Onboard Your GCP Project

Access Prisma Cloud and select
Settings
Cloud Accounts
Add Cloud Account
.
Select
Google Cloud Platform
as the cloud account you want to onboard and
Get Started
.

Select
Project
under
Scope
.
Select the
Security Capabilities and Permissions
that you want to enable for the GCP project.
The capabilities are grouped in to
Foundational
and
Advanced
. Based on your selection, Prisma Cloud dynamically generates a CFT that includes the associated permissions for the Prisma Cloud role.
Use the
Foundational
(recommended) capabilities during the start of your organization’s cloud adoption journey to effectively manage assets in the cloud and on-premises.
The
Foundational
capabilities are enabled, by default:
Misconfigurations
grants the permissions required to scan cloud resources and ingest metadata.
Identity Security
grants the permissions required to calculate net effective permissions for identities and manage access.
Enable and add permissions for Agentless Workload Scanning (selected by default) to scan hosts and containers for vulnerabilities and compliance risks without having to install a defender. If you do not want the Agentless Workload Scanning capability, you can deselect the checkbox. Scans start automatically once you onboard your organization. You can also update the scanning configuration for agentless scans.
Use the
Advanced
(additional) capabilities to proactively control your cloud operations and identify and remediate issues before they manifest within your runtime environments.
The
Advanced
capabilities that you can choose to enable are:
Threat Detection
(enabled by default) grants the permissions required to detect Network and Identity threats.
Enable and add permissions for
Serverless Function Scanning
to scan cloud provider functions such as, AWS Lambda, Azure, and Google functions for vulnerabilities and compliance. Scans start automatically once you onboard your organization. You can also update the scanning configuration for serverless scans.
Add permissions for
Agent-Based Workload Protection
to allow for automated deployment of defenders to provide protection to secure cloud VMs, containers, and Kubernetes orchestrators. Registry scanning, Kubernetes audits, and other features required by defenders are also enabled.
Click
Next
.
Configure Account
.

Enter
Project ID
and
Account Name
. An account name is auto-populated for you. You can replace it with an account name that uniquely identifies your GCP project on Prisma Cloud.
Make sure to enter your Project ID and not your Project Number.

(
Optional
) Select
Remediation
to address policy violations reported for remediable configuration policies on Prisma Cloud. This feature is not enabled by default. After you enable it, the Prisma Cloud role gets read-write access permissions to your Google cloud account to successfully execute remediation commands.
(
Optional
) Enable
Flow Logs
and enter the name of your
Flow Logs Storage Bucket
. Optionally, select the
Use Dataflow to generate compressed logs
checkbox.
The Terraform template does not enable flow logs, and you must complete the workflow in Enable Flow Logs for GCP Project for Prisma Cloud to retrieve flow logs. Additionally, if you want to enable flow logs compression on Prisma cloud and address the lack of native compression support for flow logs sink setup on GCP, you must do it manually too. When you select
Use Dataflow to generate compressed logs
, Prisma Cloud sets up the network and compute resources required for flow log compression. This process can take up to five minutes to complete.
When you enable flow logs, the service ingests flow log data for the last seven days. Later if flow logs become unavailable for any reason such as, if you manually disable flow logs, modify API permissions, or an internal error occurs, when access is restored, only the logs from the preceding seven days are ingested.
(
Optional
) Allow Prisma Cloud to monitor all current and future GCP projects associated with the service account. This only applies to the Master Service Account.
If you have multiple GCP projects, enable
Automatically onboard projects that are accessible by this service account
to allow Prisma Cloud to monitor all current and future GCP projects associated with the Service Account. For every project that you want to onboard, you must provide the same set of permissions to the service account.
A project you onboard or a project that you had onboarded is in the
<sys-26-digit number>
format, it will be deleted.
Configure the
Service Account
for Prisma Cloud.
Download Terraform Script
and follow the
Steps
to upload your
Service Account Key (JSON) file
.
Prisma Cloud recommends that you create a directory to store the Terraform template you download. This allows you to manage the templates when you add a different Google project to Prisma Cloud. Give the directory a name that uniquely identifies the project for which you’re using it (for example, onboard-<project-name>).
Select the Account Groups to associate with your project.
Make sure to assign each cloud account to an account group and create an Alert Rule for run-time checks to associate the account group with it to generate alerts when a policy violation occurs.
Click
Next
.
Review Status
.

Verify the
Details
of the GCP project and the status checks for the
Security Capabilities
you selected while onboarding the project on Prisma Cloud.
Ensure that all the security capabilities you selected display a green
Enabled
( ) icon.
For the security capabilities that display a red
Checks Failed
( ) icon, click the corresponding drop-down to view the cause of failure.
It takes between 4-24 hours for the flow log data to be exported and analyzed before you can review it on Prisma Cloud. To verify if the flow log data from your GCP project has been analyzed, you can run a network query on the
Investigate
page.
If Prisma Cloud GCP IAM role does not have adequate permissions to ingest data on the monitored resources within your project, the status icon displays as red or amber and it lists the permissions that are missing.
Click
Save and Close
to complete onboarding or
Save and Onboard Another Account
.