Ensure Cloud Asset Inventory Is Enabled

GCP Cloud Asset Inventory is a service that provides a historical view of GCP resources and IAM policies through a time-series database. The information recorded includes metadata on Google Cloud resources, metadata on policies set on Google Cloud projects or resources, and runtime information gathered within a Google Cloud resource. The GCP resources and IAM policies captured by GCP Cloud Asset Inventory enable security analysis, resource change tracking, and compliance auditing.

Risk Level: Low
Cloud Entity: GCP Project
CloudGuard Rule ID: D9.GCP.OPE.04
Covered by Spectral: No
Category: Security, Identity, & Compliance


Project should have enabledServices contain [ title like 'Cloud Asset API' ]
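
The rule above as an offline check, added here as an example and not part of CloudGuard or the original page: it evaluates per-project service listings in the shape of `gcloud services list --enabled --format=json` output and matches on the service name `cloudasset.googleapis.com` rather than the title. The project IDs and sample listings are constructed, and the function names are hypothetical.

```python
import json

SERVICE = "cloudasset.googleapis.com"

# Constructed sample data: per-project output in the shape printed by
# `gcloud services list --enabled --format=json`. Project IDs are made up.
SAMPLE = {
    "example-prod": json.loads("""[
      {"config": {"name": "compute.googleapis.com", "title": "Compute Engine API"},
       "name": "projects/111/services/compute.googleapis.com", "state": "ENABLED"},
      {"config": {"name": "cloudasset.googleapis.com", "title": "Cloud Asset API"},
       "name": "projects/111/services/cloudasset.googleapis.com", "state": "ENABLED"}
    ]"""),
    "example-dev": json.loads("""[
      {"config": {"name": "storage.googleapis.com", "title": "Cloud Storage API"},
       "name": "projects/222/services/storage.googleapis.com", "state": "ENABLED"}
    ]"""),
    # Listed but not enabled, as an `--available` listing would show it.
    "example-test": json.loads("""[
      {"config": {"name": "cloudasset.googleapis.com", "title": "Cloud Asset API"},
       "name": "projects/333/services/cloudasset.googleapis.com", "state": "DISABLED"}
    ]"""),
    "example-empty": [],
}

def service_id(entry):
    """Service name from config.name, falling back to the resource path."""
    name = entry.get("config", {}).get("name")
    return name or entry.get("name", "").rsplit("/", 1)[-1]

def cloud_asset_enabled(services):
    """True only if the Cloud Asset API entry is present and ENABLED."""
    return any(
        service_id(s) == SERVICE and s.get("state") == "ENABLED"
        for s in services
    )

def audit(projects):
    """Return {project_id: remediation command} for non-compliant projects."""
    return {
        pid: f"gcloud services enable {SERVICE} --project {pid}"
        for pid, services in sorted(projects.items())
        if not cloud_asset_enabled(services)
    }

if __name__ == "__main__":
    for pid, fix in audit(SAMPLE).items():
        print(f"FAIL {pid}: {fix}")
```

To run it against real projects, replace `SAMPLE` with the parsed JSON listing of each project you want to audit.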


From Portal

  1. Go to API & Services/Library by visiting https://console.cloud.google.com/apis/library
  2. Search for Cloud Asset API and select the result for Cloud Asset API
  3. Click the ENABLE button.

From Command Line

  1. Enable the Cloud Asset API through the services interface:
gcloud services enable cloudasset.googleapis.com

From TF

  1. In your template, use the google_project_service resource and set the argument service = "cloudasset.googleapis.com":
resource "google_project_service" "project" {
	project = "your-project-id"
	service = "cloudasset.googleapis.com"
}



GCP Project

A project organizes all your Google Cloud Platform resources. A project consists of a set of users; a set of APIs; and billing, authentication, and monitoring settings for those APIs. So, for example, all of your Cloud Storage buckets and objects, along with user permissions for accessing them, reside in a project. You can have one project, or you can create multiple projects and use them to organize your Google Cloud Platform resources, including your Cloud Storage data, into logical groups.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5