Set Up Your GCP Account for Prisma Cloud

Configure your GCP account to enable Prisma Cloud to ingest, analyze, and monitor the resources deployed within a project or at the organization level.
Before Prisma Cloud can analyze and monitor your Google Cloud Platform account, you must create a service account, create roles and associate them with the service account, and enable specific APIs. These accounts, roles, and APIs enable Prisma Cloud to retrieve data about your GCP resources and identify potential security risks and compliance issues. You must configure your GCP account whether you elect to add a GCP project or a GCP organization to Prisma Cloud.
  1. Create a Prisma Cloud Viewer custom role on the GCP console.
    Prisma Cloud needs this custom role to grant it the Cloud Storage permissions to read storage bucket metadata and bucket IAM policies.
    1. Log in to the GCP console, select your organization, and select IAM & Admin > Roles > Create Role.
    2. Enter a Title and Description.
    3. Verify that ID is set to CustomRole and select General Availability in the Role launch stage drop-down.
    4. Click + ADD PERMISSIONS and select storage.buckets.get, to retrieve your list of storage buckets, and storage.buckets.getIamPolicy, to retrieve the IAM policy for the specified bucket.
    5. Click Add.
    6. Click Create.
  2. Create a GCP service account.
    You need a service account, which is an authorized identity, to enable authentication between Prisma Cloud and GCP. Because you can create a service account only under a GCP project and not directly under the GCP organization, you must select a project when you create the service account.
    1. Select your project and select Service accounts > + CREATE SERVICE ACCOUNT.
    2. Enter the Service account name, Service account ID, and Service account description, and click Create.
  3. Grant the service account permissions to access your GCP project.
    The service account must have three roles to analyze and monitor your resources and data on GCP:
    • Viewer—Primitive role on GCP.
    • Prisma Cloud Viewer—Custom role that you created in Step 1.
    • Compute Security Admin—Predefined role on GCP. This optional privilege is required only for auto-remediation.
    1. Select Project > Viewer and click + ADD ANOTHER ROLE.
      The Project Viewer role is a primitive role that gives Prisma Cloud read-only access to the resources and data in your selected project or projects.
    2. Select Custom > Prisma Cloud Viewer (or whatever custom name you chose) and click + ADD ANOTHER ROLE.
      This custom role allows Prisma Cloud to read storage bucket metadata and the IAM policies associated with the selected project.
    3. Select Compute Engine > Compute Security Admin and click Continue.
      (Optional role, required only for enabling auto-remediation.) Compute Security Admin is a predefined role that grants full control to remediate incidents or policy violations on Compute Engine resources.
  4. Create a security key for the service account.
    The service account security key is used for service-to-service authentication within GCP. The private key file is required to authenticate API calls between your GCP projects and Prisma Cloud. Anyone who holds this file can act as the service account, so store it as a secret and delete local copies after you upload it to Prisma Cloud.
    1. Click + CREATE KEY.
      If you are modifying an existing service account, see Create a key.
    2. Select JSON as the Key type.
    3. Create the key and download the JSON private key file for the service account.
  5. Enable GCP APIs for your GCP project.
    Prisma Cloud can ingest data from several GCP APIs. You must enable the Stackdriver Logging API (logging.googleapis.com) to monitor audit logs; for all the other APIs, you can opt to enable only the ones you are using and want Prisma Cloud to monitor across your cloud accounts.
    1. Go to the GCP Console API Library and select your GCP project.
    2. Select Enable APIs and Services.
    3. Enable the APIs.
      You can either enable all the necessary APIs at once with the Google Cloud command-line interface:
      gcloud services enable compute.googleapis.com sql-component.googleapis.com storage-component.googleapis.com iam.googleapis.com container.googleapis.com logging.googleapis.com monitoring.googleapis.com cloudresourcemanager.googleapis.com cloudkms.googleapis.com bigquery-json.googleapis.com dns.googleapis.com
      or search for each API in the list and enable it from the Google Cloud console.
      The APIs, with their descriptions and service names, are:
      • BigQuery API (bigquery-json.googleapis.com): Allows you to create, manage, share, and query data.
      • Cloud Resource Manager API (cloudresourcemanager.googleapis.com): Creates, reads, and updates metadata for Google Cloud Platform resource containers.
      • Cloud Key Management Service (KMS) API (cloudkms.googleapis.com): Google Cloud KMS allows customers to manage encryption keys and perform cryptographic operations with those keys.
      • Cloud SQL Admin API (sqladmin.googleapis.com): API for Cloud SQL database instance management.
      • Compute Engine API (compute.googleapis.com): Creates and runs virtual machines on the Google Cloud Platform.
      • Google Cloud DNS API (dns.googleapis.com): Google Cloud DNS translates requests for domain names into IP addresses and manages and publishes DNS zones and records.
      • Google Cloud Storage (storage-component.googleapis.com): Google Cloud Storage is a RESTful service for storing and accessing your data on Google's infrastructure.
      • Identity and Access Management (IAM) API (iam.googleapis.com): Manages identity and access control for GCP resources, including the creation of service accounts, which you can use to authenticate to Google and make API calls.
      • Kubernetes Engine API (container.googleapis.com): Builds and manages container-based applications, powered by the open source Kubernetes technology.
      • Stackdriver Monitoring API (monitoring.googleapis.com): Manages your Stackdriver Monitoring data and configurations.
      • Stackdriver Logging API (logging.googleapis.com): Writes log entries and manages your Logging configuration.
    4. Verify that you have enabled all the APIs listed above.
      You can use the GCP APIs and Services Dashboard to verify, or run gcloud services list in the Google Cloud command-line interface.
  6. Associate additional GCP projects with the service account and create a custom role within each project.
    Because the service account and custom roles are associated with a GCP project, if you plan to add more than one GCP project to Prisma Cloud but not the GCP organization, you must associate each project with the service account and then connect your service account to Prisma Cloud.
    This step is not required if you want to add just one project; in that case, continue to Add Your GCP Project to Prisma Cloud. If you want to ensure that all current and future projects and cloud resources within your organization are automatically monitored by Prisma Cloud, you can select Automatically onboard projects that are accessible by this service account when you Add Your GCP Organization to Prisma Cloud.
    1. Copy the service account member address.
      First select the project that you used to set up the service account, then find the service account member address under IAM & admin > IAM.
    2. Select the project you want to add (from the Project drop-down) and click Add.
    3. Add the service account member address you copied under New members, and then Select a role.
    4. Select Project > Viewer and click + ADD ANOTHER ROLE.
    5. Select Compute Engine > Compute Security Admin.
    6. Save your changes.
    7. If you do not want to add all your GCP projects within the GCP Organization-level grouping, you need to create the custom Prisma Cloud Viewer role for each project.
    8. Add the custom role to the service account.
      1. Select IAM & Admin > IAM, and select the service account.
      2. Edit the permissions and click + ADD ANOTHER ROLE.
      3. Select Custom > Prisma Cloud Viewer, and click Save.
    9. Repeat the steps above for any additional projects you want to onboard to Prisma Cloud.
  7. When you enable flow logs, the service ingests flow log data for the preceding seven days. If flow logs later become unavailable for any reason, for example because you manually disabled flow logs, modified API permissions, or an internal error occurred, then when access is restored only the logs from the preceding seven days are ingested.
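As an added check for Step 5.4 (this script is not from the Prisma Cloud documentation), the function below compares the service names from the gcloud services enable command in Step 5 against the output of gcloud services list and reports any that are missing. The enabled-services sample is constructed and deliberately omits the Logging API.

```shell
#!/bin/sh
# Added example, not part of the Prisma Cloud documentation.
# Required services, taken from the 'gcloud services enable' command in Step 5.
REQUIRED_APIS="compute.googleapis.com sql-component.googleapis.com \
storage-component.googleapis.com iam.googleapis.com container.googleapis.com \
logging.googleapis.com monitoring.googleapis.com cloudresourcemanager.googleapis.com \
cloudkms.googleapis.com bigquery-json.googleapis.com dns.googleapis.com"

# missing_apis ENABLED
#   ENABLED is a newline-separated list of service names, the format produced by
#   gcloud services list --enabled --format='value(config.name)'
#   Prints one line per required API that is not enabled; returns 0 if none are missing.
missing_apis() {
    enabled=$1
    rc=0
    for api in $REQUIRED_APIS; do
        if ! printf '%s\n' "$enabled" | grep -qx "$api"; then
            echo "$api"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of a project's enabled services. logging.googleapis.com is
# absent, so audit-log monitoring in Prisma Cloud would not work for this project.
SAMPLE_ENABLED='bigquery-json.googleapis.com
cloudkms.googleapis.com
cloudresourcemanager.googleapis.com
compute.googleapis.com
container.googleapis.com
dns.googleapis.com
iam.googleapis.com
monitoring.googleapis.com
sql-component.googleapis.com
storage-component.googleapis.com'

# For a live project, replace SAMPLE_ENABLED with:
#   "$(gcloud services list --enabled --format='value(config.name)')"
if missing=$(missing_apis "$SAMPLE_ENABLED"); then
    echo "all required APIs are enabled"
else
    echo "missing APIs:"
    echo "$missing"
    echo "enable them with: gcloud services enable $(echo "$missing" | tr '\n' ' ')"
fi
```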

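As an added example for Step 6 (not from the Prisma Cloud documentation), the script below prints the gcloud commands that create the Prisma Cloud Viewer custom role in each additional project and bind the service account to the three roles from Step 3, so you can review them before applying. The service account address, the role ID and the project IDs are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Prisma Cloud documentation. Placeholder values:
SA_MEMBER="serviceAccount:prisma-cloud@my-seed-project.iam.gserviceaccount.com"
ROLE_ID="PrismaCloudViewer"          # hypothetical custom role ID
ROLE_FILE="${TMPDIR:-/tmp}/prisma-cloud-viewer-role.yaml"

# write_role_file PATH: writes the custom role from Step 1 in the YAML layout that
# 'gcloud iam roles create --file' accepts (only the two read permissions).
write_role_file() {
    cat >"$1" <<'EOF'
title: Prisma Cloud Viewer
description: Read storage bucket metadata and bucket IAM policies for Prisma Cloud
stage: GA
includedPermissions:
- storage.buckets.get
- storage.buckets.getIamPolicy
EOF
}

# onboard_project PROJECT_ID: prints the commands for one project. They are printed
# instead of run so that you can review them; pipe the output to sh to apply.
onboard_project() {
    project=$1
    # Step 6.7: the custom role lives in a project, so create it in each one.
    echo "gcloud iam roles create $ROLE_ID --project=$project --file=$ROLE_FILE"
    # Steps 6.4, 6.5 and 6.8: Viewer, Compute Security Admin (optional, only for
    # auto-remediation) and the project's own copy of the custom role.
    for role in roles/viewer roles/compute.securityAdmin "projects/$project/roles/$ROLE_ID"; do
        echo "gcloud projects add-iam-policy-binding $project --member=$SA_MEMBER --role=$role"
    done
}

write_role_file "$ROLE_FILE"
# Usage: sh onboard.sh project-a project-b | sh   (project IDs are placeholders)
for project_id in "$@"; do
    onboard_project "$project_id"
done
```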