Add Your GCP Organization to Prisma Cloud

Add your GCP Organization and folders to Prisma Cloud to ingest and monitor your data.
Begin here to add a GCP Organization and folders to Prisma™ Cloud. If you have added a GCP project to Prisma Cloud and you now want to add the GCP Organization to which the project belongs, the existing GCP project is moved under the Organization in Prisma Cloud.
When you add the GCP Organization to Prisma Cloud, you can specify which folders and projects to include or exclude under the organization resource hierarchy.
  1. Review the best practices for onboarding your GCP Organization to Prisma Cloud.
    1. Enable the GCP APIs on each GCP project.
      For the cloud services that you want Prisma Cloud to monitor or monitor and protect, you must enable the APIs listed in Permissions and APIs Required for GCP Account on Prisma Cloud. If a cloud service API is not enabled on a GCP project, Prisma Cloud skips the ingestion for the respective service; you must, however, ensure that Service Usage API is enabled on each GCP project that you want Prisma Cloud to monitor or monitor and protect under your GCP Organization hierarchy.
      To skip ingestion for a cycle, Prisma cloud watches the response from the Service Usage API for the details on which cloud services are enabled in a GCP project. For example, if you have not enabled cloud functions in one or more GCP projects within the GCP Organization, Prisma cloud can learn about it and skip the ingestion cycle for this cloud service.
    2. Create the service account in a dedicated GCP project.
      GCP enforces a limit on the API calls allowed to a GCP project/IAM service account. When you create the service account in a dedicated GCP project, you can ensure that the API calls that Prisma Cloud makes do not interfere with any quota limits against your production workloads and services hosted in the separate GCP project.
    3. Verify that you have granted all the required permissions to the Prisma Cloud service account.
      If the service account does not have the IAM permissions required to retrieve data, Prisma Cloud skips ingestion of the respective cloud.service(s) for your onboarded account.
  2. Access Prisma Cloud and select
    Settings
    Cloud Accounts
    Add New
    .
  3. Select
    Google Cloud
    as the
    Cloud to Protect
    .
  4. Enter a
    Cloud Account Name
    .
    A cloud account name is auto-populated for you. You can replace it with a cloud account name that uniquely identifies this GCP organization on Prisma™ Cloud.
  5. Select the
    Mode
    .
    Decide whether to enable permissions to only monitor (read-only access) or to monitor and protect (read-write access) the resources in your cloud account. Your selection determines which Terraform template is used to automate the process of creating the service account and attaching the roles required for Prisma Cloud.
  6. Select
    Organization
    for
    Onboard
    and enter additional details.
    1. Enter your
      Organization Name
      and
      Organization ID
      .
      All the GCP projects under the Organization hierarchy—current and future—will be monitored by Prisma Cloud. To find your GCP Organization ID, log in to the GCP console and select your organization.
    2. Enter your
      Project ID
      and the name of your
      Flow Log Storage Bucket
      .
      Make sure to enter your Project ID and not your Project Number.
    3. (
      Optional
      ) Enable
      Use Dataflow to generate compressed logs
      .
      The Terraform template does not enable flow logs, and you must complete the workflow in Enable Flow Logs for GCP Organization for Prisma Cloud to retrieve flow logs. Additionally, if you want to enable flow log compression on Prisma cloud and address the lack of native compression support for flow logs sink setup on GCP, you must do it manually too. When you enable log compression, Prisma Cloud sets up the network and compute resources required for flow log compression and this can take up to five minutes.
      When you enable flow logs, the service ingests flow log data for the last seven days. Then if flow logs become unavailable for any reason such as if you manually disabled flow logs, modified API permissions, or an internal error occurred, when access is restored, logs from the preceding seven days only are ingested.
    4. Enter the Project ID where you enabled the Cloud Dataflow service and click
      Next
      .
      It is best if this project is where you send your VPC flow logs too.
  7. Set up the Service Account for Prisma Cloud.
    A service account is an identity to which you can grant granular permissions instead of creating individual user accounts. To monitor all the GCP projects that are within the GCP Organizational hierarchy, the service account requires four roles. Of the four roles, three are common for granting permissions at the GCP project level too; the Organization Role Viewer and Folder Viewer roles are additionally required to grant access to the Organization's properties:
    • Viewer—Primitive role.
    • (
      Required for Prisma Cloud Compute, Optional for Prisma Cloud
      ) Compute Security Admin—Predefined role.
    • Prisma Cloud Viewer—Custom role.
    • Organization Role Viewer—Predefined role.
    • Folder Viewer—Predefined role.
    1. Download the Terraform template for the mode you selected.
      Prisma Cloud recommends that you create a directory to store the Terraform template you download. This allows you to manage the templates when you add a different Google organization to Prisma Cloud. Give the directory a name that uniquely identifies the subscription for which you're using it (for example, onboard-<subscription-name>).
