AuditClaw GCP
Companion skill for auditclaw-grc. Collects compliance evidence from Google Cloud Platform projects using read-only API calls.
12 checks | Viewer + Security Reviewer roles only | Evidence stored in shared GRC database
Security Model
- Read-only access: Requires 6 read-only IAM roles (Viewer, Security Reviewer, Cloud SQL Viewer, Logging Viewer, DNS Reader, Cloud KMS Viewer). No write/modify permissions.
- Credentials: Uses standard GCP credential chain (
GOOGLE_APPLICATION_CREDENTIALSorgcloud auth). No credentials stored by this skill. - Dependencies: Google Cloud SDK packages (all pinned in requirements.txt)
- Data flow: Check results stored as evidence in
~/.openclaw/grc/compliance.sqlitevia auditclaw-grc
Prerequisites
- GCP credentials configured (
gcloud auth application-default loginor service account JSON) GCP_PROJECT_IDenvironment variable setpip install -r scripts/requirements.txt- auditclaw-grc skill installed and initialized
Commands
- "Run GCP evidence sweep": Run all checks, store results in GRC database
- "Check GCP storage compliance": Run Cloud Storage checks
- "Check GCP firewall rules": Run firewall ingress checks
- "Check GCP IAM compliance": Run IAM service account checks
- "Check GCP logging status": Verify audit logging configuration
- "Check GCP KMS keys": Review KMS key rotation
- "Show GCP integration health": Last sync, errors, evidence count
Usage
All evidence is stored in the shared GRC database at ~/.openclaw/grc/compliance.sqlite via the auditclaw-grc skill's db_query.py script.
To run a full evidence sweep:
python3 scripts/gcp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --all
To run specific checks:
python3 scripts/gcp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --checks storage,firewall,iam
Check Categories (9 files, 12 findings)
| Check | What It Verifies |
|---|---|
| storage | Uniform bucket-level access, public access prevention |
| firewall | No unrestricted ingress (0.0.0.0/0) to SSH/RDP/all |
| iam | Service account key rotation (90 days), SA admin privilege restriction |
| logging | Audit logging enabled (all services), log export sink exists |
| kms | KMS key rotation period <= 90 days |
| dns | DNSSEC enabled on public zones |
| bigquery | No public dataset access (allUsers/allAuthenticatedUsers) |
| compute | No default service account with cloud-platform scope |
| cloudsql | SSL enforcement, no public IP with 0.0.0.0/0 |
Evidence Storage
Each check produces evidence items stored with:
source: "gcp"type: "automated"control_id: Mapped to relevant SOC2/ISO/HIPAA controlsdescription: Human-readable finding summaryfile_content: JSON details of the check result
Required IAM Roles
roles/viewerroles/iam.securityReviewerroles/cloudsql.viewerroles/logging.viewerroles/dns.readerroles/cloudkms.viewer
All checks use read-only access only.
Setup Guide
When a user asks to set up GCP integration, guide them through these steps:
Step 1: Create Service Account
gcloud iam service-accounts create auditclaw-scanner --display-name="AuditClaw Scanner"
Step 2: Grant IAM Roles
Grant these 6 read-only roles:
for role in roles/viewer roles/iam.securityReviewer roles/cloudsql.viewer roles/logging.viewer roles/dns.reader roles/cloudkms.viewer; do
gcloud projects add-iam-policy-binding PROJECT_ID \
--member=serviceAccount:auditclaw-scanner@PROJECT_ID.iam.gserviceaccount.com \
--role=$role
done
Step 3: Generate JSON Key
gcloud iam service-accounts keys create key.json --iam-account=auditclaw-scanner@PROJECT_ID.iam.gserviceaccount.com
Step 4: Configure Credentials
Set environment variables:
- GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json
- GCP_PROJECT_ID=your-project-id
Step 5: Verify Connection
Run: python3 {baseDir}/scripts/gcp_evidence.py --test-connection
The exact roles are documented in scripts/gcp-roles.json. Show with:
python3 {baseDir}/../auditclaw-grc/scripts/db_query.py --action show-policy --provider gcp