Add Your GCP Organization to Prisma Cloud

Add your GCP Organization and folders to Prisma Cloud to ingest and monitor your data.
Begin here to add a GCP Organization and folders to Prisma Cloud. If you have added a GCP project to Prisma Cloud and you now want to add the GCP Organization to which the project belongs, the existing GCP project is moved under the Organization in Prisma Cloud.
When you add the GCP Organization to Prisma Cloud, you can specify which folders and projects to include or exclude under the organization resource hierarchy.
  1. Review the best practices for onboarding your GCP Organization to Prisma Cloud.
    1. Enable the GCP APIs on each GCP project.
      For the cloud services that you want Prisma Cloud to monitor or monitor and protect, you must enable the APIs listed in Permissions and Roles for GCP Account on Prisma Cloud. If a cloud service API is not enabled on a GCP project, Prisma Cloud skips ingestion for that service; you must, however, ensure that the Service Usage API is enabled on each GCP project that you want Prisma Cloud to monitor or monitor and protect under your GCP Organization hierarchy.
      To decide whether to skip ingestion for a cycle, Prisma Cloud checks the response from the Service Usage API, which reports which cloud services are enabled in a GCP project. For example, if you have not enabled Cloud Functions in one or more GCP projects within the GCP Organization, Prisma Cloud learns this from the response and skips the ingestion cycle for that cloud service in those projects.
    2. Create the service account in a dedicated GCP project.
      GCP enforces a limit on the API calls allowed to a GCP project/IAM service account. When you create the service account in a dedicated GCP project, you can ensure that the API calls that Prisma Cloud makes do not interfere with any quota limits against your production workloads and services hosted in the separate GCP project.
    3. Verify that you have granted all the required permissions to the Prisma Cloud service account.
      If the service account does not have the IAM permissions required to retrieve data, Prisma Cloud skips ingestion of the respective cloud service(s) for your onboarded account.
  2. Access Prisma Cloud and select Settings > Cloud Accounts > Add New.
  3. Select Google Cloud as the Cloud to Protect.
  4. Enter a Cloud Account Name.
    A cloud account name is auto-populated for you. You can replace it with a cloud account name that uniquely identifies this GCP organization on Prisma™ Cloud.
    [screenshot: add-gcp-step1.png]
  5. Select the Mode.
    Decide whether to enable permissions to only monitor (read-only access) or to monitor and protect (read-write access) the resources in your cloud account. Your selection determines which Terraform template is used to automate the process of creating the service account and attaching the roles required for Prisma Cloud.
  6. Select Organization for Onboard Using and enter additional details.
    [screenshot: add-gcp-step2-org.png]
    1. Enter your Organization Name and Organization ID.
      All the GCP projects under the Organization hierarchy—current and future—will be monitored by Prisma Cloud. To find your GCP Organization ID, log in to the GCP console and select your organization.
      [screenshot: gcp-organization-info.png]
    2. Enter your Project ID and the name of your Flow Log Storage Bucket.
    3. (Optional) Enable Use Dataflow to generate compressed logs.
      The Terraform template does not enable flow logs; you must complete the workflow in Enable Flow Logs for GCP Organization before Prisma Cloud can retrieve flow logs. Additionally, because GCP has no native compression support for the flow log sink setup, you must enable flow log compression on Prisma Cloud manually too. When you enable log compression, Prisma Cloud sets up the network and compute resources required for flow log compression; this can take up to five minutes.
      When you enable flow logs, the service ingests flow log data for the last seven days. If flow logs later become unavailable for any reason (for example, you manually disabled flow logs, modified API permissions, or an internal error occurred), then when access is restored only the logs from the preceding seven days are ingested.
    4. Enter the Project ID where you enabled the Cloud Dataflow service and click Next.
      It is best if this project is also the one to which you send your VPC flow logs.
  7. Set up the Service Account for Prisma Cloud.
    A service account is an identity to which you can grant granular permissions instead of creating individual user accounts. To monitor all the GCP projects that are within the GCP Organizational hierarchy, the service account requires four roles. Of the four roles, three are common for granting permissions at the GCP project level too; the Organization Role Viewer and Folder Viewer roles are additionally required to grant access to the Organization's properties:
    • Viewer—Primitive role.
    • (Required for Prisma Cloud Compute, optional for Prisma Cloud) Compute Security Admin—Predefined role.
    • RedLock Viewer—Custom role.
    • Organization Role Viewer—Predefined role.
    • Folder Viewer—Predefined role.
    1. Download the Terraform template for the mode you selected.
      Prisma Cloud recommends that you create a directory to store the Terraform template you download. This allows you to manage the templates when you add a different Google organization to Prisma Cloud. Give the directory a name that uniquely identifies the subscription for which you're using it (for example, onboard-<subscription-name>).
    2. Open a new tab on your browser and sign in to the Google Cloud Shell.
    3. Upload the template to the Google Cloud Shell.
    4. Run the following Terraform commands to generate the Service Account.
      1. terraform init
      2. terraform apply
    5. Upload your Service Account Key (JSON) file, review the GCP onboarding configuration displayed on screen to verify that it is correct, and click Next.
      The service account security key is used for service-to-service authentication within GCP. The private key file is required to authenticate API calls between your GCP projects and Prisma Cloud.
      If you are on a PC, when you copy the JSON file output from Google Cloud Shell the content is formatted as text instead of JSON. When you upload this file to Prisma Cloud, the Invalid JSON file error displays. To fix the error, use a JSON formatting tool such as Sublime or Atom (for example, the certificate value should be a single line), and validate the formatting before you upload the file to Prisma Cloud.
      [screenshot: add-gcp-step3.png]
      [screenshot: add-gcp-step-3-2.png]
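The "Invalid JSON file" symptom above is a private key value whose line breaks were copied as literal newlines instead of the `\n` escapes JSON requires. The following added script (not part of the Prisma Cloud documentation or product) checks a downloaded key file for that defect and for the fields a service-account key must carry, and re-escapes the PEM block so the file parses again. The sample key text is constructed for the demonstration; the key material in it is a placeholder, not a real key.

```python
import json
import re

# Fields Google writes into every service-account key file that the
# onboarding flow depends on (the real file carries a few more URLs).
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")

# Matches a private_key value whose PEM block contains literal line breaks,
# which is what a text-formatted copy from Cloud Shell looks like. A valid
# JSON file carries the two characters backslash-n in those places instead.
_RAW_PEM = re.compile(
    r'("private_key"\s*:\s*")'
    r'(-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----\r?\n?)'
    r'(")',
    re.DOTALL,
)


def repair_key_text(text):
    """Re-escape literal newlines inside the private_key value so the file
    parses as JSON again. Nothing outside the PEM block is changed, so any
    other defect still shows up in validate_key_text(). Idempotent on a
    file that is already valid."""
    def _escape(match):
        pem = match.group(2).replace("\r\n", "\n").replace("\n", "\\n")
        return match.group(1) + pem + match.group(3)
    return _RAW_PEM.sub(_escape, text)


def validate_key_text(text):
    """Return a list of problems with a key file; an empty list means it is
    well-formed JSON and describes a service account."""
    try:
        key = json.loads(text)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: %s (line %d)" % (exc.msg, exc.lineno)]
    if not isinstance(key, dict):
        return ["top-level value is not a JSON object"]
    problems = []
    for field in REQUIRED_FIELDS:
        if not key.get(field):
            problems.append("missing field: " + field)
    if key.get("type") != "service_account":
        problems.append("type is %r, expected 'service_account'" % key.get("type"))
    pem = key.get("private_key", "")
    if pem and not (pem.startswith("-----BEGIN") and pem.rstrip().endswith("-----")):
        problems.append("private_key is not a complete PEM block")
    email = key.get("client_email", "")
    if email and not email.endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a service-account address")
    return problems


# Constructed sample: a key file after a text-formatted copy from Cloud Shell
# broke the private_key value across lines. Placeholder key material only.
BROKEN_KEY_TEXT = '''{
  "type": "service_account",
  "project_id": "prisma-sa-project-example",
  "private_key_id": "0123456789abcdef",
  "private_key": "-----BEGIN PRIVATE KEY-----
PLACEHOLDER-KEY-MATERIAL-LINE-1-NOT-A-REAL-KEY
PLACEHOLDER-KEY-MATERIAL-LINE-2-NOT-A-REAL-KEY
-----END PRIVATE KEY-----
",
  "client_email": "prisma-cloud@prisma-sa-project-example.iam.gserviceaccount.com"
}'''


if __name__ == "__main__":
    print("before repair:", validate_key_text(BROKEN_KEY_TEXT))
    fixed = repair_key_text(BROKEN_KEY_TEXT)
    print("after repair: ", validate_key_text(fixed) or "OK")
```

Run it against the file you intend to upload (`validate_key_text(open(path).read())`); an empty result means the upload will at least parse, and a non-empty one names the field that needs attention before you try again.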
    6. Select the projects you want to add to Prisma Cloud.
      You can choose to include:
      • All projects included within the organization hierarchy.
      • Include a subset or Exclude a subset of projects. Select the relevant tab and choose the projects to include or exclude.
        When you select a folder, all existing projects within that folder or its sub-folders are onboarded to Prisma Cloud. The periodic sync also checks for any new projects and sub-folders that you subsequently add on the cloud platform and adds them to Prisma Cloud.
      [screenshot: add-gcp-step-3-3.png]
    7. Resolve any missing permissions or errors.
      If the service account does not have adequate permissions, the following error displays.
      [screenshot: gcp-permissions-folder-missing.png]
      If there is an issue with the service account itself, the following message displays. This error occurs when the service account is deleted or disabled, or when the key is deleted on the Google Cloud console.
      [screenshot: gcp-permissions-folder-error.png]
    8. Enable the GCP APIs.
      In the GCP project where you created the service account, you must enable the Stackdriver Logging API (logging.googleapis.com) to monitor audit logs, and any other GCP APIs for which you want Prisma Cloud to monitor resources. For example, in the Google Cloud Shell, enter:
      gcloud services enable compute.googleapis.com sqladmin.googleapis.com sql-component.googleapis.com storage-component.googleapis.com appengine.googleapis.com iam.googleapis.com container.googleapis.com logging.googleapis.com monitoring.googleapis.com cloudresourcemanager.googleapis.com cloudkms.googleapis.com bigquery-json.googleapis.com dns.googleapis.com dataflow.googleapis.com
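Two passages of this procedure depend on the same check: the best practice above, where Prisma Cloud reads the Service Usage API to learn which services a project has enabled and skips ingestion for the rest, and this step, which enables the APIs with gcloud. The following added script (not part of the Prisma Cloud documentation or product) reads a Service Usage `services.list` response, reports which of the APIs from this step are still disabled in a project, and builds the `gcloud services enable` command for just those. The listing is a constructed sample; the project ids and numbers in it are placeholders.

```python
import shlex

# The APIs enabled by the gcloud command in this step, plus the Service Usage
# API that Prisma Cloud needs in order to learn which of the others are enabled.
REQUIRED_APIS = (
    "serviceusage.googleapis.com",
    "compute.googleapis.com",
    "sqladmin.googleapis.com",
    "sql-component.googleapis.com",
    "storage-component.googleapis.com",
    "appengine.googleapis.com",
    "iam.googleapis.com",
    "container.googleapis.com",
    "logging.googleapis.com",
    "monitoring.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "cloudkms.googleapis.com",
    "bigquery-json.googleapis.com",
    "dns.googleapis.com",
    "dataflow.googleapis.com",
)


def enabled_services(listing):
    """Return the set of enabled API ids from a Service Usage services listing.

    Accepts either the REST services.list body ({"services": [...]}) or the
    bare list that `gcloud services list --format=json` prints. Each entry's
    `name` is "projects/<number>/services/<api>" and `config.name` is the bare
    API id; only entries whose state is ENABLED count."""
    services = listing if isinstance(listing, list) else listing.get("services", [])
    enabled = set()
    for svc in services:
        if svc.get("state") != "ENABLED":
            continue
        api = svc.get("config", {}).get("name") or svc.get("name", "").rsplit("/", 1)[-1]
        if api:
            enabled.add(api)
    return enabled


def missing_apis(listing, required=REQUIRED_APIS):
    """APIs that are required but not enabled in this project; Prisma Cloud
    skips ingestion for the corresponding services until they are enabled."""
    enabled = enabled_services(listing)
    return [api for api in required if api not in enabled]


def enable_command(project_id, apis):
    """Build the single gcloud command that enables the given APIs in the
    project, or None when nothing is missing."""
    if not apis:
        return None
    return "gcloud services enable --project %s %s" % (shlex.quote(project_id), " ".join(apis))


def missing_by_project(listings):
    """Run the check over several projects: {project_id: listing} -> {project_id: [missing]}."""
    return {pid: missing_apis(listing) for pid, listing in listings.items()}


# Constructed sample listing for one project: three APIs enabled, Cloud
# Functions present but disabled, everything else absent.
SAMPLE_LISTING = {
    "services": [
        {"name": "projects/123456789012/services/serviceusage.googleapis.com",
         "config": {"name": "serviceusage.googleapis.com"}, "state": "ENABLED"},
        {"name": "projects/123456789012/services/compute.googleapis.com",
         "config": {"name": "compute.googleapis.com"}, "state": "ENABLED"},
        {"name": "projects/123456789012/services/logging.googleapis.com",
         "config": {"name": "logging.googleapis.com"}, "state": "ENABLED"},
        {"name": "projects/123456789012/services/cloudfunctions.googleapis.com",
         "config": {"name": "cloudfunctions.googleapis.com"}, "state": "DISABLED"},
    ]
}


if __name__ == "__main__":
    missing = missing_apis(SAMPLE_LISTING)
    print("%d required APIs not enabled" % len(missing))
    print(enable_command("my-prisma-sa-project", missing))
```

Feed it the output of `gcloud services list --format=json --project <id>` for each project under the organization and `missing_by_project` gives you, per project, the services Prisma Cloud will skip at the next ingestion cycle; the Service Usage API entry is included in the required list because without it Prisma Cloud cannot make that determination at all.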
  8. Select the account groups to associate with your GCP project and click Next.
    You must assign each cloud account to an account group, and Create an Alert Rule to associate the account group with it so that alerts are generated when a policy violation occurs.
    [screenshot: add-gcp-step-4-org.png]
  9. Verify the onboarding Status of your GCP Organization on Prisma Cloud and click Done.
    [screenshot: add-gcp-status-org.png]
    You can review the status and take necessary actions to resolve any issues encountered during the onboarding process on the Cloud Accounts page. It takes between 4 and 24 hours for the flow log data to be exported and analyzed before you can review it on Prisma Cloud. To verify whether the flow log data from your GCP Organization has been analyzed, you can run a network query on the Investigate page.
    • After you add the GCP Organization to Prisma Cloud, you must create a support request to delete the GCP Organization or the projects within your GCP Organization. You cannot delete the account from Prisma Cloud.
    • Because Prisma Cloud has access to all projects associated with a Service Account, if you want to remove access to a project that is associated with the Service Account, you must remove the project from the Service Account on the GCP IAM console. In the next scanning cycle, the project is excluded and Prisma Cloud no longer has access to the project.
    1. Go to Cloud Accounts, locate your GCP account and view the status.
      [screenshot: add-gcp-status-org-2.png]
    2. Verify the projects that are onboarded to Prisma Cloud.
      Select the cloud account name and review the list of projects to verify the include/exclude selections you made earlier.
      [screenshot: add-gcp-status-org-3.png]
    3. Go to Investigate, replace the name with your GCP Cloud Account name and enter the following network query.
      This query lists all network traffic from the Internet or from Suspicious IP addresses with more than 0 bytes of data transferred to a network interface on any resource in any cloud environment.
      network where cloud.account = '{{cloud account name}}' AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs') AND bytes > 0
      [screenshot: gcp-flow-log-network-query.png]
