
Description

GCP Cloud Asset Inventory is a service that provides a historical view of GCP resources and IAM policies through a time-series database. The information recorded includes metadata on Google Cloud resources, metadata on policies set on Google Cloud projects or resources, and runtime information gathered within a Google Cloud resource.

Cloud Asset Inventory Service (CAIS) API enablement is not required for operation of the service, but it enables the mechanism for searching and exporting CAIS asset data directly.

Rationale

The GCP resources and IAM policies captured by GCP Cloud Asset Inventory enable security analysis, resource change tracking, and compliance auditing.

It is recommended that GCP Cloud Asset Inventory be enabled for all GCP projects.

Audit

From Google Cloud Console

Ensure that the Cloud Asset API is enabled:

  1. Go to API & Services/Library by visiting https://console.cloud.google.com/apis/library
  2. Search for Cloud Asset API and select the result for Cloud Asset API
  3. Ensure that API Enabled is displayed.

From Google Cloud CLI

Ensure that the Cloud Asset API is enabled:

  1. Query enabled services:

    gcloud services list \
    --enabled \
    --filter=name:cloudasset.googleapis.com

    If the API is listed, it is enabled. If the response is "Listed 0 items", the API is not enabled.
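
The CLI audit above checks one project; because the recommendation applies to all GCP projects, the following added example (not part of the benchmark text) repeats it for every project the caller can list. The `GCLOUD` override variable, the function names and the `--all` argument are assumptions made for illustration; a failed `gcloud` call, such as a missing permission, is reported as ERROR instead of being read as "not enabled".

```shell
#!/bin/sh
# Added example: run the Cloud Asset API audit across all visible projects.
# GCLOUD may be overridden (assumption, used for offline testing).
GCLOUD="${GCLOUD:-gcloud}"
API="cloudasset.googleapis.com"

# Prints ENABLED, DISABLED or ERROR for the given project ID.
check_project() {
  cp_project="$1"
  # A failed call must not be mistaken for an empty "Listed 0 items" result.
  if ! cp_out="$("$GCLOUD" services list --enabled \
        --filter="name:${API}" \
        --format="value(config.name)" \
        --project="$cp_project" 2>/dev/null)"; then
    echo "ERROR"
    return 0
  fi
  # Require an exact match on the service name, not a substring.
  if printf '%s\n' "$cp_out" | grep -qx "$API"; then
    echo "ENABLED"
  else
    echo "DISABLED"
  fi
}

# Prints "<project>\t<status>" per project.
# Returns 0 if all are ENABLED, 1 if any is not, 2 if projects cannot be listed.
audit_all_projects() {
  aa_projects="$("$GCLOUD" projects list --format="value(projectId)")" || return 2
  aa_rc=0
  for aa_project in $aa_projects; do
    aa_status="$(check_project "$aa_project")"
    printf '%s\t%s\n' "$aa_project" "$aa_status"
    [ "$aa_status" = "ENABLED" ] || aa_rc=1
  done
  return "$aa_rc"
}

# Run the full audit only when asked to, e.g.: sh audit.sh --all
if [ "${1:-}" = "--all" ]; then
  audit_all_projects
fi
```

The non-zero return code lets a scheduled job or CI step fail when any project is DISABLED or could not be checked.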

Default Value

The Cloud Asset Inventory API is disabled by default in each project.

References

  1. https://cloud.google.com/asset-inventory/docs

Additional Information

Cloud Asset Inventory only keeps a five-week history of Google Cloud asset metadata. If a longer history is desired, automation to export the history to Cloud Storage or BigQuery should be evaluated.

Users do not need to enable the CAI API if they do not plan to export.