1. Home
    2. SaaS Security
    3. SaaS Security Administrator's Guide
    4. SaaS Security API
    5. Secure Sanctioned SaaS Apps on SaaS Security API
    6. Add Cloud Apps to SaaS Security API
    7. Begin Scanning a Google Cloud Storage App

    Begin Scanning a Google Cloud Storage App

    Add the Google Cloud Storage app for GCP (Global Cloud Platform) to SaaS Security API to begin scanning and monitoring assets for possible security risks.
    Before you begin scanning a Google Cloud Storage app, you must create a service account and enable Administrator and client API access.
    To connect Google Cloud Storage app to SaaS Security API and begin scanning assets, you need to:
    • Create a service account from Google Cloud Console or use an existing service account.
    • Enable Administrator and client API access from Google Admin Console.
    • Add the Google Cloud Storage app to SaaS Security API.
    • Configure initial scan settings.
    For information on which automated remediation capabilities SaaS Security API supports with Google Cloud Storage, refer to Supported Content, Remediation and Monitoring.

    Create a Service Account for Google Cloud Storage

    You must create a service account before you can add the Google Cloud Storage app; alternatively, you can Use an Existing Project and Service Account instead. As you prepare the Google Cloud Storage account, take note of the following values, as they are required to add the Google Cloud Storage app on SaaS Security API. Each web interface might refer to the value by a different name.
    Item
    Web interface
    Description
    Google Cloud Console
    Google Admin Console
    SaaS Security
    Google Administrator email
    Google account
    Google account
    Administrator email
    The Google account you used to log in to Google Cloud Console to create the service account in Google Cloud Storage. You will use this same Google account to log in to the Google Admin Console when to enable API client access. You specify this email on SaaS Security API when add the Google Cloud Storage app.
    Private Key
    Private key
    n/a
    Certificate
    A P12 format private key certificate issued from your Google service account. This required certificate is uploaded on SaaS Security API when adding the Google Cloud Storage app.
    Private Key Password
    Private key password
    n/a
    n/a
    The default password for the new private key.
    Client ID
    Client ID and Unique ID
    Client ID
    n/a
    The client ID automatically displays on Google Cloud Console when enabling Google Cloud Storage domain-wide delegation, on SaaS Security API when you add the Google Cloud Storage app, and on Google Admin Console when enable API client access.
    Service Account ID
    Email and Service account ID
    n/a
    Service account ID
    The service account ID is automatically generated on Google Cloud Console when you create the service project and is partly based on the service account name you assign. You will specify the service account ID on SaaS Security web interface when you add the Google Cloud Storage app.
    1. Log in to Google Cloud Console as the Google Cloud Storage administrator.
      If you have not used the Google Cloud Console before,
      Agree
       to the Google Cloud Platform Terms of Service. Otherwise, proceed to the next step.
    2. Create a new project from GCP.
      1. In the drop‑down menu at the top of the screen, open your project list, then
        NEW PROJECT
        .
      2. Name your project (for example,
        SaaS Security API GCP
        ), select your organization (domain), then
        CREATE
         the project.
    3. Authorize OAuth consent for the new project.
      1. Select
        APIs & Services
        OAuth consent screen
        .
      2. Select the project you created above.
      3. Select
        Internal
         user type, then
        CREATE
        .
      4. Specify an
        App name
         (for example,
        SaaS Security API
        ) and
        User support email
        .
      5. Click
        + ADD DOMAIN
        , then specify
        Authorized domain
        —the domain name for your Google Administrator email, to authorize.
      6. Specify
        Developer contact information
        , then
        SAVE AND CONTINUE
        .
    4. Create the Service Account Key for the new project.
      1. Select
        APIs & Services
        Credentials
        CREATE CREDENTIALS
        .
      2. Select
        Service account
         and specify a
        Service account name
         (for example,
        SaaS Security API
        ), which automatically populates the
        Service account ID
        , then
        CREATE
        CONTINUE
        DONE
        , authorizing no optional permissions or access.
    5. Enable Domain-wide Delegation for the new service account.
      GCP creates a service account client when domain-wide delegation is enabled on a service account.
      1. Select
        APIs & Services
        Credentials
        .
      2. In
        Service Accounts
        , locate the service account, then
        Edit service account
