Onboard Your GCP Organization

Add your GCP Organization to Prisma Cloud to ingest and monitor your data.
Begin here to add a GCP organization to Prisma Cloud. If you have added a GCP project to Prisma Cloud and you now want to add the GCP organization to which the project belongs, the existing GCP project is moved under the organization in Prisma Cloud.
When you add the GCP organization to Prisma Cloud, you can specify which folders and projects to include or exclude under the organization resource hierarchy.
  1. Access Prisma Cloud and select
    Cloud Accounts
    Add Cloud Account
  2. Select
    Google Cloud Platform
    as the cloud account you want to onboard and
    Get Started
    1. Select
      for better security coverage.
    2. Select the
      Security Capabilities and Permissions
      that you want to enable for the GCP organization.
      The capabilities are grouped in to
      . Based on your selection, Prisma Cloud dynamically generates a CFT that includes the associated permissions for the Prisma Cloud role.
      • Use the
        (recommended) capabilities during the start of your organization’s cloud adoption journey to effectively manage assets in the cloud and on-premises.
        capabilities are enabled, by default:
        • Misconfigurations
          grants the permissions required to scan cloud resources and ingest metadata.
        • Identity Security
          grants the permissions required to calculate net effective permissions for identities and manage access.
        • Enable and add permissions for Agentless Workload Scanning (selected by default) to scan hosts and containers for vulnerabilities and compliance risks without having to install a defender. If you do not want the Agentless Workload Scanning capability, you can deselect the checkbox. Scans start automatically once you onboard your organization. You can also update the scanning configuration for agentless scans.
      • Use the
        (additional) capabilities to proactively control your cloud operations and identify and remediate issues before they manifest within your runtime environments.
        capabilities that you can choose to enable are:
        • Threat Detection
          (enabled by default) grants the permissions required to detect Network and Identity threats.
        • Enable and add permissions for
          Serverless Function Scanning
          to scan cloud provider functions such as, AWS Lambda, Azure, and Google functions for vulnerabilities and compliance. Scans start automatically once you onboard your organization. You can also update the scanning configuration for serverless scans.
        • Add permissions for
          Agent-Based Workload Protection
          to allow for automated deployment of defenders to provide protection to secure cloud VMs, containers, and Kubernetes orchestrators. Registry scanning, Kubernetes audits, and other features required by defenders are also enabled.
    3. Click
  3. Configure Account
    1. Enter your
      Org ID
      Account Name
      A cloud account name is auto-populated for you. You can replace it with a cloud account name that uniquely identifies this GCP organization on Prisma Cloud.
      All the GCP projects under the Organization hierarchy—current and future—will be monitored by Prisma Cloud. To find your GCP Org ID, log in to the GCP console and select your organization.
    2. (
      ) Select
      to address policy violations reported for remediable configuration policies on Prisma Cloud. This feature is not enabled by default. After you enable it, the Prisma Cloud role gets read-write access permissions to your Google cloud account to successfully execute remediation commands.
    3. (
      ) Enable
      Flow Logs
      Enter the name of your
      Flow Logs Storage Bucket
      and (
      Dataflow Enabled Project ID
      , which is the Project ID where you enabled the Cloud Dataflow service. It is best if this project is where you send your VPC flow logs too.
      The Terraform template does not enable flow logs, and you must complete the workflow in Enable Flow Logs for GCP Organization for Prisma Cloud to retrieve flow logs. Additionally, if you want to enable flow log compression on Prisma cloud and address the lack of native compression support for flow logs sink setup on GCP, you must do it manually too. When you enable flow logs compression, Prisma Cloud sets up the network and compute resources required for flow log compression and this can take up to five minutes.
      When you enable flow logs, the service ingests flow log data for the last seven days. Then if flow logs become unavailable for any reason such as if you manually disabled flow logs, modified API permissions, or an internal error occurred, when access is restored, logs from the preceding seven days only are ingested.
    4. Configure the
      Service Account
      for Prisma Cloud.
      A service account is an identity to which you can grant granular permissions instead of creating individual user accounts. To monitor all the GCP projects that are within the GCP Organizational hierarchy, the service account requires four roles. Of the four roles, three are common for granting permissions at the GCP project level too; the Organization Role Viewer and Folder Viewer roles are additionally required to grant access to the Organization’s properties:
      • Viewer—Primitive role.
      • (
        Required for Prisma Cloud Compute, Optional for Prisma Cloud
        ) Compute Security Admin—Predefined role.
      • Prisma Cloud Viewer—Custom role.
