Add Your GCP Project to Prisma Cloud

Add a single GCP project or multiple GCP projects to Prisma Cloud.
Begin here to add a GCP project to Prisma™ Cloud. If you want to add multiple projects, you must either repeat this process for each project you want to onboard, or allow Prisma Cloud to automatically monitor all GCP projects, current and future, that use the Service Account attached to the project you are adding to Prisma Cloud. Prisma Cloud refers to this service account as a Master Service Account.
After you start monitoring your project using Prisma Cloud, if you delete the project on GCP, Prisma Cloud learns about it and automatically deletes the account from the list of monitored accounts on Settings > Cloud Accounts. To track the automatic deletion of the project, an audit log is generated with the name of the deleted account and the date the action was performed.
  1. Access Prisma Cloud and select Settings > Cloud Accounts > Add Cloud Account.
  2. Select Google Cloud as the Cloud to Secure.
  3. Enter an Account Name.
    An account name is auto-populated for you. You can replace it with an account name that uniquely identifies your GCP project on Prisma Cloud.
  4. Select Project for Onboard and enter your Project ID and the name of your Flow Log Storage Bucket.
    Make sure to enter your Project ID and not your Project Number.
    The Terraform template does not enable flow logs, and you must complete the workflow in Enable Flow Logs for GCP Projects for Prisma Cloud to retrieve flow logs. Additionally, if you want to enable flow log compression on Prisma Cloud, which addresses the lack of native compression support in the GCP flow log sink setup, you must do that manually too. When you enable Use Dataflow to generate compressed logs, Prisma Cloud sets up the network and compute resources required for flow log compression; this can take up to five minutes.
    When you enable flow logs, the service ingests flow log data for the last seven days. If flow logs later become unavailable for any reason (for example, you manually disabled flow logs, modified API permissions, or an internal error occurred), then when access is restored, only logs from the preceding seven days are ingested.
  5. (Optional) Allow Prisma Cloud to monitor all current and future GCP projects associated with the service account.
    If you have multiple GCP projects, enable Automatically onboard projects that are accessible by this service account to allow Prisma Cloud to monitor all current and future GCP projects associated with the Service Account. For every project that you want to onboard, you must grant the same set of permissions to the service account.
    If the ID of a project you onboard, or of a project you had already onboarded, has the format sys-<26-digit number>, that project is deleted from Prisma Cloud.
  6. Select the Security Capabilities and Permissions that you want to enable. Based on your selection, Prisma Cloud dynamically generates a Terraform Script that includes the associated permissions for the Prisma Cloud role.
    By default, Agentless Workload Scanning and Serverless Function Scanning are enabled. Workload Discovery is also automatically enabled to help you find all cloud-native services in use on your Google account and mitigate exposure.
    • Enable and add permissions for Agentless Workload Scanning to scan hosts and containers for vulnerabilities and compliance risks without having to install a Defender. Scans start automatically once you onboard your account. You can also update the scanning configuration for agentless scans.
    • Enable and add permissions for Serverless Function Scanning to scan cloud provider functions, such as Google functions, for vulnerabilities and compliance. Scans start automatically once you onboard your account. You can also update the scanning configuration for serverless scans.
    • Add permissions for Agent Based Workload Protection. The permissions allow automated deployment of Defenders to protect cloud VMs, containers, and Kubernetes orchestrators. Registry scanning, Kubernetes audits, and other features required by Defenders are also enabled.
    • Enable Remediation to address policy violations reported for remediable configuration policies on Prisma Cloud. This feature is not enabled by default. After you enable it, the Prisma Cloud role gets read-write permissions on your Google Cloud account so that it can execute remediation commands.
      After you onboard your Google account on Prisma Cloud, the account is automatically available in Compute and enabled for Workload Discovery and Serverless Function scans. You can also review the permissions required for individual security capabilities.
  7. Set up the Service Account for Prisma Cloud.
    1. Download Terraform Script.
      Prisma Cloud recommends that you create a directory to store the Terraform template you download. This lets you manage the templates when you add a different Google project to Prisma Cloud. Give the directory a name that uniquely identifies the project for which you’re using it (for example, onboard-<project-name>).
    2. Open a new tab in your browser and sign in to Google Cloud Shell.
    3. Upload the script to the Cloud Shell.
      After the Terraform script runs, it creates a JSON file that saves the credentials, named in the following format:
      projectId-randomString.json
    4. Download the JSON file.
      Click the vertical ellipsis in the header and then select Download.
    5. While authenticated on Prisma Cloud, click Drag and drop file here or Browse File to upload the JSON file to Prisma Cloud, and click Next.
    6. Enable the GCP APIs on all projects in the GCP console.
      You must enable the Stackdriver Logging API (logging.googleapis.com) to monitor audit logs, and any other GCP APIs for which you want Prisma Cloud to monitor resources, on all GCP projects; enabling them only on the project that hosts the service account is not adequate. For example, in the Google Cloud Shell, enter:
      gcloud services enable serviceusage.googleapis.com appengine.googleapis.com bigquery.googleapis.com cloudfunctions.googleapis.com dataflow.googleapis.com dns.googleapis.com dataproc.googleapis.com cloudresourcemanager.googleapis.com cloudkms.googleapis.com sqladmin.googleapis.com compute.googleapis.com storage-component.googleapis.com recommender.googleapis.com iam.googleapis.com container.googleapis.com monitoring.googleapis.com logging.googleapis.com
      Here’s a screenshot of how this command looks in Google Cloud Shell:
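      Because the APIs must be enabled on every project and not only on the one hosting the service account, it is easy to miss a project when doing this by hand. The following script is an added example, not Prisma Cloud's or Google's own tooling: it applies the API list above to every project visible to the active gcloud identity, skips GCP system projects of the sys-<26-digit number> form mentioned in step 5 (Prisma Cloud removes those anyway), and then verifies with gcloud services list that nothing is still missing. It assumes the active gcloud account can list projects and enable services on each of them; the function names are the example's own. Nothing is changed unless the script is run with --apply, so the helper functions can be sourced and used on their own.

```shell
#!/bin/sh
# Added example (not Prisma Cloud's own tooling): enable the Prisma Cloud API
# list on every project the active gcloud identity can see, skip GCP system
# projects (sys-<26 digits>), and report any API that is still not enabled.

# The API list from the onboarding step above.
REQUIRED_APIS="serviceusage.googleapis.com appengine.googleapis.com bigquery.googleapis.com \
cloudfunctions.googleapis.com dataflow.googleapis.com dns.googleapis.com \
dataproc.googleapis.com cloudresourcemanager.googleapis.com cloudkms.googleapis.com \
sqladmin.googleapis.com compute.googleapis.com storage-component.googleapis.com \
recommender.googleapis.com iam.googleapis.com container.googleapis.com \
monitoring.googleapis.com logging.googleapis.com"

# Exit 0 when the project ID has the sys-<26 digits> form that Prisma Cloud
# deletes from its account list; enabling APIs there would be wasted effort.
is_system_project() {
    printf '%s\n' "$1" | grep -Eq '^sys-[0-9]{26}$'
}

# Print, one per line, every API in $1 (space-separated) that is absent from
# $2 (space- or newline-separated list of enabled services). Prints nothing
# when the project is complete.
missing_apis() {
    required=$1
    enabled=$2
    for api in $required; do
        found=0
        for e in $enabled; do
            [ "$e" = "$api" ] && found=1 && break
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$api"
    done
    return 0
}

# Enable the required APIs on every non-system project, then verify each one.
enable_apis_everywhere() {
    gcloud projects list --format='value(projectId)' | while read -r project; do
        [ -z "$project" ] && continue
        if is_system_project "$project"; then
            echo "skip $project (GCP system project)"
            continue
        fi
        echo "enabling APIs on $project"
        # Word splitting of REQUIRED_APIS into separate arguments is intended.
        gcloud services enable $REQUIRED_APIS --project "$project"
        enabled=$(gcloud services list --enabled --project "$project" \
                  --format='value(config.name)')
        gaps=$(missing_apis "$REQUIRED_APIS" "$enabled")
        if [ -n "$gaps" ]; then
            echo "STILL MISSING on $project:"
            echo "$gaps"
        else
            echo "ok $project"
        fi
    done
}

# Only touch GCP when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    enable_apis_everywhere
fi
```

      Run it in Cloud Shell as sh enable-prisma-apis.sh --apply (file name is the example's own). A project reported as STILL MISSING is one where gcloud services enable returned without enabling everything, typically because the caller lacks the serviceusage permission on that project; fix the IAM binding on that project and re-run, since Prisma Cloud's status check in step 9 will otherwise flag it.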
  8. Select the Account Groups to associate with your project and click Next.
    You must assign each cloud account to an account group, and then create an alert rule (see Create an Alert Rule for Run-Time Checks) associated with that account group so that alerts are generated when a policy violation occurs.
  9. Review the onboarding Status of your GCP project on Prisma Cloud and click Save.
    You can review the status and take the necessary actions to resolve any issues encountered during onboarding on the Cloud Accounts page. It takes between 4 and 24 hours for the flow log data to be exported and analyzed before you can review it on Prisma Cloud. To verify that the flow log data from your GCP project has been analyzed, run a network query on the Investigate page.
    1. Go to Cloud Accounts, locate your GCP project, and view the status.
      If the Prisma Cloud GCP IAM role does not have adequate permissions to ingest data on the monitored resources within your project, the status icon displays as red or amber and lists the missing permissions.
    2. Go to Investigate, replace the cloud account name placeholder with your GCP account name, and enter the following network query.
      This query lists all network traffic from the Internet or from suspicious IP addresses with more than 0 bytes of data transferred to a network interface on any resource in any cloud environment.
      network from vpc.flow_record where cloud.account = '{{cloud account name}}' AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs') AND bytes > 0
