Prerequisites to Onboard GCP Organizations and Projects
Learn about the service account and APIs that enable Prisma Cloud to ingest, analyze, and monitor the resources deployed within a GCP organization or project.
In order to analyze and monitor your GCP account, Prisma Cloud requires access to specific APIs and a service account, which is an authorized identity that enables authentication between Prisma Cloud and GCP. A combination of custom, predefined, and primitive roles grants the service account the permissions it needs to complete specific actions on the resources in your GCP organization or project.
To successfully onboard and monitor the resources within your GCP organization or project, make sure you have completed the following prerequisites:
Service Account Permissions
The permissions that the Prisma Cloud service account needs to monitor your GCP resources depend on your cloud protection needs.
- If you are onboarding a GCP organization, you must assign the roles to the IAM policy for the organization.
- If you are onboarding a GCP project, you must assign the roles to the IAM policy for each project.
- If you are using a master service account (MSA), you have two options:
  - (Recommended) Add permissions to the IAM policy for the organization.
  - Assign the roles to the IAM policy for each project individually.
The roles for read or read-write access permission that the service account requires are:
- Viewer—Primitive role on GCP.
- Prisma Cloud Viewer—Custom role. Prisma Cloud needs this custom role for the Cloud Storage bucket permissions to read storage bucket metadata and update bucket IAM policies. This role requires storage.buckets.get to retrieve your list of storage buckets, and storage.buckets.getIamPolicy to retrieve the IAM policy for the specified bucket.
- Compute Security Admin—Predefined role on GCP. An optional privilege that is required only if you want to enable auto-remediation.
- Organization Role Viewer—Predefined role on GCP. This role is required for onboarding a GCP Organization.
- Dataflow Admin—Predefined role on GCP. An optional privilege that is required only for flow logs compression using the Dataflow service. See Flow Logs Compression on GCP for details.
- Folder Viewer—Predefined role on GCP. An optional privilege that is required only if you want to onboard GCP Folder metadata, select specific folders (include or exclude folders), and to automatically create account groups based on the folder hierarchy.
Rate Limit Exception for GCP APIs
The API calls from Prisma Cloud use quota from the GCP project that you've onboarded, which enables Prisma Cloud to ingest resource metadata across multiple projects without exceeding the GCP API rate limits.
To ensure continuous insights into all your GCP resources and to prevent rate limit exception errors from occurring for Prisma Cloud's authorized API calls to GCP, make sure to:
- Grant either the permission serviceusage.services.use or the role Service Usage Consumer (roles/serviceusage.serviceUsageConsumer) to the service account that Prisma Cloud uses to access GCP APIs.
- [Optional] For the GCP services appengine.googleapis.com, recommender.googleapis.com, sqladmin.googleapis.com, apikeys.googleapis.com, iam.googleapis.com, cloudresourcemanager.googleapis.com, orgpolicy.googleapis.com, cloudasset.googleapis.com, accessapproval.googleapis.com, and essentialcontacts.googleapis.com:
  - Disable them on the source project where the service account is created, and
  - Enable them on the target project from which Prisma Cloud gets resource metadata.
GCP APIs
Prisma Cloud can ingest data from several GCP APIs.
When you use the Terraform template that Prisma Cloud provides to automate the onboarding of your GCP organization or project, the required permissions are automatically enabled for you.
- In the GCP project where you create the service account, you must enable the Stackdriver Logging API (logging.googleapis.com) to monitor audit logs, and any other GCP APIs for which you want Prisma Cloud to monitor resources.
- If a cloud service API is not enabled on a GCP project, Prisma Cloud skips the ingestion for the respective service; you must, however, ensure that the Service Usage API is enabled on each GCP project that you want Prisma Cloud to monitor under your GCP organization hierarchy. To decide whether to skip ingestion for a cycle, Prisma Cloud reads the response from the Service Usage API, which lists the cloud services that are enabled in a GCP project. For example, if you have not enabled Cloud Functions in one or more GCP projects within the GCP organization, Prisma Cloud learns this from the Service Usage API and skips the ingestion cycle for that cloud service.
- Prisma Cloud recommends that you create the service account in a dedicated GCP project. GCP enforces a limit on the API calls allowed to a GCP project/IAM service account. When you create the service account in a dedicated GCP project, the API calls that Prisma Cloud makes do not interfere with the quota limits of your production workloads and services hosted in other GCP projects.
- Verify that you have granted all the required permissions to the Prisma Cloud service account. If the service account does not have the IAM permissions required to retrieve data, Prisma Cloud skips ingestion of the respective cloud service(s) for your onboarded account. When you use the Terraform template provided by Prisma Cloud to automate the onboarding of your GCP organization or project, the required permissions are automatically enabled for you.
To enable the APIs that allow Prisma Cloud to monitor your GCP projects, use gcloud as shown in this example (which uses some of the APIs listed in the table below):
```shell
gcloud services enable serviceusage.googleapis.com appengine.googleapis.com bigquery.googleapis.com cloudfunctions.googleapis.com dataflow.googleapis.com dns.googleapis.com dataproc.googleapis.com cloudresourcemanager.googleapis.com cloudkms.googleapis.com sqladmin.googleapis.com compute.googleapis.com storage-component.googleapis.com recommender.googleapis.com iam.googleapis.com container.googleapis.com monitoring.googleapis.com logging.googleapis.com
```
Verify the APIs that you have enabled with `gcloud services list`.
The following table lists the APIs and the associated granular permissions you need if you want to Create a Service Account With a Custom Role to onboard your GCP account. When the APIs are enabled and the service account has the correct set of roles and associated permissions, Prisma Cloud can retrieve data on your resources from GCP cloud accounts.
Make sure to create a custom role before you continue to add your GCP Organization or GCP Project to Prisma Cloud.

| API | Endpoint | Description | Role | Permissions | Scope |
|---|---|---|---|---|---|
| API Keys | apikeys.googleapis.com | Authenticates requests associated with your project for usage and billing purposes. | API Keys Viewer | apikeys.keys.list, apikeys.keys.get | |
| App Engine API | appengine.googleapis.com | Allows you to access App Engine, which is a fully managed serverless platform on GCP. | App Engine Viewer | appengine.applications.get | Project where you have created the service account |
| Access Context Manager API | accesscontextmanager.googleapis.com | Read access to policies, access levels, and access zones. | Access Context Manager Reader | accesscontextmanager.accessPolicies.list, accesscontextmanager.policies.list, accesscontextmanager.accessLevels.list, accesscontextmanager.servicePerimeters.list | Project where you have created the service account |
| Access Approval | accessapproval.googleapis.com | Allows you to access settings associated with a project, folder, or organization. | Project Viewer | accessapproval.settings.get | Project where you have created the service account |
| API Gateway | apigateway.googleapis.com | Enables you to create, secure, and monitor APIs for Google Cloud serverless back ends, including Cloud Functions, Cloud Run, and App Engine. | API Gateway Viewer | apigateway.gateways.getIamPolicy, apigateway.gateways.list, apigateway.gateways.get, apigateway.locations.list | Every project that the service account can access |
| BigQuery API | cloudasset.googleapis.com | Allows you to create, manage, share, and query data. | Cloud Asset Viewer | bigquery.tables.get, cloudasset.assets.searchAllResources, cloudasset.assets.searchAllIamPolicies | Project where you have created the service account |
| Binary Authorization API | binaryauthorization.googleapis.com | Enables you to configure a policy that the service enforces when an attempt is made to deploy a container image on one of the supported container-based platforms. | Project Viewer | binaryauthorization.policy.get, binaryauthorization.policy.getIamPolicy | Project where you have created the service account |
| Cloud Data Fusion | datafusion.googleapis.com | Cloud Data Fusion is a fully managed, cloud-native, enterprise data integration service for quickly building and managing data pipelines. | Project Viewer | datafusion.instances.list, datafusion.instances.getIamPolicy | Every project that the service account can access |
| Cloud Functions | cloudfunctions.googleapis.com | Cloud Functions is Google Cloud's event-driven serverless compute platform. | Project Viewer | cloudfunctions.functions.getIamPolicy, cloudfunctions.functions.list, cloudfunctions.functions.get, cloudfunctions.locations.list | Project where you have created the service account |
| Cloud Dataflow API | dataflow.googleapis.com | Manages Google Cloud Dataflow projects. See Flow Logs Compression on GCP. | Dataflow Admin | iam.serviceAccounts.actAs, resourcemanager.projects.get, storage.buckets.get, storage.objects.create, storage.objects.get, storage.objects.list | Project that runs Dataflow |
| Cloud DNS API | dns.googleapis.com | Cloud DNS translates requests for domain names into IP addresses and manages and publishes DNS zones and records. | DNS Reader | dns.dnsKeys.list, dns.managedZones.list, dns.projects.get, dns.policies.list, dns.resourceRecordSets.list, dns.responsePolicyRules.list | Every project that the service account can access |
| Cloud Pub/Sub | pubsub.googleapis.com | Real-time messaging service that allows you to send and receive messages between independent applications. | Project Viewer and a custom role with granular privileges | pubsub.topics.list, pubsub.topics.get, pubsub.topics.getIamPolicy, pubsub.subscriptions.list, pubsub.subscriptions.get, pubsub.subscriptions.getIamPolicy, pubsub.snapshots.list, pubsub.snapshots.getIamPolicy, cloudasset.assets.searchAllIamPolicies | Every project that the service account can access |
| Container Analysis | containeranalysis.googleapis.com | Container Analysis provides vulnerability scanning and metadata storage for containers. | Project Viewer | containeranalysis.occurrences.list | Every project that the service account can access |
| Google Dataplex | dataplex.googleapis.com | Unifies distributed data and automates data management and governance across that data to power analytics at scale. | Project Viewer | dataplex.assets.list, dataplex.assets.getIamPolicy, dataplex.assetActions.list, dataplex.content.list, dataplex.content.getIamPolicy, dataplex.entities.list, dataplex.locations.list, dataplex.lakes.list, dataplex.lakes.getIamPolicy, dataplex.tasks.list, dataplex.tasks.getIamPolicy, dataplex.zones.list, dataplex.lakeActions.list, dataplex.zoneActions.list | Project where you have created the service account |
| Google Cloud Resource Manager API | cloudresourcemanager.googleapis.com | Creates, reads, and updates metadata for Google Cloud Platform resource containers. | Project Viewer | resourcemanager.projects.getIamPolicy; resourcemanager.folders.getIamPolicy (only required for a GCP organization) | Project where you have created the service account; for resourcemanager.folders.getIamPolicy, also every project that the service account can access |
| Google Cloud Data Loss Prevention | dlp.googleapis.com | Cloud Data Loss Prevention is a fully managed service designed to discover, classify, and protect the most sensitive data. | Project Viewer | dlp.inspectTemplates.list, dlp.deidentifyTemplates.list, dlp.jobTriggers.list, dlp.storedInfoTypes.list | Project where you have created the service account |
| Google Cloud Deploy | clouddeploy.googleapis.com | Google Cloud Deploy is an opinionated, serverless, secure continuous delivery service for GKE to manage release progression from dev to staging to prod. | Project Viewer | clouddeploy.config.get, clouddeploy.locations.list, clouddeploy.deliveryPipelines.list, clouddeploy.deliveryPipelines.getIamPolicy, clouddeploy.targets.list, clouddeploy.targets.getIamPolicy | Every project that the service account can access |
| Google Firebase App Distribution | firebaseappdistribution.googleapis.com, cloudresourcemanager.googleapis.com | Firebase App Distribution makes distributing apps to trusted testers painless by getting the apps onto testers' devices quickly, so you can get feedback early and often. | Project Viewer | resourcemanager.projects.get, firebaseappdistro.testers.list | Project where you have created the service account |
| Google Firebase Remote Config | firebaseremoteconfig.googleapis.com | Firebase Remote Config gives visibility and fine-grained control over an app's behavior and appearance by simply updating its configuration. | Project Viewer | cloudconfig.configs.get | Project where you have created the service account |
| Cloud Key Management Service (KMS) API | cloudasset.googleapis.com | Google Cloud KMS allows customers to manage encryption keys and perform cryptographic operations with those keys. | Cloud Asset Viewer | cloudasset.assets.searchAllResources, cloudasset.assets.searchAllIamPolicies, cloudkms.keyRings.get, cloudkms.keyRings.getIamPolicy, cloudkms.cryptoKeys.get, cloudkms.cryptoKeys.getIamPolicy | Project where you have created the service account |
| Cloud Service Usage API | serviceusage.googleapis.com | API that lists the available or enabled services, or disables services that service consumers no longer use on GCP. | Project Viewer | serviceusage.services.list | Project where you have created the service account |
| Google Binary Authorization | binaryauthorization.googleapis.com | A service that enables policy-based deployment validation and control for images deployed to Google Kubernetes Engine (GKE), Anthos Service Mesh, Anthos Clusters, and Cloud Run. | Project Viewer | binaryauthorization.policy.get, binaryauthorization.policy.getIamPolicy | Every project that the service account can access |
| Google Cloud Armor | compute.googleapis.com | Network security service that provides defenses against DDoS and application attacks, and offers WAF rules. | Project Viewer | compute.securityPolicies.list, compute.securityPolicies.get | Every project that the service account can access |
| Google Cloud Billing | cloudbilling.googleapis.com | Cloud Billing is a collection of tools to track and understand Google Cloud spending, pay bills, and optimize costs. | Project Viewer | resourcemanager.projects.get | Every project that the service account can access |
| Google Cloud Tasks | cloudtasks.googleapis.com | API to fetch task and queue information. | Project Viewer | cloudtasks.locations.list, cloudtasks.tasks.list, cloudtasks.queues.list, run.locations.list | Every project that the service account can access |
| Google AI Platform | ml.googleapis.com | A suite of services on Google Cloud specifically targeted at building, deploying, and managing machine learning models in the cloud. | | ml.models.list, ml.models.getIamPolicy, ml.jobs.getIamPolicy, ml.jobs.list, ml.jobs.get | |
| Google Analytics Hub | analyticshub.googleapis.com | Analytics Hub is a data exchange that allows you to efficiently and securely exchange data assets across organizations to address challenges of data reliability and cost. | Project Viewer | analyticshub.dataExchanges.list | Every project that the service account can access |
| Google Anthos GKE Fleet Management | gkehub.googleapis.com | Anthos offers capabilities built around the idea of the fleet: a logical grouping of Kubernetes clusters and other resources that can be managed together. | Project Viewer | gkehub.locations.list, gkehub.memberships.list, gkehub.memberships.getIamPolicy, gkehub.features.list, gkehub.features.getIamPolicy | Every project that the service account can access |
| Google Apigee X | apigee.googleapis.com | Apigee X is a new version of Google Cloud's API management platform that assists enterprises in making the transition to digital platforms. | Project Viewer | apigee.apiproducts.get, apigee.apiproducts.list, apigee.organizations.get, apigee.organizations.list, apigee.sharedflows.list, apigee.sharedflows.get, apigee.deployments.list, apigee.datacollectors.list, apigee.datastores.list, apigee.instances.list, apigee.instanceattachments.list, apigee.envgroups.list, apigee.environments.get, apigee.environments.getIamPolicy, apigee.hostsecurityreports.list, apigee.proxies.get, apigee.proxies.list, apigee.reports.list, apigee.securityProfiles.list | Every project that the service account can access |
| Google Artifact Registry | artifactregistry.googleapis.com | Artifact Registry is a scalable and integrated service to store and manage build artifacts. | Project Viewer | artifactregistry.locations.list, artifactregistry.repositories.list, artifactregistry.repositories.getIamPolicy | Every project that the service account can access |
| Google Essential Contacts | essentialcontacts.googleapis.com | Allows you to customize who receives notifications from Google Cloud services, such as Cloud Billing, by providing a list of contacts. | Project Viewer | essentialcontacts.contacts.list | Project where you have created the service account |
| Google Firebase Rules | firebaserules.googleapis.com | An application development platform that enables developers to develop iOS, Android, and web apps. | | firebaserules.rulesets.get, firebaserules.rulesets.list, firebaserules.releases.list | |
| Google Cloud Composer | composer.googleapis.com | | Project Viewer | composer.environments.list, composer.environments.get | Every project that the service account can access |
| Google Cloud Source Repositories API | sourcerepo.googleapis.com | A private Git repository to design, develop, and securely manage your code. | Source Repository Reader | source.repos.list, source.repos.getIamPolicy | Every project that the service account can access |
| Google Cloud Spanner API | spanner.googleapis.com | A globally distributed NewSQL database service and storage solution designed to support global online transaction processing deployments. | Cloud Spanner Viewer | spanner.databases.list, spanner.databases.getIamPolicy, spanner.instances.list, spanner.instanceConfigs.list, spanner.instances.getIamPolicy, spanner.backups.list, spanner.backups.getIamPolicy | Project where you have created the service account, and every project that the service account can access |
| Cloud SQL Admin API | sqladmin.googleapis.com | API for Cloud SQL database instance management. | Custom Role | cloudsql.instances.list | Project where you have created the service account |
| Compute Engine API | compute.googleapis.com | Creates and runs virtual machines on the Google Cloud Platform. | Project Viewer | cloudasset.assets.searchAllIamPolicies, compute.addresses.list, compute.backendServices.list, compute.backendBuckets.list, compute.sslCertificates.list, compute.disks.get, compute.disks.list, compute.firewalls.list, compute.forwardingRules.list, compute.globalForwardingRules.list, compute.images.get, compute.images.list, compute.images.getIamPolicy, compute.instances.getIamPolicy, compute.instances.list, compute.instanceGroups.list, compute.instanceTemplates.list, compute.instanceTemplates.getIamPolicy, compute.targetSslProxies.list, compute.networks.get, compute.networks.list, compute.subnetworks.get, compute.projects.get, compute.regionBackendServices.list, compute.routers.get, compute.routers.list, compute.routes.list, compute.snapshots.list, compute.snapshots.getIamPolicy, compute.sslPolicies.get, compute.sslPolicies.list, compute.subnetworks.list, compute.targetHttpProxies.list, compute.targetHttpsProxies.list, compute.targetPools.list, compute.urlMaps.list, compute.vpnTunnels.list, compute.externalVpnGateways.list | Project where you have created the service account |
| Cloud Bigtable API | bigtableadmin.googleapis.com | Google Cloud Bigtable is a NoSQL Big Data database service. | Custom Role | bigtable.appProfiles.get, bigtable.appProfiles.list, bigtable.clusters.get, bigtable.clusters.list, bigtable.instances.get, bigtable.instances.list, bigtable.instances.getIamPolicy, bigtable.tables.get, bigtable.tables.list, bigtable.tables.getIamPolicy, bigtable.backups.list, bigtable.backups.getIamPolicy | Project where you have created the service account |
| Google Cloud Storage API | storage-component.googleapis.com | Cloud Storage is a RESTful service for storing and accessing your data on Google's infrastructure. | Custom Role | storage.buckets.get, storage.buckets.getIamPolicy, storage.buckets.list | No specific requirement for Prisma Cloud |
| Google Organization Policy | orgpolicy.googleapis.com | Organization Policy Service provides centralized and programmatic control over an organization's cloud resources through configurable constraints across the entire resource hierarchy. | Project Viewer | orgpolicy.constraints.list, orgpolicy.policy.get | Project where you have created the service account |
| Google Dataproc Clusters API | dataproc.googleapis.com | Dataproc is a managed service for creating clusters of compute that can be used to run Hadoop and Spark applications. | Project Viewer | dataproc.clusters.list, dataproc.clusters.get, dataproc.clusters.getIamPolicy, cloudasset.assets.searchAllIamPolicies, dataproc.workflowTemplates.list, dataproc.workflowTemplates.getIamPolicy, dataproc.autoscalingPolicies.list, dataproc.autoscalingPolicies.getIamPolicy | Every project that the service account can access |
| Google Dataproc Metastore | metastore.googleapis.com | Dataproc is a managed service for creating clusters of compute that can be used to run Hadoop and Spark applications. | Project Viewer | metastore.locations.list, metastore.services.list, metastore.services.getIamPolicy | Every project that the service account can access |
| Google Data Catalog | datacatalog.googleapis.com | Data Catalog is a fully managed, scalable metadata management service which helps in searching and tagging data entries. | Project Viewer | datacatalog.taxonomies.list, datacatalog.taxonomies.getIamPolicy, datacatalog.taxonomies.get, datacatalog.entryGroups.list, datacatalog.entryGroups.getIamPolicy, datacatalog.entryGroups.get | Project where you have created the service account |
| Google Datastore | datastore.googleapis.com | Datastore is a schemaless NoSQL database that provides fully managed, robust, scalable storage for any application. | Project Viewer | datastore.indexes.list | Project where you have created the service account |
| Google Datastream | datastream.googleapis.com | Datastream is a serverless change data capture (CDC) and replication service to synchronize data across heterogeneous databases and applications. | Project Viewer | datastream.locations.list, datastream.privateConnections.list, datastream.connectionProfiles.list, datastream.streams.list | |
| Google Recommendation APIs (GCP IAM Recommender) | recommender.googleapis.com (gcloud-recommender-organization-iam-policy-lateral-movement-insight) | Google Recommender provides usage recommendations for Google Cloud resources. Recommenders are specific to a single Google Cloud product and resource type. | IAM Recommender Viewer | recommender.iamPolicyRecommendations.list, recommender.iamPolicyInsights.list, recommender.iamServiceAccountInsights.list, recommender.iamPolicyLateralMovementInsights.list | Project where you have created the service account |
| Google HealthCare | healthcare.googleapis.com | Manages solutions for storing and accessing healthcare data in Google Cloud. | Project Viewer | healthcare.locations.list, healthcare.datasets.get, healthcare.datasets.list, healthcare.datasets.getIamPolicy | Every project that the service account can access |
| Google Hybrid Connectivity | networkconnectivity.googleapis.com | Network Connectivity is Google's suite of products that provide enterprise connectivity from your on-premises network or from another cloud provider to your Virtual Private Cloud (VPC) network. | Project Viewer | networkconnectivity.hubs.list, networkconnectivity.hubs.getIamPolicy, networkconnectivity.locations.list, networkconnectivity.spokes.list, networkconnectivity.spokes.getIamPolicy | Every project that the service account can access |
| Google Cloud Run API | run.googleapis.com | Deploys and manages user-provided container images. | Project Viewer | run.locations.list, run.services.list, cloudasset.assets.searchAllIamPolicies, run.jobs.list, run.jobs.getIamPolicy | Every project that the service account can access |
| Google Secrets Manager | secretmanager.googleapis.com | Stores sensitive data such as API keys, passwords, and certificates. | Secret Manager Viewer | secretmanager.secrets.list, secretmanager.secrets.getIamPolicy, secretmanager.versions.list | Every project that the service account can access |
| Google Security Command Center | securitycenter.googleapis.com | Security Command Center is a centralized vulnerability and threat reporting service which helps to mitigate and remediate security risks. | Project Viewer | securitycenter.sources.list, securitycenter.sources.getIamPolicy, securitycenter.organizationsettings.get, securitycenter.notificationconfig.list, securitycenter.muteconfigs.list | Project where you have created the service account |
| Google Serverless VPC Access | vpcaccess.googleapis.com | Serverless VPC Access allows Cloud Functions and App Engine apps to access resources in a VPC network using those resources' private IPs. | Project Viewer | vpcaccess.locations.list, vpcaccess.connectors.list | Every project that the service account can access |
| Google Cloud Filestore | file.instances.list | Creates and manages cloud file servers. | Cloud Filestore Viewer | file.instances.list, file.snapshots.list, file.backups.list | Every project that the service account can access |
| Google Cloud Firestore | firestore.googleapis.com | Cloud Firestore is a flexible, scalable NoSQL cloud database to store and sync data for client- and server-side development. | Project Viewer | datastore.databases.list | Every project that the service account can access |
| Google Cloud Identity Platform | identitytoolkit.googleapis.com | Identity Platform is a customizable authentication service which makes it easier for users to sign up and sign in by providing back-end services, SDKs, and UI libraries. | Project Viewer | firebaseauth.configs.get, identitytoolkit.tenants.list, firebaseauth.users.get, identitytoolkit.tenants.get, identitytoolkit.tenants.getIamPolicy | Every project that the service account can access |
| Google Certificate Authority Service | privateca.googleapis.com | Enables you to simplify, automate, and customize the deployment, management, and security of private certificate authorities (CA). | CA Service Auditor | privateca.caPools.getIamPolicy, privateca.caPools.list, privateca.certificateAuthorities.list, privateca.certificates.list, privateca.certificateRevocationLists.list, privateca.certificateRevocationLists.getIamPolicy, privateca.locations.list | Every project that the service account can access |
| Google Deployment Manager | deploymentmanager.googleapis.com | Google Cloud Deployment Manager is an infrastructure deployment service that automates the creation and management of Google Cloud resources. | Project Viewer. NOTE: You must manually add the permission or update the Terraform template to enable. | deploymentmanager.deployments.getIamPolicy, deploymentmanager.deployments.list, deploymentmanager.manifests.list | Every project that the service account can access |
| Google Identity Aware Proxy | iap.googleapis.com | Provides an application-level access control model instead of relying on network-level firewalls, by establishing a central authorization layer for applications. | Custom Role | clientauthconfig.brands.list, clientauthconfig.clients.listWithSecrets | Every project that the service account can access |
| Google Traffic Director | networksecurity.googleapis.com | Traffic Director is Google Cloud's fully managed application networking platform and service mesh. | Project Viewer | networksecurity.authorizationPolicies.list, networksecurity.authorizationPolicies.getIamPolicy, networksecurity.clientTlsPolicies.list, networksecurity.clientTlsPolicies.getIamPolicy, networksecurity.serverTlsPolicies.list, networksecurity.serverTlsPolicies.getIamPolicy, networkservices.locations.list, networkservices.gateways.list, networkservices.meshes.list, networkservices.meshes.getIamPolicy | Project where you have created the service account |
| Google Traffic Director Network Service | networkservices.googleapis.com | Traffic Director is Google Cloud's fully managed application networking platform and service mesh. | Project Viewer | networkservices.httpRoutes.list, networkservices.grpcRoutes.list, networkservices.tcpRoutes.list, networkservices.tlsRoutes.list | Every project that the service account can access |
| Google VPC | compute.googleapis.com | Enables you to create and enforce a consistent firewall policy across your organization. This lets organization-wide admins manage critical firewall rules in one place. | Project Viewer | compute.firewallPolicies.list, compute.regionfirewallPolicies.list | Project where you have created the service account |
| Google Vertex AI | notebooks.googleapis.com | Vertex AI is an artificial intelligence platform with pre-trained and custom tooling to build, deploy, and scale ML models. | Project Viewer | notebooks.locations.list, notebooks.instances.list, notebooks.instances.checkUpgradability, notebooks.instances.getHealth, notebooks.instances.getIamPolicy, notebooks.runtimes.list, notebooks.schedules.list | Project where you have created the service account |
| Identity and Access Management (IAM) API | iam.googleapis.com | Manages identity and access control for GCP resources, including the creation of service accounts, which you can use to authenticate to Google and make API calls. | Project Viewer | iam.roles.get, iam.roles.list, iam.serviceAccountKeys.list, iam.serviceAccounts.list, iam.workloadIdentityPools.list, iam.workloadIdentityPoolProviders.list, iam.denypolicies.get, iam.denypolicies.list | Project where you have created the service account |
| Memorystore | redis.googleapis.com | Memorystore is a fully managed database service that provides a managed version of two popular open source caching solutions: Redis and Memcached. | Project Viewer | redis.instances.get, redis.instances.list | Every project that the service account can access |
| Memorystore for Memcached | memcache.googleapis.com | Memorystore for Memcached is a fully managed Memcached service for Google Cloud that avoids the burden of managing complex Memcached deployments. | Project Viewer | memcache.locations.list, memcache.instances.list | Every project that the service account can access |
| Google Managed Microsoft AD | managedidentities.googleapis.com | Managed Service for Microsoft Active Directory offers high-availability, hardened Microsoft Active Directory domains hosted by Google Cloud. | Project Viewer | managedidentities.domains.list, managedidentities.domains.get, managedidentities.domains.getIamPolicy, managedidentities.sqlintegrations.list | No specific requirement for Prisma Cloud |
| Google Network Intelligence Center | recommender.googleapis.com | Network Intelligence Center provides a single console for managing Google Cloud network visibility, monitoring, and troubleshooting. | Project Viewer | recommender.computeFirewallInsights.list | Project where you have created the service account |
| Kubernetes Engine API | container.googleapis.com | Builds and manages container-based applications, powered by the open source Kubernetes technology. | Kubernetes Engine Cluster Viewer | container.clusters.get, container.clusters.list | Project where you have created the service account |
| Google Cloud Translation | translate.googleapis.com | Enables websites and applications to dynamically translate text programmatically using a Google pre-trained or a custom machine learning model. | Project Viewer | cloudtranslate.locations.list, cloudtranslate.glossaries.list, cloudtranslate.customModels.list, cloudtranslate.datasets.list | Project where you have created the service account |
| Services Usage API | serviceusage.googleapis.com | API that lists the available or enabled services, or disables services that service consumers no longer use on GCP. Note: As a best practice, you must enable this API on all GCP projects that are onboarded to Prisma Cloud. | Project Viewer | serviceusage.services.list | Every project that the service account can access |
| Stackdriver Monitoring API | monitoring.googleapis.com | Manages your Stackdriver Monitoring data and configurations. Helps to gain visibility into the performance, availability, and health of your applications and infrastructure. | Monitoring Viewer | monitoring.alertPolicies.list, monitoring.metricDescriptors.get, redis.instances.list, monitoring.notificationChannels.list, resourcemanager.folders.getIamPolicy, monitoring.groups.list, monitoring.snoozes.list | Every project that the service account can access, and the source project where the service account is created for enabling monitoring and protection using Prisma Cloud |
| Stackdriver Logging API | logging.googleapis.com | Writes log entries and manages your Logging configuration. | Logging Admin | logging.buckets.list, logging.logEntries.list, logging.logMetrics.get, logging.logMetrics.list, logging.sinks.get, logging.sinks.list, logging.exclusions.list, logging.cmekSettings.get | Every project that the service account can access |
| Google Web Security Scanner | | | | | |
APIwebsecurityscanner.googleapis.comIdentifies security vulnerabilities in your App Engine, Google Kubernetes Engine (GKE), and Compute Engine web applications.Web Security Scanner Viewercloudsecurityscanner.scans.listProject where you have created the service accountGoogle Workflowsworkflows.googleapis.comWorkflows is a fully-managed orchestration platform to execute services in a defined order.Project Viewerworkflows.locations.listworkflows.workflows.listEvery project that the service account can accessCloud Spanner backupsspanner.googleapis.comA backup of a Cloud Spanner database.Project Viewerspanner.backups.listspanner.backups.getIamPolicySource project and destination.Google Service Directoryservicedirectory.googleapis.comA managed service that enhances service inventory management at scale and reduces the complexity of management and operations by providing a single place to publish, discover, and connect services.Project Viewerservicedirectory.namespaces.listservicedirectory.namespaces.getIamPolicyservicedirectory.services.listservicedirectory.services.getIamPolicyservicedirectory.endpoints.listEvery project that the service account can accessGCP Organization - Additional permissions required to onboardOrganization Role ViewerThe Organization Role Viewer is required for onboarding a GCP Organization. If you only provide the individual permissions listed below, the permissions set is not sufficient.resourcemanager.organizations.getresourcemanager.projects.listresourcemanager.organizations.getIamPolicyN/A
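A pre-flight check that honours the table's scope column (rows scoped to the source project are checked there only; rows scoped to every project are checked in each project the service account can reach) and the rule that Organization Role Viewer must be bound as a role. This is an added example, not Prisma Cloud's tooling; the project names and held-permission sets are constructed, and in practice they would come from the `projects.testIamPermissions` and `organizations.getIamPolicy` APIs.

```python
"""Pre-flight check of the service-account permissions in the table above.

Added example, not part of the original page. Input data is constructed;
real values would be gathered with cloudresourcemanager
projects.testIamPermissions (per project) and organizations.getIamPolicy.
"""
from dataclasses import dataclass

# Scope values mirror the last column of the table above.
SOURCE_PROJECT = "source"  # "Project where you have created the service account"
EVERY_PROJECT = "every"    # "Every project that the service account can access"

@dataclass(frozen=True)
class Requirement:
    service: str
    scope: str
    permissions: tuple

# A subset of rows from the table; permission strings copied from it.
REQUIREMENTS = (
    Requirement("Kubernetes Engine API", SOURCE_PROJECT,
                ("container.clusters.get", "container.clusters.list")),
    Requirement("Service Usage API", EVERY_PROJECT,
                ("serviceusage.services.list",)),
    Requirement("Stackdriver Logging API", EVERY_PROJECT,
                ("logging.sinks.list", "logging.logEntries.list")),
)

# The table states the role itself is required; its permissions alone are not.
ORG_ROLE_VIEWER = "roles/iam.organizationRoleViewer"

def missing_permissions(source_project, granted, requirements=REQUIREMENTS):
    """Return {project: {service: [missing permissions]}} honouring each row's scope.

    granted maps project id -> set of permissions testIamPermissions reported as held.
    """
    gaps = {}
    for req in requirements:
        projects = [source_project] if req.scope == SOURCE_PROJECT else list(granted)
        for project in projects:
            held = granted.get(project, set())
            missing = [p for p in req.permissions if p not in held]
            if missing:
                gaps.setdefault(project, {})[req.service] = missing
    return gaps

def org_onboarding_ready(org_roles_bound):
    """True only when the Organization Role Viewer role is bound at org level."""
    return ORG_ROLE_VIEWER in org_roles_bound

if __name__ == "__main__":
    # Constructed sample: the SA lives in "sa-project"; "app-b" lacks a logging permission.
    sample = {"sa-project": {"container.clusters.get", "container.clusters.list",
                             "serviceusage.services.list", "logging.sinks.list",
                             "logging.logEntries.list"},
              "app-b": {"serviceusage.services.list", "logging.sinks.list"}}
    print(missing_permissions("sa-project", sample))
```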
GCP Cloud Asset Inventory
The GCP Cloud Asset Inventory (CAI) service allows you to search asset metadata within a project, folder, or organization using a single API instead of separate individual API calls to get the metadata. Prisma Cloud has adopted the CAI service for a few GCP services. The CAI service reduces the number of API calls to GCP and shortens the time it takes to report on assets in Prisma Cloud. CAI is enabled by default on Prisma Cloud.
The following GCP services (APIs) have CAI support on Prisma Cloud:
- KMS (Get IAM policy, List Keyrings, and Cryptokeys)
- Pub-Sub (Get IAM policy)
- Dataproc (Get IAM policy)
- Cloud Function (Get IAM policy)
- Cloud Run (Get IAM policy)
- BigQuery (Get IAM policy, List BigQuery Datasets, and Tables)
- Compute Instance (Get IAM policy)