Enterprise Recon Cloud 2.12.0

How To Scan Google Cloud Storage

Overview

Support for Google Cloud products is currently available for Google Cloud Storage only.

To set up Google Cloud Storage as a Target:

  1. Configure Google Service Account
  2. Set Up and Scan a Google Cloud Storage Target

To scan a specific path in Google Cloud Storage, refer to Edit Google Cloud Storage Target Path.

Licensing

For Sitewide Licenses, all scanned Google Cloud Storage Targets consume data from the Sitewide License data allowance limit.

For Non-Sitewide Licenses, Google Cloud Storage Targets require Server & DB Licenses, and consume data from the Server & DB License data allowance limit.

See Target Licenses for more information.

Requirements

Requirement: Description
Proxy Agent:
  • Proxy Agent host with direct Internet access.
  Recommended Proxy Agents:
  • Windows Agent with database runtime components
  • Windows Agent
  • Linux Agent with database runtime components
  • Linux Agent
  • macOS Agent
TCP Allowed Connections: Port 443

Configure Google Service Account

Before adding Google Cloud Storage as a Target, you must create a Google service account for use with ER Cloud. The service account must have the required permissions to allow ER Cloud to authenticate and access (scan) the buckets in your Google Cloud Storage project.

To configure your Google service account for scanning with ER Cloud:

Create a Role

To create a new role for use with ER Cloud:

  1. Log in to the Google Cloud Console.
  2. From the projects list, select the project that you want to scan with ER Cloud.
  3. Click the hamburger icon to expand the navigation menu and go to IAM & Admin > Roles.
  4. Click + CREATE ROLE.
  5. In the Create role page, fill in the following fields:
    Field: Description
    Title: Enter a descriptive name for the role.
      Example: Enterprise_Recon
    (Optional) Description: Provide a description for the new role.
    (Optional) ID: Edit the default ID for the role.
    + ADD PERMISSIONS: Search for and select the following permissions to ADD to the role:
      • monitoring.timeSeries.list
      • storage.buckets.list
      • storage.objects.get
      • storage.objects.list
  6. Click CREATE.

Create a Service Account

To create a service account for use with ER Cloud:

  1. Log in to the Google Cloud Console.
  2. From the projects list, select the project that you want to scan with ER Cloud.
  3. Click the hamburger icon to expand the navigation menu and go to IAM & Admin > Service Accounts.
  4. Click + CREATE SERVICE ACCOUNT.
  5. In the Service account details section, fill in the following fields:

    Field: Description
    Service account name: Enter a descriptive name for the service account.
      Example: enterprise-recon-sa
    (Optional) Service account ID: Edit the default ID for the service account, or click the button to generate a service account ID.
      Example: enterprise-recon-sa@project-id.iam.gserviceaccount.com
    (Optional) Description: Provide a description for the new service account.
  6. Click CREATE AND CONTINUE.
  7. In the Grant this service account access to the project section, click on the Select a role dropdown and select the role created for use with ER Cloud (e.g. Enterprise_Recon). Refer to Create a Role.
  8. Click CONTINUE and DONE.
  9. Back in the Service accounts page, click on the newly created service account.
  10. In the DETAILS tab, note down the Email for the service account (e.g. enterprise-recon-sa@project-id.iam.gserviceaccount.com). This is required when you set up and scan a Google Cloud Storage Target. Refer to Set Up and Scan a Google Cloud Storage Target.

  11. In the KEYS tab, click ADD KEY > Create new key.
  12. In the Create private key for '<service account>' dialog box, select "JSON" Key type and click CREATE.
  13. Save the created JSON private key file to a secure location on your computer. This is required when you set up and scan a Google Cloud Storage Target. Refer to Set Up and Scan a Google Cloud Storage Target.

  14. Click Close.
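
The following added example (not part of the ER Cloud documentation or product) checks that the role and service account created above carry only the access this page lists. It assumes the role and policy have been exported as JSON with `gcloud iam roles describe` and `gcloud projects get-iam-policy`, and that the role ID is Enterprise_Recon; the sample data is constructed.

```python
import json

# The four permissions this page lists for the ER Cloud role.
REQUIRED = {"monitoring.timeSeries.list", "storage.buckets.list",
            "storage.objects.get", "storage.objects.list"}

def audit(role, policy, sa_email):
    """Compare a custom role and project IAM policy with the setup above.

    role:   dict shaped like `gcloud iam roles describe ... --format=json`
    policy: dict shaped like `gcloud projects get-iam-policy ... --format=json`
    """
    granted = set(role.get("includedPermissions", []))
    member = "serviceAccount:" + sa_email
    bound = sorted(b["role"] for b in policy.get("bindings", [])
                   if member in b.get("members", []))
    return {
        "missing": sorted(REQUIRED - granted),      # scans would lack access
        "excess": sorted(granted - REQUIRED),       # beyond what the page lists
        "role_bound": role["name"] in bound,        # step 7 was applied
        "other_roles": [r for r in bound if r != role["name"]],
    }

# Constructed sample data (not from a real project); role ID is an assumption.
SAMPLE_ROLE = json.loads("""
{"name": "projects/project-id/roles/Enterprise_Recon",
 "title": "Enterprise_Recon",
 "includedPermissions": ["monitoring.timeSeries.list", "storage.buckets.list",
                         "storage.objects.delete", "storage.objects.list"]}
""")
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "projects/project-id/roles/Enterprise_Recon",
   "members": ["serviceAccount:enterprise-recon-sa@project-id.iam.gserviceaccount.com"]},
  {"role": "roles/editor",
   "members": ["user:admin@example.com",
               "serviceAccount:enterprise-recon-sa@project-id.iam.gserviceaccount.com"]}
]}
""")
SA_EMAIL = "enterprise-recon-sa@project-id.iam.gserviceaccount.com"

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ROLE, SAMPLE_POLICY, SA_EMAIL), indent=2))
```

A clean result has empty `missing`, `excess` and `other_roles` lists and `role_bound` set to true.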

Set Up and Scan a Google Cloud Storage Target

  1. Configure Google Service Account.
  2. From the New Scan page, add Targets. Refer to the Add Targets section.
  3. In the Select Target Type dialog box, click on Google Cloud Platform and select Google Cloud Storage.
  4. Fill in the following fields:

    Field: Description
    Project ID: Enter the ID of the Google Cloud Storage project to scan.
      Go to the Manage Resources page in Google Cloud Console to get the ID for your Google Cloud Storage project. Refer to Google Cloud Console - Manage resources.
    New Credential Label: Enter a descriptive label for the Google Cloud Storage credential set.
    Email: Enter your Google Cloud Storage service account email address.
      Example: enterprise-recon-sa@project-id.iam.gserviceaccount.com
      For more information, refer to step 10 of Create a Service Account.
    Private Key: Upload the private key (*.json) associated with the Google Cloud Storage service account.
      For more information, refer to step 13 of Create a Service Account.
    Agent to act as a proxy host: Select a supported Proxy Agent host with direct Internet access.
  5. Click Test. If ER Cloud can connect to the Target, the button changes to a Commit button.
  6. Click Commit to add the Target.
  7. (Optional) On the Select Locations page, probe the Target to browse and select specific buckets or objects to scan. Refer to Probe Targets in the Start a Scan section.

  8. Click Next.
  9. On the Select Data Types page, select the data type profiles to be included in your scan (refer to the Use Data Type Profile section) and click Next.
  10. On the Set Schedule page, configure the parameters for your scan. For more information, refer to Set Schedule in the Start a Scan section.

  11. Click Next.
  12. On the Confirm Details page, review the details of the scan schedule, and click Start Scan to start the scan. Otherwise, click Back to modify the scan schedule settings.
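
Before uploading the private key in step 4, the check below confirms that the key file agrees with the Project ID and Email fields and is not readable by other local users. It is an added example, not ER Cloud code; it assumes the service account was created in the project being scanned, as in the steps above, and the sample key is constructed with a placeholder secret.

```python
import json
import os
import stat
import tempfile

KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")

def preflight(key_path, project_id, email):
    """Return a list of problems; an empty list means the inputs agree."""
    problems = []
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if os.name == "posix" and mode & 0o077:
        problems.append(f"key file mode {mode:03o} lets group/others access it")
    try:
        with open(key_path, encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError:
        return problems + ["key file is not valid JSON"]
    if not isinstance(key, dict):
        return problems + ["key file is not a JSON object"]
    missing = [f for f in KEY_FIELDS if not key.get(f)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        problems.append("type is not 'service_account'")
    if key.get("client_email") != email:
        problems.append("Email field does not match client_email in the key")
    if key.get("project_id") != project_id:
        problems.append("Project ID field does not match project_id in the key")
    return problems

def write_sample_key(mode=0o600, **overrides):
    """Write a constructed key file (placeholder secret) and return its path."""
    key = {
        "type": "service_account",
        "project_id": "project-id",
        "private_key_id": "constructed-key-id",
        "private_key": "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY",
        "client_email": "enterprise-recon-sa@project-id.iam.gserviceaccount.com",
    }
    key.update(overrides)
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(key, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    sample = write_sample_key(mode=0o644)
    print(preflight(sample, "project-id", "enterprise-recon-sa@project-id.iam.gserviceaccount.com"))
    os.remove(sample)
```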

Edit Google Cloud Storage Target Path

  1. Set Up and Scan a Google Cloud Storage Target.
  2. In the Select Locations section, select the Google Cloud Storage Target location and click Edit.
  3. In the Edit Google Cloud Storage Location dialog box, enter a (case sensitive) Path to scan. Use the following syntax:

    Path: Syntax
    Specific bucket: <bucket>
      Example: bucket-1
    Specific folder: <bucket>/<folder>/
      Example: bucket-1/Folder-1/
    Specific object: <bucket>/<folder>/<object>
      Example: bucket-1/Folder-1/My-File-1.txt

  4. Click Test and then Commit to save the path to the Target location.
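
The path syntax above, and the effect of case sensitivity, as an added example that is not ER Cloud's own matching code. It assumes a folder path selects every object whose name starts with that prefix and that a bare trailing slash after the bucket still means the whole bucket; the inventory is constructed.

```python
# Constructed inventory: bucket name -> object names (not real data).
INVENTORY = {"bucket-1": ["Folder-1/My-File-1.txt", "Folder-1/My-File-2.txt",
                          "Folder-2/notes.txt"]}

def parse_path(path):
    """Split a Target path into (kind, bucket, rest) per the syntax table."""
    if not path or path.startswith("/") or "//" in path:
        raise ValueError(f"malformed path: {path!r}")
    bucket, _, rest = path.partition("/")
    if not rest:
        return ("bucket", bucket, "")   # "<bucket>" or "<bucket>/" (assumption)
    return ("folder" if rest.endswith("/") else "object", bucket, rest)

def select_objects(path, inventory):
    """Return the object names the path selects, matching case exactly."""
    kind, bucket, rest = parse_path(path)
    if bucket not in inventory:
        raise LookupError(f"no bucket named {bucket!r}")
    names = inventory[bucket]
    if kind == "bucket":
        return list(names)
    if kind == "object":
        hits = [n for n in names if n == rest]
    else:
        hits = [n for n in names if n.startswith(rest)]
    if not hits:
        # Same spelling with different case is a common cause of an empty match.
        near = sorted({n[:len(rest)] for n in names
                       if n.lower().startswith(rest.lower())})
        hint = f"; did you mean {near[0]!r}?" if near else ""
        raise LookupError(f"nothing matches {rest!r} in {bucket!r}{hint}")
    return hits

if __name__ == "__main__":
    print(select_objects("bucket-1/Folder-1/", INVENTORY))
    try:
        select_objects("bucket-1/folder-1/", INVENTORY)
    except LookupError as exc:
        print(exc)
```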