Begin Scanning a Google Cloud Storage App
Add the Google Cloud Storage app for GCP (Global Cloud
Platform) to SaaS Security API to begin scanning and monitoring
assets for possible security risks.
Before you begin scanning a Google Cloud Storage
app, you must create a service account and enable Administrator
and client API access.
To connect Google Cloud Storage app
to SaaS Security API and begin scanning assets, you need to:
- Create a service account from Google Cloud Console or use an existing service account.
- Enable Administrator and client API access from Google Admin Console.
- Add the Google Cloud Storage app to SaaS Security API.
- Configure initial scan settings.
For information
on which automated remediation capabilities SaaS Security API supports
with Google Cloud Storage, refer to Supported Content, Remediation and Monitoring.
Create a Service Account for Google Cloud Storage
You must create a service account before you
can add the Google Cloud Storage app; alternatively, you can Use an Existing Project and Service Account instead. As you prepare
the Google Cloud Storage account, take note of the following values,
as they are required to add the Google Cloud
Storage app on SaaS Security API. Each web interface might
refer to the value by a different name.
Item | Web interface | Description | ||
---|---|---|---|---|
Google Cloud Console | Google Admin Console | SaaS Security | ||
Google Administrator email | Google account | Google account | Administrator email | The Google account you used to log in to
Google Cloud Console to create the service account in Google Cloud
Storage. You will use this same Google account to log in to the
Google Admin Console when to enable API client access. You specify
this email on SaaS Security API when add the Google Cloud Storage app. |
Private Key | Private key | n/a | Certificate | A P12 format private key certificate issued
from your Google service account. This required certificate is uploaded
on SaaS Security API when adding the Google Cloud Storage app. |
Private Key Password | Private key password | n/a | n/a | The default password for the new private
key. |
Client ID | Client ID and Unique ID | Client ID | n/a | The client ID automatically displays on
Google Cloud Console when enabling Google Cloud Storage domain-wide
delegation, on SaaS Security API when you add the Google Cloud Storage app,
and on Google Admin Console when enable API client access. |
Service Account ID | Email and Service account ID | n/a | Service account ID | The service account ID is automatically
generated on Google Cloud Console when you create the service project
and is partly based on the service account name you assign. You
will specify the service account ID on SaaS Security web interface
when you add the Google Cloud Storage app. |
- Log in to Google Cloud Console as the Google Cloud Storage administrator.If you have not used the Google Cloud Console before,Agreeto the Google Cloud Platform Terms of Service. Otherwise, proceed to the next step.
- Create a new project from GCP.
- In the drop‑down menu at the top of the screen, open your project list, then.NEW PROJECT
- Name your project (for example,SaaS Security API GCP), select your organization (domain), thenCREATEthe project.
- Authorize OAuth consent for the new project.
- Select.APIs & ServicesOAuth consent screen
- Select the project you created above.
- SelectInternaluser type, thenCREATE.
- Specify anApp name(for example,SaaS Security API) andUser support email.
- Click+ ADD DOMAIN, then specifyAuthorized domain—the domain name for your Google Administrator email, to authorize.
- SpecifyDeveloper contact information, thenSAVE AND CONTINUE.
- Create the Service Account Key for the new project.
- Select.APIs & ServicesCredentialsCREATE CREDENTIALS
- SelectService accountand specify aService account name(for example,SaaS Security API), which automatically populates theService account ID, then, authorizing no optional permissions or access.CREATECONTINUEDONE
- Enable Domain-wide Delegation for the new service account.GCP creates a service account client when domain-wide delegation is enabled on a service account.
- Select.APIs & ServicesCredentials
- InService Accounts, locate the service account, then.Edit service account
- Record theEmail, which you’ll use to specify theService account IDlater on SaaS Security web interface.
- Select.KEYSADD KEYCreate new keyP12CREATEAfter GCP issues a default password and new private key, your browser automatically downloads the new private key to your computer.
- Store the default password and key to a secure location as the key cannot be recovered if lost.SaaS Security API requires this key when you Add Google Cloud Storage App.
- Saveyour changes.
- Retrieve and save the Client ID for the new service account client.
- Select.APIs & ServicesCredentials
- InOAuth 2.0 Client IDs, locate the client, then copy and save theClient ID.
- Enable API access for the new service account.
- Select the project.
- Select.APIs & Services+ ENABLE APIS AND SERVICES
- Search for andENABLEthe following APIs:
- Google Admin SDK API
- Google Cloud Resource Manager API
- Google Cloud Storage API
- Google Cloud Pub/Sub API
- Google Identity and Access Management (IAM) API
- Google Cloud Logging API
- Provide the local admin account with the required roles.You’ll use this admin account to onboard SaaS Security API. This admin account does not need to be a Super Admin; however, the admin account does require minimum permissions at the organization level—Storage AdminandSecurity Adminpermissions.
- Log in to Google Cloud Console as Super Admin.
- At the top of the screen and in the project list, select your organization.
- Select, thenIAM & AdminIAM+ ADD
- Add your account asSecurity AdminandStorage Admin.
- Enable API client access to Google Cloud Storage.
- Log in to Google Admin Console as the Google Cloud Storage Administrator.The admin console is not the same as the cloud console that you’ve been accessing up to this point in this procedure; rather, the admin console is a different console.
