Frequently Asked Questions

This page includes answers to some frequently asked questions about Forseti Security.


Great! Please see the help page on how to submit your idea or get help.

Forseti documentation can be updated in the branch.

You can test your documentation changes locally, by following the instructions here.

After your updated documentation is merged, the Forseti team will merge it into the branch upon every major/minor release, which will trigger a new build of the website.

Installation and deployment

For information about how to update Forseti to the latest release, see the Upgrade guide.

To correct mistakes in setup, edit your Forseti deployment script by Updating Forseti, or edit your Forseti configuration file by Configuring Forseti.

Following are the reasons you should run Forseti in a separate project:

  • Google Cloud Platform (GCP) API quota
    • Setting Forseti up in a separate project ensures that Forseti has the quota it needs for API calls and managing service accounts and roles.
  • Project permissions
    • Setting Forseti up in a separate project restricts who has access to your Forseti-related permissions and resources.
  • Forseti clean up
    • Setting Forseti up in a separate project allows you to easily clean up your Forseti-related data by deleting the project. Clean up includes the Compute Engine instance, Cloud SQL instance, Cloud Storage bucket, service accounts, and Cloud IAM policies.

If Forseti is reading data from only one project, your Forseti service account might have access only to that particular project. To get read access to all of the projects under your organization, add the service account to the organization’s Cloud IAM policy with the required roles. Your Organization Admin should be able to help you with that.

Forseti is designed to install and run out of the box with complete org access, but you can install Forseti if you aren’t an org admin. You’ll then manually give Forseti the permissions to inventory and audit a subset of resources by one specific folder or by projects that are directly under the org. When you run Forseti without org access, Forseti Explain and Forseti IAM scanner will not contain the full results. This is because of Cloud IAM policy inheritance and limited access of the service account.

If you aren’t an org admin and an org admin isn’t available to grant org access to Forseti, follow the process below:

  1. Run the Forseti installer. The installer will try to assign org-level access. You can ignore the org-level role assignment.
  2. The installer will create all the necessary Forseti resources: Forseti project, VM instances, Cloud SQL database, Google Cloud Storage buckets, and service accounts.
  3. Edit forseti_conf_server.yaml and point the root_resource_id to the target folder: folders/<foo_folder_id>.
  4. Force the server to reload the updated configuration.
  5. Grant the folder editor role to the Forseti server service account, on the target folder.
  6. To inventory all the projects directly under the org, directly grant the project viewer role to the Forseti server service account, on the specific projects that you want Forseti to inventory.

When you run Forseti inventory again, all the projects and project resources will be collected in Inventory.

GCE VM instances have the unattended-upgrades tool to automatically update the operating system, software, or security patches from the Debian security repository.

However, kernel patches do not take effect until your VM instance is restarted. By default, GCE does not automatically restart running instances.So you must either restart your instances manually to update the kernel, or apply the mechanism provided by the unattended-upgrades tool to automatically do the restart.

Automatic updates from Debian security do not upgrade instances between major versions of the operating system. Debian also has a relevant guide:

Forseti is installed with the ubuntu account on the server VM. To update the cron job you need to SSH into the server VM and switch to the ubuntu user to update the cron job.

ssh to server VM 
sudo su - ubuntu
crontab -e

Using Forseti

We have some starter documentation for defining rules. If you have more questions, you can ask for help at

By default, Forseti runs Inventory and Scanner every 2 hours at random minutes, using a simple cronjob. To change the cron value, edit the server’s deployment template.

The installation log is stored in /tmp/deployment.log on the Forseti Compute Engine instance. You can view it with any editor. For example:

vim /tmp/deployment.log

To find the Forseti Inventory, Scanner, and Enforcer logs:

  1. Go to the Google Cloud Platform Console Logs page.
  2. On the resources drop-down list, select GCE VM Instance.
  3. On the All logs drop-down list, select forseti.

You can implement bucket lifecycle rules to delete the output or migrate them to a lower cost class. You can also export the output to BigQuery.

Security implications

Forseti uses a service account that is granted roles on the organization’s Cloud IAM policy. Because GCP roles are hierarchical, when someone has a Cloud IAM role at the organization level, child resources like folders and projects inherit the role. For example, if you grant the “Browser” role to someone at the organization level, they will also be able to see folders and projects within the organization.

For more information, see Service account for Forseti Security.

Because the Forseti service account needs many types of permissions to read certain data, you must grant grant Forseti the specific roles that it needs to do its job.

Google Cloud Platform Resource Coverage

This page lists the Google Cloud Platform (GCP) scanners that currently have coverage in Forseti or are planned to have coverage. If a scanner you’re interested in isn’t listed, please open an issue or contribute!

For more information, see the scanner descriptions.

Audit Logging Configuration Scanner
BigQuery Scanner
Blacklist Scanner
Bucket ACL Scanner
Cloud SQL ACL Scanner
Enabled APIs Scanner
Firewall Rules Scanner
Forwarding Rules Scanner
Google Groups Scanner
Cloud IAM Rules Scanner
Cloud IAP Scanner
Instance Network Interface Scanner
Kubernetes Engine Version Scanner

This page lists the Google Cloud Platform (GCP) enforcers that currently have coverage in Forseti or are planned to have coverage. If an enforcer you’re interested in isn’t listed, please open an issue or contribute!

For details about each of the enforcers, see the Enforcer guide.


Cloud Security Command Center only includes projects in an active state. The Forseti Inventory includes projects all possible states.

Learn more about project states in Google Cloud