Overview

LowerPlane connects to Google Cloud Platform using a service account with read-only IAM roles. This provides visibility into your GCP security posture without any write access.

Services Monitored

GCP Service               What LowerPlane Collects
Security Command Center   Security findings and vulnerability reports
Cloud Asset Inventory     Complete resource inventory across all projects
IAM                       Service accounts, roles, and policy bindings
Cloud Logging             Audit log configuration and export settings
Cloud Storage             Bucket IAM and encryption settings
Compute Engine            Firewall rules and instance configurations
GKE                       Kubernetes cluster security settings

Step 1: Open Google Cloud Console

Go to https://console.cloud.google.com/ and select your project from the top dropdown.

Step 2: Create Service Account

  1. Navigate to IAM & Admin
  2. Select Service Accounts
  3. Click Create Service Account
Configuration:
  • Name: lowerplane-readonly
  • Description: Read-only service account for LowerPlane compliance monitoring
Click Create and Continue.

Step 3: Assign Read-Only Roles

Add the following roles to the service account:
Role                                                                   Purpose
Viewer (roles/viewer)                                                  Read-only access to all resources in the project
Security Reviewer (roles/iam.securityReviewer)                         Read IAM policies and service account details
Security Center Findings Viewer (roles/securitycenter.findingsViewer)  Read Security Command Center findings (if enabled)
Click Continue, then Done.

Step 4: Create Service Account Key

  1. Open the service account you created
  2. Go to the Keys tab
  3. Click Add Key
  4. Select Create new key
Configuration:
  • Key type: JSON
Click Create. A JSON key file will download automatically to your computer. Important: Store this JSON key file securely. It provides access to your GCP project.

Step 5: Enable Required APIs

Navigate to APIs & Services then Library and enable the following APIs:
API                           Purpose
Cloud Resource Manager API    List projects and organizations
Cloud Asset API               Inventory all resources
Security Command Center API   Security findings (if available on your plan)
IAM API                       Service account and policy details
Cloud Logging API             Audit log configuration
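The console steps 2 to 5 above, scripted with the gcloud CLI as an added example (this is not LowerPlane's own tooling). It assumes gcloud is installed and authenticated with permission to create service accounts, grant project roles and enable APIs; PROJECT_ID and KEY_FILE are placeholders, and setting GCLOUD=echo turns it into a dry run that only prints the commands it would issue.

```shell
#!/usr/bin/env bash
# Added example: gcloud equivalent of Steps 2-5 above (not LowerPlane's code).
# Assumes an authenticated gcloud with rights to create service accounts,
# grant project roles and enable APIs. PROJECT_ID and KEY_FILE are placeholders.
set -eu

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"          # placeholder project id
SA_NAME="lowerplane-readonly"
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
KEY_FILE="${KEY_FILE:-./${SA_NAME}-key.json}"
GCLOUD="${GCLOUD:-gcloud}"                         # set GCLOUD=echo for a dry run

# Step 3 roles: all read-only, none grants write access to project resources.
READONLY_ROLES="roles/viewer roles/iam.securityReviewer roles/securitycenter.findingsViewer"

# Step 5 APIs. securitycenter.googleapis.com only returns data on plans that include SCC.
REQUIRED_APIS="cloudresourcemanager.googleapis.com cloudasset.googleapis.com \
securitycenter.googleapis.com iam.googleapis.com logging.googleapis.com"

create_service_account() {   # Step 2
  "$GCLOUD" iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" \
    --display-name="$SA_NAME" \
    --description="Read-only service account for LowerPlane compliance monitoring"
}

grant_readonly_roles() {     # Step 3: one unconditional binding per role
  for role in $READONLY_ROLES; do
    "$GCLOUD" projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:${SA_EMAIL}" --role="$role" --condition=None
  done
}

create_key() {               # Step 4: JSON key (the default type), owner-only file mode
  ( umask 077
    "$GCLOUD" iam service-accounts keys create "$KEY_FILE" \
      --iam-account="$SA_EMAIL" --project="$PROJECT_ID" )
}

enable_apis() {              # Step 5
  # shellcheck disable=SC2086  (word splitting of the API list is intended)
  "$GCLOUD" services enable $REQUIRED_APIS --project="$PROJECT_ID"
}

# Nothing runs unless --apply is given, so the file can be sourced for its functions.
# APIs go first so the service-account calls do not fail on a disabled IAM API.
if [ "${1:-}" = "--apply" ]; then
  enable_apis; create_service_account; grant_readonly_roles; create_key
fi
```

Run it with `--apply` to make the changes; the key file is written with owner-only permissions, in line with the Step 4 advice to store it securely.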

Step 6: Connect in LowerPlane

  1. Go to Integrations in LowerPlane
  2. Find Google Cloud and click Connect
  3. Upload the JSON key file or paste its contents
  4. Click Connect
LowerPlane will validate the service account and begin syncing.

Multi-Project Setup

For organizations with multiple GCP projects:
  • Single project: Create the service account in that project with the roles above
  • Multiple projects: Create the service account in one project, then grant the Viewer role in each additional project
  • Organization-level: Create the service account and grant the Viewer role at the organization level for visibility across all projects
Prioritize connecting production projects first.

Automated Tests

When GCP is connected, LowerPlane automatically creates and runs tests including:
  • Organization policy constraints are enforced
  • VPC firewall rules do not allow unrestricted access
  • Cloud Storage buckets are not publicly accessible
  • Cloud Storage bucket encryption is enabled
  • Service account keys are rotated within 90 days
  • Audit logging is configured for all services
  • Binary authorization is enabled for GKE clusters