Add your GCP Organization and folders to Prisma Cloud
to ingest and monitor your data.
Begin here to add a GCP Organization and folders
to Prisma™ Cloud. If you have added a GCP project to Prisma Cloud
and you now want to add the GCP Organization to which the project
belongs, the existing GCP project is moved under the Organization
in Prisma Cloud.
When you add the GCP Organization to Prisma
Cloud, you can specify which folders and projects to include or
exclude under the organization resource hierarchy.
Review the best practices for onboarding your
GCP Organization to Prisma Cloud.
Enable the GCP APIs on each GCP project.
For the cloud services that you want Prisma Cloud to monitor
or monitor and protect, you must enable the APIs listed in Permissions and APIs Required for GCP Account on Prisma Cloud. If a cloud
service API is not enabled on a GCP project, Prisma Cloud skips
the ingestion for the respective service; you must, however, ensure
that Service Usage API is enabled on each GCP project that you want
Prisma Cloud to monitor or monitor and protect under your GCP Organization
hierarchy.
To skip ingestion for a cycle, Prisma cloud watches
the response from the Service Usage API for the details on which
cloud services are enabled in a GCP project. For example, if you
have not enabled cloud functions in one or more GCP projects within
the GCP Organization, Prisma cloud can learn about it and skip the ingestion
cycle for this cloud service.
Create the service account in a dedicated GCP project.
GCP enforces a limit on the API calls allowed to a GCP
project/IAM service account. When you create the service account
in a dedicated GCP project, you can ensure that the API calls that
Prisma Cloud makes do not interfere with any quota limits against
your production workloads and services hosted in the separate GCP
project.
Verify that you have granted all the required permissions
to the Prisma Cloud service account.
If the service account does not have the IAM permissions
required to retrieve data, Prisma Cloud skips ingestion of the respective
cloud.service(s) for your onboarded account.
A cloud account name is auto-populated for you. You can
replace it with a cloud account name that uniquely identifies this
GCP organization on Prisma™ Cloud.
Select the
Mode
.
Decide whether to enable permissions to only monitor (read-only
access) or to monitor and protect (read-write access) the resources
in your cloud account. Your selection determines which Terraform
template is used to automate the process of creating the service
account and attaching the roles required for Prisma Cloud.
Select
Organization
for
Onboard
and
enter additional details.
Enter your
Organization Name
and
Organization
ID
.
All the GCP projects under the Organization hierarchy—current
and future—will be monitored by Prisma Cloud. To find your GCP Organization
ID, log in to the GCP console and select
your organization.
Enter your
Project ID
and the
name of your
Flow Log Storage Bucket
.
Make sure to enter your Project ID and not your Project Number.
(
Optional
) Enable
Use Dataflow
to generate compressed logs
.
The Terraform template does not enable flow logs, and you
must complete the workflow in Enable Flow Logs for GCP Organization for Prisma
Cloud to retrieve flow logs. Additionally, if you want to enable
flow log compression on Prisma cloud and address the lack of native
compression support for flow logs sink setup on GCP, you must do
it manually too. When you enable log compression, Prisma Cloud sets
up the network and compute resources required for flow log compression
and this can take up to five minutes.
When you enable
flow logs, the service ingests flow log data for the last seven
days. Then if flow logs become unavailable for any reason such as
if you manually disabled flow logs, modified API permissions, or
an internal error occurred, when access is restored, logs from the
preceding seven days only are ingested.
Enter the Project ID where you enabled the Cloud Dataflow service
and click
Next
.
It is best if this project is where you send your VPC flow
logs too.
Set up the Service Account for Prisma Cloud.
A service account is an identity to which you can grant
granular permissions instead of creating individual user accounts.
To monitor all the GCP projects that are within the GCP Organizational
hierarchy, the service account requires four roles. Of the four
roles, three are common for granting permissions at the GCP project
level too; the Organization Role Viewer and Folder Viewer roles
are additionally required to grant access to the Organization's
properties:
Viewer—Primitive role.
(
Required for Prisma Cloud Compute, Optional for Prisma
Cloud
) Compute Security Admin—Predefined role.
Prisma Cloud Viewer—Custom role.
Organization Role Viewer—Predefined role.
Folder Viewer—Predefined role.
Download the Terraform template for the
mode you selected.
Prisma Cloud recommends that you create a directory to
store the Terraform template you download. This allows you to manage
the templates when you add a different Google organization to Prisma
Cloud. Give the directory a name that uniquely identifies the subscription
for which you're using it (for example, onboard-<subscription-name>).
Open a new tab on your browser and sign in to the
Google Cloud Shell.
Upload the template to the Google Cloud Shell.
After the Terraform script is ran, a JSON file will be
created that saves the credentials to a file with the following
format:
OrgId-randomString.json
Enable the GCP APIs.
In the GCP project where you created the service account,
you must enable the Stackdriver Logging API (logging.googleapis.com)
to monitor audit logs, and any other GCP APIs for which you
want Prisma Cloud to monitor resources. For example, in the Google
Cloud Shell, enter:
This
is not an exhaustive list of the GCP APIs. To view the most recent
list, view GCP APIs.
