Resources deployed in Google Cloud environments

Views:

Learn which resources are deployed in your Google Cloud environment for each TrendAI Vision One™ feature that you can enable on a Google Cloud project. For more information about each feature and permission set, see Google Cloud features and permissions.

Google Cloud Project Services deployed by feature

Feature name	Google Cloud Project services deployed (number)
Core features and permissions	Resources: Service Account (1) Workload Identity Pool (1) Workload Identity Pool Provider (1) IAM (3) Tag Key (1) Tag Value (1) Cloud Storage (1) Enabled APIs: IAM Service Account Credentials Cloud Resource Manager Identity and Access Management Cloud Build Deployment Manager Cloud Functions Cloud Pub/Sub Secret Manager
Agentless Vulnerability & Threat Detection	IAM & Service Accounts: iam member (25) service account iam member (10) iam custom role (3) service account (3) Cloud Run Services & Jobs: cloud run v2 service (22) cloud run v2 service iam policy (19) cloud run service iam policy (3) cloud run v2 job (4) cloud run v2 job iam policy (4) Cloud Scheduler: cloud scheduler job (9) Pub/Sub: pubsub topic (4) pubsub subscription (4) pubsub topic iam policy (3) pubsub topic iam member (3) pubsub subscription iam policy (3) Cloud Storage: storage bucket iam member (5) storage bucket (2) storage bucket object (1) Secret Manager: secret manager secret (2) secret manager secret iam policy (2) Workflows: workflows (2) Networking: compute network (1) compute subnetwork (1) compute firewall (1) Firestore: firestore database (1) Logging: logging project sink (1) Eventarc: eventarc trigger (1) Virtual Machines: virtual machine (10 per region when disks are available for scanning) Enabled APIs: Cloud Run Admin API (run.googleapis.com) Cloud Logging API (logging.googleapis.com) IAM Service Account Credentials API (iamcredentials.googleapis.com) Cloud Billing API (cloudbilling.googleapis.com) Cloud Firestore API (firestore.googleapis.com) Secret Manager API (secretmanager.googleapis.com) Compute Engine API (compute.googleapis.com) Cloud Scheduler API (cloudscheduler.googleapis.com) Cloud Workflows API (workflows.googleapis.com) Workflow Executions API (workflowexecutions.googleapis.com) Eventarc API (eventarc.googleapis.com) For more information on the permissions required for each service account, see Google Cloud required permissions.
Real-Time Posture Monitoring	Resources: Logging Sink Pub/Sub Topic Pub/Sub IAM Binding Cloud Storage Bucket Cloud Storage Object Service Account Cloud Function (Gen 2) Cloud Run Service IAM Binding Eventarc Trigger Artifact Registry Repository Enabled APIs: Cloud Logging API (Service: logging.googleapis.com) Cloud Pub/Sub API (Service: pubsub.googleapis.com) Cloud Storage API (Service: storage.googleapis.com) Cloud Functions API (Service: cloudfunctions.googleapis.com) Cloud Run Admin API (Service: run.googleapis.com) Eventarc API (Service: eventarc.googleapis.com) Cloud Build API (Service: cloudbuild.googleapis.com) Artifact Registry API (Service: artifactregistry.googleapis.com) Cloud Deployment Manager (Service: deploymentmanager.googleapis.com) Identity and Access Management (IAM) API (Service: iam.googleapis.com) Permissions: Used in deployment: resourcemanager.projects.get iam.serviceAccounts.create iam.serviceAccounts.delete iam.serviceAccounts.get iam.serviceAccounts.actAs cloudfunctions.functions.create cloudfunctions.functions.delete cloudfunctions.functions.get cloudfunctions.functions.update run.services.get run.services.setIamPolicy eventarc.triggers.create eventarc.triggers.delete eventarc.triggers.get artifactregistry.repositories.create artifactregistry.repositories.get pubsub.topics.create pubsub.topics.delete pubsub.topics.get pubsub.topics.setIamPolicy pubsub.topics.getIamPolicy logging.sinks.create logging.sinks.delete logging.sinks.get storage.buckets.create storage.buckets.get storage.buckets.delete storage.objects.create storage.objects.delete storage.objects.get deploymentmanager.deployments.get deploymentmanager.deployments.delete Roles used by the service account created: roles/run.invoker roles/pubsub.publisher
Data Security Posture	Phase: Deployment IAM: google_service_account (1) google_project_iam_member (14) Networking: google_compute_network (1) google_compute_subnetwork (1) google_compute_router (1) google_compute_router_nat (1) google_compute_firewall (4 to 5, conditional) google_vpc_access_connector (1) Storage: google_storage_bucket (2) google_storage_bucket_object (1) google_storage_bucket_iam_member (1) Compute: google_compute_disk (0 to 1, conditional) Secret Manager: google_secret_manager_secret (1) google_secret_manager_secret_version (1) google_secret_manager_secret_iam_member (1) Monitoring: google_monitoring_metric_descriptor (1) google_monitoring_alert_policy (0 to 1, conditional) google_monitoring_notification_channel (0 to 1, conditional) Pub/Sub: google_pubsub_topic (2 to 3) google_pubsub_subscription (1) Cloud Functions: google_cloudfunctions2_function (2) google_cloudfunctions2_function_iam_member (0 to 1, conditional) Eventarc: google_eventarc_trigger (0 to 1, conditional) Cloud Scheduler: google_cloud_scheduler_job (1 to 2) Artifact Registry: google_artifact_registry_repository (1) Cloud Run: google_cloud_run_v2_service (1) Logging: google_logging_project_sink (0 to 1, conditional) Cloud Build: google_cloudbuild_trigger (0 to 1, conditional) Phase: Runtime The following resources are created at runtime by application code and are not managed by Terraform: VM Instance (google_compute_instance): Created per scan job, terminated after heartbeat timeout Ephemeral External IP: Non-production environments only, released with VM deletion Secret Manager Versions: New version per rotation cycle, keeps last 5 versions Custom Metric Time Series Data: Written during VM lifecycle for monitoring GCS Objects (Audit Logs): Delivered by GCP logging infrastructure