Google Cloud Platform (GCP)

Google Cloud Platform (GCP) is a cloud hosting platform that offers cloud computing and infrastructure services. 

Secureframe scans various GCP resources and configurations to ensure compliance and automatically gather evidence.

Connecting the Integration

To integrate GCP with Secureframe, navigate to Integrations and search for “Google” on the “Available Integrations” page. Click “Connect” and follow the steps in the connection form.

Secureframe now integrates with both Organization & Projects. To connect a project, an Organization must also be connected. 

Connecting at different levels of the hierarchy (Organization & Projects)

Google Cloud allows users to manage connections at various levels in the hierarchy, e.g. Organization and Projects. Secureframe allows you to integrate at the Organization level as well as at the project level in order to:

  • Make it easier to pull in and set up multiple account connections under an organization at once, allowing you to save time
  • Provide a cleaner experience in organizing and managing the different levels of the hierarchy enabled in your GCP account
  • Make it easier to identify accounts by automatically discovering accounts associated with your organization
  • Make it easier to exclude the accounts that you do not want to sync with Secureframe

Manage connections/sync

You can now easily manage your project (child) connections directly from the Integrations page. 

  • To sync all accounts under a connection, click the sync button
  • In order to sync or manage only specific accounts under a connection, click the # of connections
    • You can now view and manage the settings, rename the connection, reconnect and archive a project (child) account directly from this screen
  • You can also view and change included regions and accounts if you click into the GCP integration settings (cogwheel icon).

Migrating existing connection to Parent/Child connections

  1. Archive any individual existing project connections you have that you are expecting to be pulled in by the organization connection. Note: if you have any project connections that you’re not expecting to be brought in by the organization connection, you do not need to archive those project accounts in Secureframe.
    1. Click the kebab menu on individual project accounts
    2. Click archive
  2. Once your connections have been archived, click on available connections, search for “Google” and click “add connection” or “connect” under Google Cloud.
  3. Follow the steps outlined in the connection form under “GCP Organization”.
  4. In step 7 of the connection form, you will be able to view a list of member projects/child connections and select those you wish to integrate with Secureframe.
  5. Click Finish. When completed, you will now be able to see the number of child connections under an organization account (and their details) directly in the main integrations page.
  6. When you click on the number of child (project) connections, you will be able to see details of the project connections and be able to:
    1. Filter through child connections
    2. Sync individual child connections or sync all project accounts under the organization
    3. Rename the connection (organization or project connection)
    4. Exclude any individual project connections you don’t want integrated with Secureframe

Permissions, Fields Pulled, Controls and Automated Tests

  1. Click the provided link or navigate to the “Integration” page.
  2. Select the “Available” tab.
  3. Search for the integration.
  4. Click “View Details”.

Reducing Log Volume and Costs in GCP

In some cases you may find that the Secureframe log sink in GCP is driving up logging costs. You can reduce logging costs without impacting compliance.

If that happens, here are a few effective steps you can take:

  1. Identify noisy logs
    Use GCP Logging → Usage or run a CLI command to find the top log sources by volume (e.g., VPC Flow Logs, HTTP Load Balancer logs, Cloud Audit DataAccess logs, or stdout from containers). These usually account for 80–90% of the log volume.

  2. Reduce high-volume logs
    Based on your usage, VPC Flow Logs are likely the main contributor. Try:

    • Dropping the sampling rate from 1.0 to 0.1 or 0.2, which can cut volume by 5–10x.

    • Setting log levels (e.g., to WARNING for HTTP LB logs, or reducing container stdout noise) can help reduce other high-volume logs by 2–6x.

  3. Review storage retention
    While storage is not the main cost driver (egress is), reducing log retention can still help manage bucket size and long-term cost. A 90-day retention period is generally acceptable unless your compliance policies require more.
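
An added example for step 2 (not Secureframe's or Google's code): it reads subnet data shaped like the output of `gcloud compute networks subnets list --format=json`, finds subnets whose VPC Flow Logs sampling rate is above a target, and builds the `gcloud` command that lowers it. The sample input and every project, subnet and region name are constructed; treating a missing `flowSampling` value as 1.0 is an assumption made here so that such subnets get reviewed.

```python
import json
import shlex

# Constructed sample shaped like `gcloud compute networks subnets list --format=json`.
# Project, subnet and region names are made up for this example.
_REGION = "https://www.googleapis.com/compute/v1/projects/example-proj/regions/"
SAMPLE_SUBNETS = json.loads("""[
  {"name": "prod-app", "region": "REGION/us-central1",
   "logConfig": {"enable": true, "flowSampling": 1.0}},
  {"name": "staging", "region": "REGION/europe-west1",
   "logConfig": {"enable": true, "flowSampling": 0.5}},
  {"name": "prod-db", "region": "REGION/us-east1",
   "logConfig": {"enable": true, "flowSampling": 0.1}},
  {"name": "dev", "region": "REGION/us-east1", "logConfig": {"enable": false}},
  {"name": "legacy", "region": "REGION/us-west1"}
]""".replace("REGION/", _REGION))


def plan_sampling_changes(subnets, target=0.2):
    """List the subnets whose flow-log sampling rate exceeds `target`,
    with the expected volume reduction and the command to apply it."""
    if not 0.0 < target <= 1.0:
        raise ValueError("target sampling rate must be in (0, 1]")
    plan = []
    for subnet in subnets:
        cfg = subnet.get("logConfig") or {}
        if not cfg.get("enable"):
            continue  # flow logs are off, nothing to reduce
        # Assumption: a missing rate is treated as unsampled (1.0) so it is reviewed.
        current = float(cfg.get("flowSampling", 1.0))
        if current <= target:
            continue  # already at or below the target rate
        region = subnet["region"].rsplit("/", 1)[-1]  # the region is returned as a URL
        command = shlex.join([
            "gcloud", "compute", "networks", "subnets", "update", subnet["name"],
            f"--region={region}", f"--logging-flow-sampling={target}",
        ])
        plan.append({"subnet": subnet["name"], "region": region, "current": current,
                     "factor": round(current / target, 1), "command": command})
    return plan


if __name__ == "__main__":
    for item in plan_sampling_changes(SAMPLE_SUBNETS):
        print(f"{item['subnet']}: {item['current']} -> ~{item['factor']}x fewer flow logs")
        print("  " + item["command"])
```

The commands are only printed, so they can be reviewed per subnet before anything is changed.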

Frequently Asked Questions (FAQ)

I have a few GCP tests showing permissions issues?

  • A common scenario for the error below is that the Cloud Resource Manager API is not enabled properly, or the key is simply typed incorrectly. This requirement is outlined in step 3 of the connection form.
  • Failed to fetch details for this resource - rpc error: code = PermissionDenied desc = Permission 'resourcemanager.projects.get' denied on resource '//cloudresourcemanager.googleapis.com/projects/windows-image-test' (or it may not exist). error details: name = ErrorInfo reason = IAM_PERMISSION_DENIED domain = cloudresourcemanager.googleapis.com metadata = map[permission:resourcemanager.projects.get resource:projects/windows-image-test

 

 
