Cloud Storage Security Help Docs
Release Notes
  • Introduction
  • Getting Started
    • How to Subscribe
      • Pay-As-You-Go (PAYG)
      • Bring Your Own License/GovCloud (BYOL)
      • AWS Transfer Family
    • How to Deploy
      • Steps to Deploy
      • Advanced Deployment Considerations
      • AWS Transfer Family
    • How to Configure
  • Console Overview
    • Dashboard
    • Malware Scanning
      • AWS
        • Buckets
        • Amazon EBS Volumes
        • Amazon EFS Volumes
        • Amazon FSx Volumes
        • WorkDocs Connections
      • Azure
        • Blob Containers
      • GCP
        • GCP Buckets
    • See What's Infected
      • Findings
      • Malware History
      • Results
    • Schedules
    • Monitoring
      • Error Logs
      • Bucket Settings
      • Deployment
      • Jobs
      • Notifications
      • Storage Assessment
      • Usage
    • Configuration
      • Classification Rule Sets
      • Classification Custom Rules
      • Scan Settings
      • Console Settings
      • AWS Integrations
      • Job Networking
      • API Agent Settings
      • Proactive Notifications
      • License Management
      • Event Agent Settings
    • Access Management
      • Manage Users
      • Manage Accounts
        • Linking an AWS Account
        • Linking an Azure Account
        • Linking a GCP Account
      • Manage Groups
    • Support
      • Getting Started
      • Stay Connected
      • Contact Us
      • Documentation
  • Product Updates
  • How It Works
    • Scanning Overview
      • Event Driven Scanning for New Files
      • Retro Scanning for Pre-Existing Files
      • API Driven Scanning
    • Architecture Overview
    • Deployment Details
    • Sizing Discussion
    • Integrations
      • AWS Security Hub
      • AWS CloudTrail Lake
      • AWS Transfer Family
      • Amazon GuardDuty
      • Amazon Bedrock
    • Demo Videos
    • Scanning APIs
    • SSO Integrations
      • Entra ID SSO Integration
      • Okta SSO Integration
  • Frequently Asked Questions
    • Getting Started
    • Product Functionality
    • Architecture Related
    • Supported File Types
  • Troubleshooting
    • CloudFormation Stack failures
    • Cross-Region Scanning on with private network
    • API Scanning: Could not connect to SSL/TLS (v7)
    • Password not received after deployment
    • Conflicted buckets
    • Modifying scaling info post-deployment
    • Objects show unscannable with access denied
    • Remote account objects not scanning
    • My scanning agents keep starting up and immediately shutting down
    • I cannot access the management console
    • Linked Account Out of Date
    • Rebooting the Management Console
    • Error when upgrading to the latest major version
    • I Cannot Create/Delete an API Agent
  • Release Notes
    • Latest (v8)
    • v7
    • v6 and older
  • Contact Us & Support
  • Data Processing Agreement
  • Privacy Policy
Powered by GitBook
On this page
  • How It Works
  • Protecting Buckets
  • Schedule Status
  • Retro-based scanning on a bucket
  • On-demand Scanning
  • Scheduled Scanning
  • GCP On-demand and Scheduled Scan Job Status
  1. Console Overview
  2. Malware Scanning
  3. GCP

GCP Buckets

Similar to scanning AWS storage volumes you can also scan GCP Buckets.

PreviousGCPNextSee What's Infected

Last updated 10 days ago

Before you can start protecting your data in GCP Buckets you'll need to .

How It Works

When linking an account in the CSS console, we deploy resources in a new CSS Project created in GCP through our Terraform module. Those resources will have access to the customer project(s) denoted in the deployments parameters (projects_to_protect).

Once the projects are linked, GCP buckets will be made available to be scan through the CSS Console in the Protection > GCP Buckets page. You can select buckets to scan or run scans on a schedule basis.

We offer Retro scanning for GCP.

  • Users or apps place files into Google Cloud Storage.

  • The Console Service initiates a scan request to the Cloud Run service that resides in CSS' Project that is provisioned via Terraform.

  • The Cloud Run Job accesses the customer's Cloud Storage and loads a list of its objects in memory, procedurally scanning each item.

  • Results are returned to the Console service for processing.

  • (Optional) The Cloud Run Job will move infected files to a Quarantine Cloud Storage that resides in CSS' Project.

Protecting Buckets

For CSS scanning of GCP, Protection can mean schedule scanning (pre-defined schedule based) and on-demand (pick one or more buckets and scan immediately whenever you want).

Schedule Status

The schedule icons shown below will reflect whether an object is associated with a schedule and whether that schedule is active or not.

Retro-based scanning on a bucket

On-demand Scanning

You can scan pre-existing files in a bucket at anytime by selecting which bucket you'd like to scan and then selecting Scan Existing - AV in the Actions menu.

  • Navigate to Protection > GCP > Buckets page

  • Select the check mark next to the bucket name of your volume

  • Click Actions > Scan Existing - AV

  • Select your date range, prefixes (optional) and whether you'd like to scan files that have been already scanned.

  • Acknowledge that scanning files will result in a charge and scan selected.

Scheduled Scanning

You can add buckets to a schedule by selecting the buckets you want to scan on a scheduled basis and selecting Create AV Schedule in the Actions menu.

  • Navigate to Protection > GCP > Buckets page

  • Select the check mark next to the bucket name of your volume

  • Click Actions > Create AV Schedule

  • Select the Schedule tab and enter in your schedule name, scan period, schedule description (optional), files to scan, and prefixes to crawl (optional).

  • Acknowledge that scanning files will result in a charge and save the schedule.

  • Click on Schedules, find the schedule you created. Click the button with 3 dots on it and click Activate.

GCP On-demand and Scheduled Scan Job Status

If you go to Monitoring > Jobs you'll be able to see the status of on-demand and scheduled retro scans for GCP Buckets.

Protected by Active Schedule -

Part of an Inactive Schedule -

Not a Part of any Schedule -

link in your GCP account(s)
Create AV Schedule