
Review the permissions required to deploy resources, and the permissions that are granted when you connect Google Cloud projects and organizations to Trend Vision One.

Trend Micro recommends using a login that has the Owner role to access the project. If you are adding a Google Cloud organization, the login must also have the Organization Administrator role. Make sure your account and role meet the following requirements so that Trend Vision One Cloud Security resources can be deployed to your project successfully.
  • The associated Google account must have a valid billing account.
  • The user role must be able to access the following Google Cloud services and features:
    • Cloud Shell
    • Cloud Storage
    • Service Accounts
    • Workload Identity Pools
    • Workload Identity Pool Providers
    • IAM
    • Tag Keys
    • Tag Values
    • Enabling GCP APIs
The Terraform program assigns certain permissions to itself in order to establish the connection between Cloud Accounts and the Trend Vision One cloud security services. These permissions allow the Cloud Accounts app and the security services to obtain temporary credentials and complete tasks in your Google Cloud environment. The required permissions are listed in the table below:

Required Google Cloud permissions

Feature: Core features
Required permissions:
  • compute.regions.list
  • iam.roles.create
  • iam.roles.delete
  • iam.roles.get
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.create
  • iam.serviceAccounts.delete
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccounts.setIamPolicy
  • iam.workloadIdentityPoolProviderKeys.delete
  • iam.workloadIdentityPoolProviders.create
  • iam.workloadIdentityPoolProviders.delete
  • iam.workloadIdentityPoolProviders.get
  • iam.workloadIdentityPools.create
  • iam.workloadIdentityPools.delete
  • iam.workloadIdentityPools.get
  • iam.workloadIdentityPools.update
  • iam.workloadIdentityPools.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.setIamPolicy
  • resourcemanager.tagKeys.create
  • resourcemanager.tagKeys.delete
  • resourcemanager.tagKeys.get
  • resourcemanager.tagKeys.list
  • resourcemanager.tagValues.create
  • resourcemanager.tagValues.delete
  • resourcemanager.tagValues.get
  • resourcemanager.tagValues.list
  • serviceusage.services.enable
  • serviceusage.services.list
  • serviceusage.services.use
  • storage.buckets.create
  • storage.buckets.delete
  • storage.buckets.get
  • storage.objects.update
  • storage.buckets.getIamPolicy
  • storage.buckets.setIamPolicy
  • storage.buckets.list
  • storage.buckets.update
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.list
  • storage.objects.move
  • storage.objects.setIamPolicy
Feature: Cloud Security Posture
Required permissions (operations):
  • accessapproval.settings.get
  • alloydb.clusters.list
  • alloydb.instances.list
  • apigateway.locations.get
  • apigateway.gateways.list
  • apigateway.gateways.getIamPolicy
  • apigateway.apis.list
  • apigateway.apis.get
  • apigateway.apis.getIamPolicy
  • apigateway.apiconfigs.list
  • apigateway.apiconfigs.getIamPolicy
  • apigee.apiproducts.list
  • apigee.deployments.list
  • apigee.envgroupattachments.list
  • apigee.envgroups.list
  • apigee.environments.getStats
  • apigee.instanceattachments.list
  • apigee.instances.list
  • apigee.proxies.list
  • apigee.proxyrevisions.get
  • apikeys.keys.list
  • artifactregistry.repositories.list
  • bigtable.instances.list
  • bigtable.clusters.list
  • bigtable.instances.getIamPolicy
  • bigquery.datasets.get
  • bigquery.tables.get
  • bigquery.tables.list
  • bigquery.tables.getIamPolicy
  • cloudkms.cryptoKeys.getIamPolicy
  • cloudkms.cryptoKeys.list
  • cloudkms.keyRings.list
  • cloudkms.locations.list
  • cloudsql.instances.list
  • cloudsql.instances.listServerCas
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionSslPolicies.list
  • compute.firewalls.list
  • compute.globalForwardingRules.list
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instances.list
  • compute.instances.getIamPolicy
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.networks.list
  • compute.subnetworks.list
  • compute.subnetworks.getIamPolicy
  • compute.projects.get
  • compute.targetHttpsProxies.list
  • compute.targetSslProxies.list
  • compute.sslPolicies.list
  • compute.urlMaps.list
  • compute.targetVpnGateways.list
  • compute.vpnGateways.list
  • compute.instanceGroups.list
  • compute.zones.list
  • container.clusters.list
  • container.clusters.get
  • dataproc.clusters.list
  • dataproc.clusters.getIamPolicy
  • datastore.databases.list
  • dns.policies.list
  • dns.managedZones.list
  • file.instances.list
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccountKeys.list
  • iam.roles.list
  • logging.logEntries.list
  • logging.logMetrics.list
  • logging.sinks.list
  • memcache.instances.list
  • monitoring.alertPolicies.list
  • orgpolicy.policy.get
  • pubsub.topics.get
  • pubsub.topics.getIamPolicy
  • pubsub.topics.list
  • pubsub.subscriptions.get
  • pubsublite.topics.list
  • pubsublite.topics.listSubscriptions
  • redis.clusters.list
  • redis.instances.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • servicemanagement.services.get
  • serviceusage.services.list
  • spanner.instances.getIamPolicy
  • spanner.instances.list
  • storage.buckets.getIamPolicy
  • storage.buckets.list
  • certificatemanager.certs.list
  • compute.routers.list
  • cloudfunctions.functions.list
  • cloudfunctions.functions.getIamPolicy
  • networkconnectivity.hubs.list
  • networkconnectivity.hubs.listSpokes
  • networkconnectivity.hubs.getIamPolicy
  • notebooks.instances.list
  • notebooks.instances.getIamPolicy
  • artifactregistry.dockerimages.list
Feature: Agentless Vulnerability and Threat Detection
Required permissions:
Control Plane Service Account
Purpose: manages control plane operations
Customer project permissions:
  • Artifact Registry Reader (roles/artifactregistry.reader)
  • Cloud Functions Viewer (roles/cloudfunctions.viewer)
  • Service Account User (roles/iam.serviceAccountUser)
  • Custom role with the compute.disks.createSnapshot permission
Sidecar project permissions:
  • Artifact Registry Reader (roles/artifactregistry.reader)
  • Cloud Functions Viewer (roles/cloudfunctions.viewer)
  • Service Account User (roles/iam.serviceAccountUser)
  • Compute Viewer (roles/compute.viewer)
  • Workflows Viewer (roles/workflows.viewer)
  • Logs Writer (roles/logging.logWriter)
  • Custom role with snapshot and disk management permissions
Customer Role Service Account
Purpose: handles customer-specific operations
Customer project permissions:
  • Artifact Registry Reader (roles/artifactregistry.reader)
  • Compute Viewer (roles/compute.viewer)
  • Service Account User (roles/iam.serviceAccountUser)
  • Service Account Token Creator (roles/iam.serviceAccountTokenCreator)
Sidecar project permissions:
  • Cloud Run Invoker (roles/run.invoker)
Data Plane Service Account
Purpose: performs data plane operations
Sidecar project permissions:
  • Storage Object Viewer (roles/storage.objectViewer)
  • Artifact Registry Reader (roles/artifactregistry.reader)
  • Cloud Functions Viewer (roles/cloudfunctions.viewer)
  • Service Account User (roles/iam.serviceAccountUser)
  • Logs Writer (roles/logging.logWriter)
  • Workflows Invoker (roles/workflows.invoker) and Workflows Viewer
  • Eventarc Event Receiver (roles/eventarc.eventReceiver)
  • Service Account Token Creator (roles/iam.serviceAccountTokenCreator)
  • Custom role with VM and disk management permissions
Customer project permissions:
  • Compute Viewer (roles/compute.viewer)
Feature: Real-time Posture Monitoring
Required permissions: none required.
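Before running the Terraform deployment, a practitioner will usually want to confirm that the deploying principal actually holds the "Core features" permissions listed above, rather than discovering a missing one halfway through an apply. The script below is an added example and is not Trend Micro's tooling: it takes the core-feature list from this page, removes duplicates and rejects wildcard entries (which the Cloud Resource Manager `projects.testIamPermissions` method does not accept), splits the list into request-sized batches, and reports which required permissions are absent from the set the method returned. The `CONSTRUCTED_GRANTED` list is a stand-in for that response and is constructed for the example; the 100-permissions-per-request batch size is taken from the method's documented limit.

```python
"""Compare a principal's effective permissions with the Core features list.

Added example, not Trend Micro code. `CONSTRUCTED_GRANTED` imitates the
`permissions` array that projects.testIamPermissions echoes back (the subset
of the requested permissions the caller actually holds) and is constructed
here so the script runs offline.
"""
from typing import Iterable, List, Set

# Copied from the "Core features" row of the permissions table on this page.
CORE_FEATURE_PERMISSIONS: List[str] = """
compute.regions.list iam.roles.create iam.roles.delete iam.roles.get
iam.serviceAccounts.actAs iam.serviceAccounts.create iam.serviceAccounts.delete
iam.serviceAccounts.get iam.serviceAccounts.getIamPolicy iam.serviceAccounts.setIamPolicy
iam.workloadIdentityPoolProviderKeys.delete iam.workloadIdentityPoolProviders.create
iam.workloadIdentityPoolProviders.delete iam.workloadIdentityPoolProviders.get
iam.workloadIdentityPools.create iam.workloadIdentityPools.delete
iam.workloadIdentityPools.get iam.workloadIdentityPools.update iam.workloadIdentityPools.list
resourcemanager.projects.get resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy resourcemanager.tagKeys.create
resourcemanager.tagKeys.delete resourcemanager.tagKeys.get resourcemanager.tagKeys.list
resourcemanager.tagValues.create resourcemanager.tagValues.delete
resourcemanager.tagValues.get resourcemanager.tagValues.list
serviceusage.services.enable serviceusage.services.list serviceusage.services.use
storage.buckets.create storage.buckets.delete storage.buckets.get storage.objects.update
storage.buckets.getIamPolicy storage.buckets.setIamPolicy storage.buckets.list
storage.buckets.update storage.objects.create storage.objects.delete storage.objects.get
storage.objects.getIamPolicy storage.objects.list storage.objects.move
storage.objects.setIamPolicy
""".split()

# testIamPermissions accepts at most 100 permissions per request and rejects
# wildcard entries such as "storage.*".
MAX_PERMISSIONS_PER_REQUEST = 100


def normalize(required: Iterable[str]) -> List[str]:
    """Trim, drop blanks and duplicates (keeping first-seen order), reject wildcards."""
    seen: Set[str] = set()
    out: List[str] = []
    for perm in required:
        perm = perm.strip()
        if not perm:
            continue
        if "*" in perm:
            raise ValueError(f"wildcards are not accepted by testIamPermissions: {perm!r}")
        if perm not in seen:
            seen.add(perm)
            out.append(perm)
    return out


def batches(perms: List[str], size: int = MAX_PERMISSIONS_PER_REQUEST) -> List[List[str]]:
    """Split a normalized list into chunks that fit in one API request each."""
    return [perms[i:i + size] for i in range(0, len(perms), size)]


def missing_permissions(required: Iterable[str], granted: Iterable[str]) -> List[str]:
    """Required permissions that the API response did not echo back, in page order."""
    granted_set = set(granted)
    return [p for p in normalize(required) if p not in granted_set]


# Constructed response: the caller holds everything except two permissions.
_CONSTRUCTED_GAPS = {"iam.serviceAccounts.actAs", "resourcemanager.projects.setIamPolicy"}
CONSTRUCTED_GRANTED: List[str] = [
    p for p in CORE_FEATURE_PERMISSIONS if p not in _CONSTRUCTED_GAPS
]

if __name__ == "__main__":
    required = normalize(CORE_FEATURE_PERMISSIONS)
    print(f"{len(required)} required permissions in {len(batches(required))} request batch(es)")
    for perm in missing_permissions(required, CONSTRUCTED_GRANTED):
        print(f"MISSING: {perm}")
```

In practice you would send each batch from `batches(...)` as the `permissions` field of a `projects.testIamPermissions` request for the target project and concatenate the returned arrays before calling `missing_permissions`; the two-permission gap shown here is only the constructed sample, but `iam.serviceAccounts.actAs` and `resourcemanager.projects.setIamPolicy` are exactly the kind of high-impact grants worth confirming deliberately rather than by handing the deploying login a broader role than the page requires.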