        .
      3. Record the
        Email
        , which you’ll use to specify the
        Service account ID
         later on SaaS Security web interface.
      4. Select
        Enable Google Domain-wide Delegation
        , then
        SAVE
        .
        If prompted to provide a value in
        Product name for the consent screen field
        , you did not perform 3 and 4 as instructed. GCP is very particular.
      5. Select
        KEYS
        ADD KEY
        Create new key
        P12
        CREATE
        .
        After GCP issues a default password and new private key, your browser automatically downloads the new private key to your computer.
      6. Store the default password and key to a secure location as the key cannot be recovered if lost.
        SaaS Security API requires this key when you Add Google Cloud Storage App.
      7. Save
         your changes.
    6. Retrieve and save the Client ID for the new service account client.
      1. Select
        APIs & Services
        Credentials
        .
      2. In
        OAuth 2.0 Client IDs
        , locate the client, then copy and save the
        Client ID
        .
    7. Enable API access for the new service account.
      1. Select the project.
      2. Select
        APIs & Services
        + ENABLE APIS AND SERVICES
        .
      3. Search for and
        ENABLE
         the following APIs:
        • Google Admin SDK API
        • Google Cloud Resource Manager API
        • Google Cloud Storage API
        • Google Cloud Pub/Sub API
        • Google Identity and Access Management (IAM) API
        • Google Cloud Logging API
    8. Provide the local admin account with the required roles.
      You’ll use this admin account to onboard SaaS Security API. This admin account does not need to be a Super Admin; however, the admin account does require minimum permissions at the organization level—
      Storage Admin
       and
      Security Admin
       permissions.
      1. Log in to Google Cloud Console as Super Admin.
      2. At the top of the screen and in the project list, select your organization.
      3. Select
        IAM & Admin
        IAM
        , then
        + ADD
      4. Add your account as
        Security Admin
         and
        Storage Admin
        .
    9. Enable API client access to Google Cloud Storage.
      1. Log in to Google Admin Console as the Google Cloud Storage Administrator.
        The admin console is not the same as the cloud console that you’ve been accessing up to this point in this procedure; rather, the admin console is a different console.
      2. Select
        Security
        App access control (API Controls)
        Domain wide Delegation
        MANAGE DOMAIN WIDE DELEGATION
        .
        Trust internal, domain-owned apps
         is not needed for onboarding the Google Cloud Storage app; however, GCP web interface enables this setting by default. You can safely disable this setting if you want.
      3. Click
        Add new
        , then specify Client ID and required scopes.
        • In
          Client Name
          , specify the
          Client ID
           that you recorded in 6.
        • In
          One or More API S copes
          , copy and paste the following scope, then
          AUTHORIZE
           access to data in Google services.
          https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/devstorage.read_write,https://www.googleapis.com/auth/admin.directory.group

    Use an Existing Project and Service Account

    If you want to onboard the Google Cloud Storage app using an existing GCP project and service account, simply set up your admin account as the project IAM owner and service account owner. If you don’t have an existing project or service account, Create a Service Account for Google Cloud Storage instead.
    1. Log in to Google Cloud Console as Super Admin.
    2. Set permissions for the existing
      project
      .
      1. In the drop‑down menu at the top of the screen, open your project list, then select your existing project.
      2. Select
        IAM & Admin
        IAM
        .
      3. In
        PERMISSIONS
        Members
        , locate and
        Edit
         your membership, which is your admin account.
        If you cannot quickly locate your admin account in the
        Members
         table, click
        + ADD
         to use the
        New members
         search tool.
      4. Set
        Role
         to
        Owner
        .
    3. Set permissions for the existing
      service account
      .
      1. Select
        IAM & Admin
        Service Accounts
        .
      2. Click on your service account, then
        PERMISSIONS
        .
      3. In
        Members
         table, locate and
        Edit
         your membership, which is your admin account.
        If you cannot quickly locate your admin account in the
        Members
         table, click
        + GRANT ACCESS
         to use the
        New members
         search tool.
      4. Set
        Role
         to
        Owner
        .
    4. Verify that the Oauth Consent settings outlined in 3 are correct.

