Google Cloud Platform

These requirements apply regardless of which protection scope you select.

A Google account with sufficient IAM permissions

The Google account you authenticate with during the integration wizard must have the IAM permissions to create and configure the following resources on your behalf:

•A new GCP project (the CWP management project)

•A service account in that project

•IAM role bindings on your organization or projects

•Organization policy modifications (if integrating at the organization level)

The simplest way to satisfy this is to use an account that holds the Organization Administrator role (roles/resourcemanager.organizationAdmin) at the organization level. This role grants the ability to create projects under the organization, manage IAM policies on the organization and its projects, and administer organization-level policies.

Sufficient project creation quota in your GCP Organization

GCP enforces a limit on the number of projects that can exist within your organization. CWP must create the ESET Cloud Workload Protection management project during onboarding. If your organization's project creation quota is exhausted, this step will fail and the integration cannot complete. Before starting the integration, verify that your organization has at least one available project slot.

These additional requirements apply when you select Organization-level protection.

Understand the organization policy modification

During onboarding, CWP modifies two organization policies in your GCP Organization:

•iam.allowedPolicyMemberDomains — ESET's Google Workspace Customer ID is added to the list of domains allowed to be members of IAM policies.

•iam.managed.allowedPolicyMembers — ESET's organization principal set is added to the list of principals allowed to be extended IAM members.

These changes are additive — CWP does not remove or overwrite existing policy entries. If the constraints are already set to allow all (*), or if they do not exist in your organization, this step is a no-op.

Deploying VM protection in CWP involves two levels of requirements:

•First, the GCP project must meet a set of project-level prerequisites before VM protection can be deployed, either automatically during onboarding or manually afterward.

•Second, each individual Compute Engine instance must meet VM-level requirements before the protection product can be installed on it. Other CWP functionality works on projects that do not meet these prerequisites.

Project prerequisites

These requirements apply at the GCP project level. CWP configures them automatically during onboarding when all conditions are satisfied. For projects that do not meet them at onboarding time or projects added later as part of an organization‑level integration, configuration is skipped and must be completed manually before VM protection can be enabled for that project.

•Billing is enabled

GCP requires billing to be active on a project before the OS Config API can be enabled. When a project does not have billing enabled during onboarding, CWP cannot configure the necessary prerequisites for VM protection deployment.

To deploy protection to GCP VM instances for projects that did not exist during the integration process or did not have billing enabled, the following must be configured manually:

1. Enable required APIs:

oOS Config API (osconfig.googleapis.com)

oEnsure billing is enabled on the project

2.Configure project metadata:

oSet enable-osconfig to TRUE

oSet enable-guest-attributes to TRUE

oSet enable-oslogin to TRUE

3.Enable full features in VM Manager:

oIn GCP Console, navigate to VM Manager > Project Settings and set the patch and config feature set to "Full" (OSCONFIG_C)

•Compute Engine API must be enabled on the target projects

CWP automatically enables the osconfig.googleapis.com API in your projects automatically. However, enabling OS Config also requires the Compute Engine API (compute.googleapis.com) to already be active in the target project (it is enabled automatically the first time you use Compute Engine in a project). Projects that have never used Compute Engine and do not have billing enabled will have VM Manager setup skipped automatically.

•OS Config API must be enabled on target projects

CWP automatically enables the OS Config API (osconfig.googleapis.com) during onboarding when all prerequisites are met. For projects that do not meet these prerequisites, configuration during onboarding is skipped.

•VM Manager must be set up

VM Manager is configured for all projects during onboarding. If the required prerequisites are not met, the configuration is skipped for that project. See the VM Manager documentation for details on manual setup.

•Sufficient OS Policy Assignment quota in target project regions

CWP deploys VM protection using GCP OS Config OS Policy Assignments. GCP enforces a quota on the number of OS policy assignments per project per region.

If this quota is exhausted in a given region, CWP cannot create a new OS policy assignment there, and VM protection cannot be deployed to instances in that region until an existing assignment is deleted. This quota is evaluated independently for each region. A full quota in one region does not affect other regions.

VM-level requirements

These requirements apply to each individual Compute Engine instance. When VM protection is enabled for a project, the protection product can be deployed to a VM only if it meets all of the following. These can be verified and addressed at any time, including after the integration and project-level prerequisites are already in place.

•Compute Engine instance must have network access

Each Compute Engine instance targeted for protection deployment must have internet access to allow installation of the ESET protection product.

•Google Cloud VM Manager must be compatible with your VM images

CWP enables GCP VM Manager (OS Config) on your projects. VM Manager communicates with VMs through the OS Config agent, which is pre-installed on all standard GCP-provided OS images (Debian, Ubuntu, CentOS, RHEL, Rocky Linux, Windows Server and others). VMs running custom images that do not include the OS Config agent will not be reachable by CWP for protection deployment.

Check if the OS config agent is installed on VM: GCP documentation

•VM must run a supported operating system

CWP can only deploy the ESET protection product on VMs running a supported OS distribution. See supported OS distributions below.

•VM must meet the protection product system requirements

Each VM targeted for protection deployment must satisfy the minimum hardware and software requirements for the ESET protection product.

Windows Server

oProcessor: Intel or AMD single-core x64

oMemory: 256 MB of free RAM

oHard drive: 700 MB of free disk space

Linux

oProcessor: Intel/AMD x64 with 2 cores (vCPUs)

oMemory: 2 GB of RAM

oHard drive: 700 MB of free disk space

oGlibc 2.28 or later

oLinux kernel version 4.18 or later

oAny UTF-8 encoding locale

oSecure Boot must be disabled