on 03-25-2024 12:27 PM - edited on 10-29-2024 01:13 PM by RPrasadi
“Auto Create Account Groups” is a useful feature for managing a large number of GCP projects and folders.
If several teams create folders and projects in your organization, it makes sense to have a separate account group for each team and to create separate alert rules based on those account groups. This keeps each team's alerts isolated and manageable, so each team can act proactively on the alerts that belong to it.
In this article we illustrate this with an example GCP Organization that contains nested folders and projects.
The name of the GCP Organization is “example.world”.
Figure 1: GCP Organization
When a GCP organization is onboarded into Prisma Cloud, you have the following options for assigning account groups:
Auto Create Account Groups Disabled
With Auto Create Account Groups disabled, you select account groups from the list of pre-created account groups and assign them to the account yourself.
Figure 2: Auto Create Account Groups Disabled
Figure 3: Account Groups
Auto Create Account Groups enabled without Recurse Hierarchy
If you enable Auto Create Account Groups without selecting Recurse Hierarchy, you cannot assign account groups manually. Instead, Prisma Cloud automatically creates a single account group and attaches every cloud account (the organization and all of its projects) to it.
Figure 4: Auto Create Account Groups Configuration
Figure 5: Linked Cloud Accounts
Note: Only one account group is created; the organization and all of its projects are attached to this group.
Auto Create Account Groups enabled with Recurse Hierarchy
If you enable Auto Create Account Groups and select Recurse Hierarchy, you again cannot assign account groups manually. Instead, Prisma Cloud automatically creates separate account groups based on the GCP hierarchy.
When account groups are created recursively, each account group contains every GCP project nested anywhere within that folder's hierarchy, as you see it on the GCP console. Because account groups are organized in a flat list on Prisma Cloud, you cannot see the folder-to-group mapping visually; you have to open each group's linked cloud accounts to check it.
Account groups that are created automatically cannot be edited on Prisma Cloud, and are indicated with a symbol in the account groups list (Figure 6).
Figure 6: Auto created account groups
Note: Both Child Folder B and Parent Folder B have one cloud account attached to their corresponding account groups.
For Child Folder B, its nested project “project-1-319810” is attached to its account group.
Figure 7: Linked Cloud Accounts
For Parent Folder B, “project-1-319810” also falls within its hierarchy (it is nested under Child Folder B), so the same project is attached to Parent Folder B's account group as well.
Figure 8: Linked Cloud Accounts
Parent Folder A has no child projects, so no cloud accounts are associated with its account group, as seen below.
Figure 9: Auto created account groups
Project “exalted-slice-319810” sits directly under the example.world organization rather than inside a folder, so it is not included in “Directly linked Cloud Accounts” for Parent Folder B or Child Folder B.
Note: If you selected Exclude a subset of folders during GCP onboarding, the Maintain recursive hierarchy option is disabled and you must select account groups manually.
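Because the Prisma Cloud list is flat, it helps to be able to reproduce the mapping yourself before writing alert rules against it. The following script is an added example, not code from Prisma Cloud or from this article: it models the membership rules described above for both Auto Create modes against a constructed copy of the example.world hierarchy. Group names, the organization getting its own group in recursive mode, and the exclusion behaviour are assumptions made for illustration; the real product's naming scheme is not given on this page.

```python
from collections import defaultdict

# Constructed sample modelled on the article's example.world organization; it is
# not exported from GCP. resource name -> (kind, parent); the organization has no parent.
SAMPLE_HIERARCHY = {
    "example.world": ("organization", None),
    "Parent Folder A": ("folder", "example.world"),
    "Parent Folder B": ("folder", "example.world"),
    "Child Folder B": ("folder", "Parent Folder B"),
    "project-1-319810": ("project", "Child Folder B"),
    "exalted-slice-319810": ("project", "example.world"),
}


def ancestors(hierarchy, node):
    """Yield the parent chain of `node`, from its folder up to the organization."""
    parent = hierarchy[node][1]
    while parent is not None:
        yield parent
        parent = hierarchy[parent][1]


def subtree_projects(hierarchy, node):
    """Every project nested anywhere below `node`, however deep the folders go."""
    return {name for name, (kind, _) in hierarchy.items()
            if kind == "project" and node in ancestors(hierarchy, name)}


def auto_account_groups(hierarchy, recurse_hierarchy, excluded_folders=()):
    """Model the account-group memberships of the two Auto Create modes.

    Returns {account group name: set of cloud accounts}. Folder and organization
    names double as group names here (an assumption; the page gives no scheme).
    """
    if excluded_folders and recurse_hierarchy:
        # Mirrors the article's note: excluding folders disables recursive hierarchy.
        raise ValueError("Recurse Hierarchy is unavailable when folders are excluded; "
                         "assign account groups manually instead")
    for folder in excluded_folders:
        if hierarchy.get(folder, (None,))[0] != "folder":
            raise ValueError(f"{folder!r} is not a folder in the hierarchy")

    # Drop excluded folders and everything beneath them before grouping.
    visible = {name: spec for name, spec in hierarchy.items()
               if name not in excluded_folders
               and not any(a in excluded_folders for a in ancestors(hierarchy, name))}
    org = next(name for name, (kind, _) in visible.items() if kind == "organization")
    all_projects = {name for name, (kind, _) in visible.items() if kind == "project"}

    # Non-recursive: one group holding the organization and every project.
    groups = {org: {org} | all_projects}
    if not recurse_hierarchy:
        return groups

    # Recursive: additionally one group per folder, holding only the projects
    # nested under it (folders themselves are not cloud accounts).
    for name, (kind, _) in visible.items():
        if kind == "folder":
            groups[name] = subtree_projects(visible, name)
    return groups


def groups_for_account(groups, account):
    """Which auto-created groups, and so which group-scoped alert rules, cover an account."""
    return sorted(name for name, members in groups.items() if account in members)


if __name__ == "__main__":
    recursive = auto_account_groups(SAMPLE_HIERARCHY, recurse_hierarchy=True)
    for group, members in recursive.items():
        print(f"{group}: {sorted(members) or '(no cloud accounts)'}")
    print("rules that fire for project-1-319810:",
          groups_for_account(recursive, "project-1-319810"))
```

The `groups_for_account` call makes the practical consequence explicit: an alert on “project-1-319810” is matched by rules scoped to Child Folder B, Parent Folder B and the organization group, so a team that owns only Child Folder B should scope its rule to that group alone if it does not want to see alerts raised by sibling folders. To run this against a real organization, replace `SAMPLE_HIERARCHY` with the parent relationships from `gcloud resource-manager folders list --organization=ORG_ID` and `gcloud projects list --format=json` (the `parent` field of each project); building that map is left to the reader.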
Using Prisma Cloud Auto Create Account Groups eliminates the need to create account groups manually. For any new project added to the GCP organization, Prisma Cloud automatically creates the corresponding account group. This segregation via account groups makes alert prioritization easy and actionable, and by filtering on account groups you can also maintain compliance posture management for each GCP project. Onboarding your GCP Organization with Prisma Cloud's automated capabilities lets you manage your GCP cloud accounts at scale.
Muhammad Rehan is a Customer Success consultant specializing in Cloud Security Posture Management, Next-Generation Firewall, AWS, Azure, GCP, containers and Kubernetes. Rehan uses collaborative approaches to break down complex problems into solutions for global enterprise customers and leverages his multi-industry knowledge to inspire success.