Begin Scanning a Google Cloud Storage App

Add your Google Cloud Storage app to Prisma SaaS to begin scanning and monitoring assets for possible security risks.
Before you begin scanning a Google Cloud Storage app, you must create a service account and enable Administrator and client API access.
To connect the Google Cloud Storage app to Prisma SaaS and begin scanning assets, you need to:
  • Create a service account from Google Cloud Console.
  • Enable Administrator and client API access from Google Admin Console.
  • Add the Google Cloud Storage app to Prisma SaaS.
  • Configure initial scan settings.
For information on which automated remediation capabilities Prisma SaaS supports with Google Cloud Storage, refer to Supported Applications with Remediation.

Create Service Account for Google Cloud Storage

As you prepare the Google Cloud Storage account, take note of the following values, as they are required to add the Google Cloud Storage app on Prisma SaaS:
New Private Key
A P12 format private key certificate issued from your Google service account. This required certificate is uploaded on Prisma SaaS when adding the Google Cloud Storage app.
Private Key Password
The default password for the new private key.
Client ID
The client ID is entered when enabling Google Cloud Storage domain-wide delegation, and on Prisma SaaS when adding the Google Cloud Storage app.
Google Administrator email
The email entered to create a service account in Google Cloud Storage, and on Prisma SaaS when adding the Google Cloud Storage app.
  1. Log in to Google Developer Console as the Google Cloud Storage administrator.
    If you have not used the Developer Console before, to the Google Cloud Platform Terms of Service. Otherwise, proceed to the next step.
  2. Create a new project from GCP.
    1. At the top of the screen, open your project list, then
    2. Name your project (for example, Prisma SaaS GCP), select your organization (domain), then the project.
  3. Authorize OAuth consent for the new project.
    1. Select APIs & Services > OAuth consent screen.
    2. Select the user type, then
    3. Specify an Application name (for example, Prisma SaaS) and Support email.
    4. Specify Authorized domain, the domain name for your Google Administrator email, then to authorize.
  4. Create the Service Account Key for the new project.
    1. Select APIs & Services.
    2. Select Service account and specify a Service account name (for example, Prisma SaaS), which automatically populates the Service account ID, then, authorizing no optional permissions or access.
  5. Enable Domain-wide Delegation for the new service account.
    GCP creates a service account client when domain-wide delegation is enabled on a service account.
    1. Select APIs & Services > Manage service accounts.
    2. Locate the service account, then
    3. Select Enable G Suite Domain-wide Delegation.
    4. Select ADD KEY, then without specifying a role.
      After GCP issues a default password and new private key, your browser automatically downloads the new private key to your computer.
    5. Store the default password and key in a secure location, as the key cannot be recovered if lost.
      Prisma SaaS requires this key when you Add Google Cloud Storage App.
    6. Save your changes.
  6. Retrieve and save the Client ID for the new service account client.
    1. Select APIs & Services > Service Accounts: Manage service accounts.
    2. In Domain wide delegation, click View Client ID, then copy and save the Client ID.
  7. Enable API access for the new service account.
    1. Select Prisma SaaS GCP.
    2. Select APIs & Services.
    3. Search for and enable the following APIs:
      • Google Admin SDK
      • Google Cloud Resource Manager API
      • Google Cloud Storage API
      • Google Cloud Pub/Sub API
  8. Log in to Google Admin Account as the Google Cloud Storage Administrator.
  9. Enable API client access to Google Cloud Storage.
    1. Select App access control (API Controls) > Domain wide Delegation.
    2. Click Add new, then specify the Client ID and required scopes.
      • In Client Name, enter the Client ID that you saved in step 6.
      • In One or More API Scopes, copy and paste the following scope, then access to data in Google services.
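The Client ID and scope allow-list configured in step 9 is what Google's token endpoint consults when the service account asks for a token on behalf of the administrator (the JWT bearer grant that underlies domain-wide delegation). The Go program below is an added example, not Prisma SaaS or Google code: it builds and RS256-signs the assertion a service account sends (iss = service account email, sub = the delegated Google Administrator email, scope, aud = token endpoint) and then models the server-side checks, including rejecting a scope that was never granted to that Client ID. The e-mail addresses, the Client ID and the scope URLs are constructed placeholders, a freshly generated RSA key stands in for the P12 key, and VerifyAssertion is a simplified model of the endpoint's checks, not Google's implementation.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// TokenURI is the audience ("aud") of a Google service-account assertion.
const TokenURI = "https://oauth2.googleapis.com/token"

// Claims is the JWT claim set of an RFC 7523 bearer assertion. With domain-wide
// delegation, "sub" names the Workspace user (the Google Administrator) being impersonated.
type Claims struct {
	Iss   string `json:"iss"`   // service account email
	Sub   string `json:"sub"`   // delegated user email
	Scope string `json:"scope"` // space-separated OAuth scopes
	Aud   string `json:"aud"`   // token endpoint
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignAssertion serialises header.claims and signs it with RS256 using the
// service account's private key (in production, the key inside the P12 file).
func SignAssertion(key *rsa.PrivateKey, c Claims) (string, error) {
	header := []byte(`{"alg":"RS256","typ":"JWT"}`)
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// Delegation models the Admin console allow-list: Client ID -> scopes it may request.
type Delegation map[string]map[string]bool

// VerifyAssertion models what the token endpoint checks before issuing a delegated
// access token: signature under the registered key, audience, lifetime, and that
// every requested scope was granted to this Client ID under domain-wide delegation.
func VerifyAssertion(tok string, pub *rsa.PublicKey, clientID string, dwd Delegation, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed assertion")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, errors.New("signature does not match the service account key")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if c.Aud != TokenURI {
		return c, errors.New("wrong audience")
	}
	if now.Unix() >= c.Exp || c.Exp-c.Iat > 3600 {
		return c, errors.New("assertion expired or lifetime exceeds one hour")
	}
	for _, s := range strings.Fields(c.Scope) {
		if !dwd[clientID][s] { // nil map lookup is false: unknown client gets nothing
			return c, fmt.Errorf("scope %s not granted to client %s", s, clientID)
		}
	}
	return c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the P12 key (constructed)
	const clientID = "000000000000000000000"       // placeholder Client ID (constructed)
	dwd := Delegation{clientID: {"https://www.googleapis.com/auth/devstorage.read_only": true}}
	now := time.Now()
	c := Claims{Iss: "scanner@example-project.iam.gserviceaccount.com", Sub: "admin@example.com",
		Scope: "https://www.googleapis.com/auth/devstorage.read_only",
		Aud:   TokenURI, Iat: now.Unix(), Exp: now.Unix() + 3600}
	tok, _ := SignAssertion(key, c)
	_, err := VerifyAssertion(tok, &key.PublicKey, clientID, dwd, now)
	fmt.Println("granted scope, error:", err)
	c.Scope += " https://www.googleapis.com/auth/admin.directory.user" // not in the allow-list
	tok, _ = SignAssertion(key, c)
	_, err = VerifyAssertion(tok, &key.PublicKey, clientID, dwd, now)
	fmt.Println("ungranted scope, error:", err)
}
```

The point for the operator is that the scopes pasted in step 9 are the only ones the Client ID can ever obtain, regardless of what the service account key can sign; granting the minimum set keeps a leaked P12 key from reaching data the scanner does not need.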

Add Google Cloud Storage App

Before you add the Google Cloud Storage app, you must Create Service Account for Google Cloud Storage.
  1. From Prisma SaaS, Add a Cloud App.
  2. Select Google Cloud Storage and then Connect to Account.
  3. Enter the Google Administrator Email and the Service account ID that you saved in 4.b.
  4. Upload the P12 private key that GCP issued in 5.d.
  5. Click to add the cloud app.
  6. Review the initial project scan discoveries and select the projects to monitor.
    If you cancel the setup at any time, you must start over again.
    1. Enable Automatically scan new projects to scan all new projects.
    2. To select individual projects, select the projects to scan from the list.
    3. Save your scan setting to proceed with scanning all discovered projects.
    4. Cancel if you do not want to proceed with scanning the discovered projects.
  7. Review the initial bucket scan discoveries and select the buckets to monitor.
    1. Enable Scan all current and any new buckets to scan all new buckets.
    2. To select individual buckets, select the buckets to scan from the list.
    3. Save your scan setting to proceed with scanning all discovered buckets.
    4. Cancel if you do not want to proceed with scanning the discovered buckets.
      After authentication, Prisma SaaS adds the new Google Cloud Storage app to the Cloud Apps list as Google Cloud Storage followed by a number, which is the number of Google Cloud Storage app instances that you have connected to Prisma SaaS. For example, if you added one Google Cloud Storage app, the name displays as Google Cloud Storage 1. You’ll specify a descriptive name soon.
      From this point forward, keep this project exclusively for Prisma SaaS. Do not revoke, disable authorization, or change the project in any way. If you do, Prisma SaaS stops scanning.
  8. Next Step: Proceed to Identify Risks.

Identify Risks

Select the projects and buckets that you want Prisma SaaS to monitor.
When you add a new cloud app and enable scanning, Prisma SaaS automatically scans the cloud app against the default data patterns and displays the match occurrences. You can take action now to improve your scan results and identify risks.
  1. Start scanning the new Google Cloud Storage app for risks.
  2. During the discovery phase, Prisma SaaS scans files and matches them against enabled default policy rules.
    Verify that your default policy rules are effective. If the results don’t capture all risks or you see false positives, proceed to the next step.
  3. ( ) Add new policy rules.
    Consider the business use of your app, then identify risks unique to your enterprise. As necessary, add new:
  4. ( ) Configure or edit a data pattern.
    You can Configure Data Patterns to identify specific strings of text, characters, words, or patterns, making it possible to find all instances of text that match a data pattern you specify.

View Scan Settings for Project and Buckets

When you added the cloud app, you configured the projects and buckets you want Prisma SaaS to monitor. You can view the scan settings for the projects and buckets that are currently being scanned.
  1. Log in to Prisma SaaS.
  2. Select Cloud App and Scan Settings.
  3. Select a Google Cloud Storage app from the list of Cloud Apps and expand it to view the scan details.

Customize Google Cloud Storage App

If you plan to manage more than one instance of the Google Cloud Storage app, consider differentiating your instances.
  1. ( ) Give a descriptive name to this app instance.
    1. Select the Google Storage link on the Cloud Apps list.
    2. Enter a descriptive name.
    3. Click to save your changes.

Fix Google Cloud Storage Onboarding Issues

The most common issues related to onboarding the Google Cloud Storage app are as follows:
Your onboarding and initial discovery went smoothly, but there appears to be a delay in subsequent discovery.
Google's APIs allow a set amount of event updates (API calls) in a specific period. This throttling ensures maximum uptime of SaaS apps.
Prisma SaaS promptly requests event updates from Google, but this limit (quota) results in a latency in event delivery, depending on the amount of data being requested.
This latency is most noticeable when updates occur immediately after onboarding.
Wait 24 hours after onboarding before you remediate in bulk or, alternatively, configure automatic remediation. Waiting enables you to see all your data in context before you make strategic policy decisions.
Timestamps for all events remain accurate—as of the actual event.
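To show why a per-period API quota turns into delivery latency rather than lost events, here is an added Go simulation, not Prisma SaaS or Google code. It models an API that accepts a fixed number of calls per window and rejects the rest with a quota error, and a polling client that retries with capped exponential backoff; the returned delays show each event arriving later than it was requested even though none is dropped, which is the behaviour described above. The quota, window, event count and backoff values are constructed for the illustration and are not Google's actual limits.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrQuota is the rejection a client sees once the per-window call budget is spent.
var ErrQuota = errors.New("quota exceeded for this window")

// QuotaAPI models a throttled event API: at most limit calls per window; each
// successful call returns one pending event. Time is passed in by the caller so
// the simulation runs instantly instead of sleeping.
type QuotaAPI struct {
	limit       int
	window      time.Duration
	windowStart time.Time
	used        int
	events      []string
}

// NewQuotaAPI seeds the API with n pending events named event-1 .. event-n (constructed data).
func NewQuotaAPI(limit int, window time.Duration, n int, start time.Time) *QuotaAPI {
	api := &QuotaAPI{limit: limit, window: window, windowStart: start}
	for i := 1; i <= n; i++ {
		api.events = append(api.events, fmt.Sprintf("event-%d", i))
	}
	return api
}

// Pending reports how many events have not yet been delivered.
func (a *QuotaAPI) Pending() int { return len(a.events) }

// Fetch returns the next event, or ErrQuota if the current window's budget is exhausted.
func (a *QuotaAPI) Fetch(now time.Time) (string, error) {
	if now.Sub(a.windowStart) >= a.window { // window rolled over: budget resets
		a.windowStart, a.used = now, 0
	}
	if a.used >= a.limit {
		return "", ErrQuota
	}
	a.used++ // every accepted call counts against the quota, even an empty one
	if len(a.events) == 0 {
		return "", nil
	}
	ev := a.events[0]
	a.events = a.events[1:]
	return ev, nil
}

// DrainWithBackoff polls until every event is delivered, waiting base, 2*base, ...
// up to maxWait after each quota rejection and resetting after a success. It returns
// the delivery delay of each event relative to start and the number of rejected calls.
func DrainWithBackoff(api *QuotaAPI, start time.Time, base, maxWait time.Duration) ([]time.Duration, int) {
	var delays []time.Duration
	rejected := 0
	now, wait := start, base
	for api.Pending() > 0 {
		if _, err := api.Fetch(now); errors.Is(err, ErrQuota) {
			rejected++
			now = now.Add(wait) // the client sleeps; the event keeps waiting, it is not lost
			wait *= 2
			if wait > maxWait {
				wait = maxWait
			}
			continue
		}
		wait = base
		delays = append(delays, now.Sub(start))
	}
	return delays, rejected
}

func main() {
	start := time.Now()
	api := NewQuotaAPI(4, time.Minute, 10, start) // constructed: 4 calls per minute, 10 queued events
	delays, rejected := DrainWithBackoff(api, start, 5*time.Second, time.Minute)
	for i, d := range delays {
		fmt.Printf("event-%d delivered after %v\n", i+1, d)
	}
	fmt.Println("rejected calls:", rejected)
}
```

With these constructed numbers the first four events arrive immediately, the next four only once the window rolls over, and the last two a full window later still, so a backlog created at onboarding drains in quota-sized batches; the event timestamps carried inside each update are unaffected by when the client managed to fetch them.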