- Select.SecurityApp access control (API Controls)Domain wide DelegationMANAGE DOMAIN WIDE DELEGATIONTrust internal, domain-owned appsis not needed for onboarding the Google Cloud Storage app; however, GCP web interface enables this setting by default. You can safely disable this setting if you want.
- ClickAdd new, then specify Client ID and required scopes.
- InOne or More API S copes, copy and paste the following scope, thenAUTHORIZEaccess to data in Google services.https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/devstorage.read_write,https://www.googleapis.com/auth/admin.directory.group
- Proceed to Add Google Cloud Storage App
Use an Existing Project and Service Account
If you want to onboard the Google Cloud Storage
app using an existing GCP project and service account, simply set
up your admin account as the project IAM owner and service account
owner. If you don’t have an existing project or service account, Create a Service Account for Google Cloud Storage instead.
- Log in to Google Cloud Console as Super Admin.
- Set permissions for the existingproject.
- In the drop‑down menu at the top of the screen, open your project list, then select your existing project.
- Select.IAM & AdminIAM
- In, locate andPERMISSIONSMembersEdityour membership, which is your admin account.If you cannot quickly locate your admin account in theMemberstable, click+ ADDto use theNew memberssearch tool.
- SetRoletoOwner.
- Set permissions for the existingservice account.
- Select.IAM & AdminService Accounts
- Click on your service account, then.PERMISSIONS
- InMemberstable, locate andEdityour membership, which is your admin account.If you cannot quickly locate your admin account in theMemberstable, click+ GRANT ACCESSto use theNew memberssearch tool.
- SetRoletoOwner.
- Verify that the Oauth Consent settings outlined in 3 are correct.
- Proceed to Add Google Cloud Storage App.
Add Google Cloud Storage App
Before you add the Google Cloud Storage app,
you must Create a Service Account for Google Cloud Storage.
- From theDashboard,Add a Cloud App.
- SelectGoogle Cloud Storageand thenConnect to Account.
- Enter the GoogleAdministrator emailto which you granted roles in 8.d.
- EnterService account IDthat you created in 4.b.
- Upload P12CertificateGCP issued in 5.e.
- ClickNextto add the cloud app.
- Review the initial project scan discoveries and select the projects to monitor.If youCancelthe setup at any time, you must start over again.
- EnableAutomatically scan new projectsto scan all new projects.
- To select individual projects, select theProjectto scan from the list.
- Saveyour scan setting to proceed scanning all discovered projects.
- Cancelif you do not want to proceed with scanning the discovered projects.
- Review the initial bucket scan discoveries and select the buckets to monitor.
- EnableScan all current and any new bucketsto scan all new buckets.
- To select individual buckets, select theBucketto scan from the list.
- Saveyour scan setting to proceed scanning all discovered buckets.
- Cancelif you do not want to proceed with scanning the discovered buckets.After authentication, SaaS Security API adds the new Google Cloud Storage app to the Cloud Apps list asGoogle Cloud Storagen, where n is the number of Google Cloud Storage app instances that you have connected to SaaS Security API. For example, if you added one Google Cloud Storage app, the name displays asGoogle Cloud Storage 1. You’ll specify a descriptive name soon.From this point forward, keep this project exclusively for SaaS Security API. Do not revoke, disable authorization, or change the project in any way. If you do, SaaS Security API stops scanning.
- Proceed to Identify Risks.
Identify Risks
Select the projects and buckets that you want
SaaS Security API to monitor.
When you add a new cloud app
and enable scanning,
SaaS Security API automatically scans the cloud app against the
default data patterns and displays the match occurrences. You can
take action now to improve your scan results and identify risks.
- Start scanning the new Google Cloud Storage app for risks.
- During the discovery phase, SaaS Security API scans files and matches them against enabled default policy rules.Verify that your default policy rules are effective. If the results don’t capture all risks or you see false positives, proceed to the next step.
- (Optional) Add new policy rules.Consider the business use of your app, then identify risks unique to your enterprise. As necessary, add new:
- (Optional) Configure or edit a data pattern.You can Configure Data Patterns to identify specific strings of text, characters, words, or patterns to make it possible to find all instances of text that match a data pattern you specify.
- Proceed to View Scan Settings for Project and Buckets.
View Scan Settings for Project and Buckets
When you added the cloud app, you configured
the projects and buckets you want SaaS Security API to monitor.
You can view the scan settings for the
Projects
and Buckets
that
are currently being scanned.- Log in to SaaS Security.
- Select.SettingsCloud App and Scan Settings
- Select a Google Cloud Storage app from the list ofCloud Appsand expand theProjectsBucketsto view the scan details.
- Proceed to Customize Google Cloud Storage App and Fix Google Cloud Storage Onboarding Issues, if necessary.
Customize Google Cloud Storage App
If you plan to manage more than one instance
of Google Cloud Storage app, consider differentiating your instances.
- (Optional) Give a descriptive name to this app instance.
- Select the Google Storage n link on the Cloud Apps list.
- Enter a descriptiveName.
- ClickDoneto save your changes.
- Proceed to Fix Google Cloud Storage Onboarding Issues.
Fix Google Cloud Storage Onboarding Issues
The most common issues related to onboarding the Google
Cloud Storage app are as follows:
Symptom | Explanation | Solution |
---|
Recommended For You
Recommended Videos
Recommended videos not found.