This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

Options to Onboard a GCP Cloud Resource Hierarchy into Prisma Cloud

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Options to Onboard a GCP Cloud Resource Hierarchy into Prisma Cloud

MRehan
L2 Linker

on ‎04-14-2023 11:07 AM - edited on ‎04-17-2023 09:58 AM by

No ratings

By Muhammad Rehan, CSE Team Lead - CSPM West

 

Introduction 

 

Cloud Service Providers provide mechanisms for creating a hierarchy when a customer has a number of cloud accounts in an AWS or GCP Organization.  In this article, we are going to look at a number of ways that a Google Cloud Platform (GCP) Organization can be imported into Prisma Cloud and explore a couple of mechanisms for automatically preserving the structure. 

 

What is AutoMap?

 

Prisma Cloud AutoMap is a capability available to you when you are onboarding a GCP Organization. 

 

AutoMap is useful for managing a large number of GCP projects and folders. If there are various teams creating folders and projects in your organization, it is recommended to have separate account groups for each team, and create separate alert rules based on the account groups. This will help maintain alert isolation for each team and make it manageable for taking proactive actions to mitigate those alerts. 

 

In this article, we would like to illustrate an example using a GCP account with nested folders and projects in a GCP Organization. The name of the GCP Organization is “example.world” 

 

MRehan_0-1681492943756.png

Figure 1: GCP Organization [Image Name : gcp-org_PaloAltoNetworks]

 

When a GCP organization is onboarded into Prisma Cloud, you have the following options for assigning account groups:

  1. AutoMap Disabled
  2. AutoMap Enabled without Recurse Hierarchy
  3. AutoMap Enabled with Recurse Hierarchy



1- AutoMap Disabled

 

With Automap disabled, you can select the account groups from the pre-created account groups list and assign it to the GCP Organization’s accounts..

MRehan_1-1681492943699.png

Figure 2: Account Group Configuration 

 

Note: Only 1 account group for the whole organization will be attached as per selection above.

MRehan_2-1681492943694.png

Figure 3: Account Groups 

 

2- AutoMap Enabled without Recurse Hierarchy 

 

If you choose to enable Auto Map without selecting Recurse Hierarchy, you will not have the option to assign account groups manually. Instead, Prisma Cloud will automatically create an account group & attach all cloud accounts to this group.

 

MRehan_3-1681492943679.png

Figure 4: AutoMap Configuration 

 

 
MRehan_4-1681492943690.png

 

 

MRehan_5-1681492943753.png

Figure 5: Linked Cloud Accounts 

 

Note: Only 1 Account group is created - projects and org are attached to this group.

 

3- AutoMap Enabled with Recurse Hierarchy 

 

When you choose to create account groups recursively, each account group includes a list of all GCP projects nested within the hierarchical folder structure as you see it on the GCP console. Because the account groups are organized in a flat structure on Prisma Cloud, you cannot see the mapping visually.

If you choose to enable Automap with Recurse Hierarchy, you will not have the option to assign account groups manually.  Instead Prisma Cloud will automatically create separate account groups based on GCP hierarchy.

 

Account groups that are created automatically are indicated with

MRehan_6-1681492943693.png, and cannot be edited on Prisma Cloud.
 
MRehan_7-1681492943740.png

Figure 6: Auto created account groups 

 

Note: Both Child Folder B and Parent Folder B have 1 cloud account attached to their corresponding account groups.

 

For Child Folder B, its nested project “project-1-319810” is attached to its account group.

MRehan_8-1681492943666.png

Figure 7: Linked Cloud Accounts 

 

For Parent Folder B, since “project-1-319810” also falls in its hierarchy, hence this project is also attached to its account group.

MRehan_9-1681492943711.png

Figure 8: Linked Cloud Accounts 

 

Parent Folder A does not have any child projects, hence there are no cloud accounts associated with its account group as seen below.

MRehan_10-1681492943746.png

Figure 9: Auto created account groups 

 

Project “exalted-slice-319810” is part of example.world org, hence its not included in “Directly linked Cloud Accounts” for Parent Folder B & Child Folder B.

 

Note: If you had selected Exclude a subset of folders during GCP Onboarding, the ability to Maintain recursive hierarchy is disabled and you must select account groups manually.

 

Conclusion 

 

Using Prisma Cloud AutoMap eliminates the need to manually create account groups. For any new projects added in GCP organization, Prisma Cloud will automatically create a corresponding account group. This segregation via account groups makes alert prioritization easy and actionable. Using account groups filters, users can also maintain compliance posture management for each GCP project. Onboarding your GCP Organization with Prisma Cloud’s automated capabilities allows for you to manage your GCP cloud accounts at scale.


Reference : Add Your GCP Organization to Prisma Cloud ; GCP Resource Hierarchy

 

About the Author

 

Muhammad Rehan is a Customer Success consultant specializing in Cloud Security Posture Management, Next-Generation Firewall, AWS, Azure, GCP, containers and Kubernetes. Rehan uses collaborative approaches to break down complex problems into solutions for global enterprise customers and leverage his multi industry knowledge to inspire success.

Rate this article:
0 Likes Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎04-17-2023 09:58 AM
Updated by:
LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks