Enterprise Recon 2.6.0

Google Cloud Storage

Overview

Support for Google Cloud products is currently available for Google Cloud Storage only.

To set up Google Cloud Storage as a Target:

  1. Configure Google Service Account
  2. Set Up and Scan a Google Cloud Storage Target

To scan a specific path in Google Cloud Storage, see Edit Google Cloud Storage Target Path.

Licensing

For Sitewide Licenses, all scanned Google Cloud Storage Targets consume data from the Sitewide License data allowance limit.

For Non-Sitewide Licenses, Google Cloud Storage Targets require Server & DB Licenses, and consume data from the Server & DB License data allowance limit.

See Target Licenses for more information.

Requirements

Requirement             Description
Proxy Agent             A Proxy Agent host with direct Internet access; the Agent connects to Google Cloud Storage on behalf of ER2.
                        Recommended Proxy Agents:
                          • Windows Agent with database runtime components
                          • Windows Agent
                          • Linux Agent with database runtime components
                          • Linux Agent
                          • macOS Agent
TCP Allowed Connections Port 443 (HTTPS), outbound from the Proxy Agent host to Google Cloud Storage.

Configure Google Service Account

Before adding Google Cloud Storage as a Target, you must create a Google service account for use with ER2. The service account must have the required permissions to allow ER2 to authenticate and access (scan) the buckets in your Google Cloud Storage project.

To configure your Google service account for scanning with ER2:

Create a Role

To create a new role for use with ER2:

  1. Log in to the Google Cloud Console.
  2. From the projects list, select the project that you want to scan with ER2.
    Select project in Google Cloud Console
  3. Click the hamburger icon to expand the navigation menu and go to IAM & Admin > Roles.
  4. Click + CREATE ROLE.
    Create new role for project in Google Cloud Console
  5. In the Create role page, fill in the following fields:
    Field                  Description
    Title                  Enter a descriptive name for the role.
                           Example: Enterprise_Recon
    Description (optional) Provide a description for the new role.
    ID (optional)          Edit the default ID for the role.
    + ADD PERMISSIONS      Search for and select the following permissions to ADD to the role:
                             • monitoring.timeSeries.list
                             • storage.buckets.list
                             • storage.objects.get
                             • storage.objects.list
                           All four permissions are read-only: they let ER2 list the buckets in the project, list and read the objects in them, and read monitoring metrics. Do not add permissions that modify bucket contents or IAM; the scan does not need them.
  6. Click CREATE.

Create a Service Account

To create a service account for use with ER2:

  1. Log in to the Google Cloud Console.
  2. From the projects list, select the project that you want to scan with ER2.
    Select project in Google Cloud Console
  3. Click the hamburger icon to expand the navigation menu and go to IAM & Admin > Service Accounts.
  4. Click + CREATE SERVICE ACCOUNT.
    Create service account for project in Google Cloud Console
  5. In the Service account details section, fill in the following fields:

    Field                          Description
    Service account name           Enter a descriptive name for the service account.
                                   Example: enterprise-recon-sa
    Service account ID (optional)  Edit the default ID for the service account, or click the button to generate one. The ID becomes the local part of the service account email that ER2 authenticates with: <service-account-id>@<project-id>.iam.gserviceaccount.com
                                   Example: enterprise-recon-sa@project-id.iam.gserviceaccount.com
    Description (optional)         Provide a description for the new service account.
  6. Click CREATE AND CONTINUE.
  7. In the Grant this service account access to the project section, click on the Select a role dropdown and select the role created for use with ER2 (e.g. Enterprise_Recon). See Create a Role for more information.
  8. Click CONTINUE and DONE.
  9. Back in the Service accounts page, click on the newly created service account.
  10. In the DETAILS tab, note the Email for the service account (e.g. enterprise-recon-sa@project-id.iam.gserviceaccount.com). This is required when you want to Set Up and Scan a Google Cloud Storage Target.

  11. In the KEYS tab, click ADD KEY > Create new key.
  12. In the Create private key for '<service account>' dialog box, select "JSON" Key type and click CREATE.
  13. Save the created JSON private key file to a secure location on your computer. This is required when you want to Set Up and Scan a Google Cloud Storage Target.

  14. Click Close.
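
The console steps in Create a Role and Create a Service Account, as an added example written for this page in the gcloud CLI (it is not part of the ER2 documentation or product). It assumes the Google Cloud SDK is installed and authenticated as a user who can administer IAM in the project; the role ID enterprise_recon, the service account ID enterprise-recon-sa and the key path ./er2-sa-key.json are illustrative choices, and the permission list is the one from Create a Role.

```shell
#!/bin/sh
# Added example, not ER2 product code: gcloud equivalent of the console steps.
# Assumes the Google Cloud SDK is installed and authenticated as an IAM admin
# of the target project. Role ID, service account ID and key path below are
# illustrative choices; the permission list is the one documented above.
set -eu

# The four read-only permissions the custom role needs.
ER2_PERMISSIONS="monitoring.timeSeries.list,storage.buckets.list,storage.objects.get,storage.objects.list"

# Service account email in the form ER2's "Email" field expects.
# Usage: er2_sa_email <sa-id> <project-id>
er2_sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# Step "Create a Role": a project-level custom role carrying only ER2_PERMISSIONS.
# Usage: er2_create_role <project-id> <role-id>
er2_create_role() {
  gcloud iam roles create "$2" --project="$1" \
    --title="Enterprise_Recon" \
    --description="Read-only access for Enterprise Recon scanning" \
    --permissions="$ER2_PERMISSIONS" \
    --stage=GA
}

# Step "Create a Service Account": create it and bind the custom role on the
# project, nothing broader. Prints the service account email as its last line.
# Usage: er2_create_sa <project-id> <sa-id> <role-id>
er2_create_sa() {
  local project="$1" sa="$2" role="$3" email
  email="$(er2_sa_email "$sa" "$project")"
  gcloud iam service-accounts create "$sa" --project="$project" \
    --display-name="Enterprise Recon scanner"
  gcloud projects add-iam-policy-binding "$project" \
    --member="serviceAccount:${email}" \
    --role="projects/${project}/roles/${role}" \
    --condition=None
  printf '%s\n' "$email"
}

# Steps 11-13: create the JSON key. It is a long-lived credential, so the file
# is created readable by its owner only (umask set in a subshell, so the
# caller's umask is untouched).
# Usage: er2_create_key <project-id> <sa-id> <key-file>
er2_create_key() {
  local email
  email="$(er2_sa_email "$2" "$1")"
  ( umask 077
    gcloud iam service-accounts keys create "$3" \
      --iam-account="$email" --project="$1" )
}

# Smoke test before the key goes into ER2: authenticate as the service account
# and list the buckets it will be able to scan. A permission error here means
# the Test button in ER2 will fail too. Note that this switches the active
# gcloud account on the host running it.
# Usage: er2_smoke_test <project-id> <key-file>
er2_smoke_test() {
  gcloud auth activate-service-account --key-file="$2"
  gcloud storage ls --project="$1"
}

# Run every step only when invoked as: sh er2-gcs-setup.sh run <project-id>
# so that the functions can also be sourced and used individually.
if [ "${1:-}" = "run" ]; then
  project="${2:?usage: run <project-id>}"
  er2_create_role "$project" enterprise_recon
  er2_create_sa "$project" enterprise-recon-sa enterprise_recon
  er2_create_key "$project" enterprise-recon-sa ./er2-sa-key.json
  er2_smoke_test "$project" ./er2-sa-key.json
fi
```

The email printed by er2_create_sa goes into the Email field and ./er2-sa-key.json into the Private Key field of the Target dialog; run the smoke test first, because a failure there is cheaper to diagnose than a failed Test in ER2.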

Set Up and Scan a Google Cloud Storage Target

  1. Configure Google Service Account.
  2. From the New Scan page, Add Targets.
  3. In the Select Target Type dialog box, click on Google Cloud Platform and select Google Cloud Storage.
  4. Fill in the following fields:
    Dialog box to configure the path, credentials and proxy agent for a Google Cloud Storage Target.

    Field                          Description
    Project ID                     Enter the ID of the Google Cloud project that contains the buckets to scan.
                                   Go to the Manage resources page in Google Cloud Console to get the ID for your project.
    New Credential Label           Enter a descriptive label for the Google Cloud Storage credential set.
    Email                          Enter the service account email address.
                                   Example: enterprise-recon-sa@project-id.iam.gserviceaccount.com
                                   See Create a Service Account - Step 10 for more information.
    Private Key                    Upload the private key (*.json) associated with the service account.
                                   See Create a Service Account - Step 13 for more information.
    Agent to act as a proxy host   Select a supported Proxy Agent host with direct Internet access.
  5. Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
  6. Click Commit to add the Target.
  7. (Optional) On the Select Locations page, probe the Target to browse and select specific buckets or objects to scan.

  8. Click Next.
  9. On the Select Data Types page, select the Data Type Profiles to be included in your scan and click Next.
  10. On the Set Schedule page, configure the parameters for your scan. See Set Schedule for more information.

  11. Click Next.
  12. On the Confirm Details page, review the details of the scan schedule, and click Start Scan to start the scan. Otherwise, click Back to modify the scan schedule settings.

Edit Google Cloud Storage Target Path

  1. Set Up and Scan a Google Cloud Storage Target.
  2. In the Select Locations section, select the Google Cloud Storage Target location and click Edit.
  3. In the Edit Google Cloud Storage Location dialog box, enter a (case sensitive) Path to scan. Use the following syntax:

    Path              Syntax                        Example
    Specific bucket   <bucket>                      bucket-1
    Specific folder   <bucket>/<folder>/            bucket-1/Folder-1/
    Specific object   <bucket>/<folder>/<object>    bucket-1/Folder-1/My-File-1.txt

  4. Click Test and then Commit to save the path to the Target location.
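
A check for the path syntax above, as an added example written for this page (not ER2 product code): it classifies a path as bucket, folder or object before it is committed, and rejects bucket names that Google Cloud Storage cannot have, such as one with upper-case letters. The bucket naming rules are Google Cloud Storage's own; the function name er2_path_kind is an illustrative choice. It goes slightly beyond the table in that an object directly under the bucket root (no folder segment) is also classified as an object.

```shell
#!/bin/sh
# Added example, not ER2 product code: classify a Target path written in the
# documented syntax before committing it, so typos in the bucket name are
# caught locally. Bucket-name rules are Google Cloud Storage's own.
# Prints bucket, folder, object or invalid; returns non-zero for invalid.
# Usage: er2_path_kind <path>
er2_path_kind() {
  path="$1"
  case "$path" in
    */*) bucket="${path%%/*}"; rest="/${path#*/}" ;;   # split at the first slash
    *)   bucket="$path";        rest="" ;;
  esac
  # Bucket names are 3-63 characters of lowercase letters, digits, '-', '_'
  # and '.', starting and ending with a letter or digit (longer dotted names
  # exist but are not handled here). Folder and object names are merely
  # case-sensitive, but an upper-case bucket name cannot exist at all, so a
  # path such as "Bucket-1/Folder-1/" is rejected outright.
  if ! printf '%s' "$bucket" | grep -Eq '^[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]$'; then
    echo invalid; return 1
  fi
  case "$rest" in
    "")      echo bucket ;;                 # <bucket>
    /|*//*)  echo invalid; return 1 ;;      # lone trailing slash or empty segment
    */)      echo folder ;;                 # <bucket>/<folder>/
    *)       echo object ;;                 # <bucket>/<folder>/<object>
  esac
}
```

Run it as `er2_path_kind bucket-1/Folder-1/` before typing the path into the Edit Google Cloud Storage Location dialog; remember that the folder and object parts are compared case-sensitively by the scan, so the check cannot tell you whether Folder-1 exists, only whether the path is well-formed.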