Select the projects you want to add to Prisma Cloud.
Select the projects to include or exclude.
You can choose to include:
All
projects
included within the organization hierarchy.
Include a subset
or
Exclude a
subset
of projects. Select the relevant tab and choose
the projects to include or exclude.
When you select a folder,
all existing projects within that folder or sub-folder are onboarded
to Prisma Cloud. The periodic sync also checks for any new projects
and sub-folders that you subsequently add on the cloud platform
and adds them to Prisma Cloud.
Resolve any missing permissions or errors.
If the service account does not have adequate permissions,
the following warning displays.
If
the folders permissions are missing, the option to
AutoMap
and
create account groups recursively based on your GCP resource hierarchy
is disabled.
If the service account is deleted,
or disabled or when the key is deleted on the Google Cloud console,
the following error displays.
Configure Account Groups.
You have two options for assigning account groups to this
GCP organization account.
Select an account group manually.
With
Automap
disabled,
you can select the account groups and assign it to this account.
Or,
if you selected
Exclude a subset
of folders,
the ability to
Maintain recursive hierarchy
is
disabled and you must select account groups manually.
Allow Prisma Cloud to create account groups automatically.
Based on the folders you selected earlier, Prisma Cloud
can automatically create account groups and keep it synchronized
with the GCP resource hierarchy.
Select
Automap
,
to create an account group for each top-level folder in the hierarchy.
Select
Maintain Recursive Hierarchy
to create
account groups for the folders that are nested within your GCP organization hierarchy.
When
you choose to create account groups recursively, each account group includes
a list of all GCP projects nested within the heirarchical folder
structure as you see it on the GCP console. Because the account
groups are organized in a flat structure on Prisma Cloud, you cannot
see the mapping visually.
Account
groups that are created automatically are indicated with
, and cannot be
edited on Prisma Cloud. See create account groups for
more details.
of
your GCP Organization to Prisma Cloud and click
Done
.
If you are missing permissions for the GCP IAM role to successfully
ingest data from your GCP Organization, the icon displays red or amber
and the details of the permission gaps display on screen.
When
you have nested projects allow 10-30 minutes for the auto created
account groups to display on Prisma Cloud.
To view the
audit logs select
Settings
Audit Logs
, and to view the
auto created account groups select
Settings
Account Groups
. The progress
of the onboarding status is available as an audit log, and on successful
completion a message will display:
On-boarding completed for Google Cloud Platform type Organization <name you specified>, initiated by <admin>'(withe role <rolename>).
It
will take a maximum of 30 minutes for projects to appear on Prisma
Cloud.
You can review the status and take necessary
actions to resolve any issues encountered during the onboarding
process by viewing the
Cloud Accounts
page.
It takes between 4-24 hours for the flow log data to be exported
and analyzed before you can review it on Prisma Cloud. To verify
if the flow log data from your GCP Organization have been analyzed,
you can run a network query on the
Investigate
page.
After you add the GCP Organization to Prisma Cloud, you must
create a support request to delete the GCP Organization or the projects within
your GCP Organization. You cannot delete the account from Prisma
Cloud.
Because Prisma Cloud has access to all projects associated
with a Service Account, if you want to remove access to a project
that is associated with the Service Account, you must remove the
project from the Service Account on the GCP IAM console. In the
next scanning cycle, the project is excluded and Prisma Cloud no
longer has access to the project.
Go to
Cloud Accounts
, locate
your GCP account and view the status.
Verify the projects that are onboarded to Prisma Cloud.
Select the cloud account name and review the list of projects
to verify the include/exclude selections you made earlier.
Go to
Investigate
, replace
the name with your GCP Cloud Account name and enter the following
network query.
This query allows you to list all network traffic from
the Internet or from Suspicious IP addresses with over 0 bytes of
data transferred to a network interface on any resource on any cloud
environment.
network from vpc.flow_record where source.publicnetwork IN ('Internet IPs', 'Suspicious IPs') AND bytes > 0
If the folders permissions are missing, the option toAutoMapand create account groups recursively based on your GCP resource hierarchy is disabled.If the service account is deleted, or disabled or when the key is deleted on the Google Cloud console, the following error displays.
Account groups that are created automatically are indicated with
, and cannot be
edited on Prisma Cloud. See create account groups for
more details. 
If you are missing permissions for the GCP IAM role to successfully ingest data from your GCP Organization, the icon displays red or amber and the details of the permission gaps display on screen.When you have nested projects allow 10-30 minutes for the auto created account groups to display on Prisma Cloud.
On-boarding completed for Google Cloud Platform type Organization <name you specified>, initiated by <admin>'(withe role <rolename>).It will take a maximum of 30 minutes for projects to appear on Prisma Cloud.You can review the status and take necessary actions to resolve any issues encountered during the onboarding process by viewing theCloud Accountspage. It takes between 4-24 hours for the flow log data to be exported and analyzed before you can review it on Prisma Cloud. To verify if the flow log data from your GCP Organization have been analyzed, you can run a network query on theInvestigatepage.
