概述

AuditClaw GCP

Companion skill for auditclaw-grc. Collects compliance evidence from Google Cloud Platform projects using read-only API calls.

12 checks | Viewer + Security Reviewer roles only | Evidence stored in shared GRC database

Security Model

Read-only access: Requires 6 read-only IAM roles (Viewer, Security Reviewer, Cloud SQL Viewer, Logging Viewer, DNS Reader, Cloud KMS Viewer). No write/modify permissions.
Credentials: Uses standard GCP credential chain (GOOGLE_APPLICATION_CREDENTIALS or gcloud auth). No credentials stored by this skill.
Dependencies: Google Cloud SDK packages (all pinned in requirements.txt)
Data flow: Check results stored as evidence in ~/.openclaw/grc/compliance.sqlite via auditclaw-grc

Prerequisites

GCP credentials configured (gcloud auth application-default login or service account JSON)
GCP_PROJECT_ID environment variable set
pip install -r scripts/requirements.txt
auditclaw-grc skill installed and initialized

Commands

"Run GCP evidence sweep": Run all checks, store results in GRC database
"Check GCP storage compliance": Run Cloud Storage checks
"Check GCP firewall rules": Run firewall ingress checks
"Check GCP IAM compliance": Run IAM service account checks
"Check GCP logging status": Verify audit logging configuration
"Check GCP KMS keys": Review KMS key rotation
"Show GCP integration health": Last sync, errors, evidence count

Usage

All evidence is stored in the shared GRC database at ~/.openclaw/grc/compliance.sqlite

via the auditclaw-grc skill's db_query.py script.

To run a full evidence sweep:

python3 scripts/gcp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --all

To run specific checks:

python3 scripts/gcp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --checks storage,firewall,iam

Check Categories (9 files, 12 findings)

Check	What It Verifies
-------	-----------------
storage	Uniform bucket-level access, public access prevention
firewall	No unrestricted ingress (0.0.0.0/0) to SSH/RDP/all
iam	Service account key rotation (90 days), SA admin privilege restriction
logging	Audit logging enabled (all services), log export sink exists
kms	KMS key rotation period <= 90 days
dns	DNSSEC enabled on public zones
bigquery	No public dataset access (allUsers/allAuthenticatedUsers)
compute	No default service account with cloud-platform scope
cloudsql	SSL enforcement, no public IP with 0.0.0.0/0

Evidence Storage

Each check produces evidence items stored with:

source: "gcp"
type: "automated"
control_id: Mapped to relevant SOC2/ISO/HIPAA controls
description: Human-readable finding summary
file_content: JSON details of the check result

Required IAM Roles

roles/viewer
roles/iam.securityReviewer
roles/cloudsql.viewer
roles/logging.viewer
roles/dns.reader
roles/cloudkms.viewer

All checks use read-only access only.

Setup Guide

When a user asks to set up GCP integration, guide them through these steps:

Step 1: Create Service Account

gcloud iam service-accounts create auditclaw-scanner --display-name="AuditClaw Scanner"

Step 2: Grant IAM Roles

Grant these 6 read-only roles:

for role in roles/viewer roles/iam.securityReviewer roles/cloudsql.viewer roles/logging.viewer roles/dns.reader roles/cloudkms.viewer; do
  gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:auditclaw-scanner@PROJECT_ID.iam.gserviceaccount.com \
    --role=$role
done

Step 3: Generate JSON Key

gcloud iam service-accounts keys create key.json --iam-account=auditclaw-scanner@PROJECT_ID.iam.gserviceaccount.com

Step 4: Configure Credentials

Set environment variables:

GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json
GCP_PROJECT_ID=your-project-id

Step 5: Verify Connection

Run: python3 {baseDir}/scripts/gcp_evidence.py --test-connection

The exact roles are documented in scripts/gcp-roles.json. Show with:

python3 {baseDir}/../auditclaw-grc/scripts/db_query.py --action show-policy --provider gcp

版本历史

共 1 个版本

v1.0.2 当前

2026-03-29 08:46 安全安全

安全检测

腾讯云安全 (Keen)

安全，无风险

查看报告

腾讯云安全 (Sanbu)