Begin Scanning a Google Cloud Storage App

Add your Google Cloud Storage app to Prisma SaaS to begin scanning and monitoring assets for possible security risks.
Before you begin scanning a Google Cloud Storage app, you must create a service account in Google Cloud and enable Administrator and client API access in the Google Admin console.
To connect the Google Cloud Storage app to Prisma SaaS and begin scanning assets, you need to:
  • Create a service account from Google Cloud Console.
  • Enable Administrator and client API access from Google Admin Console.
  • Add the Google Cloud Storage app to Prisma SaaS.
  • Configure initial scan settings.
For information on which automated remediation capabilities Prisma SaaS supports with Google Cloud Storage, refer to Supported Applications with Remediation.

Create Service Account for Google Cloud Storage

As you prepare the Google Cloud Storage account, take note of the following values, as they are required to add the Google Cloud Storage app on Prisma SaaS:
  • New Private Key: A P12-format private key issued for your Google service account. This required key file is uploaded to Prisma SaaS when adding the Google Cloud Storage app.
  • Private Key Password: The default password that GCP assigns to the new P12 key (notasecret).
  • Client ID: The client ID of the service account client. It is entered when enabling Google Cloud Storage domain-wide delegation in the Google Admin console, and on Prisma SaaS when adding the Google Cloud Storage app.
  • Google Administrator email: The administrator email used to create the service account in Google Cloud, and entered on Prisma SaaS when adding the Google Cloud Storage app.
  1. Log in to the Google Developer Console as the Google Cloud Storage administrator.
    If you have not used the Developer Console before, Agree to the Google Cloud Platform Terms of Service. Otherwise, proceed to the next step. [g-suite-terms.png]
  2. Create a new project in GCP.
    1. At the top of the screen, open your project list, then select NEW PROJECT.
    2. Name your project (for example, Prisma SaaS GCP), select your organization (domain), then CREATE the project. [gcp-create-project.png]
  3. Authorize OAuth consent for the new project.
    1. Select APIs & Services > OAuth consent screen.
    2. Select the Internal user type, then CREATE.
    3. Specify an Application name (for example, Prisma SaaS) and a Support email.
    4. Specify the Authorized domain (the domain name of your Google Administrator email), then SAVE to authorize. [gcp-oauth-consent.png]
  4. Create the service account for the new project. [gcp-credentials-api-manager.png]
    1. Select APIs & Services > Credentials > CREATE CREDENTIALS.
    2. Select Service account and specify a Service account name (for example, Prisma SaaS), which automatically populates the Service account ID, then CREATE > CONTINUE > DONE, granting no optional roles or user access. The account needs no IAM role in the project; its access comes from the domain-wide delegation scopes authorized in step 9. [gcp-service-account-key.png]
  5. Enable domain-wide delegation and create a P12 key for the new service account.
    GCP creates a service account client (with its own Client ID) when domain-wide delegation is enabled on a service account. [gcp-service-account-manage.png]
    1. Select APIs & Services > Credentials > Manage service accounts.
    2. Locate the service account, then Actions > Edit.
    3. Select Enable G Suite Domain-wide Delegation.
    4. Select ADD KEY > P12, then CREATE without specifying a role.
      GCP issues the new private key and your browser automatically downloads it (a .p12 file) to your computer. The key is protected only by the GCP default password (notasecret), so the file itself is the secret. [gcp-private-key-download.png]
    5. Store the key and its password in a secure location (a secrets manager, not a shared drive or mailbox); GCP cannot recover the key if it is lost, and anyone holding the file can act as the delegated service account across your domain. Prisma SaaS requires this key when you Add Google Cloud Storage App.
    6. Save your changes.
  6. Retrieve and save the Client ID for the new service account client.
    1. Select APIs & Services > Credentials > Service Accounts: Manage service accounts.
    2. Under Domain wide delegation, click View Client ID, then copy and save the Client ID. [gcp-clientID-copy.png]
  7. Enable API access for the new project.
    1. Select the Prisma SaaS GCP project.
    2. Select APIs & Services > + ENABLE APIS AND SERVICES.
    3. Search for and ENABLE the following APIs:
      • Google Admin SDK
      • Google Cloud Resource Manager API
      • Google Cloud Storage API
      • Google Cloud Pub/Sub API
    [gcp-enable-apis.png]
  8. Log in to the Google Admin console as the Google Cloud Storage administrator.
  9. Enable API client access to Google Cloud Storage.
    1. Select Security > App access control (API Controls) > Domain wide Delegation > MANAGE DOMAIN WIDE DELEGATION. [gcp-api-controls.png]
    2. Click Add new, then specify the Client ID and the required scopes.
      • In Client Name, enter the Client ID that you saved in step 6.
      • In One or More API Scopes, copy and paste the following comma-separated scope list exactly as shown, then AUTHORIZE access to data in Google services:
        https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/devstorage.read_write,https://www.googleapis.com/auth/admin.directory.group
      These scopes define everything the key holder can do in your domain: devstorage.read_write is what allows Prisma SaaS to remediate objects, and cloud-platform is broad. Authorize exactly this list, add nothing to it, and do not reuse this Client ID for any other integration.
      [gcp-api-client-manage-access.png]
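The GCP side of steps 2, 4, 5.d and 7 can be scripted with gcloud, and the scope list pasted into the Admin console in step 9 is easy to get subtly wrong (a stray space, a dropped scope, or a broader one added later). The following script is an added example, not Prisma SaaS or Google code: it provisions the project, service account, APIs and P12 key, prints the OAuth2 client ID for the Admin console, and checks a granted scope list against the required set, failing on both missing and extra scopes. The project ID prisma-saas-gcp and the service account name prisma-saas are assumed names; the domain-wide delegation steps themselves (5.c and 9) have no gcloud equivalent and remain manual.

```shell
#!/bin/sh
# Added example (not Prisma SaaS or Google code): gcloud equivalent of the
# GCP steps above, plus an exact-match check of the authorised scope list.
# Assumed names: project ID prisma-saas-gcp, service account prisma-saas.

# Scope list from step 9, exactly as it must be pasted into the Admin console.
REQUIRED_SCOPES='https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/devstorage.read_write,https://www.googleapis.com/auth/admin.directory.group'

# Turn a comma-separated scope string (stray spaces, CRLF tolerated) into
# one trimmed scope per line, sorted and de-duplicated.
normalise_scopes() {
  printf '%s\n' "$1" | tr ',' '\n' | tr -d ' \t\r' | grep -v '^$' | sort -u
}

# Compare the scopes granted to the client ID against REQUIRED_SCOPES.
# Prints one MISSING:/EXTRA: line per discrepancy and returns 0 only when the
# two sets are identical, so an over-broad grant fails as loudly as a gap.
# Exact line matching (grep -Fx) keeps cloud-platform from matching
# cloud-platform.read-only.
check_delegation_scopes() {
  granted=$(normalise_scopes "$1")
  required=$(normalise_scopes "$REQUIRED_SCOPES")
  status=0
  for s in $required; do
    printf '%s\n' "$granted" | grep -Fxq "$s" || { echo "MISSING: $s"; status=1; }
  done
  for s in $granted; do
    printf '%s\n' "$required" | grep -Fxq "$s" || { echo "EXTRA: $s"; status=1; }
  done
  return $status
}

# Steps 2, 4, 5.d and 7 with gcloud (needs an authenticated gcloud session and
# permission to create projects in the organization).
provision_prisma_project() {
  project_id="$1"   # e.g. prisma-saas-gcp (assumed)
  org_id="$2"       # numeric organization ID
  sa_name="prisma-saas"
  sa_email="${sa_name}@${project_id}.iam.gserviceaccount.com"

  gcloud projects create "$project_id" --organization="$org_id" --name="Prisma SaaS GCP"
  gcloud services enable --project="$project_id" \
    admin.googleapis.com cloudresourcemanager.googleapis.com \
    storage.googleapis.com pubsub.googleapis.com
  # No IAM role is bound, matching "authorizing no optional permissions" above.
  gcloud iam service-accounts create "$sa_name" --project="$project_id" \
    --display-name="Prisma SaaS"
  # P12 key written to the current directory; gcloud protects it with the GCP
  # default password "notasecret", so file permissions are the real control.
  gcloud iam service-accounts keys create prisma-saas.p12 \
    --iam-account="$sa_email" --key-file-type=p12
  chmod 600 prisma-saas.p12
  # The OAuth2 client ID is the value for the Admin console's "Client Name".
  gcloud iam service-accounts describe "$sa_email" --format='value(oauth2ClientId)'
}

# Usage: sh prisma_gcp.sh provision PROJECT_ID ORG_ID
#        sh prisma_gcp.sh check "<scope list copied from the Admin console>"
case "${1:-}" in
  provision) provision_prisma_project "$2" "$3" ;;
  check)     check_delegation_scopes "$2" ;;
  *)         ;;
esac
```

Run the check after step 9, and again whenever someone edits the delegation entry: copy the scope string shown under MANAGE DOMAIN WIDE DELEGATION and pass it to `check`; a non-zero exit with EXTRA: lines means the client ID has been granted more than Prisma SaaS needs.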

Add Google Cloud Storage App

Before you add the Google Cloud Storage app, you must Create Service Account for Google Cloud Storage.
  1. From the Prisma SaaS Dashboard, Add a Cloud App. [google-storage-tile-frame.png]
  2. Select Google Cloud Storage and then Connect to Account.
  3. Enter the Google Administrator Email and the Service account ID that you saved in step 4.b.
  4. Upload the P12 Certificate that GCP issued in step 5.d.
  5. Click Next to add the cloud app. [google-storage-enter-information.png]
  6. Review the initial project scan discoveries and select the projects to monitor.
    If you Cancel the setup at any time, you must start over again.
    1. Enable Automatically scan new projects to scan all new projects.
    2. To select individual projects, select each Project to scan from the list.
    3. Save your scan settings to proceed with scanning the projects you selected.
    4. Cancel if you do not want to proceed with scanning the discovered projects.
  7. Review the initial bucket scan discoveries and select the buckets to monitor.
    1. Enable Scan all current and any new buckets to scan all current and new buckets.
    2. To select individual buckets, select each Bucket to scan from the list.
    3. Save your scan settings to proceed with scanning the buckets you selected.
    4. Cancel if you do not want to proceed with scanning the discovered buckets.
    After authentication, Prisma SaaS adds the new Google Cloud Storage app to the Cloud Apps list as Google Cloud Storage n, where n is the number of Google Cloud Storage app instances that you have connected to Prisma SaaS. For example, if you added one Google Cloud Storage app, the name displays as Google Cloud Storage 1. You can give it a descriptive name later (see Customize Google Cloud Storage App).
    From this point forward, keep this project exclusively for Prisma SaaS. Do not revoke the key, disable the authorization, or change the project in any way. If you do, Prisma SaaS stops scanning.
  8. Next Step: Proceed to Identify Risks.

Identify Risks

Select the projects and buckets that you want Prisma SaaS to monitor.
When you add a new cloud app and enable scanning, Prisma SaaS automatically scans the cloud app against the default data patterns and displays the match occurrences. You can take action now to improve your scan results and identify risks.
  1. Start scanning the new Google Cloud Storage app for risks.
  2. During the discovery phase, Prisma SaaS scans files and matches them against enabled default policy rules.
    Verify that your default policy rules are effective. If the results don’t capture all risks or you see false positives, proceed to the next step.
  3. (Optional) Add new policy rules.
    Consider the business use of your app, then identify risks unique to your enterprise. As necessary, add new:
  4. (Optional) Configure or edit a data pattern.
    You can Configure Data Patterns to identify specific strings of text, characters, words, or patterns, which makes it possible to find all instances of text that match a data pattern you specify.

View Scan Settings for Project and Buckets

When you added the cloud app, you configured the projects and buckets you want Prisma SaaS to monitor. You can view the scan settings for the Projects and Buckets that are currently being scanned.
  1. Log in to Prisma SaaS.
  2. Select Settings > Cloud App and Scan Settings.
  3. Select a Google Cloud Storage app from the list of Cloud Apps and expand Projects or Buckets to view the scan details. [google-storage-monitor-scanning.png]

Customize Google Cloud Storage App

If you plan to manage more than one instance of the Google Cloud Storage app, consider differentiating your instances.
  1. (Optional) Give a descriptive name to this app instance.
    1. Select the Google Cloud Storage n link on the Cloud Apps list.
    2. Enter a descriptive Name.
    3. Click Done to save your changes.

Fix Google Cloud Storage Onboarding Issues

The most common issues related to onboarding the Google Cloud Storage app are as follows:
Symptom: Your onboarding and initial discovery went smoothly, but there appears to be a delay in subsequent discovery.
Explanation: Google's APIs allow a set number of event updates (API calls) in a given period. This throttling ensures maximum uptime of SaaS apps. Prisma SaaS promptly requests event updates from Google, but this limit (quota) results in latency in event delivery, depending on the amount of data being requested. The latency is most noticeable when updates occur immediately after onboarding.
Solution: Wait 24 hours after onboarding before you remediate in bulk or, alternatively, configure automatic remediation. Waiting lets you see all your data in context before you make strategic policy decisions. Timestamps for all events remain accurate, as of the actual event.
