system interface. Contact your System Administrator or the third-party provider for assistance in meeting the requirements to integrate with Hyperproof and collect the proof you need.
When you create a Hypersync between Hyperproof and Google Cloud Platform (GCP), you can automatically collect the following proof types:
Google Cloud Platform proof types and fields
| Service | Proof type | Fields | Testable |
| --- | --- | --- | --- |
| Cloud Storage | Bucket Encryption | Bucket Name, Encryption Type, Encryption Key | Yes |
| Cloud Storage | Bucket Lifecycle Rules | Bucket Name, Bucket, Action, Age, Created Before, Custom Time Before, Days Since Custom Time, Days Since Noncurrent Time, Is Live, Matches Prefix, Matches Storage Class, Matches Suffix, Noncurrent Time Before, Num Newer Versions | No |
| Cloud Storage | Bucket Replication | Bucket Name, Location Type, Location | Yes |
| Cloud Storage | Bucket Settings | Bucket Name, Location Type, Location, Versioning, Encryption Type, Encryption Key | Yes |
| Cloud Storage | Bucket Versioning | Bucket Name, Versioning | Yes |
| Cloud Storage | Retention Lock Settings | Bucket Name, Retention Period, Effective Time, Locked | No |
| Compute Engine | Firewall Rules | Name, Network, Direction, Log Config, Disabled | Yes |
| Compute Engine | List of Disk Encryption Settings | ID, Name, Zone, Disk Encryption Key, Source Snapshot Encryption Key | Yes |
| Compute Engine | List of Images | Name, Source Image, Location, Disk Size, Family, Architecture, Creation Time, Labels | Yes |
| Compute Engine | List of Instance Groups | Name, Instances, Template, Autoscaling, Zone, Creation Time | Yes |
| Compute Engine | List of Instance Templates | Name, Machine type, Image, Disk type, Creation Time | Yes |
| Compute Engine | List of Running Instances | Name, Instance template; Network Interfaces: Internal IP, External IP | No |
| Compute Engine | List of Snapshots | Name, Location, Snapshot Size, Creation Time, Source Disk, Disk Size | Yes |
| Compute Engine | Minimum TLS Version | Name, Minimum TLS version, Profile, Creation Time | Yes |
| IAM | Custom Project Roles | Title, Name, Description | Yes |
| IAM | Project Members | Principal, Role | No |
| Kubernetes Engine | List of Clusters | Zone, Project, Status, Name, Location, Mode, Number of nodes, Total vCPUs, Total memory, Labels; Networking: Private cluster, Network, Subnet, Pod address range, Service access range, Intranode visibility, NodeLocal DNSCache, HTTP Load Balancing, Subsetting for L4 Internal Load Balancers, Control plane authorized networks, Network policy, Dataplane V2; Security: Binary authorization, Shielded GKE nodes, Confidential GKE node, Workload identity, Workload identity namespace, Legacy authorization | No |
| Kubernetes Engine | List of Pod Security Policies | Zone, Cluster, Run As User, Run As Group, Run As Non Root, FS Group, FS Group Change Policy, Name, Privileged, Allow Privilege Escalation, Readonly Root FS; Run as User: Rule, Ranges; Run as Group: Rule, Ranges; FS Group: Rule, Ranges | Yes |
| Kubernetes Engine | List of Workloads | Zone, Name, Status, Type, Pods, Namespace, Cluster | Yes |
| SQL | Backup Configuration | Project, Instance Name, Backup Location, Backup Enabled, Start Time, Retained Backups, Point In Time Recovery, Transaction Log Retention Days | Yes |
| SQL | Backup Runs | Project, Instance Name, Identifier, Kind, Type, Start Time, End Time, Location, Status | Yes |
| VPC | List of Networks | ID, Name, Subnets, Mode, Global Dynamic Routing | No |
| VPC | List of Subnets | Region, Name, ID, Network, State, IPv4 CIDR, IPv6 CIDR | No |
Google Cloud Platform notes on proof types
Compute Engine
List of Disk Encryption Settings
Note
Requires the compute.disks.list permission.
Kubernetes Engine
List of Pod Security Policies
Note
This proof type is compatible only with Kubernetes version 1.22 or higher. If you use a lower version of Kubernetes, the proof will not be generated.
Kubernetes deprecated PodSecurityPolicies in version 1.21. For information on migrating from PodSecurityPolicies to the built-in PodSecurity admission controller, see the Kubernetes article Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller.
VPC
List of Subnets
Note
Requires the compute.subnetworks.list permission. Additionally, to view the linked webpage in the proof, the compute.networks.list and compute.networks.get permissions are also needed.
List of Networks
Note
Requires the compute.networks.list permission.
This Hypersync supports importing a user list for an access review. See Importing a list of application users with a Hypersync for more information.
Important
For the Hypersync to work, the following APIs also have to be enabled in the GCP project: Compute Engine API, Cloud Resource Manager API, and Identity and Access Management (IAM) API. These are project-level settings, and they can be found by searching in GCP. It's highly recommended that these APIs be enabled before creating the Hypersync; otherwise an unspecified error may occur.
Additional documentation
The Google Cloud Platform Hypersync can be used to collect data from a single project or all projects within an organization or resource folder.
Note
You only need to connect Hyperproof to the app once, and then you can create as many Hypersyncs as you need.
Additionally, you can create multiple Hypersyncs for a single control or label.
Connection configuration
Authentication type: Custom
Custom authentication parameters: Private JSON Key
During the connection process, you need to copy and paste the contents of your JSON private key file. If you don't have a JSON private key file, follow the steps below. Note that creating a private key file requires Service Account Admin access (roles/iam.serviceAccountAdmin). If you don't have that access, contact your organization's GCP administrator.
Open GCP.
From the left navigation menu, hover over IAM & Admin and select Service Accounts.
Click Create Service Account.
Name the account.
Assign the account the roles of Security Reviewer and Cloud Asset Service Agent, then click Continue.
Optionally, add additional users to grant them permissions within the service account.
Click Done, and then click the service account you just created.
Select the Keys tab.
Click Add Key, and then select Create new key.
Select the JSON radio button, then click Create. The JSON file is automatically downloaded to your computer.
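The same setup can be scripted with the gcloud CLI. The script below is an added example written for this article; it is not Hyperproof's code and not part of the original page. It covers both the API requirement from the Important note above (Compute Engine, Cloud Resource Manager and IAM APIs) and the service-account steps just listed. The project ID `my-project`, the service-account name `hyperproof-sync`, the key path and the `DRY_RUN` switch are placeholders I chose; the role IDs `roles/iam.securityReviewer` and `roles/cloudasset.serviceAgent` are my mapping of the role titles "Security Reviewer" and "Cloud Asset Service Agent" named in the steps. The final function checks the downloaded key is actually a service-account key and restricts its file permissions before you paste it into Hyperproof.

```shell
#!/usr/bin/env sh
# Added example (not Hyperproof's code): gcloud equivalent of the console steps above.
# Assumptions: project ID, service-account name and key path are placeholders;
# the role IDs below are my mapping of the role titles the article names.
set -eu

# Role IDs assumed for "Security Reviewer" and "Cloud Asset Service Agent".
SECURITY_REVIEWER_ROLE="roles/iam.securityReviewer"
CLOUD_ASSET_AGENT_ROLE="roles/cloudasset.serviceAgent"

# APIs the article says must be enabled in the project before creating the Hypersync.
REQUIRED_APIS="compute.googleapis.com cloudresourcemanager.googleapis.com iam.googleapis.com"

# Builds the service-account e-mail address from its name and project ID.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# Prints each gcloud command when DRY_RUN=1 (review before running), else executes it.
run_cmd() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Whole setup: enable the required APIs, create the service account,
# bind the two roles at project level, then create a JSON key.
# $1 = project ID, $2 = service-account name, $3 = path for the key file
setup_hypersync_service_account() {
  project="$1"; sa_name="$2"; key_file="$3"
  email=$(sa_email "$sa_name" "$project")

  # Word splitting of REQUIRED_APIS is intended: one argument per API.
  run_cmd gcloud services enable $REQUIRED_APIS --project "$project"
  run_cmd gcloud iam service-accounts create "$sa_name" \
    --display-name "Hyperproof Hypersync" --project "$project"
  for role in "$SECURITY_REVIEWER_ROLE" "$CLOUD_ASSET_AGENT_ROLE"; do
    run_cmd gcloud projects add-iam-policy-binding "$project" \
      --member "serviceAccount:$email" --role "$role"
  done
  run_cmd gcloud iam service-accounts keys create "$key_file" \
    --iam-account "$email" --project "$project"
}

# Sanity check before pasting the key into Hyperproof: the file must be a
# service-account key (not a user credential) and should be owner-readable only.
check_key_file() {
  key_file="$1"
  grep -q '"type": *"service_account"' "$key_file" || return 1
  grep -q '"private_key":' "$key_file" || return 1
  chmod 600 "$key_file"
  return 0
}

# Usage (prints the commands; drop DRY_RUN=1 to execute them):
#   DRY_RUN=1 setup_hypersync_service_account my-project hyperproof-sync ./hyperproof-key.json
#   check_key_file ./hyperproof-key.json
```

Run it once with `DRY_RUN=1` to review the exact bindings being granted, since the two roles are bound at project level and apply to every resource the Hypersync will read. The key file is a long-lived credential: keep it out of version control and delete the local copy once it has been pasted into the Hyperproof connection.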
![Hyperproof.Io [Test] Help Center](https://downloads.intercomcdn.com/i/o/xgk1dxp2/757668/427b255f2659cc7e0853d6a00ec1/628914ae2617199b7d999ba797a5305a.png)