Begin Scanning a Google Cloud Storage App

Add the GCP (Google Cloud Storage) app to SaaS Security API to begin scanning and monitoring assets for possible security risks.
Before you begin scanning a Google Cloud Storage app, you must create a service account and enable Administrator and client API access.
To connect Google Cloud Storage app to SaaS Security API and begin scanning assets, you need to:
  • Create a service account from Google Cloud Console.
  • Enable Administrator and client API access from Google Admin Console.
  • Add the Google Cloud Storage app to SaaS Security API.
  • Configure initial scan settings.
For information on which automated remediation capabilities SaaS Security API supports with Google Cloud Storage, refer to Supported Applications with Remediation.

Create Service Account for Google Cloud Storage

As you prepare the Google Cloud Storage account, take note of the following values, as they are required to add the Google Cloud Storage app on SaaS Security API:
  • New Private Key: A P12 format private key certificate issued from your Google service account. This required certificate is uploaded on SaaS Security API when adding the Google Cloud Storage app.
  • Private Key Password: The default password for the new private key.
  • Client ID: The client ID is entered when enabling Google Cloud Storage domain-wide delegation, and on SaaS Security API when adding the Google Cloud Storage app.
  • Google Administrator email: The email entered to create a service account in Google Cloud Storage, and on SaaS Security API when adding the Google Cloud Storage app.
  1. Log in to Google Developer Console as the Google Cloud Storage administrator.
    If you have not used the Developer Console before, Agree to the Google Cloud Platform Terms of Service. Otherwise, proceed to the next step.
  2. Create a new project from GCP.
    1. At the top of the screen, open your project list, then NEW PROJECT.
    2. Name your project (for example, SaaS Security API GCP), select your organization (domain), then CREATE the project.
  3. Authorize OAuth consent for the new project.
    1. Select APIs & Services > OAuth consent screen.
    2. Select the Internal user type, then CREATE.
    3. Specify an Application name (for example, SaaS Security API) and a Support email.
    4. Specify the Authorized domain (the domain name for your Google Administrator email), then SAVE to authorize.
  4. Create the Service Account Key for the new project.
    1. Select APIs & Services > Credentials > CREATE CREDENTIALS.
    2. Select Service account and specify a Service account name (for example, SaaS Security API), which automatically populates the Service account ID, then CREATE > CONTINUE > DONE, authorizing no optional permissions or access.
  5. Enable Domain-wide Delegation for the new service account.
    GCP creates a service account client when domain-wide delegation is enabled on a service account.
    1. Select APIs & Services > Credentials > Manage service accounts.
    2. Locate the service account, then Actions > Edit.
    3. Select Enable G Suite Domain-wide Delegation.
    4. Select ADD KEY > P12, then CREATE without specifying a role.
      After GCP issues a default password and new private key, your browser automatically downloads the new private key to your computer.
    5. Store the default password and key in a secure location, as the key cannot be recovered if lost.
      SaaS Security API requires this key when you Add Google Cloud Storage App.
    6. Save your changes.
  6. Retrieve and save the Client ID for the new service account client.
    1. Select APIs & Services > Credentials > Service Accounts: Manage service accounts.
    2. In Domain wide delegation, click View Client ID, then copy and save the Client ID.
  7. Enable API access for the new service account.
    1. Select the SaaS Security API GCP project.
    2. Select APIs & Services > + ENABLE APIS AND SERVICES.
    3. Search for and ENABLE the following APIs:
      • Google Admin SDK
      • Google Cloud Resource Manager API
      • Google Cloud Storage API
      • Google Cloud Pub/Sub API
  8. Log in to Google Admin Account as the Google Cloud Storage Administrator.
  9. Enable API client access to Google Cloud Storage.
    1. Select Security > App access control (API Controls) > Domain wide Delegation > MANAGE DOMAIN WIDE DELEGATION.
    2. Click Add new, then specify the Client ID and required scopes.
      • In Client Name, enter the Client ID that you saved in step 6.
      • In One or More API Scopes, copy and paste the following scopes, then AUTHORIZE access to data in Google services.
        https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/devstorage.read_write,https://www.googleapis.com/auth/admin.directory.group
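The scope string in step 9 is the part of this procedure that most often goes wrong in practice: a stray space, line break or trailing period from copy/paste silently grants the wrong scope, and a broader scope than listed (for example a full-control storage scope) over-delegates the service account client. The following is an added example, not code from the vendor documentation: it parses a pasted scope string the way the Admin console splits it (on commas; whitespace tolerance is this example's own assumption) and reports what is missing, what is broader than required, and what is not a scope URL at all. The function names and the sample strings are constructed for illustration.

```python
"""Check a pasted domain-wide delegation scope string against the scopes
SaaS Security API requires for Google Cloud Storage.

Added example, not part of the vendor documentation. Assumes the scopes
are entered as one comma-separated string as in step 9; the helper names
and sample inputs below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# The four scopes listed in step 9 of the procedure.
REQUIRED_SCOPES: frozenset[str] = frozenset({
    "https://www.googleapis.com/auth/admin.directory.user.security",
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/devstorage.read_write",
    "https://www.googleapis.com/auth/admin.directory.group",
})
SCOPE_PREFIX = "https://www.googleapis.com/auth/"


@dataclass
class ScopeCheck:
    missing: set[str] = field(default_factory=set)     # required but absent: onboarding fails
    extra: set[str] = field(default_factory=set)       # granted beyond the list: over-delegation
    malformed: list[str] = field(default_factory=list)  # not a Google OAuth scope URL at all

    @property
    def ok(self) -> bool:
        return not (self.missing or self.extra or self.malformed)


def parse_scopes(raw: str) -> list[str]:
    """Split a pasted scope string on commas (and, tolerantly, whitespace).

    Empty entries such as a trailing comma are dropped and duplicates are
    removed while keeping the first occurrence's position."""
    seen: list[str] = []
    for part in re.split(r"[,\s]+", raw):
        if part and part not in seen:
            seen.append(part)
    return seen


def check_scopes(raw: str, required: frozenset[str] = REQUIRED_SCOPES) -> ScopeCheck:
    """Compare the granted scope set with the required one."""
    result = ScopeCheck()
    granted = parse_scopes(raw)
    result.malformed = [s for s in granted if not s.startswith(SCOPE_PREFIX)]
    well_formed = {s for s in granted if s.startswith(SCOPE_PREFIX)}
    result.missing = set(required - well_formed)
    result.extra = set(well_formed - required)
    return result


def report(raw: str) -> list[str]:
    """Human-readable findings, one line each; empty list means the paste is exact."""
    r = check_scopes(raw)
    lines = [f"MISSING  {s}" for s in sorted(r.missing)]
    lines += [f"EXTRA    {s}" for s in sorted(r.extra)]
    lines += [f"INVALID  {s}" for s in r.malformed]
    return lines


# Constructed sample pastes: the exact string from step 9, one with a
# trailing period typed after the last scope, and one that grants a
# broader storage scope than the procedure lists.
EXACT_PASTE = (
    "https://www.googleapis.com/auth/admin.directory.user.security,"
    "https://www.googleapis.com/auth/cloud-platform,"
    "https://www.googleapis.com/auth/devstorage.read_write,"
    "https://www.googleapis.com/auth/admin.directory.group"
)
TRAILING_PERIOD_PASTE = EXACT_PASTE + "."
OVERBROAD_PASTE = EXACT_PASTE.replace("devstorage.read_write", "devstorage.full_control")

if __name__ == "__main__":
    for label, paste in [("exact", EXACT_PASTE),
                         ("trailing period", TRAILING_PERIOD_PASTE),
                         ("overbroad", OVERBROAD_PASTE)]:
        findings = report(paste)
        print(f"[{label}] {'OK' if not findings else 'FINDINGS'}")
        for line in findings:
            print("   ", line)
```

Run it before clicking AUTHORIZE with the string you are about to paste; a non-empty report means the client will either fail to authenticate (missing scope) or hold more access than this integration needs (extra scope).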

Add Google Cloud Storage App

Before you add the Google Cloud Storage app, you must Create Service Account for Google Cloud Storage.
  1. From the Dashboard, Add a Cloud App.
  2. Select Google Cloud Storage and then Connect to Account.
  3. Enter the Google Administrator Email and Service account ID that you saved in step 4.b.
  4. Upload the P12 Certificate that GCP issued in step 5.d.
  5. Click Next to add the cloud app.
  6. Review the initial project scan discoveries and select the projects to monitor.
    If you Cancel the setup at any time, you must start over again.
    1. Enable Automatically scan new projects to scan all new projects.
    2. To select individual projects, select the Project to scan from the list.
    3. Save your scan setting to proceed with scanning all discovered projects.
    4. Cancel if you do not want to proceed with scanning the discovered projects.
  7. Review the initial bucket scan discoveries and select the buckets to monitor.
    1. Enable Scan all current and any new buckets to scan all new buckets.
    2. To select individual buckets, select the Bucket to scan from the list.
    3. Save your scan setting to proceed with scanning all discovered buckets.
    4. Cancel if you do not want to proceed with scanning the discovered buckets.
      After authentication, SaaS Security API adds the new Google Cloud Storage app to the Cloud Apps list as Google Cloud Storage n, where n is the number of Google Cloud Storage app instances that you have connected to SaaS Security API. For example, if you added one Google Cloud Storage app, the name displays as Google Cloud Storage 1. You'll specify a descriptive name soon.
      From this point forward, keep this project exclusively for SaaS Security API. Do not revoke or disable authorization, or change the project in any way. If you do, SaaS Security API stops scanning.
  8. Next Step: Proceed to Identify Risks.

Identify Risks

Select the projects and buckets that you want SaaS Security API to monitor.
When you add a new cloud app and enable scanning, SaaS Security API automatically scans the cloud app against the default data patterns and displays the match occurrences. You can take action now to improve your scan results and identify risks.
  1. Start scanning the new Google Cloud Storage app for risks.
  2. During the discovery phase, SaaS Security API scans files and matches them against enabled default policy rules.
    Verify that your default policy rules are effective. If the results don’t capture all risks or you see false positives, proceed to the next step.
  3. (Optional) Add new policy rules.
    Consider the business use of your app, then identify risks unique to your enterprise. As necessary, add new:
  4. (Optional) Configure or edit a data pattern.
    You can Configure Data Patterns to identify specific strings of text, characters, words, or patterns, making it possible to find all instances of text that match a data pattern you specify.

View Scan Settings for Project and Buckets

When you added the cloud app, you configured the projects and buckets you want SaaS Security API to monitor. You can view the scan settings for the Projects and Buckets that are currently being scanned.
  1. Log in to SaaS Security.
  2. Select Settings > Cloud App and Scan Settings.
  3. Select a Google Cloud Storage app from the list of Cloud Apps and expand the Projects or Buckets to view the scan details.

Customize Google Cloud Storage App

If you plan to manage more than one instance of Google Cloud Storage app, consider differentiating your instances.
  1. (Optional) Give a descriptive name to this app instance.
    1. Select the Google Cloud Storage n link on the Cloud Apps list.
    2. Enter a descriptive Name.
    3. Click Done to save your changes.

Fix Google Cloud Storage Onboarding Issues

The most common issues related to onboarding the Google Cloud Storage app are as follows:
Symptom
Explanation
Solution