Cloud Service Providers provide mechanisms for creating a hierarchy when a customer has a number of cloud accounts in an AWS or GCP Organization. In this article, we are going to look at a number of ways that a Google Cloud Platform (GCP) Organization can be imported into Prisma Cloud and explore a couple of mechanisms for automatically preserving the structure.
Prisma Cloud AutoMap is a capability available to you when you are onboarding a GCP Organization.
AutoMap is useful for managing a large number of GCP projects and folders. If there are various teams creating folders and projects in your organization, it is recommended to have separate account groups for each team, and create separate alert rules based on the account groups. This will help maintain alert isolation for each team and make it manageable for taking proactive actions to mitigate those alerts.
In this article, we would like to illustrate an example using a GCP account with nested folders and projects in a GCP Organization. The name of the GCP Organization is “example.world”
Figure 1: GCP Organization [Image Name : gcp-org_PaloAltoNetworks]
When a GCP organization is onboarded into Prisma Cloud, you have the following options for assigning account groups:
With Automap disabled, you can select the account groups from the pre-created account groups list and assign it to the GCP Organization’s accounts..
Figure 2: Account Group Configuration
Note: Only 1 account group for the whole organization will be attached as per selection above.
Figure 3: Account Groups_palo-alto-networks
If you choose to enable Auto Map without selecting Recurse Hierarchy, you will not have the option to assign account groups manually. Instead, Prisma Cloud will automatically create an account group & attach all cloud accounts to this group.
Figure 4: AutoMap Configuration_palo-alto-networks
Figure 5: Linked Cloud Accounts_palo-alto-networks
Note: Only 1 Account group is created - projects and org are attached to this group.
When you choose to create account groups recursively, each account group includes a list of all GCP projects nested within the hierarchical folder structure as you see it on the GCP console. Because the account groups are organized in a flat structure on Prisma Cloud, you cannot see the mapping visually.
If you choose to enable Automap with Recurse Hierarchy, you will not have the option to assign account groups manually. Instead Prisma Cloud will automatically create separate account groups based on GCP hierarchy.
Account groups that are created automatically are indicated with
, and cannot be edited on Prisma Cloud.
Figure 6: Auto created account groups_palo-alto-networks
Note: Both Child Folder B and Parent Folder B have 1 cloud account attached to their corresponding account groups.
For Child Folder B, its nested project “project-1-319810” is attached to its account group.
Figure 7: Linked Cloud Accounts_palo-alto-networks
For Parent Folder B, since “project-1-319810” also falls in its hierarchy, hence this project is also attached to its account group.
Figure 8: Linked Cloud Accounts_palo-alto-networks
Parent Folder A does not have any child projects, hence there are no cloud accounts associated with its account group as seen below.
Figure 9: Auto created account groups_palo-alto-networks
Project “exalted-slice-319810” is part of example.world org, hence its not included in “Directly linked Cloud Accounts” for Parent Folder B & Child Folder B.
Note: If you had selected Exclude a subset of folders during GCP Onboarding, the ability to Maintain recursive hierarchy is disabled and you must select account groups manually.
Using Prisma Cloud AutoMap eliminates the need to manually create account groups. For any new projects added in GCP organization, Prisma Cloud will automatically create a corresponding account group. This segregation via account groups makes alert prioritization easy and actionable. Using account groups filters, users can also maintain compliance posture management for each GCP project. Onboarding your GCP Organization with Prisma Cloud’s automated capabilities allows for you to manage your GCP cloud accounts at scale.
Reference : Add Your GCP Organization to Prisma Cloud ; GCP Resource Hierarchy
Muhammad Rehan is a Customer Success consultant specializing in Cloud Security Posture Management, Next-Generation Firewall, AWS, Azure, GCP, containers and Kubernetes. Rehan uses collaborative approaches to break down complex problems into solutions for global enterprise customers and leverage his multi industry knowledge to inspire success.
