Begin Scanning a Google Cloud Storage App

Before you begin scanning a Google Cloud Storage app, you must create a service account and enable Administrator and client API access. As you prepare the Google Cloud Storage account, take note of the following values, which you need to set up the app within Aperture:

Item: Description

New Private Key
  A P12 format private key certificate issued from your Google service account. This required certificate is uploaded in Aperture when adding the Google Cloud Storage app.
Private Key Password
  The default password for the new private key.
Client ID
  The client ID is entered when enabling Google Cloud Storage domain-wide delegation, and in Aperture when adding the Google Cloud Storage app.
Google Administrator email
  The email entered to create a service account in Google Cloud Storage, and in Aperture when adding the Google Cloud Storage app.
  1. Create a service account in Google for Google Cloud Storage.
    1. Log in to Google Developer Console as the Google Cloud Storage administrator.
      If you have not used the Developer Console before, Agree to the Google Cloud Platform Terms of Service.
    2. At the top of the screen next to your most recent project name, click the down-pointer icon to open your projects list and then Create a new project.
    3. Select your organization (domain) and click the plus icon to create your new project.
    4. Name your project Aperture Google Cloud Storage and Create the project.
    5. Click the notification bell icon and then Create Project: Aperture Google Cloud Storage.
    6. Search for Credentials.
    7. Select OAuth Consent screen, enter Aperture Google Cloud Storage in Product Name Shown to Users, and Save the project.
    8. Select Credentials > Create Credentials > Service Account Key.
    9. Select New Service Account and enter Aperture Google Storage as the service account name. Select P12 as the Key Type and Create the service account key.
      Select Create Without Role if a warning message displays.
    10. A default password and new private key are issued. Save the new private key to your computer.
      Store the private key securely: the key cannot be recovered if lost, and it is required for adding the Google Cloud Storage app in Aperture.
    11. Select Credentials > Manage Service Accounts.
    12. Click the three dots to the right of the service account you created and select Edit.
    13. Enable G Suite Storage Domain-wide Delegation and Save the setting.
    14. Click View Client ID for Aperture Google Storage.
      Note the value of the Client ID, and Save the ID.
  2. Enable API Access in Google Cloud Storage.
    1. In your account, select APIs & Services > Dashboard > Enable APIs and Services.
    2. Select Google Cloud Storage Admin SDK API, and then Enable the API.
    3. Go back to Dashboard > APIs & Services > Library and Enable the following APIs:
      1. Google Cloud Resource Manager API.
      2. Google Cloud Storage.
      3. Google Cloud Pub/Sub API.
  3. Enable API Client access to Google Cloud Storage.
    1. In a new browser window, log in to Google Admin Account as the Google Cloud Storage Administrator.
    2. Select Security > Show more.
    3. Select Advanced Settings > Manage API Client Access.
    4. Enter the Client ID previously noted in Client Name.
      Copy and paste the following scope string in One or More API Scopes, and then Authorize access to data in Google services.
      https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/devstorage.read_write,https://www.googleapis.com/auth/admin.directory.group
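The following is an added example, not part of the Aperture documentation: a gcloud equivalent of the console work in steps 1 and 2 (project, APIs, service account, P12 key, Client ID), with the step 3 scope list broken out one per line for review. The project id, organization id, key path and the API service names are assumptions or placeholders; enabling domain-wide delegation (step 1.13) and granting the scopes in the Admin console (step 3) still have to be done in the browser as described above.

```shell
#!/bin/sh
# Added example (not from the Aperture docs): gcloud equivalent of steps 1-2.
# PROJECT_ID, ORG_ID and KEY_FILE are placeholders; the service names are an
# assumption about the current names of the APIs listed in step 2.

PROJECT_ID="${PROJECT_ID:-aperture-gcs-scan}"       # placeholder project id
ORG_ID="${ORG_ID:-000000000000}"                     # placeholder org id
SA_NAME="aperture-google-storage"
KEY_FILE="${KEY_FILE:-./aperture-google-storage.p12}" # placeholder key path

# APIs the page enables in step 2: Admin SDK, Resource Manager, Storage, Pub/Sub.
aperture_required_services() {
  printf '%s\n' admin.googleapis.com cloudresourcemanager.googleapis.com \
    storage-component.googleapis.com pubsub.googleapis.com
}

# The scope string from step 3.4, split one per line so it can be reviewed
# before it is pasted into Manage API Client Access.
aperture_scopes() {
  printf '%s\n' \
    https://www.googleapis.com/auth/admin.directory.user.security \
    https://www.googleapis.com/auth/cloud-platform \
    https://www.googleapis.com/auth/devstorage.read_write \
    https://www.googleapis.com/auth/admin.directory.group
}

# Creates the project, enables the APIs, creates the service account and its
# P12 key, then prints the Client ID (uniqueId) used for domain-wide delegation.
aperture_setup() {
  sa_email="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
  gcloud projects create "$PROJECT_ID" --name="Aperture Google Cloud Storage" \
    --organization="$ORG_ID"
  # shellcheck disable=SC2046  # word-splitting on newlines is intended here
  gcloud services enable $(aperture_required_services) --project="$PROJECT_ID"
  gcloud iam service-accounts create "$SA_NAME" \
    --display-name="Aperture Google Storage" --project="$PROJECT_ID"
  gcloud iam service-accounts keys create "$KEY_FILE" \
    --iam-account="$sa_email" --key-file-type=p12 --project="$PROJECT_ID"
  chmod 600 "$KEY_FILE"   # the key cannot be re-downloaded; keep it owner-only
  echo "Client ID for domain-wide delegation (step 1.14):"
  gcloud iam service-accounts describe "$sa_email" --project="$PROJECT_ID" \
    --format='value(uniqueId)'
}

# Only run the gcloud calls when explicitly asked, so sourcing is side-effect free.
if [ "${1:-}" = "--apply" ]; then
  aperture_setup
fi
```

Run it as `sh setup.sh --apply` from an account that already has Organization-level project creation rights; without `--apply` it only defines the functions.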
  4. Add the Google Cloud Storage app.
    1. From the Aperture Dashboard, Add a Cloud App.
    2. Select Google Cloud Storage and then Click here to prepare your Google Cloud Storage Account.
    3. Enter the Google Administrator Email and the Service account ID previously noted, then click Certificate to browse to and upload the P12 format private key certificate issued from your Google service account. Click Next.
  5. Review the initial project scan discoveries and select the projects to monitor.
    If you Cancel the setup at any time, you must start over again.
    1. Enable Automatically scan new projects to scan all new projects.
    2. To select individual projects, select the Project to scan from the list.
    3. Save your scan setting to proceed scanning all discovered projects.
    4. Cancel if you do not want to proceed with scanning the discovered projects.
  6. Review the initial bucket scan discoveries and select the buckets to monitor.
    1. Enable Scan all current and any new buckets to scan all new buckets.
    2. To select individual buckets, select the Bucket to scan from the list.
    3. Save your scan setting to proceed scanning all discovered buckets.
    4. Cancel if you do not want to proceed with scanning the discovered buckets.
  7. Define global scan settings.
  8. Add policy rules.
    When you add a new cloud app, the Aperture service automatically scans the app against the default data patterns and displays the match occurrences. As a best practice, consider the business use of your app to determine whether you want to Add a New Policy Rule for Content to look for risks unique to the new app.
  9. (Optional) Configure or edit a data pattern.
    When you add a new cloud app, the Aperture service automatically scans the app against the default data patterns and displays the match occurrences. You can Configure Data Patterns to identify specific strings of text, characters, words, or patterns to make it possible to find all instances of text that match a data pattern you specify.
  10. Start scanning the new Google Cloud Storage app for risks.
    1. Select Settings > Cloud Apps & Scan Settings.
    2. In the Cloud Apps row that corresponds to the new Google Cloud Storage app, select Actions > Start Scanning.
  11. Monitor the results of the scan.
    As the Aperture service starts scanning files and matching them against enabled policy rules, Monitor Scan Results on the Dashboard to verify that your policy rules are effective.
    Monitoring the progress of the scan during the discovery phase allows you to Fine-Tune Policy to modify the match criteria and ensure better results.
  12. (Optional) To view the status of the Projects and Buckets that are currently being scanned, select Settings > Cloud App and Scan Settings. Select a Google Cloud Storage App from the list of Cloud Apps and expand Projects > Buckets to view the scan details.
