Review the permissions required to deploy resources and the permissions granted when connecting Google Cloud projects and organizations to Trend Vision One.
Trend Micro recommends signing in to the project with an account that holds the Owner role. If you are adding a Google Cloud organization, the account must also hold the Organization Administrator role. Make sure your account and its roles meet the following requirements before you deploy Trend Vision One cloud security resources to your project.
- The project must be linked to a valid Google Cloud billing account.
- The user's role must have access to the following Google Cloud services and features:
  - Cloud Shell
  - Cloud Storage
  - Service Account
  - Workload Identity Pool
  - Workload Identity Pool Provider
  - IAM
  - Tag Key
  - Tag Value
  - Enable GCP API
- The Terraform process grants itself the permissions it needs to establish the connection between Cloud Accounts and the Trend Vision One cloud security services. These include the permissions that let the Cloud Accounts app and the security services obtain temporary credentials and carry out tasks in your Google Cloud environment. The required permissions are listed in the following table.
Google Cloud required permissions

Feature                                    | Required permissions
-------------------------------------------|---------------------------------------------------
Core Features                              |
Cloud Security Posture                     | actions:
Agentless Vulnerability & Threat Detection | Control Plane Service Account
                                           |   Purpose: Manages control plane operations
                                           |   Customer project permissions:
                                           |   Sidecar project permissions:
                                           | Customer Role Service Account
                                           |   Purpose: Handles customer-specific operations
                                           |   Customer project permissions:
                                           |   Sidecar project permissions:
                                           | Data Plane Service Account
                                           |   Purpose: Executes data plane operations
                                           |   Sidecar project permissions:
                                           |   Customer project permissions:
Real-Time Posture Monitoring               | No permissions required.
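The account requirements above (Owner on the project, Organization Administrator when adding an organization, and access to the listed Google Cloud services) can be verified before running the Terraform deployment. The following preflight script is an added example written for this page; it is not Trend Micro's code and not part of the Trend Vision One deployment. It assumes an authenticated gcloud CLI for the live queries, and the API identifiers it checks are the editor's mapping of the page's feature list onto Google Cloud service names (Cloud Storage, IAM and service accounts, Workload Identity Federation credentials, Resource Manager tags, Service Usage); Cloud Shell has no API to enable and is not checked. The role IDs roles/owner and roles/resourcemanager.organizationAdmin are the standard Google Cloud identifiers for the two roles the page names.

```shell
#!/bin/sh
# Added preflight check for the account requirements described on this page.
# Not Trend Micro's code. Role IDs are Google Cloud's predefined roles; the API
# list is the editor's assumed mapping of the page's feature list.

REQUIRED_PROJECT_ROLE='roles/owner'
REQUIRED_ORG_ROLE='roles/resourcemanager.organizationAdmin'

# Assumed API mapping for: Cloud Storage; Service Account / IAM / Workload
# Identity Pool and Provider; Tag Key / Tag Value; Enable GCP API.
REQUIRED_APIS='storage.googleapis.com
iam.googleapis.com
iamcredentials.googleapis.com
cloudresourcemanager.googleapis.com
serviceusage.googleapis.com'

# has_line LIST NEEDLE: succeed if NEEDLE is exactly one line of LIST.
has_line() {
  printf '%s\n' "$1" | grep -qxF -- "$2"
}

# missing_apis ENABLED_LIST: print each required API that is not in ENABLED_LIST.
missing_apis() {
  for api in $REQUIRED_APIS; do
    has_line "$1" "$api" || printf '%s\n' "$api"
  done
}

# preflight ROLES ENABLED_APIS [project|org]
# ROLES: newline-separated roles bound to the account (project policy, plus the
#        organization policy when scope is "org").
# Returns 0 when every requirement holds; prints each gap it finds otherwise.
preflight() {
  roles=$1; apis=$2; scope=${3:-project}; rc=0
  has_line "$roles" "$REQUIRED_PROJECT_ROLE" \
    || { echo "missing project role: $REQUIRED_PROJECT_ROLE"; rc=1; }
  if [ "$scope" = org ]; then
    has_line "$roles" "$REQUIRED_ORG_ROLE" \
      || { echo "missing organization role: $REQUIRED_ORG_ROLE"; rc=1; }
  fi
  missing=$(missing_apis "$apis")
  [ -z "$missing" ] || { printf 'APIs not enabled:\n%s\n' "$missing"; rc=1; }
  [ "$rc" -eq 0 ] && echo "preflight OK ($scope scope)"
  return $rc
}

# Live queries that feed preflight with real data (MEMBER is e.g.
# user:alice@example.com; ORG_ID only matters for the org scope):
#   project_roles=$(gcloud projects get-iam-policy "$PROJECT" \
#       --flatten='bindings[].members' --filter="bindings.members:$MEMBER" \
#       --format='value(bindings.role)')
#   org_roles=$(gcloud organizations get-iam-policy "$ORG_ID" \
#       --flatten='bindings[].members' --filter="bindings.members:$MEMBER" \
#       --format='value(bindings.role)')
#   apis=$(gcloud services list --enabled --project "$PROJECT" \
#       --format='value(config.name)')
#   preflight "$project_roles
# $org_roles" "$apis" org

# Constructed sample data so the script runs offline: an account that is Owner
# on the project but not Organization Administrator, with every API enabled.
SAMPLE_ROLES='roles/viewer
roles/owner'
SAMPLE_APIS='storage.googleapis.com
iam.googleapis.com
iamcredentials.googleapis.com
cloudresourcemanager.googleapis.com
serviceusage.googleapis.com'
```

Run as `preflight "$SAMPLE_ROLES" "$SAMPLE_APIS" project` for a project-only deployment, or with `org` as the third argument when an organization is being added. One caveat a practitioner should keep in mind: filtering the IAM policy by a single member only finds roles bound directly to that account. If Owner or Organization Administrator is granted through a Google group or inherited from a folder, the direct-member query will report it as missing even though the deployment would succeed; check the group's bindings or the parent resource's policy in that case.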