      • Organization Role Viewer—Predefined role.
      • Folder Viewer—Predefined role.
    5. Download Terraform Script
      and follow the
      to upload your
      Service Account Key (JSON) file
      Prisma Cloud recommends that you create a directory to store the Terraform template you download. This allows you to manage the templates when you add a different Google organization to Prisma Cloud. Give the directory a name that uniquely identifies the organization for which you’re using it (for example, onboard-<organization-name>).
    6. Select the projects you want to add to Prisma Cloud. Prisma Cloud recommends to select
      All projects (default)
      You can choose to include:
      • All projects
        included within the organization hierarchy.
      • Include a subset
        Exclude a subset
        of projects. Select the relevant tab and choose the projects to include or exclude.
        When you select a folder, all existing projects within that folder or sub-folder are onboarded to Prisma Cloud. The periodic sync also checks for any new projects and sub-folders that you subsequently add on the cloud platform and adds them to Prisma Cloud.
    7. Resolve any missing permissions or errors.
      If the service account does not have adequate permissions for selecting monitored projects the following warning message displays:
      If the folders permissions are missing, the option to
      Auto Create
      and create account groups recursively based on your GCP resource hierarchy is disabled.
      If the service account is deleted, or disabled or when the key is deleted on the Google Cloud console, the following error message displays:
      Update the Service Account Key to continue the onboarding process.
    8. Assign
      Account Groups
      You have two options for assigning account groups to this GCP organization. Enable
      Auto Create Account Groups
      or disable it and manually select account group.
      • With
        Auto Create Account Groups
        disabled, you can select the account groups and assign it to the GCP organization.
      • With
        Auto Create Account Groups
        enabled and
        Recurse Hierarchy
        enabled, account groups are created and mapped for the folders that are nested within your GCP organization hierarchy.
      • With
        Auto Create Account Groups
        enabled and
        Recurse Hierarchy
        disabled, account groups are created and mapped for each top-level folder in your GCP organization hierarchy.
        If you selected
        Exclude a subset
        of folders, the ability to
        Maintain recurse hierarchy
        is disabled when
        Auto Create Account Groups
        is enabled.
        When you choose to create account groups recursively, each account group includes a list of all GCP projects nested within the heirarchical folder structure as you see it on the GCP console. Because the account groups are organized in a flat structure on Prisma Cloud, you cannot see the mapping visually.
        Account groups that are created automatically are indicated with , and cannot be edited on Prisma Cloud. See create account groups for more details.
        Make sure to create an Alert Rule for run-time checks to associate the account group with it to generate alerts when a policy violation occurs.
    9. Click
  4. Review Status
    Verify the
    of the GCP organization and the status checks for the
    Security Capabilities
    you selected while onboarding the organization on Prisma Cloud.
    1. Ensure that all the security capabilities you selected display a green
      ( ) icon.
    2. For the security capabilities that display a red
      Checks Failed
      ( ) icon, click the corresponding drop-down to view the cause of failure.
    3. Click
      Save and Close
      to complete onboarding or
      Save and Onboard Another Account
      After you sucessfully onboard your GCP organization on Prisma Cloud, the account is automatically available in Compute and enabled for
      Workload Discovery
      Serverless function scans
      . For
      Agentless scans
      , you have to complete the configuration to trigger the scan.
      You can view the newly onboarded GCP organization on the
      Cloud Accounts
      When you have nested projects allow 10-30 minutes for the auto created account groups to display on Prisma Cloud.
      It will take a maximum of 30 minutes for projects to appear on Prisma Cloud.
      You can review the status and take necessary actions to resolve any issues encountered during the onboarding process by viewing the
      Cloud Accounts
      page. It takes between 4-24 hours for the flow log data to be exported and analyzed before you can review it on Prisma Cloud. To verify if the flow log data from your GCP Organization have been analyzed, you can run a network query on the
      • When you delete the GCP Organization on Prisma Cloud, you can recover all the existing data related to these accounts if you re-onboard within 24 hours. After 24 hours, the data is deleted from Prisma Cloud.
      • Because Prisma Cloud has access to all projects associated with a Service Account, if you want to remove access to a project that is associated with the Service Account, you must remove the project from the Service Account on the GCP IAM console. In the next scanning cycle, the project is excluded and Prisma Cloud no longer has access to the project.
  5. Navigate to
    Cloud Accounts
    , locate your GCP account, and view the status.
    1. Verify the projects are onboarded to Prisma Cloud.
    2. Select the cloud account name and review the list of projects to verify the include/exclude selections you made earlier.

Recommended For You