Begin Scanning a Google Cloud Storage App

Before you begin scanning a Google Cloud Storage app, you must create a service account and enable Administrator and client API access. As you prepare the Google Cloud Storage account, take note of the following values, which you need to set up the app on Prisma SaaS:
| Item | Description |
| --- | --- |
| New Private Key | A P12 format private key certificate issued from your Google service account. This required certificate is uploaded on Prisma SaaS when adding the Google Cloud Storage app. |
| Private Key Password | The default password for the new private key. |
| Client ID | The client ID is entered when enabling Google Cloud Storage domain-wide delegation, and on Prisma SaaS when adding the Google Cloud Storage app. |
| Google Administrator email | The email entered to create a service account in Google Cloud Storage, and on Prisma SaaS when adding the Google Cloud Storage app. |
  1. Create a service account in Google for Google Cloud Storage.
    1. Log in to Google Developer Console as the Google Cloud Storage administrator.
      If you have not used the Developer Console before, Agree to the Google Cloud Platform Terms of Service.
    2. At the top of the screen next to your most recent project name, open your projects list, and then Create a new project.
    3. Select your organization (domain) and add your new project.
    4. Name your project and Create.
    5. Click Notifications and Create Project: <project name>.
    6. Search for Credentials.
    7. Select OAuth Consent screen and enter Prisma SaaS Google Cloud Storage in Product Name Shown to Users and Save the project.
    8. Select Credentials > Create Credentials > Service Account Key.
    9. Select New Service Account and enter a service account name. Select P12 for Key Type and Create the service account key.
      Select Create Without Role if a warning message displays.
    10. When the default password and new private key are issued, Save to your computer.
      Store the private key securely because the key cannot be recovered if lost, and is required for adding the Google Cloud Storage app on Prisma SaaS.
    11. Select Credentials > Manage Service Accounts.
    12. Click the three dots to the right of the service account you created and select Edit.
    13. Enable G Suite Storage Domain-wide Delegation and Save the setting.
    14. Click View Client ID for <project name>.
      Note the value of the Client ID, and Save the ID.
  2. Enable API Access in Google Cloud Storage.
    1. In your account, select APIs & Services > Dashboard > Enable APIs and Services.
    2. Select Google Cloud Storage Admin SDK API, and then Enable the API.
    3. Go back to Dashboard > APIs & Services > Library and Enable the following APIs:
      1. Google Cloud Resource Manager API.
      2. Google Cloud Storage.
      3. Google Cloud Pub/Sub API.
  3. Enable API Client access to Google Cloud Storage.
    1. In a new browser window, log in to Google Admin Account as the Google Cloud Storage Administrator.
    2. Select Security > Show more.
    3. Select Advanced Settings > Manage API Client Access.
    4. Enter the Client ID previously noted in Client Name.
      Copy and paste the following scope in One or More API Scopes, and then Authorize access to data in Google services.
      https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/devstorage.read_write,https://www.googleapis.com/auth/admin.directory.group
  4. Add the Google Cloud Storage app.
    1. From the Prisma SaaS Dashboard, Add a Cloud App.
    2. Select Google Cloud Storage and then Click here to prepare your Google Cloud Storage Account.
    3. Enter the Google Administrator Email, the Service account ID previously noted, and click Certificate to browse and upload the P12 format private key certificate issued from your Google service account. Click Next.
  5. Review the initial project scan discoveries and select the projects to monitor.
    If you Cancel the setup at any time, you must start over again.
    1. Enable Automatically scan new projects to scan all new projects.
    2. To select individual projects, select the Project to scan from the list.
    3. Save your scan setting to proceed scanning all discovered projects.
    4. Cancel if you do not want to proceed with scanning the discovered projects.
  6. Review the initial bucket scan discoveries and select the buckets to monitor.
    1. Enable Scan all current and any new buckets to scan all new buckets.
    2. To select individual buckets, select the Bucket to scan from the list.
    3. Save your scan setting to proceed scanning all discovered buckets.
    4. Cancel if you do not want to proceed with scanning the discovered buckets.
  7. Add policy rules.
    When you add a new cloud app, Prisma SaaS automatically scans the app against the default data patterns and displays the match occurrences. As a best practice, consider the business use of Google Storage to determine whether you need to add new asset rules, security control rules, or user activity rules to look for risks unique to the new app.
  8. (Optional) Configure or edit a data pattern.
    When you add a new cloud app, Prisma SaaS automatically scans the app against the default data patterns and displays the match occurrences. You can Configure Data Patterns to identify specific strings of text, characters, words, or patterns to make it possible to find all instances of text that match a data pattern you specify.
  9. Start scanning the new Google Cloud Storage app for risks.
    1. Select Settings > Cloud Apps & Scan Settings.
    2. In the Cloud Apps row that corresponds to the new Google Cloud Storage app, select Actions > Start Scanning.
  10. Monitor the results of the scan.
    As Prisma SaaS starts scanning files and matching them against enabled policy rules, Monitor Scan Results on the Dashboard to verify that your policy rules are effective.
    Monitoring the progress of the scan during the discovery phase allows you to Fine-Tune Policy to modify the match criteria and ensure better results.
  11. (Optional) To view the status of the Projects and Buckets that are currently being scanned, select Settings > Cloud App and Scan Settings. Select a Google Cloud Storage App from the list of Cloud Apps and expand the Projects > Buckets to view the scan details.
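
The scope entry authorized in step 3 is what gives the service account domain-wide access, so it is worth checking that the value granted to the Client ID is exactly the four scopes listed there. The following Python check is an added example, not part of the Prisma SaaS documentation or product; the function name audit_scopes and the sample input are assumptions made for illustration.

```python
# Added example: audit a domain-wide delegation scope entry against the four
# scopes this page tells you to authorize for the Prisma SaaS client ID.
EXPECTED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.user.security",
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/devstorage.read_write",
    "https://www.googleapis.com/auth/admin.directory.group",
})
SCOPE_PREFIX = "https://www.googleapis.com/auth/"


def audit_scopes(entered: str) -> dict:
    """Compare a comma-separated scope string with the documented set."""
    malformed, seen, duplicates = [], set(), []
    for raw in entered.split(","):
        scope = raw.strip()
        if not scope:
            continue  # tolerate a trailing comma
        # A scope must be the exact prefix plus a non-empty name with no spaces.
        name = scope[len(SCOPE_PREFIX):]
        if not scope.startswith(SCOPE_PREFIX) or not name or " " in name:
            malformed.append(scope)
        elif scope in seen:
            duplicates.append(scope)
        else:
            seen.add(scope)
    return {
        "missing": sorted(EXPECTED_SCOPES - seen),
        "unexpected": sorted(seen - EXPECTED_SCOPES),
        "malformed": malformed,
        "duplicates": duplicates,
        "ok": seen == EXPECTED_SCOPES and not malformed and not duplicates,
    }


# Constructed sample: one scope mistyped as http://, one extra scope granted.
SAMPLE = (
    "https://www.googleapis.com/auth/admin.directory.user.security, "
    "https://www.googleapis.com/auth/cloud-platform,"
    "http://www.googleapis.com/auth/devstorage.read_write,"
    "https://www.googleapis.com/auth/admin.directory.group,"
    "https://www.googleapis.com/auth/drive"
)

if __name__ == "__main__":
    for key, value in audit_scopes(SAMPLE).items():
        print(f"{key}: {value}")
```

Any entry under unexpected is a scope delegated beyond what this setup calls for and should be reviewed before the grant is authorized.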
