Begin Scanning a Google Cloud Storage App
Add your Google Cloud Storage app to Prisma SaaS to begin scanning and monitoring assets for possible security risks.
Before you begin scanning a Google Cloud Storage app, you must create a service account and enable Administrator and client API access.
To connect Google Cloud Storage app to Prisma SaaS and begin scanning assets, you need to:
- Create a service account from Google Cloud Console.
- Enable Administrator and client API access from Google Admin Console.
- Add the Google Cloud Storage app to Prisma SaaS.
- Configure initial scan settings.
For information on which automated remediation capabilities Prisma SaaS supports with Google Cloud Storage, refer to Supported Applications with Remediation.
Create Service Account for Google Cloud Storage
As you prepare the Google Cloud Storage account, take note of the following values, as they are required to add the Google Cloud Storage app on Prisma SaaS:
New Private Key
A P12 format private key certificate issued from your Google service account. This required certificate is uploaded on Prisma SaaS when adding the Google Cloud Storage app.
Private Key Password
The default password for the new private key.
The client ID is entered when enabling Google Cloud Storage domain-wide delegation, and on Prisma SaaS when adding the Google Cloud Storage app.
Google Administrator email
The email entered to create a service account in Google Cloud Storage, and on Prisma SaaS when adding the Google Cloud Storage app.
- Log in to Google Developer Console as the Google Cloud Storage administrator.If you have not used the Developer Console before,Agreeto the Google Cloud Platform Terms of Service. Otherwise, proceed to the next step.
- Create a new project from GCP.
- At the top of the screen, open your project list, then.NEW PROJECT
- Name your project (for example,Prisma SaaS GCP), select your organization (domain), thenCREATEthe project.
- Authorize OAuth consent for the new project.
- Select.APIs & ServicesOAuth consent screen
- SelectInternaluser type, thenCREATE.
- Specify anApplication name(for example,Prisma SaaS) andSupport email.
- SpecifyAuthorized domain—the domain name for your Google Administrator email, thenSAVEto authorize.
- Create the Service Account Key for the new project.
- Select.APIs & ServicesCredentialsCREATE CREDENTIALS
- SelectService accountand specify aService account name(for example,Prisma SaaS), which automatically populates theService account ID, then, authorizing no optional permissions or access.CREATECONTINUEDONE
- Enable Domain-wide Delegation for the new service account.GCP creates a service account client when domain-wide delegation is enabled on a service account.
- Select.APIs & ServicesCredentialsManage service accounts
- Locate the service account, then.ActionsEdit
- SelectEnable G Suite Domain-wide Delegation.
- Select, thenADD KEYP12without specifying a role.CREATEAfter GCP issues a default password and new private key, your browser automatically downloads the new private key to your computer.
- Store the default password and key to a secure location as the key cannot be recovered if lost.
- Saveyour changes.
- Retrieve and save the Client ID for the new service account client.
- Select.APIs & ServicesCredentialsService Accounts: Manage service accounts
- InDomain wide delegation, clickView Client ID, then copy and save theClient ID.
- Enable API access for the new service account.
- SelectPrisma SaaS GCPproject.
- Select.APIs & Services+ ENABLE APIS AND SERVICES
- Search for andENABLEthe following APIs:
- Google Admin SDK
- Google Cloud Resource Manager API
- Google Cloud Storage API
- Google Cloud Pub/Sub API
- Log in to Google Admin Account as the Google Cloud Storage Administrator.
- Enable API client access to Google Cloud Storage.
- Select.SecurityApp access control (API Controls)Domain wide DelegationMANAGE DOMAIN WIDE DELEGATION
- ClickAdd new, then specify Client ID and required scopes.
- InClient Name, enter theClient IDthat you saved in 6.
- InOne or More API S copes, copy and paste the following scope, thenAUTHORIZEaccess to data in Google services.https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/devstorage.read_write,https://www.googleapis.com/auth/admin.directory.group
Add Google Cloud Storage App
- From the Prisma SaaSDashboard,Add a Cloud App.
- SelectGoogle Cloud Storageand thenConnect to Account.
- Enter the GoogleAdministrator EmailandService account IDthat you saved in 4.b.
- Upload P12CertificateGCP issued GCP in 5.d.
- ClickNextto add the cloud app.
- Review the initial project scan discoveries and select the projects to monitor.If youCancelthe setup at any time, you must start over again.
- EnableAutomatically scan new projectsto scan all new projects.
- To select individual projects, select theProjectto scan from the list.
- Saveyour scan setting to proceed scanning all discovered projects.
- Cancelif you do not want to proceed with scanning the discovered projects.
- Review the initial bucket scan discoveries and select the buckets to monitor.
- EnableScan all current and any new bucketsto scan all new buckets.
- To select individual buckets, select theBucketto scan from the list.
- Saveyour scan setting to proceed scanning all discovered buckets.
- Cancelif you do not want to proceed with scanning the discovered buckets.After authentication, Prisma SaaS adds the new Google Cloud Storage app to the Cloud Apps list asGoogle Cloud Storagen,wherenis the number of Google Cloud Storage app instances that you have connected to Prisma SaaS. For example, if you added one Google Cloud Storage app, the name displays asGoogle Cloud Storage 1. You’ll specify a descriptive name soon.From this point forward, keep this project exclusively for Prisma SaaS. Do not revoke, disable authorization, or change the project in any way. If you do, Prisma SaaS stops scanning.
- Next Step: Proceed to Identify Risks.
Select the projects and buckets that you want Prisma SaaS to monitor.
When you add a new cloud app and enable scanning, Prisma SaaS automatically scans the cloud app against the default data patterns and displays the match occurrences. You can take action now to improve your scan results and identify risks.
- Start scanning the new Google Cloud Storage app for risks.
- During the discovery phase, Prisma SaaS scans files and matches them against enabled default policy rules.Verify that your default policy rules are effective. If the results don’t capture all risks or you see false positives, proceed to the next step.
- (Optional) Configure or edit a data pattern.
- Next Step: Proceed to View Scan Settings for Project and Buckets.
View Scan Settings for Project and Buckets
When you added the cloud app, you configured the projects and buckets you want Prisma SaaS to monitor. You can view the scan settings for the
Bucketsthat are currently being scanned.
- Log in to Prisma SaaS.
- Select.SettingsCloud App and Scan Settings
- Select a Google Cloud Storage app from the list ofCloud Appsand expand theProjectsBucketsto view the scan details.
Customize Google Cloud Storage App
If you plan to manage more than one instance of Google Cloud Storage app, consider differentiating your instances.
- (Optional) Give a descriptive name to this app instance.
- Select the Google Storagenlink on the Cloud Apps list.
- Enter a descriptiveName.
- ClickDoneto save your changes.
- Next Step: Proceed to Fix Google Cloud Storage Onboarding Issues.
Fix Google Cloud Storage Onboarding Issues
The most common issues related to onboarding the Google Cloud Storage app are as follows:
Your onboarding and initial discovery went smoothly, but there appears to be a delay in subsequent discovery.
Google's APIs allows for a set amount of event updates (API calls) in a specific period. This throttling ensures maximum uptime of SaaS apps.
Prisma SaaS promptly requests event updates from Google, but this limit (quota) results in a latency in event delivery, depending on the amount of data being requested.
This latency is most noticeable when updates occur immediately after onboarding.
Recommended For You
Recommended videos not found.