Enabling Data Protection for Google Project
To enable DLP Scan and Threat Protection (Malware Scan) for a Google Project, follow these steps.
Step 1: Assign permissions to the project
Create Netskopre_role with permissions to the project.
Log into Google Cloud console and click Activate Cloud Shell.
At the shell prompt, type
nano netskope_role.yaml
.Copy the following content into the file.
title: "Netskope_Role" description: "Role for supporting Netskope for performing Storage Scan" stage: "ALPHA" includedPermissions: # get IAM roles to check the Netskope_Role is present - iam.roles.get # allow service account to make calls on behalf of the project - iam.serviceAccounts.actAs # get log sinks created for the project - logging.sinks.get # create pubsub subscription required for sending notification to Netskope - pubsub.subscriptions.create # delete pubsub subscription on delete of the instance - pubsub.subscriptions.delete # get subscriptions for a log sink to check in case of instance creation/regrant - pubsub.subscriptions.get # required for pubsub subscription creation to the topic - pubsub.topics.attachSubscription # get bucket metadata - storage.buckets.get # list storage buckets under the project - storage.buckets.list # get object metadata - storage.objects.get # list objects under the storage buckets - storage.objects.list # get project metadata and list projects under organization - resourcemanager.projects.get # get ACLs if any created for an object which will be used to check for visibility of the object(public/private) - storage.objects.getIamPolicy # get ACLs and Iam policy attached to the bucket used for checking visibility of buckets - storage.buckets.getIamPolicy
Run the following command to create the role and attach it to the organization.
gcloud iam roles create Netskope_Role --project=<project-id> --file=netskope_role.yaml
Verify that the role is created. Run the following command.
gcloud iam roles describe --project=<project-id> Netskope_Role
Step 2: Create a service account for the project
Create a service account for the project and download the private key. This key will be required when setting up the instance in your Netskope tenant.
Select the project for which you want to create a service account and in the left navigation panel, click Service Accounts > Create Service Account.
Provide a name for the service account and click Create and Continue. Click Continue without granting access or permissions to the project. Then click Done without granting user access to the service account.
On the Service accounts page, click the service account you created and select on the Keys tab.
Click Add Key and from the drop-down list click Create new key.
In the Create private key for <service account> dialog box, select the key type as JSON and click Create. The private key is downloaded to your computer.
Click Close.
Step 3: Add the service account as an IAM member of the project
Add the service account as an IAM member with Netskope_Role role.
Select the Details tab of the service account and copy the email address. This service account must be added as an IAM member in the project you are setting up for storage scan.
In the left navigation panel, click IAM and click Add.
In the IAM page click Add. Paste the service account email address in the New member text box of Add members to <project> window.
Click Select a role and select Netskope_Role. Click Save.
Step 4: Create an aggregated log sink router
Create a Pub/Sub topic with permissions to enable the service account to generate JWT tokens. Then create an aggregated log sink router, ns_sink so that Netskope can send and receive notifications.
Select the project for which you created the service account. Click the hamburger icon in the left navigation panel and click Pub/Sub under Big Data.
On the Topics page, click Create Topic. Provide a Topic ID and click Create Topic.
Provide permissions to the Pub/Sub so that the service account can create JWT tokens. Open Cloud Shell and in the terminal run the following command to provide permissions.
gcloud projects add-iam-policy-binding <project_id> --member=serviceAccount:service-<project_number>@gcp-sa-pubsub.iam.gserviceaccount.com --role='roles/iam.serviceAccountTokenCreator'
To get the <project_id>, click on the project at the top of the page. The Select from window displays the project name and ID.
To get the <project_number>, in the Select from window click on the project name. The project dashboard displays the Project info which contains the project number.
Create an aggregated log sink in the Google Cloud Console to send and receive notifications from Netskope. Navigate to Operations Logging and click Logs Router in the left navigation bar.
On the Logs Router page click Create Sink.
Under Sink details, provide the sink name as ns_sink. Add a description and click Next.
Under Sink destination, select Cloud Pub/Sub topic as the sink service and select the Pub/Sub topic you created in step 2. Click Next.
Under Choose logs to include in sink, include the following filters.
resource.type=gcs_bucket AND (protoPayload.methodName=storage.objects.delete OR protoPayload.methodName=storage.objects.create OR protoPayload.methodName=storage.buckets.create OR protoPayload.methodName=storage.buckets.delete)
Click Next.
Click Create Sink.
Step 5: Enable Audit Logs for Cloud Storage in the project
With the project selected from the top of the page, in the left navigation panel, click Audit logs under IAM & Admin.
On the Audit Logs page, search for Google Cloud Storage and select the service.
In the Google Cloud Storage pane on the right side, select Data Write in the Log Type tab. Click Save.
Step 6: Enable Google Cloud APIs for the project
Allow Netskope to make API calls to the project resource by enabling the Google Cloud APIs for the project.
Copy the project ID and connect to the following two URLs to enable the Identity and Access Management (IAM) API, and Cloud Resource Manager API.
https://console.developers.google.com/apis/api/iam.googleapis.com/overview?project=<project-id> https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=<project-id>
Step 7: Setup the Google project instance in your Netskope tenant
Now you can set up the Google project instance for storage scan in your Netskope tenant using the credentials of the service account to which the Netskope_Role is attached.
Log in to the Netskope tenant UI and navigate to Settings > API Data Protection > IaaS.
Click the Google Cloud Platform icon and then click SETUP.
The New Setup window opens.
Under the GCP Service Account section, enter the following details:
Instance Name: Enter a name for the Google Cloud Platform instance.
Admin Email: Enter the email address of the Google Cloud Platform account owner.
Note
You can enter any email address here. Netskope sends notifications to this email address.
Connection Type: Select DLP Scan or Threat Protection (Malware) options to scan storage resources for DLP violations and malware.
Note
Few of the instance type options may be disabled. Contact your Netskope sales representative for additional information.
In the Cloud Provider Information section, enter the following details:
Under the Upload section, click SELECT FILE and upload the private key JSON file that you downloaded in Step 2: Create a service account for the project.
Click SAVE.
On the API Data Protection > IaaS page, click the Google Cloud Platform icon.
Click Grant Access beside the newly created instance.
Refresh your browser, and you will see a green check icon next to the Google Cloud Platform instance name.