    2. Open a new tab on your browser and sign in to the Google Cloud Shell.
    3. Upload the template to the Google Cloud Shell.
      After the Terraform script is ran, a JSON file will be created that saves the credentials to a file with the following format:
      OrgId-randomString.json
    4. Enable the GCP APIs.
      In the GCP project where you created the service account, you must enable the Stackdriver Logging API (logging.googleapis.com) to monitor audit logs, and any other GCP APIs for which you want Prisma Cloud to monitor resources. For example, in the Google Cloud Shell, enter:
      gcloud services enable compute.googleapis.com sqladmin.googleapis.com sql-component.googleapis.com storage-component.googleapis.com appengine.googleapis.com iam.googleapis.com container.googleapis.com logging.googleapis.com monitoring.googleapis.com cloudresourcemanager.googleapis.com cloudkms.googleapis.com bigquery-json.googleapis.com dns.googleapis.com dataflow.googleapis.com
      This is not an exhaustive list of the GCP APIs. To view the most recent list, view GCP APIs.
  8. Select the projects you want to add to Prisma Cloud.
    1. Select the projects to include or exclude.
      You can choose to include:
      • All projects
        included within the organization hierarchy.
      • Include a subset
        or
        Exclude a subset
        of projects. Select the relevant tab and choose the projects to include or exclude.
        When you select a folder, all existing projects within that folder or sub-folder are onboarded to Prisma Cloud. The periodic sync also checks for any new projects and sub-folders that you subsequently add on the cloud platform and adds them to Prisma Cloud.
    2. Resolve any missing permissions or errors.
      If the service account does not have adequate permissions, the following warning displays.
      If the folders permissions are missing, the option to
      AutoMap
      and create account groups recursively based on your GCP resource hierarchy is disabled.
      If the service account is deleted, or disabled or when the key is deleted on the Google Cloud console, the following error displays.
  9. Configure Account Groups.
    You have two options for assigning account groups to this GCP organization account.
    1. Select an account group manually.
      With
      Automap
      disabled, you can select the account groups and assign it to this account.
      Or, if you selected
      Exclude a subset
      of folders, the ability to
      Maintain recursive hierarchy
      is disabled and you must select account groups manually.
    2. Allow Prisma Cloud to create account groups automatically.
    Based on the folders you selected earlier, Prisma Cloud can automatically create account groups and keep it synchronized with the GCP resource hierarchy.
    1. Select
      Automap
      , to create an account group for each top-level folder in the hierarchy.
    2. Select
      Maintain Recursive Hierarchy
      to create account groups for the folders that are nested within your GCP organization hierarchy.
      When you choose to create account groups recursively, each account group includes a list of all GCP projects nested within the heirarchical folder structure as you see it on the GCP console. Because the account groups are organized in a flat structure on Prisma Cloud, you cannot see the mapping visually.
      Account groups that are created automatically are indicated with , and cannot be edited on Prisma Cloud. See create account groups for more details.
    3. Create an Alert Rule for Run-Time Checks to associate the account group with it to generate alerts when a policy violation occurs.
  10. Verify the onboarding
    Status
    of your GCP Organization to Prisma Cloud and click
    Done
    .
    If you are missing permissions for the GCP IAM role to successfully ingest data from your GCP Organization, the icon displays red or amber and the details of the permission gaps display on screen.
    When you have nested projects allow 10-30 minutes for the auto created account groups to display on Prisma Cloud.
    To view the audit logs select
    Settings
    Audit Logs
    , and to view the auto created account groups select
    Settings
    Account Groups
    . The progress of the onboarding status is available as an audit log, and on successful completion a message will display:
    On-boarding completed for Google Cloud Platform type Organization <name you specified>, initiated by <admin>'(withe role <rolename>).
    It will take a maximum of 30 minutes for projects to appear on Prisma Cloud.
    You can review the status and take necessary actions to resolve any issues encountered during the onboarding process by viewing the
    Cloud Accounts
    page. It takes between 4-24 hours for the flow log data to be exported and analyzed before you can review it on Prisma Cloud. To verify if the flow log data from your GCP Organization have been analyzed, you can run a network query on the
    Investigate
    page.
    • After you add the GCP Organization to Prisma Cloud, you must create a support request to delete the GCP Organization or the projects within your GCP Organization. You cannot delete the account from Prisma Cloud.
    • Because Prisma Cloud has access to all projects associated with a Service Account, if you want to remove access to a project that is associated with the Service Account, you must remove the project from the Service Account on the GCP IAM console. In the next scanning cycle, the project is excluded and Prisma Cloud no longer has access to the project.
    1. Go to
      Cloud Accounts
      , locate your GCP account and view the status.
    2. Verify the projects that are onboarded to Prisma Cloud.
      Select the cloud account name and review the list of projects to verify the include/exclude selections you made earlier.
    3. Go to
      Investigate
      , replace the name with your GCP Cloud Account name and enter the following network query.
      This query allows you to list all network traffic from the Internet or from Suspicious IP addresses with over 0 bytes of data transferred to a network interface on any resource on any cloud environment.
      network from vpc.flow_record where source.publicnetwork IN ('Internet IPs', 'Suspicious IPs') AND bytes > 0

Recommended For You