Conformity Google Cloud Platform Data Source Setup

  1. For customers that do not already have Conformity, sign up for a free trial.
    1. Go to the sign-up form: https://cloudone.trendmicro.com/trial
    2. Provide all the required information and complete the reCAPTCHA.
    3. Agree to the terms and conditions, privacy notice, and data collection notice.
    4. Click Sign Up.
    5. Click the Verify Email link in the confirmation email sent to your business email account.
    6. Sign in to activate your Trend Micro Cloud One console.

      Allow a few moments to provision your new console.

    7. Specify an Account Alias for your account.

      You can change your alias later using the console.

    8. Specify the Region in which Trend Micro Cloud One stores all of your data.
    9. Click Continue.
  2. In Google Cloud, ensure that all APIs that Conformity requires are enabled.
    1. Sign in to Google Cloud.
    2. In the left menu, click APIs & Services.
    3. Verify that all of the following APIs display in the Enabled APIs & services table.
      • API Keys API

      • BigQuery API

      • Cloud Dataproc API

      • Cloud DNS API

      • Compute Engine API

      • Cloud Key Management Service (KMS) API

      • Cloud Logging API

      • Cloud Pub/Sub API

      • Cloud Resource Manager API

      • Cloud SQL Admin API

      • Cloud Storage API

      • Identity and Access Management (IAM) API

      • Kubernetes Engine API

    4. Enable all missing APIs by repeating the following steps.
      1. Click ENABLE APIS AND SERVICES.
      2. Search for the API name and click the correct result.

      3. Click Enable.

  3. Create the Google Cloud role for use with the Conformity service account.
    1. In the left menu, go to IAM & Admin > Roles.
    2. Click CREATE ROLE.
    3. Specify the Title and ID for the new role.
    4. (Optional) Provide a description.
    5. Do not modify the default Role launch stage: Alpha.
    6. Click ADD PERMISSIONS.
    7. Next to the Filter, type the name of the permission.

      The role requires all of the following 34 permissions:

      • apikeys.keys.list

      • bigquery.datasets.get

      • bigquery.tables.get

      • cloudkms.cryptoKeys.getIamPolicy

      • cloudkms.cryptoKeys.list

      • cloudkms.keyRings.list

      • cloudkms.locations.list

      • cloudSql.instances.list

      • compute.backendServices.list

      • compute.firewalls.list

      • compute.globalForwardingRules.list

      • compute.images.getIamPolicy

      • compute.images.list

      • compute.instances.list

      • compute.networks.list

      • compute.projects.get

      • compute.sslPolicies.list

      • compute.subnetworks.list

      • compute.targetHttpsProxies.list

      • compute.targetSslProxies.list

      • compute.urlMaps.list

      • container.clusters.list

      • dataproc.clusters.list

      • dns.managedZones.list

      • dns.policies.list

      • iam.serviceAccounts.get

      • logging.logMetrics.list

      • logging.sinks.list

      • monitoring.alertPolicies.list

      • pubsub.topics.list

      • resourcemanager.projects.get

      • resourcemanager.projects.getIamPolicy

      • storage.buckets.getIamPolicy

      • storage.buckets.list

    8. Select the permission in the list and click Add.
    9. Repeat for all permissions.
    10. After adding all the required permissions, select the check box at the top of the list for each page until all 34 permissions have been assigned.
    11. Click CREATE.
  4. Create the service account in Google Cloud used for the Conformity integration.
    1. In Google Cloud, select the project that you want to protect with Conformity.
    2. In the left menu, go to IAM & Admin > Service Accounts.
    3. Click CREATE SERVICE ACCOUNT.
    4. Specify the Service account name, an optional Description, and click CREATE AND CONTINUE.
    5. Select the custom role you created in step 3 by clicking the Select a role field and locating the role.
    6. Click CONTINUE.
    7. Click DONE.
      Note:

      You do not need to grant users access to this service account.

    8. Create the key used by the service account.
      1. In the Action column for the service account you just created, click the button and Manage keys.

      2. Click ADD KEY and Create new key.

      3. Leave the default JSON key type and click CREATE.

      4. Save the generated JSON file in a secure location for use in the Conformity console.

    Important:

    Add the service account to all projects that you want to protect with Conformity.

  5. Create your GCP Project account in Conformity.
    1. Sign in to Trend Micro Cloud One.
    2. Click Conformity.
    3. Click GCP Project and click Next.
    4. Specify the display name of the service account used in the Conformity console.
      Note:

      The display name does not need to match the name of the service account in Google Cloud.

    5. Upload the JSON file containing the Google Cloud service account key generated in step 4 and click Next.
    6. Select all the Google Cloud projects that you want to protect using Conformity and click Next.
      Note:

      You can only view Google Cloud projects that you assigned the service account to in the Google Cloud console.

    7. Review the settings and click Finish.
  6. Connect Conformity with Risk Insights using an API Key.
    1. Go to the home screen of the Trend Micro Cloud One console, and click User Management.
    2. In the left menu, click API Keys.
    3. Click New.
    4. Specify the API Key Alias.
    5. In Role, select Read Only.
    6. Click Next.
    7. Copy the API Key immediately.
      Important:

      You cannot access the API Key again after closing the dialog. Copy and store the API Key in a safe location.

    8. In the Trend Micro Vision One console, open the Trend Micro Cloud One - Conformity Data Source panel.
    9. Paste the API Key from Conformity in the API Key field.
    10. Acknowledge that your Conformity data may be transferred to another data center based on the Trend Micro Vision One data center.
    11. Click Save.
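
A least-privilege check for steps 3 and 4, added here as an example and not part of the original page or Trend Micro's own tooling: it compares a custom role export against the 34 permissions listed in step 3 and lists any other roles bound to the service account. It assumes the JSON comes from `gcloud iam roles describe ROLE_ID --project=PROJECT --format=json` and `gcloud projects get-iam-policy PROJECT --format=json`; the project, role and service account names are constructed.

```python
import json

# The 34 permissions from step 3, copied as spelled on this page and lowercased
# so that the comparison with a role export is case-insensitive.
REQUIRED = frozenset("""
apikeys.keys.list bigquery.datasets.get bigquery.tables.get
cloudkms.cryptoKeys.getIamPolicy cloudkms.cryptoKeys.list cloudkms.keyRings.list
cloudkms.locations.list cloudSql.instances.list compute.backendServices.list
compute.firewalls.list compute.globalForwardingRules.list compute.images.getIamPolicy
compute.images.list compute.instances.list compute.networks.list compute.projects.get
compute.sslPolicies.list compute.subnetworks.list compute.targetHttpsProxies.list
compute.targetSslProxies.list compute.urlMaps.list container.clusters.list
dataproc.clusters.list dns.managedZones.list dns.policies.list iam.serviceAccounts.get
logging.logMetrics.list logging.sinks.list monitoring.alertPolicies.list
pubsub.topics.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy
storage.buckets.getIamPolicy storage.buckets.list
""".lower().split())
READ_VERBS = {"get", "list", "getiampolicy"}  # every required permission ends in one of these


def audit_role(role_json: str) -> dict:
    """Compare a custom role export against the required permission set."""
    granted = {p.lower() for p in json.loads(role_json).get("includedPermissions", [])}
    return {
        "missing": sorted(REQUIRED - granted),    # Conformity would lack this access
        "extra": sorted(granted - REQUIRED),      # more than the page asks for
        "not_read_only": sorted(p for p in granted if p.rsplit(".", 1)[-1] not in READ_VERBS),
    }


def other_roles(policy_json: str, sa_email: str, role_name: str) -> list:
    """Roles bound to the service account besides the custom role."""
    member = f"serviceAccount:{sa_email}".lower()
    return sorted(
        b["role"] for b in json.loads(policy_json).get("bindings", [])
        if b["role"] != role_name and member in (m.lower() for m in b.get("members", []))
    )


# Constructed sample input: one permission missing, one write permission added,
# and the service account also bound to a broad predefined role.
SA = "conformity@example-project.iam.gserviceaccount.com"
ROLE = "projects/example-project/roles/conformityReadOnly"
SAMPLE_ROLE = json.dumps({"includedPermissions":
                          sorted(REQUIRED - {"dns.policies.list"}) + ["storage.buckets.update"]})
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": r, "members": ["serviceAccount:" + SA]} for r in (ROLE, "roles/editor")]})

if __name__ == "__main__":
    print(audit_role(SAMPLE_ROLE))
    print(other_roles(SAMPLE_POLICY, SA, ROLE))
```

Run it against each project the service account is added to; all three lists from `audit_role` and the list from `other_roles` should be empty.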