Description
GCP Cloud Asset Inventory is a service that provides a historical view of GCP resources and IAM policies through a time-series database. The information recorded includes metadata on Google Cloud resources, metadata on policies set on Google Cloud projects or resources, and runtime information gathered within a Google Cloud resource.
Enabling the Cloud Asset Inventory Service (CAIS) API is not required for the service to operate; it enables the mechanism for searching and exporting CAIS asset data directly.
Rationale
The GCP resources and IAM policies captured by GCP Cloud Asset Inventory enable security analysis, resource change tracking, and compliance auditing.
It is recommended GCP Cloud Asset Inventory be enabled for all GCP projects.
Audit
From Google Cloud Console
Ensure that the Cloud Asset API is enabled:
- Go to API & Services/Library by visiting https://console.cloud.google.com/apis/library
- Search for Cloud Asset API and select the result for Cloud Asset API
- Ensure that API Enabled is displayed.
From Google Cloud CLI
Ensure that the Cloud Asset API is enabled:
- Query enabled services:
  gcloud services list --enabled --filter=name:cloudasset.googleapis.com
  If the API is listed, then it is enabled. If the response is Listed 0 items, the API is not enabled.
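Because the recommendation covers all projects, the CLI check above can be run per project and the results collected. The script below is an added example, not part of the original benchmark text: the function names and project IDs are hypothetical, `--project` and `--format` are additions to the command shown above, and the `config.name` output field is an assumption about the service list format.

```shell
#!/bin/sh
# Added example: run the page's CLI audit against many projects.

API=cloudasset.googleapis.com

# Print the enabled-service names matching the API for one project.
# --project and --format are additions to the page's command; the
# config.name field is an assumption about the list output.
list_enabled() {
    gcloud services list --enabled --filter="name:$API" \
        --format='value(config.name)' --project "$1" </dev/null 2>/dev/null
}

# Read project IDs on stdin, print "<project><TAB><status>" per line.
# ERROR (e.g. no permission on the project) is kept apart from
# NOT_ENABLED so a failed query is never read as a clean result.
# Returns 1 if any project is not confirmed ENABLED.
audit_projects() {
    failed=0
    while IFS= read -r project; do
        [ -n "$project" ] || continue
        if listed=$(list_enabled "$project"); then
            if printf '%s\n' "$listed" | grep -qxF "$API"; then
                status=ENABLED
            else
                status=NOT_ENABLED
            fi
        else
            status=ERROR
        fi
        printf '%s\t%s\n' "$project" "$status"
        [ "$status" = ENABLED ] || failed=1
    done
    return "$failed"
}

# Usage: sh audit.sh proj-a proj-b ...   (project IDs are placeholders)
if [ "$#" -gt 0 ]; then
    printf '%s\n' "$@" | audit_projects
fi
```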
Default Value
The Cloud Asset Inventory API is disabled by default in each project.
Additional Information
Cloud Asset Inventory only keeps a five-week history of Google Cloud asset metadata. If a longer history is desired, automation to export the history to Cloud Storage or BigQuery should be evaluated.
Users need not enable the CAI API if they have no plans to export.