Onboard Your GCP Project

Add a single GCP project or multiple GCP projects to Prisma Cloud.
Begin here to add a GCP project to Prisma Cloud. If you want to add multiple projects, you must either repeat this process for each project you want to onboard or you allow Prisma Cloud to automatically monitor all GCP projects—current and future—that use the Service Account attached to the project you are adding to Prisma Cloud. Prisma Cloud refers to this service account as a Master Service Account.
After you start monitoring your project using Prisma Cloud, if you delete the project on GCP, Prisma Cloud automatically deletes the account from the list of monitored accounts on
Cloud Accounts
. To track the automatic deletion of the project, an audit log is generated with information on the name of the deleted account and the date that the action was performed.
  1. Access Prisma Cloud and select
    Cloud Accounts
    Add Cloud Account
  2. Select
    Google Cloud Platform
    as the cloud account you want to onboard and
    Get Started
    1. Select
    2. Select the
      Security Capabilities and Permissions
      that you want to enable for the GCP project.
      The capabilities are grouped in to
      . Based on your selection, Prisma Cloud dynamically generates a CFT that includes the associated permissions for the Prisma Cloud role.
      • Use the
        (recommended) capabilities during the start of your organization’s cloud adoption journey to effectively manage assets in the cloud and on-premises.
        capabilities are enabled, by default:
        • Misconfigurations
          grants the permissions required to scan cloud resources and ingest metadata.
        • Identity Security
          grants the permissions required to calculate net effective permissions for identities and manage access.
        • Enable and add permissions for Agentless Workload Scanning (selected by default) to scan hosts and containers for vulnerabilities and compliance risks without having to install a defender. If you do not want the Agentless Workload Scanning capability, you can deselect the checkbox. Scans start automatically once you onboard your organization. You can also update the scanning configuration for agentless scans.
      • Use the
        (additional) capabilities to proactively control your cloud operations and identify and remediate issues before they manifest within your runtime environments.
        capabilities that you can choose to enable are:
        • Threat Detection
          (enabled by default) grants the permissions required to detect Network and Identity threats.
        • Enable and add permissions for
          Serverless Function Scanning
          to scan cloud provider functions such as, AWS Lambda, Azure, and Google functions for vulnerabilities and compliance. Scans start automatically once you onboard your organization. You can also update the scanning configuration for serverless scans.
        • Add permissions for
          Agent-Based Workload Protection
          to allow for automated deployment of defenders to provide protection to secure cloud VMs, containers, and Kubernetes orchestrators. Registry scanning, Kubernetes audits, and other features required by defenders are also enabled.
    3. Click
  3. Configure Account
    1. Enter
      Project ID
      Account Name
      . An account name is auto-populated for you. You can replace it with an account name that uniquely identifies your GCP project on Prisma Cloud.
      Make sure to enter your Project ID and not your Project Number.
    2. (
      ) Select
      to address policy violations reported for remediable configuration policies on Prisma Cloud. This feature is not enabled by default. After you enable it, the Prisma Cloud role gets read-write access permissions to your Google cloud account to successfully execute remediation commands.
    3. (
      ) Enable
      Flow Logs
      and enter the name of your
      Flow Logs Storage Bucket
      . Optionally, select the
      Use Dataflow to generate compressed logs
      The Terraform template does not enable flow logs, and you must complete the workflow in Enable Flow Logs for GCP Project for Prisma Cloud to retrieve flow logs. Additionally, if you want to enable flow logs compression on Prisma cloud and address the lack of native compression support for flow logs sink setup on GCP, you must do it manually too. When you select
      Use Dataflow to generate compressed logs
      , Prisma Cloud sets up the network and compute resources required for flow log compression. This process can take up to five minutes to complete.
      When you enable flow logs, the service ingests flow log data for the last seven days. Later if flow logs become unavailable for any reason such as, if you manually disable flow logs, modify API permissions, or an internal error occurs, when access is restored, only the logs from the preceding seven days are ingested.
    4. (
      ) Allow Prisma Cloud to monitor all current and future GCP projects associated with the service account. This only applies to the Master Service Account.
      If you have multiple GCP projects, enable
      Automatically onboard projects that are accessible by this service account
      to allow Prisma Cloud to monitor all current and future GCP projects associated with the Service Account. For every project that you want to onboard, you must provide the same set of permissions to the service account.
      A project you onboard or a project that you had onboarded is in the
      <sys-26-digit number>
      format, it will be deleted.
    5. Configure the
      Service Account
      for Prisma Cloud.
    6. Download Terraform Script
      and follow the
      to upload your
      Service Account Key (JSON) file
      Prisma Cloud recommends that you create a directory to store the Terraform template you download. This allows you to manage the templates when you add a different Google project to Prisma Cloud. Give the directory a name that uniquely identifies the project for which you’re using it (for example, onboard-<project-name>).
    7. Select the Account Groups to associate with your project.
      Make sure to assign each cloud account to an account group and create an Alert Rule for run-time checks to associate the account group with it to generate alerts when a policy violation occurs.
    8. Click
  4. Review Status
    Verify the
    of the GCP project and the status checks for the
    Security Capabilities
    you selected while onboarding the project on Prisma Cloud.
    • Ensure that all the security capabilities you selected display a green
      ( ) icon.
    • For the security capabilities that display a red
      Checks Failed
      ( ) icon, click the corresponding drop-down to view the cause of failure.
      It takes between 4-24 hours for the flow log data to be exported and analyzed before you can review it on Prisma Cloud. To verify if the flow log data from your GCP project has been analyzed, you can run a network query on the
      If Prisma Cloud GCP IAM role does not have adequate permissions to ingest data on the monitored resources within your project, the status icon displays as red or amber and it lists the permissions that are missing.
  5. Click
    Save and Close
    to complete onboarding or
    Save and Onboard Another Account

Recommended For You