    Add Google Cloud Storage App

    Before you add the Google Cloud Storage app, you must Create a Service Account for Google Cloud Storage.
    1. From the
      Dashboard
      ,
      Add a Cloud App
      .
    2. Select
      Google Cloud Storage
       and then
      Connect to Account
      .
    3. Enter the Google
      Administrator email
       to which you granted roles in 8.d.
    4. Enter
      Service account ID
       that you created in 4.b.
    5. Upload P12
      Certificate
       GCP issued in 5.e.
    6. Click
      Next
       to add the cloud app.
    7. Review the initial project scan discoveries and select the projects to monitor.
      If you
      Cancel
       the setup at any time, you must start over again.
      1. Enable
        Automatically scan new projects
         to scan all new projects.
      2. To select individual projects, select the
        Project
         to scan from the list.
      3. Save
         your scan setting to proceed scanning all discovered projects.
      4. Cancel
         if you do not want to proceed with scanning the discovered projects.
    8. Review the initial bucket scan discoveries and select the buckets to monitor.
      1. Enable
        Scan all current and any new buckets
         to scan all new buckets.
      2. To select individual buckets, select the
        Bucket
         to scan from the list.
      3. Save
         your scan setting to proceed scanning all discovered buckets.
      4. Cancel
         if you do not want to proceed with scanning the discovered buckets.
        After authentication, SaaS Security API adds the new Google Cloud Storage app to the Cloud Apps list as
        Google Cloud Storage
         n, where n is the number of Google Cloud Storage app instances that you have connected to SaaS Security API. For example, if you added one Google Cloud Storage app, the name displays as
        Google Cloud Storage 1
        . You’ll specify a descriptive name soon.
        From this point forward, keep this project exclusively for SaaS Security API. Do not revoke, disable authorization, or change the project in any way. If you do, SaaS Security API stops scanning.
    9. Proceed to Identify Risks.

    Identify Risks

    Select the projects and buckets that you want SaaS Security API to monitor.
    When you add a new cloud app and enable scanning, SaaS Security API automatically scans the cloud app against the default data patterns and displays the match occurrences. You can take action now to improve your scan results and identify risks.
    1. Start scanning the new Google Cloud Storage app for risks.
    2. During the discovery phase, SaaS Security API scans files and matches them against enabled default policy rules.
      Verify that your default policy rules are effective. If the results don’t capture all risks or you see false positives, proceed to the next step.
    3. (
      Optional
      ) Add new policy rules.
      Consider the business use of your app, then identify risks unique to your enterprise. As necessary, add new:
    4. (
      Optional
      ) Configure or edit a data pattern.
      You can Configure Data Patterns to identify specific strings of text, characters, words, or patterns to make it possible to find all instances of text that match a data pattern you specify.

    View Scan Settings for Project and Buckets

    When you added the cloud app, you configured the projects and buckets you want SaaS Security API to monitor. You can view the scan settings for the
    Projects
     and
    Buckets
     that are currently being scanned.
    1. Log in to SaaS Security.
    2. Select
      Settings
      Cloud App and Scan Settings
      .
    3. Select a Google Cloud Storage app from the list of
      Cloud Apps
       and expand the
      Projects
      Buckets
       to view the scan details.

    Customize Google Cloud Storage App

    If you plan to manage more than one instance of Google Cloud Storage app, consider differentiating your instances.
    1. (
      Optional
      ) Give a descriptive name to this app instance.
      1. Select the Google Storage n link on the Cloud Apps list.
      2. Enter a descriptive
        Name
        .
      3. Click
        Done
         to save your changes.

    Fix Google Cloud Storage Onboarding Issues

    The most common issues related to onboarding the Google Cloud Storage app are as follows:
    Symptom
    Explanation
    Solution

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo