Add your GCP Organization and folders to Prisma Cloud
to ingest and monitor your data.
Begin here to add a GCP Organization and folders
to Prisma Cloud. If you have added a GCP project to Prisma Cloud
and you now want to add the GCP Organization to which the project
belongs, the existing GCP project is moved under the Organization
in Prisma Cloud.
When you add the GCP Organization to Prisma
Cloud, you can specify which folders and projects to include or
exclude under the organization resource hierarchy.
Review the best practices for onboarding your
GCP Organization to Prisma Cloud.
Enable the GCP APIs on each GCP project.
For the cloud services that you want Prisma Cloud to monitor
or monitor and protect, you must enable the APIs listed in Permissions and Roles for GCP Account on Prisma Cloud. If a cloud
service API is not enabled on a GCP project, Prisma Cloud skips
the ingestion for the respective service; you must, however, ensure
that Service Usage API is enabled on each GCP project that you want
Prisma Cloud to monitor or monitor and protect under your GCP Organization
hierarchy.
Prisma Cloud uses the response from the Service Usage API to learn which cloud service APIs are enabled in each GCP project, and it skips ingestion for a service wherever that service is not enabled. For example, if you have not enabled Cloud Functions in one or more GCP projects within the GCP Organization, Prisma Cloud detects this and skips the ingestion cycle for that service in those projects.
Create the service account in a dedicated GCP project.
GCP enforces quotas on the API calls that a GCP project and its IAM service accounts can make. When you create the service account in a dedicated GCP project, the API calls that Prisma Cloud makes count against that project's quotas and do not compete with the quotas of your production workloads and services hosted in other GCP projects.
Verify that you have granted all the required permissions
to the Prisma Cloud service account.
If the service account does not have the IAM permissions required to retrieve data, Prisma Cloud skips ingestion of the respective cloud service(s) for your onboarded account.
A cloud account name is auto-populated for you. You can
replace it with a cloud account name that uniquely identifies this
GCP organization on Prisma™ Cloud.
Select the Mode.
Decide whether to enable permissions to only monitor (read-only
access) or to monitor and protect (read-write access) the resources
in your cloud account. Your selection determines which Terraform
template is used to automate the process of creating the service
account and attaching the roles required for Prisma Cloud.
Select Organization for Onboard Using and enter additional details.
Enter your Organization Name and Organization ID.
All the GCP projects under the Organization hierarchy—current
and future—will be monitored by Prisma Cloud. To find your GCP Organization
ID, log in to the GCP console and select
your organization.
Enter your Project ID and the name of your Flow Log Storage Bucket.
(Optional) Enable Use Dataflow to generate compressed logs.
The Terraform template does not enable flow logs; you must complete the workflow in Enable Flow Logs for GCP Organization for Prisma Cloud to retrieve flow logs. Additionally, because the flow log sink setup on GCP has no native compression support, you must also manually enable flow log compression on Prisma Cloud if you want it. When you enable log compression, Prisma Cloud sets up the network and compute resources required for flow log compression, and this can take up to five minutes.
When you enable flow logs, the service ingests flow log data for the preceding seven days. If flow logs later become unavailable for any reason, such as when you manually disable flow logs, modify API permissions, or an internal error occurs, then once access is restored only the logs from the seven days preceding the restoration are ingested.
Enter the Project ID where you enabled the Cloud Dataflow service and click Next.
It is best if this project is also the one to which you send your VPC flow logs.
Set up the Service Account for Prisma Cloud.
A service account is an identity to which you can grant granular permissions instead of creating individual user accounts. To monitor all the GCP projects within the GCP Organization hierarchy, the service account requires the roles listed below. The first three are the same roles used when granting permissions at the GCP project level; the Organization Role Viewer and Folder Viewer roles are additionally required to grant access to the Organization's properties:
Viewer—Primitive role.
(Required for Prisma Cloud Compute, Optional for Prisma Cloud) Compute Security Admin—Predefined role.
RedLock Viewer—Custom role.
Organization Role Viewer—Predefined role.
Folder Viewer—Predefined role.
Download the Terraform template for the mode you selected.
Prisma Cloud recommends that you create a directory to store the Terraform template you download. This allows you to keep the templates apart when you later add a different Google organization to Prisma Cloud. Give the directory a name that uniquely identifies the organization for which you're using it (for example, onboard-<organization-name>).
Open a new tab on your browser and sign in to the
Google Cloud Shell.
Upload the template to the Google Cloud Shell.
Run the following Terraform commands to generate the Service Account:
terraform init
terraform apply
Review the plan that terraform apply prints before you confirm it. If the template also generates the service account key, the key's private material is recorded in the Terraform state file; treat that state file as a secret (restrict its permissions and do not leave copies in shared locations).
Upload your Service Account Key (JSON) file, review the GCP onboarding configuration displayed on screen to verify that it is correct, and click Next.
The service account security key is used for service-to-service
authentication within GCP. The private key file is required to authenticate
API calls between your GCP projects and Prisma Cloud.
If you are on a PC and copy the JSON file contents from the Google Cloud Shell output, the content is formatted as wrapped text instead of valid JSON. When you upload this file to Prisma Cloud, the Invalid JSON file error displays. To fix the error, use a JSON formatting tool or an editor such as Sublime or Atom to restore the structure (in particular, the private key value must be a single line, with its line breaks represented as \n escapes), and validate the JSON before you upload the file to Prisma Cloud. Downloading the file from Cloud Shell (cloudshell download <file>) instead of copying its printed contents avoids the problem entirely.
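A quick way to catch this before the upload, as an added example that is not part of the original page or of Prisma Cloud's own tooling: the script below checks a key file for the fields the upload needs, for the wrapped private key value the error above refers to, and for file permissions that would expose the key to other users on the machine. It is a targeted check, not a full JSON validator. The sample files it writes are constructed for the demonstration and contain no real key material; the project name and service account e-mail in them are placeholders.

```shell
#!/bin/sh
# check-sa-key.sh -- added example, not code from the page or from Prisma Cloud.
# Sanity-checks a service account key file before it is uploaded, catching the
# "Invalid JSON file" case (private_key value broken across lines) with nothing
# beyond POSIX sh, grep and ls. Targeted check, not a full JSON validator.

check_sa_key() {
  f="$1"
  [ -f "$f" ] || { echo "$f: no such file"; return 1; }

  # 1. Fields Prisma Cloud needs to authenticate as the service account.
  for field in type project_id private_key_id private_key client_email; do
    grep -q "\"$field\"" "$f" || { echo "$f: missing \"$field\""; return 1; }
  done
  grep -q '"type": *"service_account"' "$f" \
    || { echo "$f: type is not service_account"; return 1; }

  # 2. A JSON string cannot contain a raw newline, so in a valid key file the
  #    whole PEM block sits on the "private_key" line joined by escaped "\n".
  #    Text copied from a terminal wraps the PEM and moves the END marker to a
  #    later line; that is exactly what the upload rejects.
  if ! grep '"private_key"' "$f" \
       | grep -q -- '-----BEGIN PRIVATE KEY-----.*-----END PRIVATE KEY-----'; then
    echo "$f: private_key is split across lines; join it into one JSON string"
    return 1
  fi

  # 3. The key is a long-lived credential: refuse files other users can read.
  case "$(ls -l "$f" | cut -c5-10)" in
    ------) ;;
    *) echo "$f: readable by group/others; run: chmod 600 $f"; return 1 ;;
  esac
  echo "$f: ok"
}

# Constructed samples (no real key material): one well-formed key file and one
# whose PEM block has been wrapped the way pasted terminal output is.
write_samples() {
  dir="$1"
  cat > "$dir/good.json" <<'EOF'
{
  "type": "service_account",
  "project_id": "sa-project",
  "private_key_id": "0123456789abcdef",
  "private_key": "-----BEGIN PRIVATE KEY-----\nNOTAREALKEY0000000000000000\n-----END PRIVATE KEY-----\n",
  "client_email": "prisma-cloud@sa-project.iam.gserviceaccount.com"
}
EOF
  cat > "$dir/bad.json" <<'EOF'
{
  "type": "service_account",
  "project_id": "sa-project",
  "private_key_id": "0123456789abcdef",
  "private_key": "-----BEGIN PRIVATE KEY-----
NOTAREALKEY0000000000000000
-----END PRIVATE KEY-----
",
  "client_email": "prisma-cloud@sa-project.iam.gserviceaccount.com"
}
EOF
  chmod 600 "$dir/good.json" "$dir/bad.json"
}

# Usage: sh check-sa-key.sh KEY.json ...   or   sh check-sa-key.sh --demo
case "${1:-}" in
  --demo)
    d=$(mktemp -d)
    write_samples "$d"
    check_sa_key "$d/good.json"
    check_sa_key "$d/bad.json" || true
    rm -rf "$d"
    ;;
  "") ;;   # no arguments: only define the functions
  *) for f in "$@"; do check_sa_key "$f"; done ;;
esac
```

Run it against the downloaded file before the upload; a non-zero exit tells you which of the three checks failed. Once the key has been uploaded and the onboarding status is green, delete the local copy, since the file is a bearer credential for every project the service account can see.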
Select the projects you want to add to Prisma Cloud.
You can choose to include:
All projects included within the organization hierarchy.
Include a subset or Exclude a subset of projects. Select the relevant tab and choose the projects to include or exclude.
When you select a folder,
all existing projects within that folder or sub-folder are onboarded
to Prisma Cloud. The periodic sync also checks for any new projects
and sub-folders that you subsequently add on the cloud platform
and adds them to Prisma Cloud.
Resolve any missing permissions or errors.
If the service account does not have adequate permissions, an error listing the missing permissions displays. A different message indicates that there is an issue with the service account itself; this error occurs when the service account is deleted or disabled, or when its key is deleted on the Google Cloud console.
Enable the GCP APIs.
In the GCP project where you created the service account,
you must enable the Stackdriver Logging API (logging.googleapis.com)
to monitor audit logs, and any other GCP APIs for which you
want Prisma Cloud to monitor resources. For example, in the Google
Cloud Shell, enter:
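The following script, added here as an example and not code from the page or from Prisma Cloud, covers this step together with the earlier ones on verifying permissions: it checks that the service account holds the Organization-level roles listed under Set up the Service Account for Prisma Cloud, and that each project to be ingested has the required APIs enabled (Service Usage in every project, Logging for audit logs). The organization ID, service account e-mail, custom role ID and the API list in it are assumed placeholders; take the full API list from Permissions and Roles for GCP Account on Prisma Cloud and the custom role ID from the Terraform output. Run it in the Google Cloud Shell as the user who ran Terraform.

```shell
#!/bin/sh
# prisma-gcp-preflight.sh -- added example, not code from the page or from Prisma Cloud.
# Verifies the two things the onboarding status screen reports as gaps:
#   1. the service account holds, on the Organization resource, the roles the
#      page lists under "Set up the Service Account for Prisma Cloud";
#   2. every project to be ingested has the required APIs enabled.
# Placeholders (assumptions, replace with your own values): ORG_ID (from
# `gcloud organizations list`), SA_EMAIL, CUSTOM_ROLE (the ID of the custom
# "RedLock Viewer" role the Terraform template created) and REQUIRED_APIS,
# which is a subset; take the full list from "Permissions and Roles for GCP
# Account on Prisma Cloud".
set -eu

ORG_ID="${ORG_ID:-123456789012}"
SA_EMAIL="${SA_EMAIL:-prisma-cloud@sa-project.iam.gserviceaccount.com}"
CUSTOM_ROLE="${CUSTOM_ROLE:-organizations/$ORG_ID/roles/RedLockViewer}"

# Compute Security Admin is only required for Prisma Cloud Compute, so it is
# reported as informational rather than as a failure.
REQUIRED_ROLES="roles/viewer $CUSTOM_ROLE roles/iam.organizationRoleViewer roles/resourcemanager.folderViewer"
OPTIONAL_ROLES="roles/compute.securityAdmin"
# Service Usage is mandatory everywhere (Prisma Cloud reads it to learn which
# other APIs are enabled); Logging is needed for audit logs.
REQUIRED_APIS="serviceusage.googleapis.com logging.googleapis.com compute.googleapis.com"

# Print the space-separated items of $2 that do not occur in $1.
missing_items() {
  have=" $1 "
  out=""
  for item in $2; do
    case "$have" in
      *" $item "*) ;;
      *) out="$out $item" ;;
    esac
  done
  printf '%s\n' "${out# }"
}

# Roles bound to the service account directly on the Organization. Bindings
# made lower in the hierarchy are not shown here; bindings made here are
# inherited by every folder and project beneath.
org_roles() {
  gcloud organizations get-iam-policy "$ORG_ID" \
    --flatten='bindings[].members' \
    --filter="bindings.members=serviceAccount:$SA_EMAIL" \
    --format='value(bindings.role)' | tr '\n' ' '
}

check_roles() {
  granted=$(org_roles)
  optional=$(missing_items "$granted" "$OPTIONAL_ROLES")
  missing=$(missing_items "$granted" "$REQUIRED_ROLES")
  if [ -n "$optional" ]; then
    echo "info organizations/$ORG_ID: optional role not bound: $optional"
  fi
  if [ -n "$missing" ]; then
    echo "FAIL organizations/$ORG_ID: $SA_EMAIL lacks $missing"
    return 1
  fi
  echo "OK   organizations/$ORG_ID: required roles bound to $SA_EMAIL"
}

check_apis() {
  project="$1"
  # A project with Service Usage disabled cannot even be listed.
  if ! raw=$(gcloud services list --enabled --project "$project" --format='value(config.name)'); then
    echo "FAIL $project: cannot list services (is serviceusage.googleapis.com enabled?)"
    return 1
  fi
  missing=$(missing_items "$(printf '%s' "$raw" | tr '\n' ' ')" "$REQUIRED_APIS")
  if [ -z "$missing" ]; then
    echo "OK   $project: required APIs enabled"
  elif [ "${APPLY:-0}" = 1 ]; then
    echo "FIX  $project: enabling $missing"
    # word splitting of $missing is intended: one enable call for all of them
    gcloud services enable $missing --project "$project"
  else
    echo "FAIL $project: not enabled: $missing (rerun with APPLY=1 to enable)"
    return 1
  fi
}

# Usage: [APPLY=1] sh prisma-gcp-preflight.sh PROJECT_ID...
# Without arguments the script only defines the functions above.
if [ $# -gt 0 ]; then
  rc=0
  check_roles || rc=1
  for p in "$@"; do check_apis "$p" || rc=1; done
  exit $rc
fi
```

Run it as `sh prisma-gcp-preflight.sh proj-a proj-b` to report, or with `APPLY=1` to enable the missing APIs in place. Roles are only reported, never granted, because the Terraform template owns those bindings and drift between the two is easier to spot than to untangle.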
Select the account groups to associate to your GCP project and click Next.
You must assign each cloud account to an account group, and then Create an Alert Rule for Run-Time Checks that is associated with the account group, so that alerts are generated when a policy violation occurs.
Verify the onboarding Status of your GCP Organization to Prisma Cloud and click Done.
If you are missing permissions for the GCP IAM role to
successfully ingest data from your GCP Organization, the icon displays
red or amber and the details of the permission gaps display on screen.
You can review the status and take the necessary actions to resolve any issues encountered during the onboarding process by viewing the Cloud Accounts page. It takes between 4 and 24 hours for the flow log data to be exported and analyzed before you can review it on Prisma Cloud. To verify that the flow log data from your GCP Organization has been analyzed, you can run a network query on the Investigate page.
After you add the GCP Organization to Prisma Cloud, you cannot delete the account yourself from the Prisma Cloud interface; to delete the GCP Organization, or the projects within your GCP Organization, you must create a support request.
Because Prisma Cloud has access to all projects associated with the Service Account, if you want to remove access to a project that is associated with the Service Account, you must remove the project from the Service Account on the GCP IAM console. In the next scanning cycle, the project is excluded and Prisma Cloud no longer has access to the project. Note that roles bound at the Organization or folder level are inherited by every project beneath them and cannot be revoked by editing the project's own IAM policy; to stop Prisma Cloud from ingesting such a project, use the Exclude selection described above, or move the project out of the hierarchy that the binding covers.
Go to Cloud Accounts, locate your GCP account and view the status.
Verify the projects that are onboarded to Prisma Cloud.
Select the cloud account name and review the list of projects
to verify the include/exclude selections you made earlier.
Go to Investigate, replace the name with your GCP Cloud Account name and enter the following network query.
This query lists all network traffic from the Internet or from Suspicious IP addresses with more than 0 bytes of data transferred to a network interface on any resource in that cloud account.
network where cloud.account = '{{cloud account name}}' AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs') AND bytes > 0