Options to Onboard a GCP Cloud Resource Hierarchy into Prisma Cloud

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
L2 Linker
No ratings

By Muhammad Rehan, Customer Success Engineer

Introduction 

 

“Auto Create Account Groups” is a useful feature for managing a large number of GCP projects and folders. 

 

If there are various teams creating folders and projects in your organization, it makes sense to have separate account groups for each team, and create separate alert rules based on the account groups. This will help maintain alert isolation for each team and make it manageable for taking proactive actions to mitigate those alerts. 

 

In this article, we would like to illustrate an example using a GCP account with nested folders and projects in a GCP Organization.

 

The name of the GCP Organization is “example.world” 

 

MRehan_0-1711393941252.png

Figure 1: GCP Organization_org_palo-alto-networks

 

When a GCP organization is onboarded into Prisma Cloud, you have the following options for assigning account groups:


Auto Create Account Groups Disabled 

 

With Auto Create Account Groups disabled, you can select the account groups from the pre-created account groups list and assign it to the account.

 

MRehan_1-1711393941380.png

Figure 2: Auto Create Account Groups Disabled_palo-alto-networks

 

 
 MRehan_2-1711393941396.png

Figure 3: Account Groups_palo-alto-networks 

 

Auto Create Account Groups enabled without Recurse Hierarchy

 

If you choose to enable Auto Create Account Groups without selecting Recurse Hierarchy, you will not have the option to assign account groups manually. Instead, Prisma Cloud will automatically create an account group and attach all cloud accounts to this account group.

 

MRehan_3-1711393940867.png

Figure 4: Auto Create Account Groups Configuration_palo-alto-networks

 

MRehan_4-1711393940921.png

 

 
 MRehan_5-1711393941397.png

Figure 5: Linked Cloud Accounts_palo-alto-networks

Note: Only 1 Account group is created - projects and org are attached to this group.

 

Auto Create Account Groups enabled with Recurse Hierarchy

 

When you choose to create account groups recursively, each account group includes a list of all GCP projects nested within the hierarchical folder structure as you see it on the GCP console. Because the account groups are organized in a flat structure on Prisma Cloud, you cannot see the mapping visually.

 

If you choose to enable Auto Create Account Groups with Recurse Hierarchy, you will not have the option to assign account groups manually.  Instead Prisma Cloud will automatically create separate account groups based on GCP hierarchy.

 

Account groups that are created automatically, and cannot be edited on Prisma Cloud, are indicated with this symbol 

MRehan_6-1711393941377.png

 

MRehan_7-1711393941248.png

Figure 6: Auto created account groups_palo-alto-networks 

Note : Both Child Folder B & Parent Folder B have 1 cloud account attached to their corresponding account groups.

 

For Child Folder B, its nested project “project-1-319810” is attached to its account group.

 

 
 MRehan_8-1711393941381.png

Figure 7: Linked Cloud Accounts_palo-alto-networks 

 

For Parent Folder B, since “project-1-319810” also falls in its hierarchy, hence this project is also attached to its account group.

 

 
 MRehan_9-1711393941472.png

Figure 8: Linked Cloud Accounts_palo-alto-networks 

 

Parent Folder A does not have any child projects, hence there are no cloud accounts associated with its account group as seen below.

 

 
MRehan_10-1711393940938.png

Figure 9: Auto created account groups_palo-alto-networks 

 

Project “exalted-slice-319810” is part of example.world org, hence its not included in “Directly linked Cloud Accounts” for Parent Folder B & Child Folder B.

 

Note: If you had selected Exclude a subset of folders during GCP Onboarding, the ability to Maintain recursive hierarchy is disabled and you must select account groups manually.

 

Conclusion 

 

Using Prisma Cloud Auto Create Account Groups eliminates the need to manually create account groups. For any new projects added in GCP organization, Prisma Cloud will automatically create a corresponding account group. This segregation via account groups makes alert prioritization easy and actionable. Using account groups filters, users can also maintain compliance posture management for each GCP project. Onboarding your GCP Organization with Prisma Cloud’s automated capabilities allows for you to manage your GCP cloud accounts at scale.


Reference

 

Onboard Your GCP Organization

 

About the Author

 

Muhammad Rehan is a Customer Success consultant specializing in Cloud Security Posture Management, Next-Generation Firewall, AWS, Azure, GCP, containers and Kubernetes. Rehan uses collaborative approaches to break down complex problems into solutions for global enterprise customers and leverage his multi industry knowledge to inspire success.

Rate this article:
  • 1954 Views
  • 0 comments
  • 1 Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎10-29-2024 01:13 PM
Updated by: