Permissions and APIs Required for GCP Account on Prisma Cloud
Learn about the Service account and APIs that enable
Prisma Cloud to ingest, analyze, and monitor the resources deployed
within a GCP project or organization.
To analyze and monitor your Google Cloud Platform (GCP) account, Prisma Cloud requires access to specific APIs and a service account, an authorized identity that enables authentication between Prisma Cloud and GCP. A combination of custom, predefined, and primitive roles grants the service account the permissions it needs to complete specific actions on the resources in your GCP project or organization.
Service Account Permissions
The permissions that the Prisma Cloud service account needs to monitor your GCP resources depend on your cloud protection needs.
- If you are onboarding a GCP project, you must assign the roles to the IAM policy for each project.
- If you are onboarding a GCP organization, you must assign the roles to the IAM policy for the organization.
- If you are using a master service account (MSA), you have two options:
  - (Recommended) Add permissions to the IAM policy for the organization.
  - Assign the roles to the IAM policy for each project individually.
The roles that grant the service account the read or read-write access it requires are the following:
- Viewer—Primitive role on GCP.
- Prisma Cloud Viewer—Custom role. Prisma Cloud needs this custom role to grant cloud storage bucket permission to read storage bucket metadata and update bucket IAM policies. This role requires storage.buckets.get to retrieve your list of storage buckets, and storage.buckets.getIamPolicy to retrieve the IAM policy for the specified bucket.
- Compute Security Admin—Predefined role on GCP. An optional privilege that is required only if you want to enable auto-remediation.
- Organization Role Viewer—Predefined role on GCP. This role is required for onboarding a GCP Organization.
- Dataflow Admin—Predefined role on GCP. An optional privilege that is required for flow log compression using the Dataflow service. See Flow Log Compression on GCP for details.
- Folder Viewer—Predefined role on GCP. An optional privilege that is required only if you want to onboard GCP Folder metadata, select specific folders (include or exclude folders), and automatically create account groups based on the folder hierarchy.
GCP APIs
Prisma Cloud can ingest data from several GCP APIs. In the GCP project where you create the service account, you must enable the Stackdriver Logging API (logging.googleapis.com) to monitor audit logs, and any other APIs for which you want Prisma Cloud to monitor resources.
When you use the Terraform template that Prisma Cloud provides to automate the onboarding of your GCP project or organization, the required permissions are automatically enabled for you.
The following table lists the APIs and associated granular permissions if you want to create a custom role to onboard your GCP account. When the APIs are enabled and the service account has the correct set of roles and associated permissions, Prisma Cloud can retrieve data about your GCP resources and identify potential security risks and compliance issues across your cloud accounts. To create a custom role for the service account, see Create a Service Account With a Custom Role for GCP before you continue to Add Your GCP Project to Prisma Cloud or Add Your GCP Organization to Prisma Cloud.
To enable the APIs that allow Prisma Cloud to monitor your GCP projects, run gcloud services enable as in this example (which enables some of the APIs listed in the table):
gcloud services enable serviceusage.googleapis.com appengine.googleapis.com bigquery.googleapis.com cloudfunctions.googleapis.com dataflow.googleapis.com dns.googleapis.com dataproc.googleapis.com cloudresourcemanager.googleapis.com cloudkms.googleapis.com sqladmin.googleapis.com compute.googleapis.com storage-component.googleapis.com recommender.googleapis.com iam.googleapis.com container.googleapis.com monitoring.googleapis.com logging.googleapis.com
Verify the APIs that you have enabled with gcloud services list.
| API | Description | Role | Project(s) where the role is required |
| --- | --- | --- | --- |
| App Engine API | Allows you to access App Engine, which is a fully managed serverless platform on GCP. | App Engine Viewer | Project that hosts the service account |
| Access Context Manager API | Read access to policies, access levels, and access zones. | Access Context Manager Reader | Project that hosts the service account |
| Access Approval | Allows you to access settings associated with a project, folder, or organization. | Viewer | Project that hosts the service account |
| API Gateway | Enables you to create, secure, and monitor APIs for Google Cloud serverless back ends, including Cloud Functions, Cloud Run, and App Engine. | API Gateway Viewer | Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud |
| BigQuery API | Allows you to create, manage, share, and query data. | BigQuery Metadata Viewer | Project that hosts the service account, and every project that the service account accesses for enabling monitoring and protection using Prisma Cloud |
| Binary Authorization API | Enables you to configure a policy that the service enforces when an attempt is made to deploy a container image on one of the supported container-based platforms. | Project Viewer | Project that hosts the service account |
| Cloud Data Fusion | Cloud Data Fusion is a fully managed, cloud-native, enterprise data integration service for quickly building and managing data pipelines. | Viewer | Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud |
| Cloud Functions | Cloud Functions is Google Cloud's event-driven serverless compute platform. | Cloud Functions Viewer | Project that hosts the service account |
| Cloud Dataflow API | Manages Google Cloud Dataflow projects. | Dataflow Admin (see Flow Log Compression on GCP) | Project that runs Dataflow |
| Cloud DNS API | Cloud DNS translates requests for domain names into IP addresses and manages and publishes DNS zones and records. | DNS Reader | Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud |
| Cloud Pub/Sub | Real-time messaging service that allows you to send and receive messages between independent applications. | Project Viewer, or a custom role with granular privileges | Project that hosts the service account |
| Container Analysis | Container Analysis provides vulnerability scanning and metadata storage for containers. | Viewer | Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud |
| Google Cloud Resource Manager API | Creates, reads, and updates metadata for Google Cloud Platform resource containers. | Viewer | Project that hosts the service account. Only required for a GCP Organization: also every project that the service account accesses for enabling monitoring and protection using Prisma Cloud |
| Cloud Key Management Service (KMS) API | Google Cloud KMS allows customers to manage encryption keys and perform cryptographic operations with those keys. | Project Viewer | Project that hosts the service account, and every project that the service account accesses for enabling monitoring and/or protection using Prisma Cloud |
| Cloud Service Usage API | API that lists the available or enabled services, or disables services that service consumers no longer use on GCP. | Role Viewer | Project that hosts the service account |
| Google Binary Authorization | A service that enables policy-based deployment validation and control for images deployed to Google Kubernetes Engine (GKE), Anthos Service Mesh, Anthos Clusters, and Cloud Run. | Project Viewer | Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud |
| Google Cloud Armor | Network security service that provides defenses against DDoS and application attacks, and offers WAF rules. | Viewer | Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud |
| Google Cloud Tasks | API to fetch task and queue information. | Role Viewer | Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud |
| Google AI Platform | A suite of services on Google Cloud specifically targeted at building, deploying, and managing machine learning models in the cloud. | | |
| Google Essential Contacts | Allows you to customize who receives notifications from Google Cloud services, such as Cloud Billing, by providing a list of contacts. | Viewer | Project that hosts the service account |
| Google Firebase Rules | An application development software that enables developers to develop iOS, Android, and Web apps. | | |
| Google Cloud Composer | | Viewer | Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud |
| Google Cloud Source Repositories API | A private Git repository to design, develop, and securely manage your code. | Source Repository Reader | Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud |
| Google Cloud Spanner API | A globally distributed NewSQL database service and storage solution designed to support global online transaction processing deployments. | Cloud Spanner Viewer | Project that hosts the service account, and every project that the service account accesses for enabling monitoring and protection using Prisma Cloud |
| Cloud SQL Admin API | API for Cloud SQL database instance management. | Custom Role | Project that hosts the service account |
| Compute Engine API | Creates and runs virtual machines on the Google Cloud Platform. | Compute Network Viewer | Project that hosts the service account |
| Cloud Bigtable API | Google Cloud Bigtable is a NoSQL Big Data database service. | Custom Role | Project that hosts the service account |
| Google Cloud Storage API | Cloud Storage is a RESTful service for storing and accessing your data on Google's infrastructure. | Custom Role | No specific requirement for Prisma Cloud |
| Google Organization Policy | Organization Policy Service provides centralized and programmatic control over an organization's cloud resources through configurable constraints across the entire resource hierarchy. | Project Viewer | Project that hosts the service account |
| Google Dataproc Clusters API | Dataproc is a managed service for creating clusters of compute that can be used to run Hadoop and Spark applications. | Project Viewer, or a custom role with granular privileges | Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud |
| Google Data Catalog | Data Catalog is a fully managed, scalable metadata management service which helps in searching and tagging data entries. | Viewer Role | Project that hosts the service account |
| Google Recommendations API (GCP IAM Recommender) | Google Recommender provides usage recommendations for Google Cloud resources. Recommenders are specific to a single Google Cloud product and resource type. | IAM Recommender Viewer | Project that hosts the service account |
| Google Healthcare | Manages solutions for storing and accessing healthcare data in Google Cloud. | Viewer | Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud |
| Google Cloud Run API | Deploys and manages user-provided container images. | Role Viewer | Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud |
| Google Secret Manager | Stores sensitive data such as API keys, passwords, and certificates. | Secret Manager Viewer | Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud |
| Google Security Command Center | Security Command Center is a centralized vulnerability and threat reporting service which helps to mitigate and remediate security risks. | Viewer Role | Project that hosts the service account |
| Google Cloud Filestore | Creates and manages cloud file servers. | Cloud Filestore Viewer | Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud |
| Google Certificate Authority Service | Enables you to simplify, automate, and customize the deployment, management, and security of private certificate authorities (CA). | CA Service Auditor | Required on destination only |
| Google Identity-Aware Proxy | Provides an application-level access control model instead of relying on network-level firewalls, by establishing a central authorization layer for applications. | Custom Role | Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud |
| Google VPC | Enables you to create and enforce a consistent firewall policy across your organization. This lets organization-wide admins manage critical firewall rules in one place. | Viewer | Project that hosts the service account |
| Identity and Access Management (IAM) API | Manages identity and access control for GCP resources, including the creation of service accounts, which you can use to authenticate to Google and make API calls. | Role Viewer | Project that hosts the service account |
| Memorystore | Memorystore is a fully managed database service that provides a managed version of two popular open source caching solutions: Redis and Memcached. | Viewer | Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud |
| Google Managed Microsoft AD | Managed Service for Microsoft Active Directory offers high-availability, hardened Microsoft Active Directory domains hosted by Google Cloud. | Viewer Role | No specific requirement for Prisma Cloud |
| Google Network Intelligence Center | Network Intelligence Center provides a single console for managing Google Cloud network visibility, monitoring, and troubleshooting. | Viewer Role | Project that hosts the service account |
| Kubernetes Engine API | Builds and manages container-based applications, powered by the open source Kubernetes technology. | Kubernetes Engine Cluster Viewer | Project that hosts the service account |
| Service Usage API | Lists all services available to the specified GCP project, and the current state of those services with respect to the project. Note: Prisma Cloud recommends that you enable this API on all GCP projects that are onboarded to Prisma Cloud. | N/A | Project that hosts the service account |
| Stackdriver Monitoring API | Manages your Stackdriver Monitoring data and configurations. Helps to gain visibility into the performance, availability, and health of your applications and infrastructure. | Monitoring Viewer | Project that hosts the service account, and the source project where the service account is created for enabling monitoring and protection using Prisma Cloud |
| Stackdriver Logging API | Writes log entries and manages your Logging configuration. | Logging Admin | Project that hosts the service account |
| Google Web Security Scanner API | Identifies security vulnerabilities in your App Engine, Google Kubernetes Engine (GKE), and Compute Engine web applications. | Web Security Scanner Viewer | Project that hosts the service account |
| Cloud Spanner backups | A backup of a Cloud Spanner database. | Viewer | Source project and destination |
| Google Service Directory | A managed service that enhances service inventory management at scale and reduces the complexity of management and operations by providing a single place to publish, discover, and connect services. | Viewer | Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud |
| GCP Organization - Additional permissions required to onboard | The Organization Role Viewer is required for onboarding a GCP Organization. If you only provide the individual permissions listed below, the permissions set is not sufficient. | Organization Role Viewer | N/A |
| Google Access Approval (accessapproval.googleapis.com) | Access Approval ensures that Cloud Customer Care and engineering require your explicit approval whenever they need to access your customer content. Access Approval lets you select the Google Cloud services you want to enroll in. | Viewer Role | Project that hosts the service account |
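The following script is an added example, not Prisma Cloud's own tooling: it checks a project against the API list from the gcloud services enable command above and against the mandatory Viewer role from the roles list, and reports what is still missing for the service account. The gcloud flags used are standard; the missing_items helper, the check_project wrapper, and the sample output are constructed for this example.

```shell
#!/bin/sh
# Added example (not Prisma Cloud's own tooling): report which of the APIs from
# the onboarding command above, and which base role from the roles list, a
# project is still missing for the Prisma Cloud service account.
set -eu

# APIs exactly as enabled by the gcloud services enable command on this page.
REQUIRED_APIS="serviceusage.googleapis.com appengine.googleapis.com bigquery.googleapis.com
cloudfunctions.googleapis.com dataflow.googleapis.com dns.googleapis.com dataproc.googleapis.com
cloudresourcemanager.googleapis.com cloudkms.googleapis.com sqladmin.googleapis.com
compute.googleapis.com storage-component.googleapis.com recommender.googleapis.com
iam.googleapis.com container.googleapis.com monitoring.googleapis.com logging.googleapis.com"

# Mandatory primitive Viewer role. Append the optional roles from the page (e.g.
# roles/compute.securityAdmin) as needed; the custom Prisma Cloud Viewer role has no fixed ID.
REQUIRED_ROLES="roles/viewer"

# missing_items "REQUIRED" "PRESENT": REQUIRED is whitespace-separated, PRESENT is
# one name per line (the shape of gcloud's value() output). Prints every required
# name that has no exact line match in PRESENT.
missing_items() {
  nl='
'
  present="$nl$2$nl"
  for item in $1; do
    case "$present" in
      *"$nl$item$nl"*) ;;
      *) printf '%s\n' "$item" ;;
    esac
  done
}

# Live check; needs gcloud and credentials that can read the project.
# Usage: check_project PROJECT_ID SERVICE_ACCOUNT_EMAIL
check_project() {
  enabled=$(gcloud services list --enabled --project "$1" --format='value(config.name)')
  missing_items "$REQUIRED_APIS" "$enabled"
  roles=$(gcloud projects get-iam-policy "$1" --flatten='bindings[].members' \
            --filter="bindings.members:$2" --format='value(bindings.role)')
  missing_items "$REQUIRED_ROLES" "$roles"
}
# Constructed sample standing in for the first gcloud call's output.
SAMPLE_ENABLED='compute.googleapis.com
logging.googleapis.com
iam.googleapis.com'
if [ "${1:-}" = "--demo" ]; then
  missing_items "$REQUIRED_APIS" "$SAMPLE_ENABLED"   # prints the 14 APIs still to enable
fi
```

Run it with --demo to see the offline comparison, or call check_project with a project ID and the service account's email to audit a real project.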