![Hyperproof.Io [Test] Help Center](https://downloads.intercomcdn.com/i/o/xgk1dxp2/757668/427b255f2659cc7e0853d6a00ec1/628914ae2617199b7d999ba797a5305a.png)
Note: Hyperproof connects to many third-party systems that frequently change, including the system interface. Contact your System Administrator or the third-party provider for assistance in meeting the requirements to integrate with Hyperproof and collect the proof you need.
When you create a Hypersync between Hyperproof and Google Cloud Platform (GCP), you can automatically collect the following proof types:
Google Cloud Platform proof types and fields
Service | Proof type | Fields | Testable |
Cloud Storage | Bucket Encryption | Bucket Name, Encryption Type, Encryption Key | Yes |
Cloud Storage | Bucket Lifecycle Rules | Bucket Name, Bucket, Action, Age, Created Before, Custom Time Before, Days Since Custom Time, Days Since Noncurrent Time, Is Live, Matches Prefix, Matches Storage Class, Matches Suffix, Noncurrent Time Before, Num Newer Versions | No |
Cloud Storage | Bucket Replication | Bucket Name, Location Type, Location | Yes |
Cloud Storage | Bucket Retention Settings | Bucket Name, Retention Period, Effective Time, Locked | No |
Cloud Storage | Bucket Settings | Bucket Name, Location Type, Location, Versioning, Encryption Type, Encryption Key | Yes |
Cloud Storage | Bucket Versioning | Bucket Name, Versioning | Yes |
Compute Engine | Firewall Rules | Name, Network, Direction, Log Config, Disabled | Yes |
Compute Engine | List of Disk Encryption Settings | ID, Name, Zone, Disk Encryption Key, Source Snapshot Encryption Key | Yes |
Compute Engine | List of Images | Name, Source Image, Location, Disk Size, Family, Architecture, Creation Time, Labels | Yes |
Compute Engine | List of Instance Groups | Name, Instances, Template, Autoscaling, Zone, Creation Time | Yes |
Compute Engine | List of Instance Templates | Name, Machine type, Image, Disk type, Creation Time | Yes |
Compute Engine | List of Running Instances | Name, Instance template Network Interfaces: Internal IP, External IP | No |
Compute Engine | List of Snapshots | Name, Location, Snapshot Size, Creation Time, Source Disk, Disk Size | Yes |
Compute Engine | Minimum TLS Version | Name, Minimum TLS version, Profile, Creation Time | Yes |
IAM | Custom Project Roles | Title, Name, Description | Yes |
IAM | Project Members | Principal, Role | No |
Kubernetes Engine | List of Clusters | Zone, Project, Status, Name, Location, Mode, Number of nodes, Total vCPUs, Total memory, Labels Networking: Private cluster, network, Subnet, Pod address range, Service access range, Intranode visibility, NodeLocal DNSCache, HTTP Load Balancing, Subsetting for L4 Internal Load Balancers, Control plane authorized networks, Network policy, Dataplane V2 Security: Binary authorization, Shielded GKE nodes, Confidential GKE node, Workload identity, Workload identity namespace, Legacy authorization | No |
Kubernetes Engine | List of Pod Security Policies | Zone, Cluster, Run As User, Run As Group, Run As Non Root, FS Group, FS Group Change Policy, Name, Privileged, Allow Privilege Escalation, Readonly Root FS Run as User: Rule, Ranges Run as Group: Rule, Ranges FS Group: Rule, Ranges | Yes |
Kubernetes Engine | List of Workloads | Zone, Name, Status, Type, Pods, Namespace, Cluster | Yes |
SQL | Backup Configuration | Project, Instance Name, Backup Location, Backup Enabled, Start Time, Retained Backups, Point In Time Recovery, Transaction Log Retention Days | Yes |
SQL | Backup Runs | Project, Instance Name, Identifier, Kind, Type, Start Time, End Time, Location, Status | Yes |
VPC | List of Networks | ID, Name, Subnets, MTU, Mode, Global Dynamic Routing | No |
VPC | List of Subnets | Region, Name, ID, Network, State, IPv4 CIDR, IPv6 CIDR | No |
Google Cloud Platform notes on proof types
Compute Engine
List of Disk Encryption Settings
Note: Requires the compute.disks.list permission.
Kubernetes Engine
List of Pod Security Policies
Note: This proof type is compatible only with Kubernetes version 1.22 or higher. If you use a lower version of Kubernetes, the proof will not be generated.
Kubernetes has deprecated PodSecurityPolicies in version 1.21. See this Kubernetes article for information on migrating from PodSecurityPolicies to the built-in PodSecurity admission controller. Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller.
VPC
List of Subnets
Note: Requires the compute.subnetworks.list permission. Additionally, to view the linked webpage in the proof, compute.networks.list and compute.networks.get are also needed.
List of Networks
Note: Requires the compute.networks.list permission.
This Hypersync supports importing a user list for an access review. See Importing a list of application users with a Hypersync for more information.
Important: For the Hypersync to work, the following resources must also be enabled in the GCP Project: Compute Engine API, Cloud Resource Manager API, and Identity and Access Management (IAM) API. These are project-level settings, and they can be found by searching in GCP. It’s highly recommended that these settings be turned on prior to creating the Hypersync; otherwise, an unspecified error may occur.
Additional documentation
The Google Cloud Platform Hypersync can be used to collect data from a single project or all projects within an organization or resource folder.
Note: You only need to connect Hyperproof to the app once, and then you can create as many Hypersyncs as you need.
Additionally, you can create multiple Hypersyncs for a single control or label.
Connection configuration
Authentication type: Custom
Custom authentication parameters: Private JSON Key
During the connection process, you need to copy and paste your JSON private key file. If you don’t have a JSON private key file, follow the steps below. Note that creating a private key file requires Service Account Admin access (roles/iam.serviceAccountAdmin). If you don’t have access, contact your organization’s GCP administrator.
Open GCP.
From the left navigation menu, hover over IAM & Admin and select Service Accounts.
Click Create Service Account.
Name the account.
Assign the account the roles of Security Reviewer and Cloud Asset Service Agent, then click Continue.
Optionally, add additional users to grant them permissions within the service account.
Click Done, and then click the service account you just created.
Select the Keys tab.
Click Add Key, and then select Create new key.
Select the JSON radio button, then click Create. The JSON file is automatically downloaded to your computer.