Add Your GCP Project to Prisma Cloud

Access Prisma Cloud and select

Settings

Cloud Accounts

Add New

.

Select

Google Cloud

as the

Cloud to Protect

.

Enter a

Cloud Account Name

.

A cloud account name is auto-populated for you. You can replace it with a cloud account name that uniquely identifies your GCP project on Prisma™ Cloud.



Select the

Mode

.

Decide whether to enable permissions to only monitor (read-only access) or to monitor and protect (read-write access) the resources in your cloud account. Your selection determines which Terraform template is used to automate the process of creating the service account and attaching the roles required for Prisma Cloud.

Select

Project

for

Onboard Using

and enter your

Project ID

and the name of your

Flow Log Storage Bucket

.



The Terraform template does not enable flow logs, and you must complete the workflow in Enable Flow Logs for GCP Projects for Prisma Cloud to retrieve flow logs. Additionally, if you want to enable flow log compression on Prisma cloud and address the lack of native compression support for flow logs sink setup on GCP, you must do it manually too. When you enable

Use Dataflow to generate compressed logs

, Prisma Cloud sets up the network and compute resources required for flow log compression and this can take up to five minutes.

When you enable flow logs, the service ingests flow log data for the last seven days. Then if flow logs become unavailable for any reason such as if you manually disabled flow logs, modified API permissions, or an internal error occurred, when access is restored, logs from the preceding seven days only are ingested.

(

Optional

) Allow Prisma Cloud to monitor all current and future GCP projects associated with the service account.

If you have multiple GCP projects, enable

Automatically onboard projects that are accessible by this service account.

to allow Prisma Cloud to monitor all current and future GCP projects associated with the Service Account.

Set up the Service Account for Prisma Cloud.

Download the Terraform template for the mode you selected.

Prisma Cloud recommends that you create a directory to store the Terraform template you download. This allows you to manage the templates when you add a different Google project to Prisma Cloud. Give the directory a name that uniquely identifies the subscription for which you're using it (for example, onboard-<subscription-name>).

Open a new tab on your browser and sign in to the Google Cloud Shell.

Upload the template to the Google Cloud Shell.

Run the following Terraform commands to generate the Service Account.

terraform init
terraform apply

Upload your

Service Account Key (JSON)

file, review the GCP onboarding configuration displayed on screen to verify that it is correct, and click

Next.

The service account security key is used for service-to-service authentication within GCP. The private key file is required to authenticate API calls between your GCP projects and Prisma Cloud.

If you are on a PC, when you copy the JSON file output from Google Cloud Shell the content is formatted as text instead of JSON. When you upload this file to Prisma Cloud, the

Invalid JSON file error

displays. To fix the error, use a JSON formatting tool such as Sublime or Atom to find the errors (for example, the certificate value should be a single line) and validate the format before you upload the file on Prisma Cloud.





Enable the GCP APIs on all projects.

You must enable the Stackdriver Logging API (logging.googleapis.com) to monitor audit logs and any other GCP APIs for which you want Prisma Cloud to monitor resources, on all GCP projects; enabling it only of the project that hosts the service account is not adequate. For example, in the Google Cloud Shell, enter:

gcloud services enable serviceusage.googleapis.com appengine.googleapis.com bigquery.googleapis.com cloudfunctions.googleapis.com dataflow.googleapis.com dns.googleapis.com dataproc.googleapis.com cloudresourcemanager.googleapis.com cloudkms.googleapis.com sqladmin.googleapis.com compute.googleapis.com storage-component.googleapis.com recommender.googleapis.com iam.googleapis.com container.googleapis.com monitoring.googleapis.com logging.googleapis.com

Select the account groups to associate to your project and click

Next

.

You must assign each cloud account to an account group, and Create an Alert Rule for Run-Time Checks to associate the account group with it to generate alerts when a policy violation occurs.



Verify the onboarding

Status

of your GCP project to Prisma Cloud and click

Done

.

You can review the status and take necessary actions to resolve any issues encountered during the onboarding process by viewing the

Cloud Accounts

page. It takes between 4-24 hours for the flow log data to be exported and analyzed before you can review it on Prisma Cloud. To verify if the flow log data from your GCP project has been analyzed, you can run a network query on the

Investigate

page.

Go to

Cloud Accounts

, locate your GCP project and view the status.



If Prisma Cloud GCP IAM role does not have adequate permissions to ingest data on the monitored resources within your project, the status icon displays as red or amber and it lists the permissions that are missing.



Go to

Investigate

, replace the name with your GCP Cloud Account name and enter the following network query.

This query allows you to list all network traffic from the Internet or from Suspicious IP addresses with over 0 bytes of data transferred to a network interface on any resource on any cloud environment.

network where cloud.account = ‘{{cloud account name}}’ AND source.publicnetwork IN (‘Internet IPs’, ‘Suspicious IPs’) AND bytes > 0