AuditClaw GCP

Companion skill for auditclaw-grc. Collects compliance evidence from Google Cloud Platform projects using read-only API calls.

12 checks | Viewer + Security Reviewer roles only | Evidence stored in shared GRC database

Security Model

• - Read-only access: Requires 6 read-only IAM roles (Viewer, Security Reviewer, Cloud SQL Viewer, Logging Viewer, DNS Reader, Cloud KMS Viewer). No write/modify permissions.
• Credentials: Uses standard GCP credential chain (GOOGLE_APPLICATION_CREDENTIALS or gcloud auth). No credentials stored by this skill.
• Dependencies: Google Cloud SDK packages (all pinned in requirements.txt)
• Data flow: Check results stored as evidence in ~/.openclaw/grc/compliance.sqlite via auditclaw-grc

Prerequisites

• - GCP credentials configured (gcloud auth application-default login or service account JSON)
• INLINECODE4 environment variable set
• INLINECODE5
• auditclaw-grc skill installed and initialized

Commands

• - "Run GCP evidence sweep": Run all checks, store results in GRC database
• "Check GCP storage compliance": Run Cloud Storage checks
• "Check GCP firewall rules": Run firewall ingress checks
• "Check GCP IAM compliance": Run IAM service account checks
• "Check GCP logging status": Verify audit logging configuration
• "Check GCP KMS keys": Review KMS key rotation
• "Show GCP integration health": Last sync, errors, evidence count

Usage

All evidence is stored in the shared GRC database at ~/.openclaw/grc/compliance.sqlite via the auditclaw-grc skill's db_query.py script.

To run a full evidence sweep:
CODEBLOCK0

To run specific checks:
CODEBLOCK1

Check Categories (9 files, 12 findings)

Check	What It Verifies
storage	Uniform bucket-level access, public access prevention
firewall

No unrestricted ingress (0.0.0.0/0) to SSH/RDP/all | | iam | Service account key rotation (90 days), SA admin privilege restriction | | logging | Audit logging enabled (all services), log export sink exists | | kms | KMS key rotation period <= 90 days | | dns | DNSSEC enabled on public zones | | bigquery | No public dataset access (allUsers/allAuthenticatedUsers) | | compute | No default service account with cloud-platform scope | | cloudsql | SSL enforcement, no public IP with 0.0.0.0/0 |

Evidence Storage

Each check produces evidence items stored with:

• - INLINECODE6
• INLINECODE7
• INLINECODE8: Mapped to relevant SOC2/ISO/HIPAA controls
• INLINECODE9: Human-readable finding summary
• INLINECODE10: JSON details of the check result

Required IAM Roles

• - INLINECODE11
• INLINECODE12
• INLINECODE13
• INLINECODE14
• INLINECODE15
• INLINECODE16

All checks use read-only access only.

Setup Guide

When a user asks to set up GCP integration, guide them through these steps:

Step 1: Create Service Account

CODEBLOCK2

Step 2: Grant IAM Roles

Grant these 6 read-only roles: CODEBLOCK3

Step 3: Generate JSON Key

CODEBLOCK4

Step 4: Configure Credentials

Set environment variables:

• - GOOGLEAPPLICATIONCREDENTIALS=/path/to/key.json
• GCPPROJECTID=your-project-id

Step 5: Verify Connection

Run: INLINECODE17

The exact roles are documented in scripts/gcp-roles.json. Show with:
python3 {baseDir}/../auditclaw-grc/scripts/db_query.py --action show-policy --provider gcp