Add a single GCP project or multiple GCP projects to Prisma Cloud.

Begin here to add a GCP project to Prisma Cloud. If you want to add multiple projects, you must either repeat this process for each project you want to onboard, or allow Prisma Cloud to automatically monitor all GCP projects, current and future, that use the Service Account attached to the project you are adding to Prisma Cloud. Prisma Cloud refers to this service account as a Master Service Account.
After you start monitoring your project using Prisma Cloud, if you delete the project on GCP, Prisma Cloud learns about it and automatically deletes the account from the list of monitored accounts on Settings > Cloud Accounts. To track the automatic deletion of the project, an audit log is generated with the name of the deleted account and the date that the action was performed.
A cloud account name is auto-populated for you. You can replace it with a cloud account name that uniquely identifies your GCP project on Prisma™ Cloud.

Select the Mode.
Decide whether to enable permissions to only monitor (read-only access) or to monitor and protect (read-write access) the resources in your cloud account. Your selection determines which Terraform template is used to automate the process of creating the service account and attaching the roles required for Prisma Cloud.
Select Project for Onboard Using and enter your Project ID and the name of your Flow Log Storage Bucket.
The Terraform template does not enable flow logs; you must complete the workflow in Enable Flow Logs for GCP Projects for Prisma Cloud to retrieve flow logs. Additionally, if you want to enable flow log compression on Prisma Cloud and address the lack of native compression support for the flow logs sink setup on GCP, you must do that manually too. When you enable Use Dataflow to generate compressed logs, Prisma Cloud sets up the network and compute resources required for flow log compression, which can take up to five minutes.
When you enable flow logs, the service ingests flow log data for the last seven days. If flow logs later become unavailable for any reason (for example, you manually disabled flow logs, modified API permissions, or an internal error occurred), then when access is restored only the logs from the preceding seven days are ingested.
(Optional) Allow Prisma Cloud to monitor all current and future GCP projects associated with the service account.
If you have multiple GCP projects, enable Automatically onboard projects that are accessible by this service account to allow Prisma Cloud to monitor all current and future GCP projects associated with the Service Account.
Set up the Service Account for Prisma Cloud.
Download the Terraform template for the mode you selected.
Prisma Cloud recommends that you create a directory to store the Terraform template you download. This allows you to manage the templates when you add a different Google project to Prisma Cloud. Give the directory a name that uniquely identifies the subscription for which you're using it (for example, onboard-<subscription-name>).
Open a new tab in your browser and sign in to the Google Cloud Shell.
Upload the template to the Google Cloud Shell.
Run the following Terraform commands to generate the Service Account:
terraform init
terraform apply
Upload your Service Account Key (JSON) file, review the GCP onboarding configuration displayed on screen to verify that it is correct, and click Next.
The service account security key is used for service-to-service authentication within GCP. The private key file is required to authenticate API calls between your GCP projects and Prisma Cloud.
If you are on a PC, when you copy the JSON file output from the Google Cloud Shell the content is formatted as text instead of JSON. When you upload this file to Prisma Cloud, the Invalid JSON file error displays. To fix the error, use a JSON formatting tool such as Sublime or Atom to find the errors (for example, the certificate value should be a single line) and validate the format before you upload the file to Prisma Cloud.
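As an added example (not Prisma Cloud's or Google's code), the following Python script performs the check described above locally: it re-escapes raw line breaks inside the private_key value, which is what the Invalid JSON file error usually points to, and validates the field set before you upload the file. The required-field list is an assumption chosen for this example.

```python
"""Check and repair a GCP service account key JSON before uploading it to Prisma Cloud.
Added example, not Prisma Cloud or Google code. Run it locally: the file is a credential."""
import json
import re

# Minimum field set assumed for this example (Google's key files carry all of them).
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "token_uri")

# Matches the private_key string value even when it spans several physical lines.
_PK_RE = re.compile(r'("private_key"\s*:\s*")(.*?)("\s*[,}])', re.DOTALL)


def repair_key_text(text: str) -> str:
    """Re-escape raw line breaks inside the private_key value so it is one line."""
    def fix(m):
        body = m.group(2).replace("\r\n", "\n").replace("\n", "\\n")
        return m.group(1) + body + m.group(3)
    return _PK_RE.sub(fix, text)


def validate_key(text: str) -> list:
    """Return a list of problems; an empty list means the key file looks usable."""
    try:
        key = json.loads(text)  # strict mode rejects raw newlines inside strings
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(key, dict):
        return ["top-level value is not a JSON object"]
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in key]
    if key.get("type") != "service_account":
        problems.append("type is not service_account")
    pk = key.get("private_key")
    if not (isinstance(pk, str) and pk.startswith("-----BEGIN PRIVATE KEY-----")
            and pk.rstrip("\n").endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM PKCS#8 block")
    return problems


def check_file(path: str) -> list:
    """Validate a key file, repairing the private_key line breaks in place if needed."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    problems = validate_key(text)
    if problems and validate_key(repair_key_text(text)) == []:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(repair_key_text(text))
        return []  # repaired; the file now uploads cleanly
    return problems
```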
Enable the GCP APIs on all projects.
You must enable the Stackdriver Logging API (logging.googleapis.com) to monitor audit logs, and any other GCP APIs for which you want Prisma Cloud to monitor resources, on all GCP projects; enabling it only on the project that hosts the service account is not adequate. For example, in the Google Cloud Shell, enter:
Select the account groups to associate with your project and click Next.
You must assign each cloud account to an account group, and then Create an Alert Rule for Run-Time Checks to associate the account group with that rule so that alerts are generated when a policy violation occurs.
Verify the onboarding Status of your GCP project on Prisma Cloud and click Done.
You can review the status and take the necessary actions to resolve any issues encountered during the onboarding process by viewing the Cloud Accounts page. It takes between 4 and 24 hours for the flow log data to be exported and analyzed before you can review it on Prisma Cloud. To verify whether the flow log data from your GCP project has been analyzed, you can run a network query on the Investigate page.
Go to Cloud Accounts, locate your GCP project and view the status.
If the Prisma Cloud GCP IAM role does not have adequate permissions to ingest data on the monitored resources within your project, the status icon displays as red or amber and lists the permissions that are missing.
Go to Investigate, replace the name with your GCP Cloud Account name and enter the following network query.
This query lists all network traffic from the Internet or from Suspicious IP addresses with over 0 bytes of data transferred to a network interface on any resource in any cloud environment.
network where cloud.account = '{{cloud account name}}' AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs') AND bytes > 0